The 4 important things you need to know about port scanning

1. What is port scanning? 

Port scanning is a method used to detect which ports in a given network are open and available for use. It also involves sending packets to certain ports on a host to inspect responses to detect potential, underlying vulnerabilities.   

This activity cannot occur without initially identifying current hosts and mapping them to their IP addresses. This is referred to as host discovery, which is initiated by carrying out a network scan.  

The aim of port scanning and network scanning is to identify the arrangement of IP addresses, hosts and ports to accurately detect open or vulnerable server connections and identify the security levels.   

Post performing a comprehensive scan and gathering a list of active hosts, open ports available for unauthorised access can be identified.  

Port and network scanning can be carried out by cyber criminals to identify underlying exploitable vulnerabilities and by IT administrators to check the security policies of the network in question. Port or network scanning is typically the first step taken by the attackers before an attack is deployed upon the targeted system. Regular port and network scanning is important for IT administrators to carry out as it provides information regarding network security levels, helping them to keep the networks safe from cyber-attacks.  

2. The basics  

A port scanner will send a TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) network packet and inquire the port about their status. The responses will either be: 

1. Open/Accepted – From where the computer is open to further requests. The challenge IT administrators face is to install firewalls to provide protection without blocking access for legitimate users.  
2. Closed/Not Listening – From where the computer will notify you of its unavailability as it is already in use. Closed ports can still show that a host is on an IP address and IT administrators still need to monitor closed ports as when they open, potential vulnerabilities may be created. Closed ports should be blocked with a firewall by IT administrators, turning them into filtered ports.   
3. Filtered/Dropped/Blocked – You won’t receive further responses after this notification. This is because the packet request has either been filtered out or blocked by a firewall. If an attacker sent the request packet and was met with this response, it will indicate to the attacker that the network is secure and cannot be further intruded into. Sometimes, the responses may be “destination unreachable” or “communication prohibited”.

3. Port scanning techniques

Ping Scanner  

Ping scans are the simplest forms of port scans. A ping is an Internet Control Message Protocol (ICMP) echo request and a ping scan involves sending out a large number of ICMP echo requests to different targets to identify responders. This process is carried out as part of an automated effort. Technically, ping scans cannot be classified as a port scanning technique as the most you can receive is if there is a computer on the other side. It is however related to port scans and it is the first activity that is carried out prior to doing a port scan.  

Administrators typically disable ICMP on the firewall or on the router that handles external traffic. Instead, it is left open inside the network. ICMP can be turned on or off quickly, making it almost impossible to explore or inspect the network in this way. ICMP can be used as a troubleshooting tool however, disabling it can make tracking network problems more difficult. 

TCP Half Open  

TCP half-open port scanning (also known as SYN scanning) is a more commonly used technique for conducting port scanning. It’s a fast scan that can be used by hackers to detect open ports on the target computer. 

SYN packets ask for a response from the computer to which an ACK packet is received. During a common TCP transaction, there is an SYN, an ACK from the service and a third ACK which is a confirmation message. 

This type of scan is fast and difficult to detect as the 3-way handshape characteristic of the full TCP is not completed. Complete connection is not established through sending the third ACK, which leaves the target vulnerable.  

Any SYN-ACK responses are potential open ports. An RST (reset) response signifies that the port is closed but that the computer is live. No response signifies that the target is fitted with a filtered port. An ICMP no response can be considered the same as a filtered response.  

TCP Connect  

This technique is similar to the TCP half-open scan however, instead of leaving the target without a finalised connection, full connection is established.   

This technique is not as popular as the TCP half-open method as in order to conduct it, you need to sent one more packet per scan, increasing the amount of ‘noise’ you make on a network. A hacker will refrain from using this method as a full connection will be questioned and investigated.  

Target systems are also likely to log full TCP connections made and intrusion detection systems (IDS) will likely sound an alarm if multiple TCO connections are formed from the same host. 

To conduct a TCP scan, a user does not require the same level of privilege they need in order to carry out a half-open scan. The protocols implemented are the same for any other connection protocols.  

UDP  

UDP scans are slower compared to TCP scans and UDP ports require the same amount of enforced security practices implemented on TCP ports.   

UDP scans involve sending a specific request for example, asking if a DNS server is running. Other UDP ports are sent empty packets. An ICMP unreachable response means that the port is either closed or filtered. This is the same if there is no response.  

Stealth Scanning  

Some port scans can be more easily detected than others. The following TCP flags are used by attackers used to make their port scans more difficult to detect.  

From the perspective of a hacker, if you sent a port scan with a packet and a FIN flag, you may not expect a response. If you receive an RST response, the port may be closed. If you receive nothing, the port may still be open. Firewalls typically search for SYN packets, enabling FIN packets to slip into the system undetected. Similar to the FIN scan, an X-MAS scan sends packets with the flags FIN, URG and PUSH packets. 

Packets can be sent without flags, which are referred to as NULL packets. The response received may compromise either no answer or an RST. 

These scans do not usually appear in logs however, more recent IDSs (Intrusion Detection Software) can pick up on these. 

4. Issues that may arise from port scanning 

Some services may fail after conducting port scans such as internally ran systems. Conducting port scans without authorisation will be deemed with suspicion and if you use a shared network, you may end up scanning a system that is not in your control.  

Port scans are nevertheless, crucial for ensuring system safety and defence against threat actors seeking to cause damage to your system. Conducting port scans enable you to shut possible openings for exploitations and make the jobs of hackers as difficult as possible.  

It is important that hackers recognise that your system will waste too much time and effort for them to hack. 

In addition to regular port scans, your data also needs to be monitored and backed up with the same level of caution.