A port scan is a procedure for checking networks by determining the open and closed ports of a system. In network communication, ports serve as interfaces for data exchange between computers. By scanning these ports, it can be determined which services are active and potentially available for connections. A distinction is made between TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) ports, which use different communication protocols.
Why are Port Scans Performed?
Port scans have both legitimate and illegitimate applications. Network administrators use them for diagnostics and security checks. They help identify vulnerabilities and analyze network structure. On the other hand, attackers use port scans to discover potential points of attack. Both Red Teams (attack simulation) and Blue Teams (defense) use port scans to test system security.
How do Port Scanners Work?
Port scanners are specialized programs that systematically address different ports of a target system. They send targeted packets and analyze the responses to determine the status of each port. A port can be classified as open, closed, or filtered:
Open: The port accepts connections and responds to requests.
Closed: The port is reachable but rejects connections.
Filtered: The port does not respond, possibly due to a firewall or filter.
What Port Scanning Techniques Exist?
There are various techniques for scanning ports:
- Ping scan: Using ICMP echo requests to detect active hosts.
- TCP half-open scan: Sending SYN packets without completing the connection establishment.
- TCP connect scan: Complete TCP three-way handshake for port verification.
- UDP scan: Scanning UDP ports by sending UDP packets.
- Stealth scan: Using special TCP flags (FIN, XMAS, NULL) to bypass firewalls.
- Other techniques: TCP ACK scan, TCP window scan, custom TCP flags.
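As an added illustration (not code from this page or from any of the tools named on it), the following Python snippet performs the TCP connect scan described above and classifies each port into the three states from the "How do Port Scanners Work?" section. It only probes a throwaway listener on your own loopback interface, so it shows the classification logic without touching any other host; the timeout value and the helper names are assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple

# Assumed default: a short timeout keeps the loopback check fast; raise it on real networks.
DEFAULT_TIMEOUT = 1.0


def probe_port(host: str, port: int, timeout: float = DEFAULT_TIMEOUT) -> str:
    """Classify one TCP port with a full connect() (the 'TCP connect scan' above).

    Returns 'open', 'closed' or 'filtered', matching the three states described
    in the text: handshake completed, RST received, or no answer at all.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"            # SYN/ACK came back and the three-way handshake completed
        except ConnectionRefusedError:
            return "closed"          # RST came back: host reachable, nothing listening here
        except OSError:
            return "filtered"        # timeout or unreachable: a firewall/filter dropped the probe


def scan_ports(host: str, ports: Iterable[int], timeout: float = DEFAULT_TIMEOUT,
               workers: int = 32) -> Dict[int, str]:
    """Probe several ports in parallel and map each port to its state."""
    port_list = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), port_list))
    return dict(zip(port_list, states))


def open_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Start a throwaway TCP listener on a free port so the example has a known 'open' port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))              # port 0: let the kernel pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    listener, open_port = open_listener()
    # Constructed sample: the listener's port plus a few well-known ports on the local host.
    result = scan_ports("127.0.0.1", [open_port, open_port + 1, 22, 80, 443])
    for port, state in sorted(result.items()):
        print(f"127.0.0.1:{port:<5} {state}")
    listener.close()
```

The "filtered" branch only triggers when no reply arrives within the timeout, which is why nmap's output for firewalled hosts is so much slower than for hosts that answer with RST.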
What Tools are Used for Port Scans?
Various tools are available for port scans:
- Nmap: The most well-known tool - besides port scanning, it also offers vulnerability scanning.
- Netcat: A flexible tool for port scans and establishing simple connections.
- masscan: Well-known and high-performance tool for checking many hosts - fast but sometimes not accurate.
- naabu: Go tool to quickly and relatively accurately find open ports, no service scans.
Who Uses Port Scans and Why?
In general, IT experts use port scanners. IT administrators use them to analyze their networks and look for open ports. Security experts search for ports to find services that might be vulnerable and could be exploited. The same applies to Black Hat Hackers - they also use port scans to search for additional attack surface.
Tools like nmap are an integral part of eASM, such as Argos (see External Attack Surface Management). They are used to identify and reduce a company's attack surface.
Examples for Running nmap
Use case: You want to quickly check which hosts in a network are online and which common ports are open.
nmap -sn 192.168.1.0/24
Use case: You want detailed information about the open ports and services running on a specific host.
nmap -sV -p 1-65535 192.168.1.100
Use case: You want to perform a deeper analysis of a network to find out which operating systems are running on the hosts, which ports are open, and if firewalls are active.
sudo nmap -O -sS -sU -p T:80,443,U:53 192.168.1.0/24
Use case: You want to gather as much information as possible about a host or network, including ports, services, operating systems, and possible vulnerabilities.
sudo nmap -A -T4 192.168.1.100