Saturday, October 1, 2011

Understand Port Scanning in Detail - Novice to Expert

Hello friends. This is a tutorial of great importance, and I would ask all my readers to study it in detail. It will help you clear up many concepts of networking and port scanning. I will start from the very beginner level with some introductory ideas about TCP/IP and then move on to a detailed analysis of the different types of port scanning. I won't be showing any port scanning examples here, as that would require a separate post to practically demonstrate all the scan types. So let's start.

Quick review of some common terms

TCP/IP is the standard protocol suite used to establish network communication between any two devices. TCP, the Transmission Control Protocol, is a reliable protocol that forms the basis of communication: it provides ordered delivery of a stream of packets from one computer to another over a network. IP, the Internet Protocol, solves the problem of delivering packets from one host to another.

Ports are process- or application-specific software constructs that serve as communication endpoints.
A port number is a 16-bit integer ranging from 0 to 65535 which the Internet protocol suite uses to identify a specific type of service. For example, FTP by default runs on port 21, so any packet arriving at port 21 can be assumed to belong to the FTP service.

Now let us move on to the big stuff!!

Introduction to port scanning

Port scanning is an attack in which the attacker tries to gain information about the open ports, and hence the services, running on the target machine. The main aim of an attacker in port scanning is to find the list of available services running on the target and use this information to attack it. You can read a detailed article on attacking a target here. Various types of port scanning operations can be performed against a target machine. Port scanners work by sending probe packets to a range of ports and analysing the return packets (or their absence) to decide whether each port is open or not.

The result of a scan on a port is usually generalized into one of three categories:

  • Open or Accepted: The host sent a reply indicating that a service is listening on the port.
  • Closed or Denied or Not Listening: The host sent a reply indicating that connections will be denied to the port.
  • Filtered, Dropped or Blocked: There was no reply from the host.

Based on the above three categories, the scanner decides on the availability of a port number on the target machine.

Types of Port Scanning

TCP Scanning :  TCP scanning (also called connect scanning) is the most common type of scanning and uses the operating system's own network functions. The attacker sends a SYN packet to the victim; if the port is open, the victim replies with a SYN-ACK packet and the attacker completes the connection with an ACK, which confirms that the port is open. This exchange is the 3-way handshake.
Well, let's not be bookish by stopping here. Let's look at TCP scanning from the attacker's point of view as well. The advantage of this scan is that no special privilege is needed on the attacker's machine to perform it. The connection is closed as soon as the port is found to be open, so as to avoid causing a denial-of-service condition on the target. This port scanning method has its benefits, but it is considered "noisy" and can easily raise alarms in intrusion detection systems.

SYN Scanning :  SYN scan is another form of TCP scanning. Rather than use the operating system's network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as "half-open scanning", because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed.

The use of raw networking has several advantages, giving the scanner full control of the packets sent and the timeout for responses, and allowing detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection while some services can be crashed with a connect scan. However, the RST during the handshake can cause problems for some network stacks, in particular simple devices like printers. There are no conclusive arguments either way.
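A connect scan and a half-open SYN scan leave different traces on the wire, which is exactly what an intrusion detection system keys on. The following is an added example, not code from the original post: it replays a constructed packet capture and flags any source that probes several ports, labelling it a half-open or connect scan depending on whether the handshake ACK was ever sent. The capture format and the min_ports threshold are assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample capture (not from the original post), one packet per line:
# "time src_ip:src_port > dst_ip:dst_port flags" with S=SYN, SA=SYN-ACK, A=ACK, R=RST.
# 10.0.0.5 probes four ports on 10.0.0.9 and answers each SYN-ACK with a bare RST
# (never the handshake ACK); 10.0.0.7 is a normal client that completes the handshake.
SAMPLE_CAPTURE = """\
1.000 10.0.0.5:40001 > 10.0.0.9:22 S
1.001 10.0.0.9:22 > 10.0.0.5:40001 SA
1.002 10.0.0.5:40001 > 10.0.0.9:22 R
1.010 10.0.0.5:40002 > 10.0.0.9:23 S
1.011 10.0.0.9:23 > 10.0.0.5:40002 R
1.020 10.0.0.5:40003 > 10.0.0.9:80 S
1.021 10.0.0.9:80 > 10.0.0.5:40003 SA
1.022 10.0.0.5:40003 > 10.0.0.9:80 R
1.030 10.0.0.5:40004 > 10.0.0.9:443 S
1.040 10.0.0.7:51000 > 10.0.0.9:80 S
1.041 10.0.0.9:80 > 10.0.0.7:51000 SA
1.042 10.0.0.7:51000 > 10.0.0.9:80 A
"""

def parse(capture):
    """Yield (src_ip, src_port, dst_ip, dst_port, flags) for each packet line."""
    for line in capture.splitlines():
        _, src, _, dst, flags = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield sip, int(sport), dip, int(dport), flags

def profile_sources(capture, min_ports=3):
    """Rebuild client-initiated flows and flag clients touching >= min_ports ports.
    SYN-ACK answered by RST with no ACK is half-open (SYN scan); an ACK means connect."""
    flows = defaultdict(list)                  # (client, cport, server, sport) -> [(who, flags)]
    for sip, sport, dip, dport, flags in parse(capture):
        key, who = (sip, sport, dip, dport), "c"          # assume the client sent it
        if (dip, dport, sip, sport) in flows:              # no: it is the server's reply
            key, who = (dip, dport, sip, sport), "s"
        elif flags != "S" and key not in flows:
            continue                                       # stray packet, no tracked flow
        flows[key].append((who, flags))
    per_client = defaultdict(lambda: {"ports": set(), "half_open": 0, "connect": 0})
    for (client, _, _, port), seq in flows.items():
        entry = per_client[client]
        entry["ports"].add(port)
        if ("s", "SA") in seq:                             # open port: how did the client end it?
            entry["connect" if ("c", "A") in seq else "half_open"] += 1
    alerts = {}
    for client, e in per_client.items():
        if len(e["ports"]) >= min_ports:
            kind = "SYN (half-open) scan" if e["half_open"] > e["connect"] else "connect scan"
            alerts[client] = (kind, sorted(e["ports"]))
    return alerts
```

Run `profile_sources(SAMPLE_CAPTURE)` to see only 10.0.0.5 reported; the single normal connection from 10.0.0.7 stays below the threshold.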

UDP Scanning :  UDP is a connectionless protocol. This means that no notification is sent back to the attacker on whether the packet has been received or dropped by the victim machine. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open.

However, if a port is blocked by a firewall, this method will falsely report the port as open. If the port unreachable messages are blocked, all ports will appear open. This is the major limitation of this type of scanning, so it is generally used as a hybrid scan, meaning in combination with other scan types, in order to improve the efficiency of the scanning process.

ACK Scanning :  This is generally referred to as the ACE of port scanning because of its special ability. It does not tell us whether a port is open or not. In fact, it tells us whether a port is filtered or unfiltered.

Since the ACK scan doesn't open any application sessions, the conversation between scanner and the remote device is relatively simple. This scan of a single port is unobtrusive and almost invisible when combined with the other network traffic.

FIN Scanning : FIN packets are often able to pass through firewalls unmodified. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet. This is typical behaviour due to the nature of TCP, and is in some ways an inescapable downfall. It is called a stealth scanning technique.
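To tie together the response rules of the SYN, UDP, ACK and FIN sections, here is an added example (not from the original post) that encodes each scan type's response-to-state mapping and applies the UDP caveat above: when a sweep never sees a single ICMP port unreachable, it warns that ICMP is probably blocked and the "open" results cannot be trusted. The response labels and the sample observations are constructed for the example; a silent port is recorded as "open|filtered" rather than "open" because, as the post notes, a dropped probe looks identical to an open port.

```python
# Response-to-state rules as the post describes them, one table per scan type.
# Keys are what the scanner sees back; "none" means no reply before the timeout.
RULES = {
    "connect": {"syn-ack": "open", "rst": "closed", "none": "filtered"},
    "syn":     {"syn-ack": "open", "rst": "closed", "none": "filtered"},
    "udp":     {"icmp-unreach": "closed", "none": "open|filtered"},
    "ack":     {"rst": "unfiltered", "none": "filtered"},
    "fin":     {"rst": "closed", "none": "open|filtered"},
}

def infer_state(scan, response):
    """Map one probe's response to the only state that scan type can claim."""
    try:
        return RULES[scan][response]
    except KeyError:
        raise ValueError(f"{scan} scan cannot interpret response {response!r}") from None

def scan_report(scan, observations):
    """observations: {port: response}. Returns ({port: state}, warning).
    The warning fires for a UDP scan that never saw a single ICMP port
    unreachable: the symptom of a firewall dropping those messages, which
    makes every port look open (the limitation described in the post)."""
    states = {port: infer_state(scan, resp) for port, resp in observations.items()}
    warning = None
    if scan == "udp" and observations and "icmp-unreach" not in observations.values():
        warning = "no ICMP port-unreachable seen at all; ICMP is probably blocked, results unreliable"
    return states, warning

# Constructed observations (not from the post): a UDP sweep where nothing answered...
UDP_BEHIND_FIREWALL = {53: "none", 123: "none", 161: "none", 500: "none"}
# ...and the same sweep against a host that does send ICMP unreachable for closed ports.
UDP_DIRECT = {53: "none", 123: "icmp-unreach", 161: "none", 500: "icmp-unreach"}
```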

So these are some of the common port scanning techniques. I hope this tutorial has given you some basic knowledge about port scanning. Next time you will be able to decide for yourself what type of scan you need rather than simply clicking the "default scan" button.
In the next section we will have a detailed analysis of port scanning using the popular scanning tool NMAP.
Post your comments and suggestions below.

Read the next part of this tutorial here - Complete guide to port scanning with Nmap



  1. I wanted to thank you for this great read!! I absolutely loved every bit of it. I have got you bookmarked to look at new stuff you post…