The first thing an attacker wants is information about the target, and port scanning is one of the earliest steps in gathering it. A scan reveals which services a host is running, which versions of those services are listening, the state of each port (open, closed or filtered) and, with some additional probing, which operating system the host runs. A good deal of other information can be gathered the same way.

Port scanning, then, is the process of sending packets to a range of ports on one or more hosts to learn which of them will accept a connection. In everyday terms it is a burglar checking from the street which doors and windows of a house are open. The scan itself does not alter the target, but whether it is lawful depends on the jurisdiction and on whether you have permission, so scan only systems you own or are authorized to test. Many organizations scan their own networks daily to find exposed services before an attacker does.

A port is an application- or process-specific software endpoint used by the transport-layer protocols of the Internet Protocol Suite, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). A particular port is identified by its number, the IP address it is associated with and the transport protocol in use. The port number is a 16-bit unsigned integer, giving 65,536 ports (0 to 65,535), which IANA (Internet Assigned Numbers Authority) divides into well-known ports (0-1023), registered ports (1024-49151) and dynamic or private ports (49152-65535). Attackers adopt various scan styles, as listed below:

• FTP Bounce Scan – Probes relayed through a File Transfer Protocol server (using its PORT command) so that the scan appears to originate from the FTP server, disguising the cracker's location
• Fragmented Packets – Scans that split the probe into packet fragments, which can slip past simple packet filters that inspect only the first fragment
• UDP – Scans for open User Datagram Protocol ports
• Sweep – Scans the same port on a number of computers
• Strobe – An attempt to connect to only selected ports (typically under 20)
• Stealth scan – Several techniques that try to keep the connection attempt from being logged, for example by never completing the TCP handshake
• Vanilla – An attempt to connect to all 65,536 ports

We all know how a manual port scan works: you launch Telnet, connect to each port in turn, and jot down whatever the service sends back. Each Telnet session completes a full TCP three-way handshake, so a complete connection is opened and the service on the other end sees it, and usually logs it. That makes manual scanning both tedious, since nobody wants to Telnet to thousands of remote ports by hand, and easy to detect. To make scanning faster and less noisy, a number of other port scanning techniques were developed.

Let us now discuss the various port scanning mechanisms one by one.

Port Scanning TCP Ports

Almost all port scans work by sending the target port a packet with a particular combination of TCP flags set and then interpreting the reply, or the absence of one. The classic TCP header defines six flag bits (RFC 3168 later added ECE and CWR for congestion notification, which play no role in scanning):

URG – the urgent pointer field is significant: some of the data in this segment is urgent.

ACK – the acknowledgement number field is valid.

PSH – the receiver should pass the data to the application as soon as possible.

RST – reset, that is abort, the connection.

SYN – synchronize sequence numbers to initiate a connection.

FIN – the sender has finished sending data.

Now, the underlying rule of all TCP port scans is how a host treats a segment that does not belong to any existing connection. A closed port answers every such segment (other than a RST) with a RST, because there is nothing listening that could accept it. An open port answers a SYN with a SYN/ACK and, on an RFC 793-compliant stack, silently drops other unexpected segments.

TCP Connect Scan

The Basic process of detecting whether a port is open or not has been described below:

1.) You send a TCP packet with the SYN flag set (and the target port number in the header) to the remote host.

2.) The remote host checks whether anything is listening on that port. If the port is open it replies with a single packet carrying both the SYN and ACK flags (the SYN/ACK), confirming that the port is open. If the port is closed it replies with a RST, which resets, in short closes, the connection attempt.

3.) The client completes the handshake with an ACK. In a connect scan this step is not optional: the operating system's connect() call performs the whole exchange, so a full connection is established and then closed again by the scanner.

The basic structure of a TCP three-way handshake is:

1. The client sends a SYN packet to the server.

2. The server replies with one packet that carries its own SYN and acknowledges the client's SYN with the ACK flag (the SYN/ACK).

3. The client acknowledges the server's SYN with an ACK.
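The connect scan described above, written against the ordinary socket API so that it runs without any special privileges. This is an added example, not code from the original article; the target address, the port list and the loopback listener in demo() are constructed for the demonstration. The operating system's connect() performs the complete three-way handshake, which is exactly why this scan is so easy to spot: every open port sees a real, accepted connection.

```python
import socket


def connect_scan(host, ports, timeout=1.0):
    """Classify TCP ports by letting the kernel run the full three-way handshake.

    open     -> connect() returned: SYN, SYN/ACK and ACK were all exchanged
    closed   -> the peer answered our SYN with RST, surfaced as ConnectionRefusedError
    filtered -> no reply before the timeout, typically a firewall dropping the SYN
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                # The connection is real: the service sees it in accept() and
                # may log it.  Leaving the with-block closes it again.
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError as exc:          # e.g. no route to host
                results[port] = "error:%s" % exc.errno
    return results


def demo():
    """Offline demonstration on the loopback interface (constructed, not a real target).

    One listening socket provides an open port; a socket that is bound and then
    released provides a port on which nothing listens, so the kernel answers
    the scanner's SYN with RST.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the kernel pick one
    listener.listen(5)
    open_port = listener.getsockname()[1]

    placeholder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    placeholder.bind(("127.0.0.1", 0))
    closed_port = placeholder.getsockname()[1]
    placeholder.close()                      # nothing listens here any more

    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return result[open_port], result[closed_port]


if __name__ == "__main__":
    print(demo())                            # ('open', 'closed')
```

A RST from the target shows up as ConnectionRefusedError because the kernel, not the scanner, handles the handshake; a dropped SYN shows up only as a timeout, so the timeout value is what separates "filtered" from a slow network.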

TCP SYN Scan (or Half Open Scanning)

To understand the working of a SYN or half-open port scanner, read its four-step operation:

1. The SYN port scanner sends a TCP packet with the SYN flag set (and the target port number in the header) to the remote host.

2. The remote system replies with either a SYN/ACK or a RST/ACK.

3. If the client receives a SYN/ACK from the server, the port is in the listening state. If the client receives a RST/ACK, the port is not listening, in other words there is no service running on that particular remote port.

4. When the scanner receives one of the above responses it already knows whether the port is open and whether a daemon is listening for connections. Instead of completing the handshake with an ACK, it answers the SYN/ACK with a RST (in practice the scanning host's own kernel does this, since no socket is waiting for that SYN/ACK), so the connection is never established.

TCP SYN scanning, or half-open scanning, is regarded as a stealth method because the three-way handshake is never completed: the application behind the port never sees a connection, so its own logs stay empty. It is therefore less visible than a traditional connect scan. However, modern firewalls and intrusion detection systems have no trouble detecting SYN scans, and the technique requires raw-socket privileges on the scanning host because the scanner must craft the SYN itself.

TCP Fin Scan

In this type of scan the client sends a segment with only the FIN flag set to the target port. According to RFC 793, an open port should silently ignore a FIN that does not belong to an existing connection, whereas a closed port, one with no service or daemon listening, replies with a RST. (UDP has no FIN flag; UDP ports are probed differently, as described later in the manual.)

So if the client gets a RST for a particular port, that port is closed; if nothing comes back, the port is reported as open, or more precisely open|filtered, since a firewall that silently drops the probe produces exactly the same silence. This scan rests on the rule we discussed earlier in the manual: a closed port answers any segment that could not belong to a connection with a RST, because nothing is listening there to accept it, whereas a compliant open port simply drops a lone FIN. Thus the remote system replies with a RST for all closed ports and stays silent for open ones.

TCP FIN scans are popular, but they only work against stacks that follow RFC 793, which in practice means Unix-like systems. Microsoft Windows, along with some other systems such as many Cisco devices, sends a RST to a lone FIN regardless of whether the port is open, so a FIN scan against such a host reports every port as closed.

TCP Null Scan

Earlier, we discussed the various flags available in TCP. If we send a segment in which all the flags are turned off (a NULL packet), the remote system receives no instruction at all: each flag selects a particular function, and a segment with none of them set is not a valid request to open, continue or close a connection.

The response follows the same rule as the FIN scan. If the NULL packet is directed to an open port, an RFC 793-compliant stack silently discards it; no error message is generated, and the service running on that port never sees the packet, because the TCP layer drops it before it reaches the application. If the NULL packet is directed to a closed port, the remote system replies with a RST, because the packet cannot belong to any connection on a port where nothing is listening. The same caveats apply as for the FIN scan: silence can also mean a firewall dropped the probe, and Windows hosts answer with a RST in every case.
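The SYN, FIN and NULL scans above all come down to two things: building a TCP segment with a chosen flag combination and a valid checksum, and mapping whatever comes back to a port state. The block below does both for the three scans in the text and also for the Xmas scan (FIN, PSH and URG set together), which belongs to the same family as FIN and NULL and is classified by the same rule. This is an added example, not code from the original article; the addresses and port numbers are placeholders, and the state names follow the open / closed / filtered / open|filtered vocabulary used by nmap.

```python
import socket
import struct

# TCP flag bits in their header positions: the six from RFC 793 followed by the
# two congestion-notification bits that RFC 3168 added later.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# Flag combinations used by the scans discussed in the text (plus Xmas).
SCAN_FLAGS = {"syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG}

# ICMP destination-unreachable codes that mean "a filter is in the way".
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0):
    """Return a 20-byte TCP header carrying `flags` with a valid checksum.

    Field order: sport, dport, seq, ack, data offset (5 words), flags,
    window, checksum (0 while computing), urgent pointer.
    """
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                         1024, 0, 0)
    csum = inet_checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp_checksum(src_ip, dst_ip, segment):
    """With the checksum field filled in, the whole sum folds to zero."""
    return inet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment):
    return segment[13]                      # byte 13 of the TCP header


def classify(scan, response):
    """Turn the reply to one probe into a port state.

    response is a TCP header (bytes), a tuple ("icmp", type, code), or None
    when nothing came back before the timeout.
    """
    if response is None:
        # Silence is ambiguous for FIN/NULL/Xmas: open ports drop the probe,
        # but so does a firewall.  A SYN to an open port would have answered.
        return "open|filtered" if scan in ("fin", "null", "xmas") else "filtered"
    if isinstance(response, tuple):
        _, icmp_type, icmp_code = response
        if icmp_type == 3 and icmp_code in ICMP_FILTERED_CODES:
            return "filtered"
        return "unexpected"
    flags = tcp_flags(response)
    if flags & RST:
        return "closed"                     # nothing listening: the RST rule
    if scan == "syn" and (flags & (SYN | ACK)) == (SYN | ACK):
        return "open"
    return "unexpected"
```

Actually transmitting a segment built this way needs a raw socket (socket.SOCK_RAW with IPPROTO_TCP, which requires root or CAP_NET_RAW) and a sniffer to catch the reply. The half-open property of the SYN scan then comes for free: when the SYN/ACK arrives, the scanning host's kernel finds no socket that sent the SYN and answers it with a RST on its own.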

Port Scanning UDP Ports

UDP has no handshake and no flags, so a UDP port scan relies on ICMP instead. The procedure is:

1.) A UDP datagram is sent to the target port.

2.) If the remote port is closed, the target's IP stack replies with an ICMP 'Port Unreachable' error message (ICMP type 3, code 3).

3.) If the port is open, no such error is generated; the service either answers with a datagram of its own, if the probe happened to be something it understands, or stays silent.

So an ICMP Port Unreachable tells the client that the port is closed, a UDP reply tells it the port is open, and silence means the port is either open or filtered; a scanner cannot tell these two cases apart from a single probe.

In UDP, if the server receives a datagram whose destination port has no service bound to it, the kernel replies with an ICMP Port Unreachable error message. A firewall that drops the probe, or one that answers with a different unreachable code (such as type 3 code 13, 'communication administratively prohibited'), marks the port as filtered instead.

The downside of UDP scanning is that UDP is a connectionless protocol, so its accuracy depends on a number of factors: probes and ICMP replies can be lost, most services answer only to correctly formatted requests, and many operating systems rate-limit ICMP errors (Linux, for example, sends at most about one Destination Unreachable per second to a given host by default), which forces a thorough scan to slow down to match. Together these factors often make UDP results slower and less certain than TCP results.
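The UDP scan described above, as an added example that is not code from the original article. It uses a trick that avoids raw sockets entirely: on a connected UDP socket the kernel hands an incoming ICMP Port Unreachable to the application as ConnectionRefusedError on the next send or receive, so an unprivileged program can still see the closed-port signal. The loopback echo responder and the released port in demo() are constructed for the demonstration.

```python
import socket
import threading


def udp_scan(host, ports, timeout=1.0, payload=b"\x00"):
    """Classify UDP ports using the ICMP port-unreachable rule.

    closed        -> ICMP type 3 code 3 came back; on a connected UDP socket
                     the kernel surfaces it as ConnectionRefusedError
    open          -> the service answered with a datagram of its own
    open|filtered -> silence: either the service ignored the probe or a
                     filter dropped it; one probe cannot tell which
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))         # "connected" so ICMP errors are reported
            try:
                s.send(payload)
                s.recv(1024)
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "open|filtered"
    return results


def demo():
    """Offline demonstration on loopback (constructed, not a real target).

    A tiny echo service provides an open port; a socket that is bound and
    released provides a closed one, for which the kernel emits ICMP type 3/3.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)
    open_port = srv.getsockname()[1]

    def responder():
        try:
            data, peer = srv.recvfrom(1024)
            srv.sendto(b"echo:" + data, peer)
        except OSError:
            pass

    worker = threading.Thread(target=responder, daemon=True)
    worker.start()

    placeholder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    placeholder.bind(("127.0.0.1", 0))
    closed_port = placeholder.getsockname()[1]
    placeholder.close()

    try:
        result = udp_scan("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        worker.join(timeout=5.0)
        srv.close()
    return result[open_port], result[closed_port]


if __name__ == "__main__":
    print(demo())                            # ('open', 'closed')
```

Against a remote Linux host the "closed" verdicts arrive at roughly one per second because of the kernel's ICMP rate limit (loopback is exempt, which is why the demo is instant), and a real scanner sends protocol-specific payloads rather than a single zero byte so that more services answer and move from open|filtered to open.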

Now that we know how most port scanning techniques work, the question arises of how to defend against them. There is no way to prevent a remote client from sending packets at your machine, but it is highly advisable to use software such as the following to detect and track port scanning attempts:

For Unix systems: Scanlogd

For Windows systems: BlackICE

Running a scanner such as nmap against your own hosts is not a detection measure, but it shows you exactly what an attacker would see.

Nowadays almost all firewalls and intrusion detection systems also detect and filter most port scanning attempts. But whatever software you use, it always pays to disable the services you do not need: a port with nothing listening has nothing to expose.
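The detection logic behind tools like the ones above boils down to counting, per source address, how many distinct ports on one host (a strobe or vanilla scan) or how many hosts on one port (a sweep) are touched inside a short time window. The block below runs that logic over a handful of constructed firewall log lines in the style of a netfilter LOG rule. It is an added example, not code from the original article or from any of the tools it names; the log format, the prefix FW-DROP, the addresses and the thresholds are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a netfilter LOG rule; not real traffic.
SAMPLE_LOG = """\
Mar  1 10:00:01 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=45001 DPT=21 SYN
Mar  1 10:00:01 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=45002 DPT=22 SYN
Mar  1 10:00:02 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=45003 DPT=23 SYN
Mar  1 10:00:02 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Mar  1 10:00:03 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=45004 DPT=25 SYN
Mar  1 10:00:03 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=45005 DPT=80 SYN
Mar  1 10:05:10 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=445 SYN
Mar  1 10:05:10 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=40002 DPT=445 SYN
Mar  1 10:05:11 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP SPT=40003 DPT=445 SYN
Mar  1 10:05:11 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.13 PROTO=TCP SPT=40004 DPT=445 SYN
Mar  1 10:05:12 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.14 PROTO=TCP SPT=40005 DPT=445 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: FW-DROP .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse(lines, year=2024):
    """Extract (time, src, dst, proto, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def detect_scans(events, window=timedelta(seconds=60), vertical=5, horizontal=5):
    """Flag a source that, inside any `window`, touches at least `vertical`
    distinct ports on one host (strobe/vanilla style) or one port on at
    least `horizontal` distinct hosts (a sweep)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = set()
    for src, evs in by_src.items():
        evs.sort()                                  # chronological per source
        for i, (start, _, _, _, _) in enumerate(evs):
            ports_per_host = defaultdict(set)       # sliding window from `start`
            hosts_per_port = defaultdict(set)
            for ts, _, dst, proto, dport in evs[i:]:
                if ts - start > window:
                    break
                ports_per_host[dst].add((proto, dport))
                hosts_per_port[(proto, dport)].add(dst)
            if max(len(p) for p in ports_per_host.values()) >= vertical:
                alerts.add(("vertical", src))
            if max(len(h) for h in hosts_per_port.values()) >= horizontal:
                alerts.add(("sweep", src))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src in detect_scans(parse(SAMPLE_LOG.splitlines())):
        print("%s scan from %s" % (kind, src))
```

The single connection attempt from 192.0.2.55 never trips either threshold, which is the point of counting distinct ports and hosts rather than raw drops; a slow scanner can still stay under the threshold by spreading probes over a longer period than the window, so in practice the window and thresholds are tuned against the normal traffic of the network being watched.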
