A port scan is one of the fundamental technique that is used to identify the open doors or weak-points in a network. Network admins use this to discover the potential vulnerabilities by sending packets to specific ports and analyze response. You can use tools like IP scanning, Nmap, Netcat, etc. to ensure that your network and systems are secure or not.
The same technique is also used by threat-actors to find the possible entry-points in your network. They can find out whether the given port is being used or closed, they can even identify the services or programs that might be using the given port. It can also reveal to them whether active security devices, e.g., Firewall is being used by your organisation, to filter out the packets or traffic.
Active port scanning by malicious actors can ring severe alarm-bells for your organisation, because it can reveal a lot of information about your network. For example,
*) Services that are running or using the port(s)
*) Users who own services
*) Whether anonymous logins are allowed
*) Which network services require authentication, etc
What are Ports?
A port is a point on a computer or network device where actual exchange of information between programs, internet to your network devices & computers happens.
In order to achieve consistency, ports are always some numbers. We identify ports via these port numbers. These port numbers work alongside with an IP address and together they build a piece of highly vital information that every ISP or program needs to fulfill your data requests.
If you are fully aware of Ports then you would know that -- Port numbers range from 0 through to 65,535 and are ranked in terms of popularity.
1. Well-Known Ports
These are ports numbered 0 to 1,023 and are typically reserved for internet usage but can also have specialized purposes. These ports are assigned by the Internet Assigned Numbers Authority (IANA) and held by leading businesses and Structured Query Language (SQL) services.
2. Registered Ports
These are ports numbered from 1,024 to 49,151 and they are registered by software companies.
3. Dynamic/Private Ports
These are ports numbered from 49,152 to 65,535 and can be used by almost everyone on the internet.
Ports are generally managed by 2-protocols (there are some other protocols too):
1) TCP, which defines how to establish and maintain a network conversation between applications
2) UDP, which is primarily used for establishing low-latency and loss-tolerating connections between applications.
Some of the most popular and frequently used ports are mentioned here:
- Port 20 (UDP): File Transfer Protocol (FTP) used for transferring data a second channel for data transport
- Port 21 (UDP): FTP used for command and Control of FTP Server
- Port 22 (TCP): Secure Shell (SSH) protocol used for FTP, port forwarding, and secure logins
- Port 23 (TCP): The Telnet protocol used for unencrypted TXT-communication
- Port 43 (TCP): Used by SMTP for mailing systems
- Port 53 (UDP): The Domain Name System (DNS), which translates internet domain names into machine-readable IP addresses
- Port 80 (TCP): The World Wide Web HTTP
- Port 443(TCP): HTTP Secure (Https)
1. Ping scan
A ping scan is the simplest of port scanning techniques and known as ICMP-requests also. In this scan, you send a group of several ICMP requests to various servers in an attempt to get a response. A ping scan can be used by administrators to troubleshoot issues, and you can block or disable these pings using your firewall easily.
2. Vanilla scan
In this scan, you attempt to connect to ALL of 65,536 ports at the same time. It sends a SYN flag (request to connect) and upon receiving a SYN-ACK (acknowledgement of connection) response, sends back an ACK flag. This whole sequence of SYN, SYN-ACK, ACK exchange creates a complete TCP handshake. These scans are also called as Full connect scans. They are accurate, but can very easily be detected because full connections are ALWAYS logged by your firewall.
3. SYN scan
This scan is also called Half-open scan, because it only sends a SYN, and waits for a SYN-ACK response from the target. That's it. If a response is received, the scanner never responds to it. Since the TCP connection was not completed, your system or Firewall doesn’t log this interaction, but the sender (you) have learned if the given port is open or not. This is a quick technique that hackers use to find weaknesses.
4. XMAS and FIN scans
Christmas tree scans (XMAS scans) and FIN scans are, in fact, more discrete attack methods. XMAS scans got their name from the set of flags that are TURNED ON within a packet which, when viewed in a protocol analyzer like Wireshark, appear to be blinking like a Christmas tree. This type of scan sends a set of flags, which, when responded to, can disclose valuable insights about the firewall and whether the port is open or not.
In a FIN scan, an attacker sends a FIN flag to a port. You need to know that this FIN-flag is often used to end an established session, to a specific port. How the system responds to that FIN-flag, can help the attacker understand -- what is the level of activity on that port, and how the firewall is being used by your organisation.
5. FTP Bounce scan
This scan allows the sender to disguise his actual location by bouncing the packet through an FTP server. This is also designed for the sender to go undetected.
6. Sweep scan
This sort of scan tilt heavily towards network scanning, less to port-scanning. In this scan, you or attacker pings the same port across a number of computers on your network to identify which computers on the network are active. This does not reveal information about the port’s state, instead it tells the sender which systems on a network are active. Thus, it can be used as a preliminary scan.
As you may have already sensed that network-scanning activity (host discovery) would precede the port-scanning. Indeed, network scanning is a process that identifies a list of active hosts on a network and maps them to their IP addresses, which need to be compiled before running a port scan.
Network Scanning is often the first step hackers take in staging an attack.
When you want to scan your LAN, you would be using ARP Scan. An ARP scan maps IP addresses to MAC addresses and can be used to determine hosts that are active. But if you or attacker is not inside the LAN, then this scan cannot be used.
Thus, if you want to scan out of a LAN environment, then you need to execute number of ICMP scans. You would be executing this sort of scans by using ICMP requests for address mark, echo, and timestamp, etc. If you don't get a response from an IP address, then it means that there is no host at the target address or your request was blocked by a firewall or packet filter solution.
Once the network scan has been completed and a list of available hosts compiled, a port scan attack can identify the usage of specific ports. It will typically classify ports as open, closed, or filtered.
Open ports: Open ports indicate that the target server or network is actively accepting connections or datagrams and has responded with a packet that indicates it is listening. It also indicates that the service used for the scan (typically TCP or UDP) is in use as well.
Closed ports: Closed ports indicate that the server or network received the request, but there is no service “listening” on that port. A closed port is still accessible and can be useful in showing that a host is on an IP address.
Filtered ports: Filtered ports indicate that a request packet was sent, but the host did not respond and is not listening. This usually means that a request packet was filtered out and/or blocked by a firewall. If packets do not reach their target location, attackers cannot find out more information. Filtered ports often respond with error messages reading “destination unreachable” or “communication prohibited.”
HOW TO DEFEND AGAINST PORT SCANNING BY THREAT-ACTORS?
Since cyber criminals search through networks to assess how ports react, which enables them to understand your business's security levels and the systems they deploy.
Some important defense mechanisms you can use are:
1. A network based IPS
To protect your business from internal threats...
2. A strong firewall
A firewall can prevent unauthorized access to your company’s private network. It controls ports and their visibility, as well as detects when a port scan is in-progress before shutting it down.
3. TCP wrappers
These will allow you to have the flexibility to permit or deny access to servers based on IP addresses and domain names.
4. Uncover holes in own network
You can conduct your own internal port scans to determine whether more ports are open than required. You should regularly check your systems to identify potential weak points or vulnerabilities that could be exploited by an attacker.
Some tools such as network monitoring, packet filtering, and IP mapping, etc will improve your ability to identify attacks and offer advanced visibility across your networks.