PortScanning

port scanning

The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.

Types of port scans:

* Vanilla: the scanner attempts to connect to all 65,535 ports
* Strobe: a more focused scan looking only for known services to exploit
* FragmentedPackets: the scanner sends packet fragments that get through simple packet filters in a firewall
* UDP: the scanner looks for open UDP ports
* Sweep: the scanner connects to the same port on more than one machine
* Ftp Bounce: the scanner goes through an FtpServer in order to disguise the source of the scan
* Stealth Scan: the scanner blocks the scanned computer from recording the port scan activities.
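As an added example (not code from this page), a small detector that reads constructed connection-log lines and flags the two fan-out patterns listed above: a vertical scan (one source probing many ports on one host, as in the Vanilla and Strobe types) and a sweep (one source probing the same port on many hosts). The log format, the IP addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample connection log (not real traffic), one event per line:
# "src_ip dst_ip dst_port proto". 10.0.0.5 probes six ports on one host
# (a vanilla/strobe-style scan), 10.0.0.9 probes port 445 on five hosts
# (a sweep), and 10.0.0.7 is a single ordinary HTTPS connection.
SAMPLE_LOG = "\n".join(
    [f"10.0.0.5 192.168.1.10 {p} tcp" for p in (21, 22, 23, 25, 80, 110)]
    + [f"10.0.0.9 192.168.1.{h} 445 tcp" for h in range(1, 6)]
    + ["10.0.0.7 192.168.1.10 443 tcp"]
)


def parse_log(text):
    """Parse whitespace-separated log lines into (src, dst, port, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        events.append((src, dst, int(port), proto))
    return events


def detect_scans(events, port_threshold=5, host_threshold=5):
    """Flag sources whose distinct-port or distinct-host fan-out crosses a threshold.
    'vertical': one source touching >= port_threshold distinct ports on one host.
    'sweep':    one source touching >= host_threshold distinct hosts on one port.
    Thresholds are assumed values; tune them to the monitored network.
    """
    ports_per_host = defaultdict(set)   # (src, dst, proto) -> set of ports
    hosts_per_port = defaultdict(set)   # (src, port, proto) -> set of hosts
    for src, dst, port, proto in events:
        ports_per_host[(src, dst, proto)].add(port)
        hosts_per_port[(src, port, proto)].add(dst)

    findings = []
    for (src, dst, proto), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            findings.append(("vertical", src, dst, proto, len(ports)))
    for (src, port, proto), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings.append(("sweep", src, port, proto, len(hosts)))
    return findings


if __name__ == "__main__":
    for finding in detect_scans(parse_log(SAMPLE_LOG)):
        print(finding)
```

Because a stealth scan aims to keep the scanned host from recording the probes, a detector like this is more useful when fed firewall or flow logs than the target machine's own logs.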

Port scanning in and of itself is not a crime. There is no way to stop someone from port scanning your computer while you are on the Internet, because accessing an InternetServer opens a port, which opens a door to your computer. There are, however, software products that can stop a port scanner from doing any damage to your system.

--

Nmap

http://www.insecure.org/nmap/nmap_doc.html

Scanning, as a method for discovering exploitable communication channels, has been around for ages. The idea is to probe as many listeners as possible, and keep track of the ones that are receptive or useful to your particular need. Much of the field of advertising is based on this paradigm, and the "to current resident" brute force style of bulk mail is an almost perfect parallel to what we will discuss. Just stick a message in every mailbox and wait for the responses to trickle back.

Scanning entered the h/p world along with the phone systems. Here we have this tremendous global telecommunications network, all reachable through codes on our telephone. Millions of numbers are reachable locally, yet we may only be interested in 0.5% of these numbers, perhaps those that answer with a carrier.

The logical solution to finding those numbers that interest us is to try them all. Thus the field of "wardialing" arose. Excellent programs like Toneloc were developed to facilitate the probing of entire exchanges and more. The basic idea is simple. If you dial a number and your modem gives you a CONNECT, you record it. Otherwise the computer hangs up and tirelessly dials the next one.

While wardialing is still useful, we are now finding that many of the computers we wish to communicate with are connected through networks such as the Internet rather than analog phone dialups. Scanning these machines involves the same brute force technique. We send a blizzard of packets for various protocols, and we deduce which services are listening from the responses we receive (or don't receive).

--

Port scanning is the process of determining which of the many TCP (or UDP or other protocol) ports are being used by a particular computer. Some of the previous questions I've answered have defined what TCP ports are.

Port scanning is often one of the first things an attacker will do when attempting to penetrate a particular computer. Tools such as Nmap (available from http://www.insecure.org) provide an automated mechanism for an attacker to not only scan the machine to find out what ports are "open" (meaning being used), but also help to identify what operating system is being used by the machine.

Other tools also provide port scanning. Nessus (available from http://www.nessus.org) integrates Nmap with it to do a comprehensive port scan and also vulnerability checking. Used by the security professional, the results of Nessus can help in determining what security patches need to be applied or what services need to be disabled. Used by the attacker, the results can help in determining what exploit attempts will work and which ones will not.

See also: PortScanner