In a fit of boredom over the long holiday break I decided to dust off my Python skills and write a few toy programs, including a very simple port scanning application. A port scanner is a program used to probe a host for open ports. They’re often used by network admins to verify security policies, but they can also be used by bad actors to perform recon.
What is a Port?
No, these are not the physical ports on the back of your machine. In this context, a port is a 16-bit number that identifies one endpoint of a transport-layer (TCP or UDP) conversation on a host, which is how several programs behind the same IP address can exchange data with the network at the same time. When someone runs a port scan, it’s like knocking on each door to see whether anybody answers. The replies reveal which ports are open and listening, and the way probes are answered (or silently dropped) can also reveal a firewall or other filtering device in the path.
Port scanning can provide information such as:
- Which services are running (and, once a banner is read from an open port, often their versions)
- The user account a service runs as (where an ident service answers for it)
- Whether anonymous logins are allowed (for example on FTP)
- Which network services require authentication
Port numbers range from 0 through 65,535 (a 16-bit field) and are divided by the Internet Assigned Numbers Authority (IANA) into three ranges. Ports 0-1,023 are the “well-known” (system) ports, assigned by IANA to widely used internet protocols such as HTTP, SSH and DNS. On Unix-like systems a process normally needs root privileges to bind a listener to one of these ports, so a service answering on a well-known port was started by a privileged process.
Ports 1,024-49,151 are “registered ports,” which vendors and developers register with IANA for their applications; many database servers live here, such as MySQL on 3306 and Microsoft SQL Server on 1433. Ports 49,152-65,535 are the dynamic or private (ephemeral) ports, which any program can use and which clients typically use as the source port of outgoing connections. Some port numbers were also historically associated with particular Trojans and backdoors, so an unexpected listener on one of them may indicate that the system is infected and is worth investigating.
Some of the most frequently used well-known ports include:
- Port 20 (tcp) – File Transfer Protocol (FTP) data channel; port 21 (tcp) carries the FTP control channel, over which credentials are sent in cleartext
- Port 22 (tcp) – Secure Shell (SSH) for encrypted logins, file transfer (SCP/SFTP) and port forwarding
- Port 23 (tcp) – Telnet, for unencrypted remote terminal sessions
- Port 53 (udp and tcp) – Domain Name System (DNS), which translates host names into IP addresses
- Port 80 (tcp) – World Wide Web HTTP (unencrypted; HTTPS uses 443)
Types of Scans
The port scanner that I wrote is a very simple ping scanner, but there are other types of scans. Here is a list:
- Ping scan: The simplest technique. A ping scan sends ICMP Echo Requests to a range of hosts and records which ones answer, so it discovers live hosts rather than open ports. ICMP echo is commonly blocked or disabled by firewalls, so a missing reply does not prove the host is down.
- Vanilla (TCP connect) scan: Another basic technique; it attempts a full TCP connection to each of the 65,536 port numbers in turn (or to a chosen subset). The scanner sends a SYN (a connection request); if the port answers SYN-ACK, the scanner replies with ACK, completing the three-way handshake. A closed port answers RST, and a filtered port typically answers nothing. Because the connection is fully established, the listening application and any firewall that logs connections see it as an ordinary connection, which makes this scan easy to detect. It is also what a scanner built on the ordinary socket connect() call performs, since the operating system completes the handshake on the program’s behalf.
- SYN scan: AKA a half-open scan. The scanner sends a SYN and waits: a SYN-ACK means the port is open, an RST means it is closed, and silence (or an ICMP unreachable message) means it is filtered. On an open port the scanner then sends an RST instead of the final ACK, so the handshake is never completed. Because no connection is established, the listening application never sees it and records nothing, although firewalls and intrusion detection systems can still log the half-open probes. Crafting the SYN and RST packets directly requires raw-socket access, i.e. root or administrator privileges. This is the scan attackers most commonly use to enumerate open ports before looking for vulnerabilities.
- XMAS and FIN scans: Christmas tree (XMAS) scans and FIN scans are more discreet techniques that send segments no legitimate client would send. An XMAS probe sets the FIN, PSH and URG flags together; the packet “lit up” with flags in Wireshark gives the scan its name. A FIN scan sends a bare FIN (the flag used to end an established session) to a port that has no session with the sender. Both rely on RFC 793 behaviour: a closed port must answer an unsolicited segment that carries no SYN, RST or ACK with an RST (an immediate abort), while a port in the LISTEN state must silently drop it, so the response, or its absence, reveals the port’s state, and an ICMP unreachable reply reveals a filtering device. Because the probes carry no SYN, older stateless packet filters that only inspected SYN segments let them through. The caveat is that many stacks (Windows and many network devices among them) answer RST regardless of port state, so on such hosts these scans report every port as closed.
- FTP bounce scan: An old technique that abuses the FTP PORT command to make a third-party FTP server open connections to arbitrary hosts and ports on the scanner’s behalf. The target sees only the FTP server’s address, so the scanner’s own location is disguised. Modern FTP servers refuse PORT commands that point at a host other than the client, so this rarely works today.
- Sweep scan: A preliminary technique in which the same probe (an ICMP echo for a ping sweep, or a single TCP port for a port sweep) is sent to many hosts on a network to find which ones are alive. It says little about the state of the other ports on each host, but it tells the sender which systems are in use and worth scanning further.
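As an added example (my code, not the scanner from the original post), here is a minimal TCP connect scanner in Python of the kind the vanilla scan above describes. It runs against a throwaway listener on 127.0.0.1 so it works offline, and it distinguishes open, closed and filtered ports by how connect() succeeds or fails, which is the part a first scanner usually gets wrong (a timeout is not the same as a refused connection). The listener and the choice of ports are constructed for the demonstration.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener(host="127.0.0.1"):
    """Constructed sample target: a TCP listener on an ephemeral loopback port
    so the scan has something real to find without touching the network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: let the kernel pick a free port
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                break
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Reserve and immediately release an ephemeral port, giving us a port
    that is (almost certainly) closed for the demonstration."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """TCP connect scan of one port: the OS performs the full SYN, SYN-ACK,
    ACK handshake for us, so the target sees a complete connection.
      open     -> handshake completed
      closed   -> the peer answered the SYN with RST (connection refused)
      filtered -> nothing came back before the timeout, or an ICMP error
                  arrived; typical of a firewall dropping the probe
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:  # e.g. host unreachable / no route
            return "filtered"
        return "open"


def scan(host, ports, timeout=0.5, workers=50):
    """Probe several ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p, timeout), ports)
        return dict(zip(ports, states))


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    for port, state in sorted(scan("127.0.0.1", [open_port, closed_port]).items()):
        print(f"127.0.0.1:{port} {state}")
    srv.close()
```

The timeout is what turns a slow scan into a correct one: without it, a single filtered port blocks the scanner for the kernel's full SYN retry schedule (over a minute on Linux), and with it, a timeout must be reported as "filtered" rather than "closed", because only an RST proves a port is closed.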
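The SYN, FIN and XMAS scans above differ only in which TCP control bits the probe carries and in how the reply is read. The following added example (mine, not the author's scanner) builds a raw 20-byte TCP header for each probe type with a correct RFC 793 pseudo-header checksum and classifies replies the way the list describes. It deliberately does not transmit anything: sending a hand-built segment needs a raw socket, and therefore root privileges. The IP addresses and port numbers in it are constructed sample values.

```python
import socket
import struct

# TCP control bits (RFC 793), low six bits of the offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# What each scan type puts in its probe.
PROBE_FLAGS = {
    "syn": SYN,
    "fin": FIN,
    "xmas": FIN | PSH | URG,  # 0x29: the "lit up" Christmas tree segment
}


def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words,
    folded, then complemented. Odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, flags, seq=0):
    """Return a 20-byte TCP header (no payload) carrying `flags`, with the
    checksum computed over the IPv4 pseudo-header + header as RFC 793 requires."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, reserved bits 0
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                         offset_flags, 1024, 0, 0)  # window 1024, csum 0, urg 0
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP,
                         len(header))
    csum = checksum(pseudo + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_checksum(src_ip, dst_ip, segment):
    """A receiver's check: summing pseudo-header + segment (checksum included)
    must yield 0."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP,
                         len(segment))
    return checksum(pseudo + segment) == 0


def tcp_flags(segment):
    """Control bits of a TCP header (the six classic flags only)."""
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def classify(scan_type, response):
    """Interpret the reply to a probe. `response` is None (nothing came back),
    the string "icmp-unreach" (ICMP destination unreachable from a filter),
    or the integer control bits of the TCP segment that came back."""
    if response == "icmp-unreach":
        return "filtered"
    if scan_type == "syn":
        if response is None:
            return "filtered"
        if response & SYN and response & ACK:
            return "open"  # a real listener answered; we would now send RST
        if response & RST:
            return "closed"
        return "unexpected"
    # FIN / XMAS: RFC 793 says a closed port answers RST and a listening
    # port stays silent, so silence cannot tell open from filtered.
    if response is None:
        return "open|filtered"
    if response & RST:
        return "closed"
    return "unexpected"


if __name__ == "__main__":
    for name, flags in PROBE_FLAGS.items():
        seg = build_tcp_segment("10.0.0.1", "10.0.0.2", 40000, 80, flags)
        print(f"{name:5s} flags=0x{tcp_flags(seg):02x} "
              f"checksum_ok={verify_checksum('10.0.0.1', '10.0.0.2', seg)}")
    print(classify("syn", SYN | ACK), classify("fin", None), classify("xmas", RST))
```

Note the asymmetry the classifier encodes: a SYN scan gets a positive signal for "open" (the SYN-ACK), whereas FIN and XMAS scans only ever get a positive signal for "closed", which is why nmap-style tools report "open|filtered" for them and why a stack that answers RST to everything makes them useless.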