Port scanning: a double-hedge sword?
Port scanning refers to the activity of determining which port within a network can receive and send data, by sending packets to specific ports and analyzing responses to detect flows or vulnerabilities.
The main goal of port scanning is identifying IP addresses, hosts, and ports to determine which one of them are open or vulnerable to unauthorized access. Vice versa, threat actors can use this method to find out the security levels in place between devices and servers.
Thus, it is important to stress that port scanning may be used by hackers in their attempts to violating systems and networks via open ports or weak entry points, being ports access one of the most popular way to assess how to start a violation.
Learn more on our blog below!
What are ports
In a computer, ports are its gateway, that is where information from or to a software or a computer flow. Along with IP addresses, they are vital to allow any Internet Service Provider to fulfil requests.
How many ports are there outside in the net? They are numbered and limited. They range from 0 to 65,536.
Some of them are free and dynamic to use by everyone, other have specific functions.
“Prominent” ports are assigned to service providers and top-tier IT companies.
Port scanning techniques
Scanning them may reveal the presence or the absence of a firewall by the port that protects the way between servers and devices.
There are three main techniques: ping, SYN, and XMAS scans.
The ping type is the simplest. One may verify whether a data packet may be sent through an IP address without errors. Easily noticeable, this method is used by IT administrator to troubleshoot. Firewalls can stop ping smoothly;
The SYN type is much more silent. It can determine port status without establishing a full connection. Works well with open ports (see below);
Finally, XMAS is the stealthiest technique. They terminate a connection once they find a virtual “handshake” on the other end through FIN packets. FINs go unnoticed as firewalls indeed often look for SYN ones.
XMASs work as follows. If there is no response to the FIN packets request, it means the port is open. Alternatively, if the port is closed, an RST response would pass through.
Port scanning results
What does “open” or “closed” port mean though?
Once the scan is performed, one may discover the status of a network by looking at its results, which are:
Open ports. This indicates the acceptance of connections by the targeted network or server and that the targeted network or system is listening and responding with packets. This result is what cybercriminals hope from a port scanning, being the green light to a quite easy violation. IT administrators have to put a firewall to limit access from outside.
Closed ports. This indicates the receipt of a request by a network or a system, but no service is listening there. This does not mean that hacker cannot get in. Firewalls should be put in place, if ports change their status to “open”.
Filtered ports. Indicates the sending of a request, but the host is neither responding nor listening. Usually, this means that a firewall has filtered out the initial request. By doing so, attackers cannot get more information on the target.
Conclusion
Port scanning is one of the most popular way to gather intelligence prior to starting a violation. It is a reconnaissance phase where an attacker could learn about network security of the targets.
These scans are popular because they are particularly sneaky. They basically test targets defense, operating system and presence of firewalls, among others.
Monitoring traffic by the means of a threat intelligence program may reduce exposure from attackers using port scanning to detect easy entry point.