Port Scanning: It's Not Just an Offensive Tool Anymore

Gary C. Kessler
May 2001


An edited version of this paper with the title "Plugging Leaky Holes" originally appeared in the June 2001 issue of Information Security Magazine (www.infosecuritymag.com). Copyright © 2001. All rights reserved.


System administrators are constantly being advised to check their systems for open ports and services that might be running that are either unintended or unnecessary. In some cases, the services might be Trojans just waiting to be exploited.

The most common host-based tool for checking for open ports on Windows or Unix systems is the netstat command. But running this command means actually walking or remotely accessing each and every server; and you miss other host systems that might be listening on improper ports. This is where port scanners come in; with this tool, a system, network, or security administrator can check a group of hosts all at once.

Port scanning software has long been in the hacker's arsenal and is finally emerging as an important defensive tool as well. Originally only available for Unix/Linux systems and distributed on underground hacker web sites, port scanners are now also available for Windows platforms and have even entered the realm of reputable, commercial software. If you don't know what a port scanner is, you should; and if you don't use a port scanner to test your defenses, you should.

So, What's a Port?

Let's start with the basics. In the TCP/IP protocol stack, messages associated with the common application protocols that most of us are familiar with — such as HTTP for the Web; SMTP, POP, and IMAP for e-mail; Telnet and SSH for remote logon; and FTP for file transfers — operate over the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP); TCP and UDP messages, in turn, are carried inside Internet Protocol (IP) packets. The primary difference between TCP and UDP is that TCP is connection-oriented and UDP is connectionless. When using TCP, then, two hosts must first establish a logical connection before they can exchange data (analogous to establishing a telephone connection) while hosts using UDP do not require a logical connection before the exchange of information (analogous to sending a letter through the postal service).

Both TCP and UDP employ port numbers to identify the higher layer applications at the hosts that are communicating with each other. End-to-end data communications on the Internet, in fact, are uniquely identified by the source and destination host IP addresses and the source and destination TCP/UDP port numbers.

TCP/IP applications generally employ a client/server model, exemplified by the relationship between your Web client software (i.e., the browser) and a Web server; the user "points" their browser at the Web server which is usually listening on port 80. Port numbers can take on a value between 1 and 65535, with server applications generally being assigned a value below 1024. There are a large number of so-called well-known ports, including:

A complete list of port numbers can be found at the Internet Assigned Numbers Authority (IANA) list of port numbers at http://www.iana.org/assignments/port-numbers.

Port Scanner Operation

A port scanner, most simply, probes a computer system running TCP/IP to determine which TCP and UDP ports are open and listening, which indicates all of the services that this system is offering to other TCP/IP hosts. As an example, you would expect an e-mail server to be listening on the SMTP and POP3 ports, and a Web server to be listening on the HTTP, and perhaps the SSL/HTTPS, ports. For good or for bad, however, most systems have many more open ports than intended. You can use the netstat -a command to find out which ports are open on a local Linux/Unix or Windows system (Figure 1), but netstat can't be used remotely across a network.


FIGURE 1: The netstat command can be used from the Linux or Windows command line to check on
open ports on the local computer.

While firewalls presumably block inappropriate traffic going in and out of a given Internet site, they can't protect a server from intended traffic; incoming HTTP traffic to the Web server, for example, is appropriate and will not be blocked. Those servers have to be secured and protected themselves.

Once an attacker has found available servers using a port scanner, he or she can use this information to attempt to connect to those services, determine what specific software is running, and check to see if there are any known vulnerabilities with that software that might be exploited. Port scanners are particularly effective when they find unadvertised servers since many sites fail to adequately protect these experimental, non-production systems since "no one knows about them." As an example, attackers can use port scanners to look for systems running Web or DNS services. They can then target those hosts looking for vulnerable software, such as older versions of the Internet Information Service (IIS) or exploitable versions of the Berkeley Internet Domain Daemon (BIND).

Port scanners can also be used to examine hosts for known Trojan horses, distributed denial-of-service (DDoS) tools, or other malicious services running on a host. These kinds of port scans or port probes are seen all of the time. A short list of some of the default "bad" ports are:

[AUTHOR'S NOTE: There is no official list of these "bad" ports but I maintain one such list at http://www.garykessler.net/library/bad_ports.html.]

nmap

Perhaps the best known port scanner is nmap, available for Linux systems from http://www.insecure.org/nmap. As shown in Figure 2, the nmap command can be used to find all open ports on a range of IP addresses (in this case, two hosts were found in the 192.168.0.0 Class C subnet). Note that two very significant pieces of information about these hosts are also returned: the likelihood of successfully guessing the TCP initial sequence number (a common mechanism for another type of attack) and the host's operating system (an essential piece of information when searching for vulnerabilities). All of this information provides an attacker with potential information with which to launch an attack against one or more of these hosts.


FIGURE 2: nmap command line tools for Linux/Unix.


FIGURE 3: nmap graphical front end for Linux/Unix.

For users who prefer a graphical user interface (GUI), there is also a graphical front end for nmap (Figure 3). The nmap GUI shows a number of interesting features such as how to easily change the form of the port scanning attack. The most basic form of port scanning might be accomplished by attempting to establish a Telnet session to each port on the target host in sequence; successful connections indicate an open port. But not only is this type of attack time consuming, it is sure to be detected if the target network uses any form of logging or intrusion detection.

Several forms of "quiet" port scanning can be used, however, that are less detectable. In one scheme, the attacker starts to establish a Telnet connection on each port on the target host but does not complete the required three-way SYN/ACK handshake. Another method is for the attacker to close a non-existent Telnet connection on ports on the target host; by monitoring the target host's response, the attacker can determine whether the port was open in the first place. There are other methods as well, and one of the best descriptions of port scanning can be found in "The Art of Port Scanning" by Fyodor (nmap's author) in Phrack Magazine (http://www.phrack.com/search.phtml?view&article=p51-11). Both the command line and GUI for nmap support many types of port scanning probes.

Security managers are constantly told that a site needs to have a security policy. Once policies have been written, they need to be implemented and this includes configuring the firewall to properly allow and deny traffic. nmap can play an important role in auditing the firewall, or ensuring that the firewall actually implements the intended policies, by testing to see what ports are allowed to pass through the firewall. In this way, the defender — or attacker — can learn which ports the firewall is defending and which applications are only protected by the server itself.

(Testing the ports that can pass through the firewall is very different than testing what ports — or services — are open at the firewall. Determining what ports are open at the firewall yields possible ways to attack the firewall itself. Testing to see what ports are allowed to pass through the firewall allows the sysadmin to ensure that the firewall packet filtering is performing as desired and properly protecting the internal systems.)

Another important tool in this genre is hping, which might be best described as a port scanner on steroids (http://www.kyuzz.org/antirez/hping.html). hping is a Unix-based command-line TCP/IP packet assembler/analyzer. It can be used for many tasks, including firewall testing, advanced port scanning, network and intrusion detection testing (by crafting TCP/IP packets), remote OS fingerprinting, and TCP/IP stack auditing.

Other Port Scanning Software

Port scanning software is no longer limited to the Linux/Unix environment. nmap itself has now been ported (no pun intended!) to Windows NT and can be found at eEye Digital Security's Web site at http://www.eeye.com/html/Research/Tools/nmapnt.html.


FIGURE 4: Port scanner function in the J. River Network Toolbox.

There are other Windows-based port scanners and one of the better ones can be found at the J. River Network Toolbox Web site (http://www.jriver.com). As shown in Figure 4, this port scanner finds open TCP, but not UDP, ports. The software also includes ping, traceroute, IP address scanning, finger, and whois functions.


FIGURE 5: Foundstone's SuperScan port scanner.

Foundstone, the company founded by the three authors of the most excellent book Hacking Exposed, distributes SuperScan (Figure 5), a port scanner that is among several interesting tools available at their site (http://www.foundstone.com). WildPackets distributes iNetTools, an add-on to their EtherPeek packet sniffer software, that includes DNS lookup, finger, name lookup and scanning, ping, port scanning, traceroute, and whois (http://www.wildpackets.com/products/inettools).

CONCLUSION

Why use a "hacker tool" to help defend your network? There are a number of reasons. First, the hackers use this tool because it is a good way to learn about your network. You can use it to learn about your network, too. You can also learn what the hackers are learning about your network. Second, port scanning provides an excellent way in which you can audit your network's security policies and as a first pass towards assessing your network's potential exposures.

Bottom-line: A port scanner is an important tool in the security manager's toolkit. It has, like all of the best security tools today, both offensive and defensive capabilities — but that is no reason not to use it yourself.



ABOUT THE AUTHOR: Gary C. Kessler is an Assistant Professor and program coordinator of the Computer Networking major at Champlain College in Burlington, Vermont, and an independent consultant and writer. His e-mail address is kumquat@sover.net.