Port Scan in Ethical Hacking

Last Updated : 13 Mar, 2026

Port scanning is a technique used to identify available ports and services on hosts on a network. Security engineers use it to check computers for vulnerabilities, and attackers also use it to find targets. It works by sending connection requests to target computers and recording how each port responds. Network scanners do not harm computers by themselves; instead, they make requests similar to those sent by human users who visit websites or connect to other computers using applications such as Remote Desktop Protocol (RDP) and Telnet.

  • Port scanning uses ICMP echo-request packets to probe hosts.
  • Type 8 indicates an echo request, expecting a reply from the target.
  • Type 0 means no response is expected from the target host.
  • These flags help identify open or filtered ports on the network.

Ports and Services

Ports are like virtual doors on a computer that different services use to communicate with other devices on a network. Each port is identified by a number known as a port number. There are 65,535 ports in total; not all of them are in use, but some well-known and important ones deserve particular attention. All ports fall into the following three categories:

  • Well-known ports (0–1023) used by standard services.
  • Registered ports (1024–49151) used by user or vendor-specific services.
  • Dynamic/private ports (49152–65535) used temporarily by apps.

Common Port Numbers and Their Services

| Port Number | Service | Purpose |
|---|---|---|
| 20, 21 | FTP (File Transfer Protocol) | Used for transferring files between systems |
| 22 | SSH (Secure Shell) | Secure login to remote computers |
| 23 | Telnet | Remote login (insecure, outdated) |
| 25 | SMTP (Simple Mail Transfer Protocol) | Sending emails |
| 53 | DNS (Domain Name System) | Translates domain names to IP addresses |
| 80 | HTTP (HyperText Transfer Protocol) | Loading websites |
| 110 | POP3 (Post Office Protocol 3) | Receiving emails |
| 143 | IMAP (Internet Message Access Protocol) | Managing and reading emails |
| 443 | HTTPS (HTTP Secure) | Secure version of HTTP |
| 3306 | MySQL | Used by MySQL databases |
| 3389 | RDP (Remote Desktop Protocol) | Remote desktop access on Windows |

These ports help hackers understand what services are running on a target system. Open ports can be entry points, which is why scanning and securing them is so important in ethical hacking.

Why Is Port Scanning Done?

Port scanning is one of the first steps in ethical hacking after reconnaissance. It helps ethical hackers understand how a system is set up. Here are the main reasons port scanning is done:

1. Discover Open Ports

Port scanning helps in finding which ports on a device are open and accepting connections. An open port means that a service is running. By knowing which ports are open, an ethical hacker can figure out which parts of the system are exposed to the internet and could be exploited.

2. Identify Running Services

When open ports are found, the next step is to find out what services are running on those ports. For example, if port 80 is open, it usually means a web server is running. If port 22 is open, it means SSH is available for remote access. Knowing which services are active helps in checking if they are secure or outdated.

3. Map the Attack Surface

The attack surface is the total number of ways an attacker can try to enter a system. Port scanning helps in mapping this by showing all the open ports. This information is useful to understand where defenses are weak and what areas need better protection.

Types of Port Scans

To protect your network from port scans, it is essential to understand the different types of port scans used by hackers.

  • Vanilla Scan: This scan tries to connect to every single one of the 65,535 ports on a system to check which ones are open.
  • Sweep Scan: Instead of scanning many ports on one device, this method checks the same port on multiple computers to find out which ones are active.
  • FTP Bounce Scan: In this method, the scanner uses an FTP server to send scan requests and hide the real source of the scan.
  • Stealth Scan: This type of scan avoids being recorded in the target system’s logs. It’s done in a way that the scanned computer doesn’t easily notice that it’s being scanned.

Types of Ports Found During Scan

Not all ports respond to scanning. There can be different reasons for this, such as the port not being open or a firewall preventing the probe packet from reaching the port. The following types of ports are usually found during a scan:

  • Open: The host replies and announces that it is listening and accepting connections. An unintended open port is an attack path into the network.
  • Closed: The host responds, but no application is listening on the port. Attackers may rescan later in case it has since been opened.
  • Filtered: The host does not respond to a request. This could mean that the packet was dropped due to congestion or a firewall.
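The three port states above, together with the port ranges and the service table, are what a defender turns into an exposure inventory. The following is an added example, not code from the original article: it parses constructed scan-result lines (formatted in the style of Nmap's grepable output, which is an assumption here), groups ports per host by open/closed/filtered, and flags open ports that the article's own table marks as insecure (Telnet) or that sit outside the well-known range.

```python
import re
from collections import defaultdict

# Port-to-service names taken from the table above.
KNOWN_SERVICES = {
    20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
    80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS", 3306: "MySQL", 3389: "RDP",
}
INSECURE_SERVICES = {"Telnet"}  # the table marks Telnet as insecure and outdated

# Port entries look like "<port>/<state>/<proto>//<service>///" (assumed Nmap -oG style).
PORT_ENTRY = re.compile(r"(\d+)/(open|closed|filtered)/(tcp|udp)//([^/,]*)")
HOST_LINE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*?)(?:\t|$)")

# Constructed sample scan output for two hosts in the documentation range 192.0.2.0/24.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)\n"
    "Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 8080/open/tcp//http-proxy///, "
    "3306/closed/tcp//mysql///\tIgnored State: filtered (997)\n"
)

def port_category(port: int) -> str:
    """Classify a port number into the three ranges described above."""
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic/private"

def parse_scan(text: str) -> dict:
    """Return {host: {"open": [...], "closed": [...], "filtered": [...]}} from scan lines."""
    results = {}
    for m in filter(None, map(HOST_LINE.match, text.splitlines())):  # skip non-host lines
        states = defaultdict(list)
        for port, state, _proto, _svc in PORT_ENTRY.findall(m.group(2)):
            states[state].append(int(port))
        results[m.group(1)] = {s: sorted(states[s]) for s in ("open", "closed", "filtered")}
    return results

def audit(text: str) -> list:
    """List (host, port, service, note) for open ports a defender should review."""
    findings = []
    for host, states in parse_scan(text).items():
        for port in states["open"]:
            service = KNOWN_SERVICES.get(port, "unknown")
            if service in INSECURE_SERVICES:
                findings.append((host, port, service, "insecure, outdated service exposed"))
            elif port_category(port) != "well-known":
                findings.append((host, port, service, "service on a non-well-known port"))
    return findings
```

Filtered ports are reported separately rather than treated as closed, since (as the limitations below note) a firewall dropping probes can hide a port that is actually open.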

Tools Used for Port Scanning

Several tools are commonly used in ethical hacking to perform port scanning. These tools help identify open ports, running services, and potential vulnerabilities in a network. Below are some of the most popular and effective ones:

  • Nmap: Nmap is one of the most popular tools for network discovery and security auditing. It can scan thousands of ports quickly and provides detailed information about services.
  • Angry IP Scanner: A lightweight and fast scanner that checks IP addresses and ports. It's easy to use and good for beginners for basic network scanning tasks.
  • Netcat: It is used for port scanning, banner grabbing, and creating raw TCP/UDP connections.
  • Zenmap: A GUI for Nmap. It makes Nmap easier to use.
  • Advanced Port Scanner: A fast tool for scanning open ports on network devices. It also shows information about connected devices and available network services.
  • MASSCAN: Known for its high speed, MASSCAN can scan the entire internet in minutes. It’s ideal for scanning large networks quickly.

Limitations of Port Scanning

  • Firewalls and security systems may hide ports: Some security tools block or filter scan requests, which can prevent the scanner from detecting certain open ports.
  • Port scans are not always accurate: Sometimes a scan may incorrectly report a port as open when it is actually closed, or miss a port that is open.
  • Network conditions can affect results: If the network is slow, unstable, or experiencing heavy traffic, the scanning results may become unreliable.
  • Scanning large networks takes time: When scanning many devices or a large range of ports, the process can be slow, especially if the scan is configured to avoid detection.