Date post: | 06-Apr-2018 |
Category: |
Documents |
Upload: | readallucan |
View: | 229 times |
Download: | 0 times |
of 12
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
1/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
Port scannerFrom Wikipedia, the free encyclopedia
A port scanner is a software application designed to probe a server or ho
for open ports. This is often used by administrators to verify security
policies of their networks and by attackers to identify running services on
host with the view to compromise it.
A port scan or portscan is "An attack that sends client requests to a range
of server port addresses on a host, with the goal of finding an active port
and exploiting a known vulnerability of that service."[1]
To portsweep is to scan multiple hosts for a specific listening port. Thelatter is typically used in searching for a specific service, for example, an
SQL-based computer worm may portsweep looking for hosts listening on
TCP port 1433.[2]
Contents1 TCP/IP basic knowledge
2 Port scanning assumptions
3 Port scanning types
3.1 TCP scanning
3.2 SYN scanning
3.3 UDP scanning3.4 ACK scanning
3.5 Window scanning
3.6 FIN scanning
3.7 Other scan types
4 Port filtering by ISPs
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
2/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
6 Legal implications
7 See also
8 References
9 External links
TCP/IP basic knowledge
The design and operation of the Internet is based on the Internet Protocol
Suite, commonly also called TCP/IP. In this system, hosts and host
services are referenced using two components: an address and a port
number. There are 65536 distinct and usable port numbers. Most servicesuse a limited range of numbers.
Some port scanners scan only the most common port numbers, or ports
most commonly associated with vulnerable services, on a given host. See
List of TCP and UDP port numbers.
The result of a scan on a port is usually generalized into one of three
categories:
1. Open orAccepted: The host sent a reply indicating that a service is
listening on the port.
2. ClosedorDeniedorNot Listening: The host sent a reply indicating
that connections will be denied to the port.
3. Filtered,DroppedorBlocked: There was no reply from the host.
Open ports present two vulnerabilities of which administrators must be
wary:
1. Security and stability concerns associated with the program
responsible for delivering the service - Open ports.
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
3/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
2. Security and stability concerns associated with the operating system
that is running on the host - Open or Closed ports.
Filtered ports do not tend to present vulnerabilities.
Port scanning assumptionsMany forms of port scanning rely on the assumption that the targeted host
is compliant with RFC 793 - Transmission Control Protocol
(http://www.faqs.org/rfcs/rfc793.html) . Although it is the case most of th
time, there is still a chance a host might send back strange packets or even
generate false positives when the TCP/IP stack of the host is non-RFC-
compliant or has been altered. This is especially true for less common scatechniques that are OS-dependent (FIN scanning, for example).[3] The
TCP/IP stack fingerprinting method also relies on these kind of different
network responses from a specific stimulus to guess the type of the
operating system the host is running.
Port scanning types
TCP scanning
The simplest port scanners use the operating system's network functions
and is generally the next option to go to when SYN is not a feasible option
(described next). Nmap calls this mode connect scan, named after the Un
connect() system call. If a port is open, the operating system completes th
TCP three-way handshake, and the port scanner immediately closes the
connection to avoid performing a kind of Denial-of-service attack.[3]
Otherwise an error code is returned. This scan mode has the advantage th
the user does not require special privileges. However, using the OS
network functions prevents low-level control, so this scan type is less
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
4/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
common. This method is "noisy", particularly if it is a "portsweep": the
services can log the sender IP address and Intrusion detection systems can
raise an alarm.
SYN scanning
SYN scan is another form of TCP scanning. Rather than use the operating
system's network functions, the port scanner generates raw IP packets
itself, and monitors for responses. This scan type is also known as "half-
open scanning", because it never actually opens a full TCP connection.
The port scanner generates a SYN packet. If the target port is open, it will
respond with a SYN-ACK packet. The scanner host responds with a RST
packet, closing the connection before the handshake is completed.
[3]
The use of raw networking has several advantages, giving the scanner full
control of the packets sent and the timeout for responses, and allowing
detailed reporting of the responses. There is debate over which scan is les
intrusive on the target host. SYN scan has the advantage that the individu
services never actually receive a connection while some services can be
crashed with a connect scan.[citation needed] However, the RST during the
handshake can cause problems for some network stacks, in particular
simple devices like printers. There are no conclusive arguments either
way.
UDP scanning
UDP scanning is also possible, although there are technical challenges.
UDP is a connectionless protocol so there is no equivalent to a TCP SYN
packet. However, if a UDP packet is sent to a port that is not open, the
system will respond with an ICMP port unreachable message. Most UDP
port scanners use this scanning method, and use the absence of a response
to infer that a port is open. However, if a port is blocked by a firewall, thi
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
5/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
method will falsely report that the port is open. If the port unreachable
message is blocked, all ports will appear open. This method is also
affected by ICMP rate limiting.[citation needed]
An alternative approach is to send application-specific UDP packets,
hoping to generate an application layer response. For example, sending a
DNS query to port 53 will result in a response, if a DNS server is present.
This method is much more reliable at identifying open ports. However, it
is limited to scanning ports for which an application specific probe packe
is available. Some tools (e.g., nmap) generally have probes for less than 2
UDP services, while some commercial tools (e.g., nessus) have as many a
70. In some cases, a service may be listening on the port, but configured
not to respond to the particular probe packet.
To cope with the different limitations of each approach, some scanners
offer a hybrid method. For example, using nmap with the -sUV option wil
start by using the ICMP port unreachable method, marking all ports as
either "closed" or "open|filtered". The open|filtered ports are then probed
for application responses and marked as "open" if one is received.
ACK scanning
ACK scanning is one of the more unique scan types, as it does not exactly
determine whether the port is open or closed, but whether the port is
filtered or unfiltered. This is especially good when attempting to probe fo
the existence of a firewall and its rulesets. Simple packet filtering will
allow established connections (packets with the ACK bit set), whereas a
more sophisticated stateful firewall might not.[citation needed]
Window scanning
Rarely used because of its outdated nature, window scanning is fairly
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
6/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
untrustworthy in determining whether a port is opened or closed. It
generates the same packet as an ACK scan, but checks whether the
window field of the packet has been modified. When the packet reaches i
destination, a design flaw attempts to create a window size for the packet
if the port is open, flagging the window field of the packet with 1's before
it returns to the sender. Using this scanning technique with systems that n
longer support this implementation returns 0's for the window field,
labeling open ports as closed.[citation needed]
FIN scanning
Since SYN scans are not surreptitious enough, firewalls are, in general,
scanning for and blocking packets in the form of SYN packets.[3]
FINpackets are able to pass by firewalls with no modification to its purpose.
Closed ports reply to a FIN packet with the appropriate RST packet,
whereas open ports ignore the packet on hand. This is typical behavior du
to the nature of TCP, and is in some ways an inescapable downfall. [4]
Other scan types
Some more unusual scan types exist. These have various limitations and
are not widely used. Nmap supports most of these.[5]
X-mas and Null Scan - Are similar to FIN scanning, but[3]:
X-mas sends packets with FIN, URG and PUSH flags
turned on like a Christmas tree
Null sends a packet with no TCP flags setProtocol scan - determines what IP level protocols (TCP, UDP,
GRE, etc.) are enabled.
Proxy scan - a proxy (SOCKS or HTTP) is used to perform the
scan. The target will see the proxy's IP address as the source. This
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
7/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
can also be done using some FTP servers.
Idle scan - Another method of scanning without revealing one's IP
address, taking advantage of the predictable ip id flaw.
CatSCAN - Checks ports for erroneous packets.
ICMP scan - determines if a host responds to ICMP requests, such
as echo (ping), netmask, etc.
Port filtering by ISPs
Many Internet service providers restrict their customers' ability to perform
port scans to destinations outside of their home networks. This is usually
covered in the terms of service or acceptable use policy to which the
customer must agree.[6][7] Some ISPs implement packet filters ortransparent proxies that prevent outgoing service requests to certain ports
For example, if an ISP provides a transparent HTTP proxy on port 80, por
scans of any address will appear to have port 80 open, regardless of target
host's actual configuration.
Ethics
The information gathered by a port scan has many legitimate uses
including network inventory and the verification of the security of a
network. Port scanning can, however, also be used to compromise security
Many exploits rely upon port scans to find open ports and send specific
data patterns in an attempt to trigger a condition known as a buffer
overflow. Such behavior can compromise the security of a network and th
computers therein, resulting in the loss or exposure of sensitiveinformation and the ability to do work.[3]
The threat level caused by a port scan can vary greatly according to the
method used to scan, the kind of port scanned, its number, the value of the
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
8/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
targete ost an t e a m n strator w o mon tors t e ost. But a port scanis often viewed as a first step for an attack, therefore considered seriously
because it can disclose much sensitive information about the host[8]
Despite this, the probability of a port scan alone followed by a real attackis small. The probability of an attack is much higher when the port scan is
associated with a vulnerability scan.
[9]
Legal implications
Because of the inherently open and decentralized architecture of theInternet, lawmakers have struggled since its creation to define legalboundaries that permit effective prosecution of cybercriminals. This has
resulted in different computer abuse legislation in various countries, aswell as different interpretations of those laws.[citation needed] Casesinvolving port scanning activities are an example of the difficultiesencountered in judging violations. Although these cases are rare, most ofthe time the legal process involves proving that an intent to commit abreak-in or unauthorized access existed, rather than just the performanceof a port scan:
In June 2003, an Israeli, Avi Mizrahi, was accused by the IsraeliPolice of the offense of attempting the unauthorized access ofcomputer material. He had port scanned the Mossad website. Hewas acquitted of all charges on February 29, 2004. The judge rulethat these kinds of actions should not be discouraged when they a
performed in a positive way.[10]
A 17-year old Finn was accused of attempted computer break-inby a major Finnish bank. On April 9, 2003, he was convicted of thcharge by the Supreme Court and ordered to pay US$ 12,000 forthe expense of the forensic analysis made by the bank. In 1998, hehad port scanned the bank network in an attempt to access the
closed network, but failed to do so.[11]
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
9/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
n ecem er , cott ou ton was arreste y t e an
accused of attempted computer trespassing under Georgia's
Computer Systems Protection Act and Computer Fraud and Abuse
Act of America. At this time, his IT service company had a
ongoing contract with Cherokee County of Georgia to maintain
and upgrade the 911 center security. He performed several port
scans on Cherokee County servers to check their security and
eventually port scanned a web server monitored by another IT
company, provoking a tiff which ended up in a tribunal. He was
acquitted in 2000, the judge ruling there was no damage impairin
the integrity and availability of the network.[12]
In 2007 and 2008, England, France, and Germany had voted laws that
make unlawful the creation, distribution, possession of materials whichallow someone to break any computer law. Port scanners fall under this
description. The area of effect of the French law is nevertheless limited to
people without legitimate motive.[13][14][15]
See also
Computer security
Computer system
Content Vectoring Protocol
Cracking
Service scan
Vulnerability scanner
References
1. ^ RFC 2828Internet Security Glossary
2. ^ http://support.microsoft.com/kb/313418
3. ^ abcdefErikson, JonHACKING the art of exploitation (2nd ed.) San
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
10/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
ranc sco: o arc ress p. - - -
4. ^ Maimon, Uriel (1996-11-08). "Port Scanning without the SYN flag"
(http://www.phrack.com/issues.html?issue=49&id=15) . Phrack issue 49.
http://www.phrack.com/issues.html?issue=49&id=15. Retrieved 2009-05-08
5. ^ "Port Scanning Techniques" (http://nmap.org/man/man-port-scanning-
techniques.html) .Nmap reference guide. 2001. http://nmap.org/man/man-
port-scanning-techniques.html. Retrieved 2009-05-07.6. ^ "Comcast Acceptable Use Policy" (http://www.comcast.net/terms/use/) .
Comcast. 2009-01-01. http://www.comcast.net/terms/use/. Retrieved 2009-
05-07.
7. ^ "BigPond Customer Terms"
(http://www.telstra.com.au/customerterms/docs/bp_part_a.pdf) . Telstra.
2008-11-06. http://www.telstra.com.au/customerterms/docs/bp_part_a.pdf.
Retrieved 2009-05-08.
8. ^ .Jamieson, Shaun (2001-10-08). "The Ethics and Legality of PortScanning" (http://www.sans.org/rr/whitepapers/legal/71.php) . SANS.
http://www.sans.org/rr/whitepapers/legal/71.php. Retrieved 2009-05-08.
9. ^ Cukier, Michel (2005). "Quantifying Computer Security"
(http://www.isr.umd.edu/research/research_briefs/Cukier_QuantCompSecur
y.pdf) . University of Maryland.
http://www.isr.umd.edu/research/research_briefs/Cukier_QuantCompSecuri
.pdf. Retrieved 2009-05-08.
10. ^ Hon. Abraham N. Tennenbaum (2004-02-29). "Verdict in the case Avi
Mizrahi vs. Israeli Police Department of Prosecution"
(http://www.law.co.il/media/computer-law/mizrachi_en.pdf) .
http://www.law.co.il/media/computer-law/mizrachi_en.pdf. Retrieved 2009-
05-08.
11. ^ Esa Halmari (2003). "First ruling by the Supreme Court of Finland on
attempted break-in" (http://insecure.org/stf/fin.html) .
http://insecure.org/stf/fin.html. Retrieved 2009-05-07.12. ^ Poulsen, Kevin (2000-12-18). "Port scans legal, judge says"
(http://www.securityfocus.com/news/126) . SecurityFocus.
http://www.securityfocus.com/news/126. Retrieved 2009-05-08.
13. ^ Leyden, John (2008-01-02). "UK gov sets rules for hacker tool ban"
(http://www.theregister.co.uk/2008/01/02/hacker_toll_ban_guidance/) . The
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
11/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
.wikipedia.org/wiki/Port_scanner
eg s er.
http://www.theregister.co.uk/2008/01/02/hacker_toll_ban_guidance/.
Retrieved 2009-05-08.
14. ^ Lemarteleur, Xavier (2008-06-13). "Le scan de ports : une intrusion dans
un STAD ?" (http://www.juriscom.net/documents/priv20080613.pdf) (in
French). Juriscom. http://www.juriscom.net/documents/priv20080613.pdf.
Retrieved 2009-05-08.15. ^ "German Security Professionals in the Mist"
(http://www.beskerming.com/commentary/2007/08/12/249/German_Securit
_Professionals_in_the_Mist) . Snnet Beskerming. 2007-08-12.
http://www.beskerming.com/commentary/2007/08/12/249/German_Security
Professionals_in_the_Mist. Retrieved 2009-05-08.
External links
Port list
IANA assigned ports list (http://www.iana.org/assignments/port-
numbers)
Papers
Port Scanning Techniques
(http://packetstormsecurity.org/files/view/54973/port-scanning-
techniques.txt) by Kris Katterjohn. Includes examples using Nma
and Hping.
Port Scanning Unscanned
(http://www.thenetworkadministrator.com/hack/PortScanning.htm
by Ankit FadiaTeo, Lawrence (December, 2000). Network Probes Explained:
Understanding Port Scans and Ping Sweeps. Linux Journal,
Retrieved September 5, 2009, from Linuxjournal.com
(http://www.linuxjournal.com/article/4234)
8/3/2019 Port Scanner - Wikipedia, The Free Encyclopedia
12/12
/26/11 Port scanner - Wikipedia, the free encyclopedia
e r eve rom p: en.w pe a.org w n ex.p p
title=Port_scanner&oldid=462355826"
Categories: Computer security software
Computer security exploits Internet Protocol based network software
This page was last modified on 25 November 2011 at 03:42.
Text is available under the Creative Commons Attribution-
ShareAlike License; additional terms may apply. See Terms of us
for details.
Wikipedia is a registered trademark of the Wikimedia
Foundation, Inc., a non-profit organization.