Monday, December 29, 2008

Port Scanning

I have recently been gaining some in-depth knowledge on the network security side, and hence I thought I would share what I have learnt from all over the web. In this article, we will discuss Port Scanning. Before we dive directly into Port Scanning, there must be a lot of readers wondering what the heck a port is in the first place. No worries! We are going to discuss everything in detail.

What is a Port?

A Port can be defined from three different perspectives:

1. The term Port as a noun:

a) When it comes to computer and telecommunication devices, a port is generally a specific place for being physically connected to some other device, usually with a socket and plug of some kind. You must have heard of terminologies like Serial Port, USB Port, etc., yeah? It is exactly the same thing.

b) In programming, a port (noun) is a "logical connection place"; specifically, using the Internet's protocol, TCP/IP, it is the way a client program specifies a particular server program on a computer in a network. To say it in easy terms, when you are behind a proxy server, you have something like Port: 80 in your browser's Internet settings, yeah? That is it, and now you know why we call it a 'Logical Connection Place'.

2. The term Port as a verb:

In the world of programming, the term port is also used as a verb, i.e., to move an application program from the operating system environment in which it was developed to another operating system environment so it can be run there. If you are or were in the IT industry, you surely must have heard about porting projects. To quote one example from my own experience, there was a project where we "ported" a few of the features that were already there in product A (which we had already developed) to a new product B (which we were developing). Simply put, it is the concept of moving a feature from something that already exists to a new one.

Now that we are clear about the term PORT, let's move on to the concept of Port scanning.

The term PORT in Port Scanning refers to case 1 b) above, and hence we will concentrate on the word PORT as it is defined in 1 b). So from now on, whenever I say PORT in this article, understand that I am referring to it as defined in 1 b).

With that mindset, let me tell you that...

Port numbers range from 0 through 65535 and are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.

  • The Well Known Ports are those from 0 through 1023.
  • The Registered Ports are those from 1024 through 49151.
  • The Dynamic and/or Private Ports are those from 49152 through 65535.

Well Known and Registered Ports are intended for use by server applications that desire a default contact point on a system. On most systems, Well Known Ports can only be used by system (or root) processes or by programs executed by privileged users, while Registered Ports can be used by ordinary user processes or programs executed by ordinary users. Dynamic and/or Private Ports are intended for temporary use, including client-side ports, out-of-band negotiated ports, and application testing prior to registration of a dedicated port.

Check out the List of TCP and UDP Port Numbers when you have some time.

Various states of a Port:

A port can fall under one of the three states below:

  • A service process is listening at the port. The OS (Operating System) receives packets arriving at this port and hands the messages to the service process. If the OS receives a SYN at an open port, this is the first packet of the three-way handshake. (Note: The SYN we speak about here is NOT the progressive rock band of 2004, lol. You will get to know more about them if you are aware of the TCP header structure, but for now just understand that the SYN and RST we are discussing here are the "Synchronize sequence numbers" and "Reset the connection" flags respectively.)
  • No process is listening at the port. If the OS receives a SYN at a closed port, an RST is sent back.
  • A packet filter is listening at the port, so the SYN is dropped and nothing comes back at all.
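To make the three states concrete, here is an added example (my own code for this article, not from any scanner tool) that probes a single TCP port from the client side and reports which state it observed: the handshake completed (open), the SYN was answered with an RST, which the OS surfaces as "connection refused" (closed), or nothing came back before the timeout (filtered). So that you can see the first two cases on your own machine, it starts a throwaway listener on 127.0.0.1 and picks a second port that it has just released; both ports are chosen by the OS at run time and are not fixed values.

```python
import socket
import threading


def probe_tcp_port(host, port, timeout=1.0):
    """Classify one TCP port as seen from the client side.

    open     -> the three-way handshake completed (a service accepted it)
    closed   -> the SYN was answered with RST (ECONNREFUSED from the OS)
    filtered -> no answer before the timeout, or the path is unreachable,
                which is what a packet filter dropping the SYN looks like
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def start_local_listener():
    """Start a throwaway TCP service on 127.0.0.1 (constructed for the demo).

    Port 0 asks the OS for any free ephemeral port; the chosen port is returned.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        # Accept and drop connections in the background so the handshake
        # completes exactly as it would for a real service.
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # raised once the listening socket is closed
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_local_port():
    """Bind and immediately release a port so we know nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe one open and one closed port on this machine and report both."""
    srv, open_port = start_local_listener()
    closed_port = find_closed_local_port()
    results = {
        "open_port": probe_tcp_port("127.0.0.1", open_port),
        "closed_port": probe_tcp_port("127.0.0.1", closed_port),
    }
    srv.close()
    return results


if __name__ == "__main__":
    print(demo())   # e.g. {'open_port': 'open', 'closed_port': 'closed'}
```

The "filtered" verdict is deliberately the fall-through case: from the outside, a dropped SYN and a host that does not exist look the same, which is exactly why a scanner cannot tell the difference without further probing.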

Each of these available ports (0 through 65535) is like a door through which a hacker could gain control over your system, and it is essential that you keep those doors locked. This is where Port Scanning comes into the picture.

What is Port Scanning and Why is Port Scanning needed?

It is similar to a thief going through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked. Simply put, attackers wish to discover services they can break into. Port Scanning is a technique used by hackers on the Internet to discover open network ports on your computer which they can break into. Network ports are communication channels for services such as email, telnet, file transfer, HTTP, etc. Since a port is where information goes in and out of a computer, port scanning identifies open doors to a computer, and if a port is open, it could be exploited by an attacker breaking in through vulnerabilities (bugs) in the computer system. For example, spammers try to relay their spam through an SMTP server which has an open port for them to connect to and send their spam through.

As you know, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite which is used universally to communicate on the Internet.

As we discussed already, the first 1024 TCP ports are called the Well-Known Ports and are associated with standard services such as FTP, HTTP, SMTP or DNS. Some of the ports over 1023 also have commonly associated services, but the majority of these ports are not associated with any service and are available for a program or application to use to communicate on.

Port scanning software, in its most basic form, simply sends out a request to connect to the target computer on each port in turn and makes a note of which ports responded or seem open to more in-depth probing.

If the port scan is being done with malicious intent, the intruder would generally prefer to go undetected. Network security applications can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. To get around this, the intruder can do the port scan in strobe or stealth mode. Strobing limits the ports to a smaller target set rather than blanket scanning all 65536 ports. Stealth scanning uses techniques such as slowing the scan: by spreading the ports over a much longer period of time, the scanner reduces the chance that the target will trigger an alert.

There are a number of different methods to perform the actual port scans as well as tricks to hide the true source of port scan. You can read more about some of these by visiting these web sites: Port Scanning or Network Probes Explained.

It is possible to monitor your network for port scans. The trick, as with most things in information security, is to find the right balance between network performance and network safety. To help ensure that your network is protected and secure, you may wish to perform your own port scans. An important thing here is to ensure you have the approval of all the powers that be before embarking on this project, lest you find yourself on the wrong side of the law. To get accurate results it may be best to perform the port scan from a remote location using non-company equipment and a different ISP. Using software such as Nmap you can scan a range of IP addresses and ports and find out what an attacker would see if they were to port scan your network. Nmap in particular allows you to control almost every aspect of the scan and perform various types of port scans to fit your needs.

Technically, there is no way to stop someone from port scanning your computer while you are on the Internet, because in accessing any Internet service your computer has to open a port to the Internet. There are, however, some things you can do to stay vigilant:
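The two paragraphs above describe the detection side: alert when one source hits a broad range of ports in a short time, and note that a slowed scan can slip under such a rule. Here is an added example of that logic (my own code, not from any firewall or IDS product) run over a few constructed firewall log lines. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are all my own assumptions for the demo. It flags a source that touches eight or more distinct destination ports inside a sliding 60-second window, and then shows how the same slow scan that evades the 60-second window is caught when the window is widened to an hour, which is the performance-versus-safety trade-off the text mentions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from any real system): one line per inbound SYN
# seen at the firewall.  203.0.113.5 scans ten ports in five seconds,
# 198.51.100.7 is an ordinary web client, and 198.51.100.9 scans the same ten
# ports but spaced five minutes apart.  The DROP line is noise to be ignored.
SAMPLE_LOG = """\
2008-12-29T10:00:00 SYN 203.0.113.5 -> 192.0.2.10:21
2008-12-29T10:00:00 SYN 203.0.113.5 -> 192.0.2.10:22
2008-12-29T10:00:01 SYN 203.0.113.5 -> 192.0.2.10:23
2008-12-29T10:00:01 SYN 203.0.113.5 -> 192.0.2.10:25
2008-12-29T10:00:02 SYN 203.0.113.5 -> 192.0.2.10:53
2008-12-29T10:00:02 SYN 203.0.113.5 -> 192.0.2.10:80
2008-12-29T10:00:03 SYN 203.0.113.5 -> 192.0.2.10:110
2008-12-29T10:00:03 SYN 203.0.113.5 -> 192.0.2.10:143
2008-12-29T10:00:04 SYN 203.0.113.5 -> 192.0.2.10:443
2008-12-29T10:00:04 SYN 203.0.113.5 -> 192.0.2.10:3389
2008-12-29T10:00:05 SYN 198.51.100.7 -> 192.0.2.10:80
2008-12-29T10:00:06 DROP 198.51.100.7 -> 192.0.2.10:80 (not a SYN record)
2008-12-29T10:00:09 SYN 198.51.100.7 -> 192.0.2.10:443
2008-12-29T10:00:00 SYN 198.51.100.9 -> 192.0.2.10:21
2008-12-29T10:05:00 SYN 198.51.100.9 -> 192.0.2.10:22
2008-12-29T10:10:00 SYN 198.51.100.9 -> 192.0.2.10:23
2008-12-29T10:15:00 SYN 198.51.100.9 -> 192.0.2.10:25
2008-12-29T10:20:00 SYN 198.51.100.9 -> 192.0.2.10:53
2008-12-29T10:25:00 SYN 198.51.100.9 -> 192.0.2.10:80
2008-12-29T10:30:00 SYN 198.51.100.9 -> 192.0.2.10:110
2008-12-29T10:35:00 SYN 198.51.100.9 -> 192.0.2.10:143
2008-12-29T10:40:00 SYN 198.51.100.9 -> 192.0.2.10:443
2008-12-29T10:45:00 SYN 198.51.100.9 -> 192.0.2.10:3389
"""

# Matches only SYN records of the constructed format; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SYN (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return (timestamp, source_ip, dest_port) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])))
    events.sort(key=lambda e: e[0])   # stable sort keeps same-second order
    return events


def detect_port_scans(events, window_seconds=60, distinct_port_threshold=8):
    """Flag each source that touches >= threshold distinct ports in one window.

    A sliding window per source: old entries are dropped as time advances, so
    a scan spread thinly over time never accumulates enough ports to alert.
    Returns {source_ip: {"ports": [...], "at": iso_timestamp_of_alert}}.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dport) inside window
    alerts = {}
    for ts, src, dport in events:
        q = recent[src]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= distinct_port_threshold and src not in alerts:
            alerts[src] = {"ports": sorted(distinct), "at": ts.isoformat()}
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("60s window :", detect_port_scans(evts))
    print("1h window  :", detect_port_scans(evts, window_seconds=3600))
```

With the 60-second window only the fast scanner is reported; the web client, which touches just two ports, is left alone. Widening the window to an hour also catches the slow scanner, at the cost of keeping more state per source and a higher chance of flagging a busy but legitimate host, which is the balance the text refers to.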

How to stay secured from Port Scanning attacks?

Once you find out which ports respond as being open by port scanning your own network, you can begin to work on determining whether it's actually necessary for those ports to be accessible from outside your network. If they're not necessary, you should shut them down or block them. If they are necessary, you can begin to research what sorts of vulnerabilities and exploits your network is open to by having these ports accessible, and work to apply the appropriate patches or mitigations to protect your network as much as possible.

  • To say it in layman's terms, install anti-virus software on your computers and remember to update the virus definitions and scan your PC for viruses regularly (if possible, daily).
  • Install firewall software to monitor for any scanning activity on your PC.
  • Perform Windows Update - Microsoft puts out patches that close up these open ports or fix other vulnerabilities when they are found. By performing Windows Update regularly, you can minimise the chances of your open ports being exploited. (Click the IE browser's menu Tools -> Windows Update -> Scan for Updates -> install all critical updates.)
  • Also, keep an eye on the latest network critical security alerts.

No one can deny the fact that if you are talented enough to stay secure, hackers are talented enough to find a way to break that security. However, taking preventive measures and staying secure does not hurt.

I have also read about the various types of Port Scanning and I shall share them with you all in another article real soon.