A port scan is a bit like jiggling a bunch of doorknobs to see which doors are locked. The scanner learns which ports on a router or firewall are open, and can use this information to find a computer system’s potential weaknesses.
What’s a Port?
When a device connects to another device over a network, it specifies a TCP or UDP port number from 0 to 65535. Some ports are used more frequently, however. TCP ports 0 through 1023 are “well-known ports” that provide system services. For example, port 20 is FTP file transfers, port 22 is Secure Shell (SSH) terminal connections, port 80 is standard HTTP web traffic, and port 443 is encrypted HTTPS. So, when you connect to a secure website, your web browser is talking to the web server that’s listening on port 443 of that server.
Services don’t always have to run on these specific ports. For example, you could run an HTTPS web server on port 32342 or a Secure Shell server on port 65001, if you liked. These are just the standard defaults.
What’s a Port Scan?
A port scan is a process of checking all the ports at an IP address to see if they’re open or closed. The port-scanning software would check port 0, port 1, port 2, and all the way through to port 65535. It does this by simply sending a request to each port and asking for a response. In its simplest form, the port-scanning software asks about each port, one at a time. The remote system will respond and say whether a port is open or closed. The person running the port scan would then know which ports are open.
Any network firewalls in the way may block or otherwise drop traffic, so a port scan is also a method of finding which ports are reachable, or exposed to the network, on that remote system.
Why Do People Run Port Scans?
Port scans are useful for determining a system’s vulnerabilities. A port scan would tell an attacker which ports are open on the system, and that would help them formulate a plan of attack. For example, if a Secure Shell (SSH) server was detected as listening on port 22, the attacker could try to connect and check for weak passwords. If another type of server is listening on another port, the attacker could poke at it and see if there’s a bug that can be exploited. Perhaps an old version of the software is running, and there’s a known security hole.
These types of scans can also help detect services running on non-default ports. So, if you’re running an SSH server on port 65001 instead of port 22, the port scan would reveal this, and the attacker could try connecting to your SSH server on that port. You can’t just hide a server on a non-default port to secure your system, although it does make the server harder to find.
Port scans aren’t just used by attackers. Port scans are useful for defensive penetration testing. An organization can scan its own systems to determine which services are exposed to the network and ensure they’re configured securely.
How Dangerous Are Port Scans?
A port scan can help an attacker find a weak point to attack and break into a computer system. It’s only the first step, though. Just because you’ve found an open port doesn’t mean you can attack it. But, once you’ve found an open port running a listening service, you can scan it for vulnerabilities. That’s the real danger.
On your home network, you almost certainly have a router sitting between you and the Internet. Someone on the Internet would only be able to port-scan your router, and they wouldn’t find anything aside from potential services on the router itself. That router acts as a firewall—unless you’ve forwarded individual ports from your router to a device, in which case those specific ports are exposed to the Internet.
For computer servers and corporate networks, firewalls can be configured to detect port scans and block traffic from the address that’s scanning. If all the services exposed to the internet are securely configured and have no known security holes, port scans shouldn’t even be too scary.
Types of Port Scans
In a “TCP full connection” port scan, the scanner sends a SYN (connection request) message to a port. If the port is open, the remote system replies with a SYN-ACK (acknowledgment) message. The scanner then responds with its own ACK (acknowledgment) message. This is a full TCP connection handshake, and the scanner knows the system is accepting connections on a port if this process takes place.
If the port is closed, the remote system will respond with an RST (reset) message. If the remote system just isn’t present on the network, there will be no response.
Some scanners perform a “TCP half-open” scan. Rather than going through a full SYN, SYN-ACK, and then ACK cycle, they just send a SYN and wait for a SYN-ACK or RST message in response. There’s no need to send a final ACK to complete the connection, as the SYN-ACK would tell the scanner everything it needs to know. It’s faster because fewer packets need to be sent.
Other types of scans involve sending stranger, malformed types of packets and waiting to see if the remote system returns an RST packet closing the connection. If it does, the scanner knows there is a remote system at that location, and that one particular port is closed on it. If no packet is received, the scanner knows that the port must be open.
A simple port scan where the software requests information about each port, one by one, is easy to spot. Network firewalls can easily be configured to detect and stop this behavior.
That’s why some port-scanning techniques work differently. For example, a port scan could scan a smaller range of ports, or could scan the full range of ports over a much longer period so it would be more difficult to detect.
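One way a firewall or log pipeline can spot the behavior described above, as an added example that is not from the original article: it counts distinct destination ports per source inside a time window, so the one-port-after-another scan is caught with a short window, while a scan spread over a long period only shows up when the window is widened. The log format, addresses and thresholds are constructed for the example.

```python
"""Scan detection over constructed firewall log lines (added example).
Log format and thresholds are assumptions, not any real product's format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, "timestamp src dst:port": 203.0.113.5 sweeps five
# ports in two seconds, 198.51.100.7 probes one port every ten minutes, and
# 192.0.2.99 is a normal client that only ever talks to HTTPS.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 192.0.2.10:21
2024-01-01T10:00:00 203.0.113.5 192.0.2.10:22
2024-01-01T10:00:01 203.0.113.5 192.0.2.10:23
2024-01-01T10:00:01 203.0.113.5 192.0.2.10:25
2024-01-01T10:00:02 203.0.113.5 192.0.2.10:80
2024-01-01T10:00:00 198.51.100.7 192.0.2.10:22
2024-01-01T10:10:00 198.51.100.7 192.0.2.10:80
2024-01-01T10:20:00 198.51.100.7 192.0.2.10:443
2024-01-01T10:00:05 192.0.2.99 192.0.2.10:443
2024-01-01T10:15:00 192.0.2.99 192.0.2.10:443
"""


def parse_log(text):
    """Yield (timestamp, source, destination port) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            yield datetime.fromisoformat(ts), src, int(dst.rsplit(":", 1)[1])


def detect_scans(text, window_seconds, min_ports):
    """Return {source: peak distinct-port count} for every source that hit
    at least `min_ports` distinct destination ports within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, port in parse_log(text):
        by_src[src].append((ts, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window forward from every event; quadratic, but clear.
        for i, (start, _) in enumerate(events):
            seen = {port for ts, port in events[i:] if ts - start <= window}
            if len(seen) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged
```

With a 10-second window and a threshold of 5 ports only the fast scanner is flagged; widening the window to an hour with a threshold of 3 also catches the slow scanner, while the client that only ever hits port 443 is never flagged.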
Port scans are a basic, bread-and-butter security tool when it comes to penetrating (and securing) computer systems. But they’re just a tool that lets attackers find ports that may be vulnerable to attack. They don’t give an attacker access to a system, and a securely configured system can certainly withstand a full port scan with no harm.