What Is a Port Scan?
A port scan is an attempt by someone with ulterior motives to break into a computer, or to learn what network services it offers, by sending it a series of probe messages (every network service is associated with a port number). Port scanning is a favourite technique of attackers, who use it to learn where a system's weaknesses lie. In essence, it means sending a message to each port, one at a time, and examining the type of response: the response reveals whether the port is in use, and from that the attacker can go on to probe for weaknesses.
- A port is a potential communication channel, and therefore also a potential intrusion channel. Port scanning the target computer yields a lot of useful information. There are many ways to scan, either manually or with port scanning software. When scanning manually you need to be familiar with the various commands and analyze the output of each command you run.
- Port scanning, as the name implies, means probing a range of ports, or designated ports, one by one. The results tell you which services a computer provides, and known vulnerabilities in those services can then be attacked. The principle is that when a host requests a connection to a port on a remote server, the server responds if it runs a service on that port; if no such service is installed, a request sent to that port gets no response. Using this principle, you connect to every well-known port, or to a chosen range of them, and record the response the remote server gives; reviewing those records tells you which services are installed on the target. This is port scanning. It can gather a great deal of useful information about the target host, for example whether it offers FTP, WWW or other services.
- Software that performs port scanning is called a port scanner. Different scanners use different techniques and scanning algorithms and produce different results. Port scanners can be divided into several categories according to their scanning process and results. [1]
- The scanner is an automatic detection remote or
Port scanning function
- A scanner is not a program that directly attacks network vulnerabilities; it only helps us find the inherent weaknesses of a target machine. A good scanner analyzes the data it collects to help us locate the target host's vulnerabilities, but it does not provide detailed steps for breaking into a system.
- A scanner should have three functions: discovering a host or network; once a host is found, discovering which services run on it; and discovering vulnerabilities by testing those services.
- Writing a scanner requires a good deal of TCP/IP programming and knowledge of C, Perl and/or shell languages, as well as some background in socket programming, the way client/server applications are developed. Developing a scanner is an ambitious project that programmers usually enjoy.
Port scan port numbers
- The following ports are commonly used by proxy servers:
  - HTTP proxy servers commonly use ports 80/8080/3128/8081/9080
  - SOCKS proxy servers commonly use port 1080
  - FTP (file transfer) proxy servers commonly use port 21
  - Telnet (remote login) proxy servers commonly use port 23
- HTTP server, default port 80/tcp (the Trojan Executor opens this port);
- HTTPS (secure transfer of web pages) server, default ports 443/tcp and 443/udp;
- Telnet (insecure text transmission), default port 23/tcp (the port opened by the Trojan Tiny Telnet Server);
- FTP, default port 21/tcp (the Trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash and Blade Runner open this port);
- TFTP (Trivial File Transfer Protocol), default port 69/udp;
- SSH (secure login), SCP (file transfer) and port forwarding, default port 22/tcp;
- SMTP, Simple Mail Transfer Protocol (e-mail), default port 25/tcp (the Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC and WinSpy all open this port);
- POP3, Post Office Protocol (e-mail), default port 110/tcp;
- WebLogic, default port 7001;
- WebSphere application server, default port 9080;
- WebSphere administration tool, default port 9090;
- JBoss, default port 8080;
- Tomcat, default port 8080;
- Windows 2003 remote login (Remote Desktop), default port 3389;
- Symantec AV/Filter for MSE, default port 8081;
- Oracle database, default port 1521;
- Oracle EMCTL, default port 1158;
- Oracle XDB (XML database), default port 8080;
- Oracle XDB FTP service, default port 2100;
- MS SQL Server database server, default ports 1433/tcp and 1433/udp;
- MS SQL Server database monitor, default ports 1434/tcp and 1434/udp;
- QQ, default port 1080/udp [2]
Port scan classification
- TCP connect() scan
- This is the most basic TCP scan. The connect() system call provided by the operating system is used to open a connection to each port of interest on the target. If the port is listening, connect() succeeds; otherwise the port is unreachable, that is, no service is offered there. One big advantage of this technique is that no special privileges are needed: any user on the system may use this call. Another is speed. Making a separate, blocking connect() call for each target port in turn would take a long time, but scanning can be sped up by opening many sockets at once; non-blocking I/O lets you set a short timeout and watch many sockets simultaneously. The drawback is that it is easily detected and filtered out: the target's log files will show a series of connections, and service error messages for connections that were opened and immediately closed.
- TCP SYN scan
- This technique is usually called a "half-open" scan because the scanner does not open a full TCP connection. The scanner sends a SYN packet as if it were about to open a real connection and waits for the response (see the TCP three-way handshake). A SYN|ACK in reply indicates that the port is listening; a RST indicates that it is not. If a SYN|ACK arrives, the scanner immediately sends a RST to tear the half-open connection down. The advantage of this technique is that it generally leaves no record on the target computer. The disadvantage is that root privileges are needed to build your own SYN packets.
- TCP FIN scan
- Sometimes even SYN scans are not stealthy enough: some firewalls and packet filters watch specific ports, and some programs can detect these scans. FIN packets, by contrast, may pass through without trouble. The idea is that a closed port replies to a FIN packet with a RST, while an open port ignores it. This behaviour depends on the implementation: some systems send a RST whether or not the port is open, and on those the method does not apply. It is, however, very useful for distinguishing Unix from NT.
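The three TCP techniques above leave different traces on the target, which is what a host-based detector can key on: a connect() scan completes handshakes (or draws a RST from closed ports), a SYN scan answers the host's SYN|ACK with a RST instead of an ACK, and a FIN scan sends bare FINs to ports that have no connection. The following Python is an added example, not code from the original article; it classifies a constructed list of TCP segments (assumed to have been read from a packet capture on host 10.0.0.5, an address chosen for the example) and flags any client that probes several distinct ports within a short window.

```python
from collections import defaultdict

# Constructed sample: TCP segments as seen by the host 10.0.0.5, written in
# the form of a hypothetical packet capture.  Fields: time, src, dst, sport,
# dport, flags.  Flags use tcpdump letters: S=SYN, A=ACK, R=RST, F=FIN.
SAMPLE_SEGMENTS = [
    # Legitimate client: one full handshake to port 80
    (0.0, "10.0.0.9", "10.0.0.5", 40001, 80, "S"),
    (0.0, "10.0.0.5", "10.0.0.9", 80, 40001, "SA"),
    (0.0, "10.0.0.9", "10.0.0.5", 40001, 80, "A"),
    # connect() scan: full handshake on open ports, RST from the host on closed ones
    (1.0, "192.0.2.10", "10.0.0.5", 50001, 22, "S"),
    (1.0, "10.0.0.5", "192.0.2.10", 22, 50001, "SA"),
    (1.0, "192.0.2.10", "10.0.0.5", 50001, 22, "A"),
    (1.1, "192.0.2.10", "10.0.0.5", 50002, 23, "S"),
    (1.1, "10.0.0.5", "192.0.2.10", 23, 50002, "R"),
    (1.2, "192.0.2.10", "10.0.0.5", 50003, 25, "S"),
    (1.2, "10.0.0.5", "192.0.2.10", 25, 50003, "R"),
    (1.3, "192.0.2.10", "10.0.0.5", 50004, 80, "S"),
    (1.3, "10.0.0.5", "192.0.2.10", 80, 50004, "SA"),
    (1.3, "192.0.2.10", "10.0.0.5", 50004, 80, "A"),
    (1.4, "192.0.2.10", "10.0.0.5", 50005, 443, "S"),
    (1.4, "10.0.0.5", "192.0.2.10", 443, 50005, "R"),
    # SYN (half-open) scan: SYN, SYN|ACK, then RST from the client instead of ACK
    (5.0, "198.51.100.7", "10.0.0.5", 60001, 22, "S"),
    (5.0, "10.0.0.5", "198.51.100.7", 22, 60001, "SA"),
    (5.0, "198.51.100.7", "10.0.0.5", 60001, 22, "R"),
    (5.1, "198.51.100.7", "10.0.0.5", 60002, 80, "S"),
    (5.1, "10.0.0.5", "198.51.100.7", 80, 60002, "SA"),
    (5.1, "198.51.100.7", "10.0.0.5", 60002, 80, "R"),
    (5.2, "198.51.100.7", "10.0.0.5", 60003, 8080, "S"),
    (5.2, "10.0.0.5", "198.51.100.7", 8080, 60003, "R"),
    # FIN scan: bare FIN to ports with no connection; closed ports answer RST
    (9.0, "203.0.113.4", "10.0.0.5", 45001, 21, "F"),
    (9.0, "10.0.0.5", "203.0.113.4", 21, 45001, "R"),
    (9.1, "203.0.113.4", "10.0.0.5", 45002, 22, "F"),   # open port stays silent
    (9.2, "203.0.113.4", "10.0.0.5", 45003, 25, "F"),
    (9.2, "10.0.0.5", "203.0.113.4", 25, 45003, "R"),
]


def classify_probes(segments, host):
    """Walk the segments in order and label each (client, client port, server
    port) tuple as: full (completed handshake), refused (SYN answered by RST),
    half_open (host's SYN|ACK answered by RST) or fin (FIN with no prior SYN)."""
    state = {}      # (client, cport, sport) -> handshake state
    probes = []     # (time, client, server_port, kind)
    for t, src, dst, sport, dport, flags in segments:
        if dst == host:                       # inbound segment
            key = (src, sport, dport)
            if flags == "S":
                state[key] = "syn"
            elif flags == "A" and state.get(key) == "synack":
                state[key] = "established"
                probes.append((t, src, dport, "full"))
            elif flags == "R" and state.get(key) == "synack":
                state[key] = "reset"
                probes.append((t, src, dport, "half_open"))
            elif "F" in flags and key not in state:
                probes.append((t, src, dport, "fin"))
        elif src == host:                     # outbound reply from the host
            key = (dst, dport, sport)
            if flags == "SA" and state.get(key) == "syn":
                state[key] = "synack"
            elif flags == "R" and state.get(key) == "syn":
                state[key] = "refused"
                probes.append((t, dst, sport, "refused"))
    return probes


def detect_scans(segments, host, window=10.0, min_ports=3):
    """Report clients that touched at least `min_ports` distinct server ports
    within `window` seconds, with a breakdown of the probe kinds seen."""
    per_client = defaultdict(list)
    for t, client, port, kind in classify_probes(segments, host):
        per_client[client].append((t, port, kind))
    alerts = {}
    for client, events in per_client.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            ports = {p for _, p, _ in in_window}
            if len(ports) >= min_ports:
                kinds = defaultdict(int)
                for _, _, k in in_window:
                    kinds[k] += 1
                alerts[client] = {"ports": sorted(ports), "kinds": dict(kinds)}
                break
    return alerts


if __name__ == "__main__":
    for client, info in detect_scans(SAMPLE_SEGMENTS, "10.0.0.5").items():
        print(client, info)
```

The legitimate client touches one port and is never reported; each scanner is reported with the mix of probe kinds that distinguishes the technique. In production the same state machine would be fed from a capture library and the window and threshold tuned to the host's normal traffic.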
- IP fragment scan
- This is not a new method but a variation on the others. Instead of sending the TCP probe packet directly, it splits the packet into two or more small IP fragments, spreading the TCP header across several packets so that a filter has difficulty recognising it. Be careful, though: some programs have trouble handling these small packets.
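To see why a filter that inspects only the first fragment can miss a probe, here is an added Python example (not from the original article) that builds a 20-byte TCP SYN header, splits it into 8-byte IP-style fragments as the text describes, and contrasts a naive first-fragment check with a reassembler that waits for the whole header before reading the flags. The header builder and the (ident, offset, more, data) fragment tuple are simplified stand-ins for real IP and TCP packet handling.

```python
import struct


def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header with no options. `flags` is the
    6-bit flags field, e.g. 0x02 for SYN."""
    data_offset = 5 << 12                  # header length: 5 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset | flags, 8192, 0, 0)


def fragment(payload, ident, size):
    """Split `payload` into IP-style fragments of `size` bytes. `size` must be
    a multiple of 8 because IP fragment offsets are in 8-byte units. Returns
    (ident, offset_in_bytes, more_fragments, data) tuples. With size=8 the TCP
    flags byte (offset 13) lands in the second fragment, which is the trick
    the text describes."""
    assert size % 8 == 0
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        more = off + size < len(payload)
        frags.append((ident, off, more, chunk))
    return frags


def flags_from_first_fragment(frag):
    """What a filter that looks only at the first fragment can see. Returns
    None when the flags byte is not inside this fragment."""
    ident, off, more, data = frag
    if off == 0 and len(data) > 13:
        return data[13] & 0x3F
    return None


class Reassembler:
    """Collects fragments per IP identification and returns the complete
    datagram once every byte up to the last fragment has arrived. Overlapping
    fragments are not handled here; a real stack must resolve those too."""

    def __init__(self):
        self.pending = {}   # ident -> {offset: data}
        self.total = {}     # ident -> total length, known once more=False is seen

    def add(self, frag):
        ident, off, more, data = frag
        self.pending.setdefault(ident, {})[off] = data
        if not more:
            self.total[ident] = off + len(data)
        if ident not in self.total:
            return None
        parts = self.pending[ident]
        buf = b""
        while len(buf) < self.total[ident]:
            if len(buf) not in parts:
                return None                 # gap: keep waiting
            buf += parts[len(buf)]
        del self.pending[ident]
        del self.total[ident]
        return buf


def inspect_flags(frags):
    """Defensive check: reassemble first, then read the TCP flags."""
    reassembler = Reassembler()
    for frag in frags:
        full = reassembler.add(frag)
        if full is not None:
            return struct.unpack("!H", full[12:14])[0] & 0x3F
    return None


if __name__ == "__main__":
    syn = tcp_header(40000, 80, 0x02)
    tiny = fragment(syn, 1234, 8)
    print("first-fragment view:", flags_from_first_fragment(tiny[0]))
    print("after reassembly:", hex(inspect_flags(tiny)))
```

With 8-byte fragments the first-fragment check returns None, so a filter that works that way cannot tell a SYN from anything else; the reassembler recovers the flags regardless of the order in which the fragments arrive.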
- TCP reverse ident scan
- The ident protocol (RFC 1413) allows you to see the username of the owner of any process connected over TCP, even if that process did not initiate the connection. So you can, for example, connect to the HTTP port and use identd to find out whether the server runs as root. This method only works after a full TCP connection has been established with the target port.
- FTP bounce attack
- An interesting feature of the FTP protocol is its support for proxy FTP connections: an intruder can connect from their own computer to the target server's FTP server-PI (protocol interpreter) to establish a control connection, then ask that server-PI to start a server-DTP (data transfer process) that sends files to any host on the Internet. For a user-DTP this is only a guess, although the RFC explicitly states that one server may be asked to send a file to another. Hitting many servers, filling up disks, trying to cross firewalls.
- We use this for scanning TCP ports via a proxy FTP server. In this way you can connect to an FTP server behind a firewall and scan ports that would otherwise be blocked. If the FTP server allows reading and writing data in a directory, you can send arbitrary data to the open ports it finds. [3]
- For port scanning, this technique uses the PORT command to claim that a passive user-DTP is listening on a port of the target computer. The intruder then tries to list the current directory with the LIST command, and the result is sent via the server-DTP. If the target host is listening on that port, the transfer succeeds (a 150 or 226 reply is generated); otherwise "425 Can't build data connection: Connection refused." appears. Then another PORT command is used to try the next port on the target. The advantages of this method are obvious: it is hard to trace and it passes through firewalls. The main disadvantage is that it is very slow, and some FTP servers eventually notice and disable the proxy function.
- Banners of servers on which this approach can succeed:
- 220 xxxx. FTP server (Version wu-2.4 Wed Dec 14 ...) ready.
- 220 xxx.xxx. FTP server ready.
- 220 xx.Telcom. FTP server (Version wu-2.4 Tue Jun 11 ...) ready.
- 220 lem FTP server (SunOS 4.1) ready.
- 220 xxx. FTP server (Version wu-2.4 Sat Apr 27 ...) ready.
- 220 elios FTP server (SunOS 4.1) ready
- Banners of servers on which this method cannot succeed:
- 220 wcarchive. FTP server (Version DG-2.0.39 Sun May 4 ...) ready.
- 220 xxx.xx.xx. Version wu-2.4.2-academ [BETA-12] Fri Feb 7
- 220 ftp Microsoft FTP Service (Version 3.0).
- 220 xxx FTP server (Version wu-2.4.2-academ [BETA-11] Tue Sep 3 ...) ready.
- 220 xxx.FTP server (Version wu-2.4.2-academ [BETA-13] ...) ready.
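The usual server-side defence against the FTP bounce scan described above is to refuse PORT commands that name a data-connection target other than the client's own address, or that name a privileged port. The following Python is an added example, not code from any FTP server or from the original article; it parses the h1,h2,h3,h4,p1,p2 argument of PORT (RFC 959) and applies that policy, returning an illustrative reply line. The reply texts are assumed; only the 200/500/501 codes follow RFC 959.

```python
import ipaddress


class PortCommandError(ValueError):
    """Raised when a PORT argument is malformed."""


def parse_port_argument(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port). The port is
    p1*256 + p2, as RFC 959 specifies."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise PortCommandError("PORT needs six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise PortCommandError("PORT fields must be integers")
    if any(n < 0 or n > 255 for n in nums):
        raise PortCommandError("PORT fields must be in the range 0-255")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_port_command(arg, control_peer, allow_foreign=False, min_port=1024):
    """Server-side policy against FTP bounce: the data connection target must
    be the host that owns the control connection (unless the operator has
    deliberately enabled proxy transfers) and must not be a privileged port.
    `control_peer` is the client's address on the control connection.
    Returns the reply the server should send (wording assumed)."""
    try:
        ip, port = parse_port_argument(arg)
    except PortCommandError as exc:
        return f"501 Syntax error in parameters: {exc}"
    if port < min_port:
        return "500 Illegal PORT command: privileged port"
    if not allow_foreign and ip != ipaddress.IPv4Address(control_peer):
        return "500 Illegal PORT command: address does not match control connection"
    return "200 PORT command successful"


if __name__ == "__main__":
    # Constructed session: the client at 192.0.2.10 first asks for a data
    # connection back to itself, then tries to point it at 10.0.0.5 port 22.
    print(check_port_command("192,0,2,10,195,80", "192.0.2.10"))
    print(check_port_command("10,0,0,5,0,22", "192.0.2.10"))
```

A bounce scan of the kind described above relies on the second form being accepted; with this check in place every probe is refused before any data connection is attempted, and the refusals themselves are a useful log signal.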
UDP ICMP port unreachable scan
- This method differs from the above in that it uses UDP. Because the protocol is so simple, scanning becomes relatively difficult: an open port sends no acknowledgement to the probe, and a closed port need not send an error packet. Fortunately, many hosts return an ICMP_PORT_UNREACH error when you send a packet to an unopened UDP port, so you can at least learn which ports are closed. Since neither UDP packets nor ICMP errors are guaranteed to arrive, the scanner must also retransmit probes that appear to have been lost. This scan is slow because the RFC limits the rate at which ICMP error messages may be generated, and again it requires root privileges.
UDP recvfrom() and write() scan
- Although non-root users cannot read the port-unreachable error directly, Linux can notify them of it indirectly. For example, a second write() call to a closed port fails. When recvfrom() is called on a non-blocking UDP socket, it returns EAGAIN ("try again") if the ICMP error has not yet arrived, and ECONNREFUSED ("connection refused") once it has. This is the technique used to see whether a port is open.
- ICMP echo (ping): this is not really a scan, but ping is sometimes very useful for determining whether the hosts on a network are up. [3]
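The retransmission requirement in the two UDP sections above is easy to get wrong: a single probe that times out proves nothing, because either the probe or the ICMP error may have been lost. This added Python example (not code from the original article) implements the retry-and-classify loop over a callback that models one send()/recvfrom() round on a connected, non-blocking UDP socket, returning EAGAIN, ECONNREFUSED or reply bytes exactly as the text describes. The host it probes is a constructed simulator, so the example runs offline; the port numbers and behaviours are assumptions chosen for illustration.

```python
import errno

OPEN, CLOSED, OPEN_OR_FILTERED = "open", "closed", "open|filtered"


def udp_probe_state(port, probe, retries=3):
    """Classify one UDP port from the results of probe(port), which stands in
    for a send()/recvfrom() round on a non-blocking UDP socket and returns
    errno.ECONNREFUSED (an ICMP port-unreachable arrived), errno.EAGAIN
    (nothing arrived before the timeout) or bytes (the service answered).
    Because the ICMP error can be lost, EAGAIN alone proves nothing, so the
    probe is repeated up to `retries` times before the port is reported as
    open|filtered. Returns (state, number_of_probes_sent)."""
    for attempt in range(retries + 1):
        result = probe(port)
        if result == errno.ECONNREFUSED:
            return CLOSED, attempt + 1
        if isinstance(result, bytes):
            return OPEN, attempt + 1
        if result != errno.EAGAIN:
            raise ValueError(f"unexpected probe result {result!r}")
    return OPEN_OR_FILTERED, retries + 1


def udp_scan(ports, probe, retries=3):
    """Map each port to its classification."""
    return {p: udp_probe_state(p, probe, retries)[0] for p in ports}


def make_fake_host():
    """Constructed simulator standing in for a remote host (hypothetical
    behaviour): port 53 answers, port 69 is closed but its first ICMP error is
    'lost', port 123 never answers. Returns the probe callback and a dict
    counting how many probes each port received."""
    calls = {}

    def probe(port):
        calls[port] = calls.get(port, 0) + 1
        if port == 53:
            return b"\x00\x00\x81\x80"          # a reply: the port is open
        if port == 69:
            return errno.EAGAIN if calls[port] == 1 else errno.ECONNREFUSED
        return errno.EAGAIN                      # silence every time
    return probe, calls


if __name__ == "__main__":
    probe, calls = make_fake_host()
    print(udp_scan([53, 69, 123], probe))
    print("probes sent per port:", calls)
```

Port 69 is only recognised as closed on the second probe, which is the case a scanner without retransmission misreports as open|filtered. From the target's side, the same exchange is visible as a burst of ICMP port-unreachable messages leaving the host, which is a reasonable signal for a UDP scan detector to count.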