
ASSIGNMENT-1

NETWORK SECURITY

ON
PORT SCANNING

SUBMITTED BY:
KAVEESH NAYAK
ROLL. NO. 11401049
M.TECH (COMPUTER ENGG.)

UNIVERSITY COLLEGE OF ENGINEERING


PUNJABI UNIVERSITY, PATIALA
PUNJAB

PORT SCANNING
1. INTRODUCTION
Port scanning is the art of scanning the target system to obtain a list of open ports that are
listening for connections. In other words, port scanning is carried out to determine a list
of open ports on the remote host that have certain services or daemons running. In port
scanning, the attacker connects to various UDP and TCP ports and tries to determine
which ports are in listening mode. This technique of information gathering is crucial for
an attacker because it helps determine the list of open ports on the target system, the
services running on them, and any vulnerability that might exist. In certain cases, port
scanning can also be used to determine the operating system running on the target
system.

Fig. 1 Port scanning process

Port scanning is among the most common information gathering techniques used by
attackers. Indeed, the first step in an attacker's quest to break into a remote system will
almost always be to conduct a port scan on the target system and obtain a list of open
ports and the services running on them.
Port Scanner: A port scanner is a software application designed to probe a server or host
for open ports. It is often used by administrators to verify the security policies of their
networks, and by attackers to identify the services running on a host with a view to
compromising it.
Portsweep: A portsweep scans multiple hosts for a specific listening port.

2. WHAT ARE PORTS?

There are two types of ports. The first are hardware ports, such as COM1, COM2 and the
parallel port: the sockets on the back of the system's cabinet into which hardware is
plugged. Here, however, we are concerned with the other type of port, the software port.
These are the virtual ports that the system uses to pipe information in and out.
Every open software port has a service or daemon running on it. "Service" or "daemon" is
the term used for the software running on such a port, which provides a certain service
to the users who connect to it. For example, port 25 is always open on a server handling
mail, as it is the port on which the sendmail service runs by default.

Fig. 2 Some common ports

3. TCP/IP BASIC KNOWLEDGE

The design and operation of the Internet is based on the Internet Protocol Suite,
commonly called TCP/IP. In this system, hosts and host services are referenced
using two components: an address and a port number. There are 65536 distinct and
usable port numbers. Most services use a limited range of numbers.
Some port scanners scan only the most common port numbers, or the ports most commonly
associated with vulnerable services, on a given host.
The result of a scan on a port is usually generalized into one of three categories:
1. Open or Accepted: The host sent a reply indicating that a service is listening on the port.
2. Closed or Denied or Not Listening: The host sent a reply indicating that connections to the port will be denied.
3. Filtered, Dropped or Blocked: There was no reply from the host.
Open ports present two vulnerabilities of which administrators must be wary:
1. Security and stability concerns associated with the program responsible for delivering the service (open ports).
2. Security and stability concerns associated with the operating system that is running on the host (open or closed ports).
Filtered ports do not tend to present vulnerabilities.

4. CHECK LISTENING PORTS ON WINDOWS

Listening ports can be checked on Windows by entering the following command in cmd:
netstat -an | find /i "listening"
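As an added example (not part of the assignment), the Python below parses the output of that netstat command, selecting the same rows the find filter does, and compares the listening ports against an administrator's allow-list; the sample output and the function names are constructed for the example.

```python
import re

# Constructed sample of `netstat -an` output on Windows, header lines included.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     52.96.0.1:443          ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

# One netstat row: protocol, local address, foreign address, optional state column.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\w+))?\s*$")


def listening_ports(netstat_output: str):
    """Return sorted (port, local address) pairs for TCP sockets in LISTENING
    state, i.e. the rows the `find /i "listening"` filter above selects."""
    found = set()
    for line in netstat_output.splitlines():
        m = ROW.match(line)
        if not m or m.group(4) != "LISTENING":
            continue                                 # header, UDP or non-listening row
        addr, port = m.group(2).rsplit(":", 1)       # rsplit keeps "[::]" intact
        found.add((int(port), addr))
    return sorted(found)


def unexpected_listeners(netstat_output: str, allowed_ports):
    """Listening ports absent from the allow-list: services the administrator
    must account for, since a scan of the host will report them as open."""
    return [(p, a) for p, a in listening_ports(netstat_output)
            if p not in allowed_ports]
```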

5. TCP PORT SCANNING

The traditional example of a port scan technique is the manual port scan. In this
technique, the attacker uses the telnet application to manually connect to every
TCP port on the target system and notes down all the information returned. Manual port
scans require a full three-way handshake to take place between the attacker and the target
system. All TCP/IP connections are initiated with a three-way handshake. A typical
TCP/IP handshake has the following steps:
1. The client sends a SYN packet to the server.
2. The server replies with a SYN packet and acknowledges the client's SYN packet by sending an ACK packet.
3. The client acknowledges the SYN sent by the server.
This three-way handshake must take place each time a TCP/IP connection is established
on the Internet. Not surprisingly, manual port scanning using telnet is not the easiest way
to get a list of open ports on a remote system. For one thing, no one wants to telnet to
thousands of remote ports. Besides, thanks to the full three-way TCP handshake that
occurs, manual port scans are easily detected and logged by the remote system. For this
reason, a number of other port scanning techniques have been developed:
1. TCP connect scan
2. TCP stealth scan
3. XMAS scan
4. FIN scan
5. NULL scan
6. TCP ACK scan
7. TCP window scan
8. UDP scan

5.1 TCP connect scan: A TCP connect scan completes the three-way handshake between the client and the
server. If the three-way handshake takes place, then communication has been established.

A client trying to connect to a server on port 80 initiates the connection by sending a
TCP packet with the SYN flag set and the port to which it wants to connect (in this case
port 80). If the port is open on the server and is accepting connections, it responds with a
TCP packet with the SYN and ACK flags set. The connection is established by the client
sending a packet with the ACK and RST flags in the final step of the handshake. If this three-way
handshake is completed, then the port on the server is open.

The client sends the first handshake packet with the SYN flag set and the port to connect to on the server.
If the server responds with an RST instead of a SYN-ACK, then that
particular port is closed on the server.

5.2 TCP stealth scan:

This technique is similar to the TCP connect scan. The client sends a TCP packet with the
SYN flag set and the port number to connect to. If the port is open, the server responds
with the SYN and ACK flags inside a TCP packet. But this time the client sends a RST
flag in a TCP packet and not RST+ACK, which was the case in the TCP connect scan.
This technique is used to avoid port scanning detection by firewalls.

The closed port check is the same as that of the TCP connect scan. The server responds with an
RST flag set inside a TCP packet to indicate that the port is closed on the server.
5.3 XMAS scan:

In the XMAS scan, a TCP packet with the PSH, FIN, and URG flags set, along with the
port to connect to, is sent to the server. If the port is open, then there will be no response
from the server.

If the server responds with the RST flag set inside a TCP packet, the port is closed on the
server.

If the server responds with an ICMP packet with an ICMP unreachable error type 3 and
ICMP code 1, 2, 3, 9, 10, or 13, then the port is filtered, and it cannot be inferred from the
response whether the port is open or closed.

5.4 FIN scan:

The FIN scan utilizes the FIN flag inside the TCP packet, along with the port number to
connect to on the server. If there is no response from the server, then the port is open.

If the server responds with an RST flag set in the TCP packet for the FIN scan request
packet, then the port is closed on the server.

An ICMP packet with ICMP type 3 and code 1, 2, 3, 9, 10, or 13 in response to the FIN
scan packet from the client means that the port is filtered and the port state cannot be
found.
5.5 NULL scan:

In a NULL scan, no flag is set inside the TCP packet. The TCP packet is sent along with
the port number only to the server. If the server sends no response to the NULL scan
packet, then that particular port is open.

If the server responds with the RST flag set in a TCP packet, then the port is closed on
the server.

An ICMP error of type 3 and code 1, 2, 3, 9, 10, or 13 means the port is filtered on the
server.
5.6 TCP ACK scan: The TCP ACK scan is not used to find the open or closed state of a
port; rather, it is used to find out whether a stateful firewall is present on the server or not. It only
tells whether the port is filtered or not. This scan type cannot find the open/closed state of the
port.

A TCP packet with the ACK flag set and the port number to connect to is sent to the
server. If the server responds with the RST flag set inside a TCP packet, then the port is
unfiltered and a stateful firewall is absent.

If the server doesn't respond to the TCP ACK scan packet, or if it responds with an ICMP
error of type 3 and code 1, 2, 3, 9, 10, or 13, then the port is filtered and a
stateful firewall is present.
5.7 TCP window scan: A TCP window scan uses the same technique as the TCP ACK
scan. It also sends a TCP packet with the ACK flag set and the port number to connect to.
But this scan type can be used to find the state of the port on the server. In a TCP ACK
scan, an RST indicates an unfiltered state. But in a TCP window scan, when an RST is
received from the server, the scanner then checks the value of the window size. If the value of the
window size is positive, then the port is open on the server.

If the window size in the TCP packet with the RST flag set is zero, then the port is
closed on the server.

5.8 UDP scan: TCP is a connection-oriented protocol and UDP is a connection-less
protocol.

A connection-oriented protocol is a protocol in which a communication channel should
be available between the client and server, and only then is a further packet transfer made.
If there is no communication channel between the client and the server, then no further
communication takes place.
A connection-less protocol is a protocol in which a packet transfer takes place without
checking whether a communication channel is available between the client and the server.
The data is just sent on to the destination, assuming that the destination is available.

The client sends a UDP packet with the port number to connect to. If the server responds
to the client with a UDP packet, then that particular port is open on the server.

If the client sends a UDP packet with the port number it wants to connect to, but the server
responds with an ICMP port unreachable error of type 3 and code 3, the port is
closed on the server.

If the server responds to the client with an ICMP error of type 3 and code 1, 2, 9, 10, or 13,
then that port on the server is filtered.

If the server sends no response to the client's UDP request packet for that port, it can be
concluded that the port on the server is either open or filtered. No final state of the port
can be decided.
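The rules in sections 5.1 to 5.8 amount to a reply-to-state table, and the Python below is an added example (not from the assignment or from any scanner's code) that encodes them: the ICMP type 3 codes, the RST window-size test and the UDP ambiguity are handled as the text describes. The scan names, the Reply record and the state labels are constructed here; for the FIN, XMAS and NULL scans the block labels silence "open|filtered" rather than "open", because section 3 makes silence the signature of a filtered port as well.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# ICMP type 3 codes the text treats as "filtered" (sections 5.3 to 5.6 and 5.8).
FILTERED_CODES = {1, 2, 3, 9, 10, 13}

@dataclass
class Reply:
    """Constructed record of what came back for one probe; defaults mean 'no such reply'."""
    tcp_flags: str = ""                      # reply TCP flags as letters, e.g. "SA", "R", "RA"
    window: int = 0                          # TCP window size carried by the reply
    icmp: Optional[Tuple[int, int]] = None   # (type, code) of an ICMP error, if any
    udp_reply: bool = False                  # a UDP datagram came back

def classify(scan: str, r: Reply) -> str:
    """Map a probe's reply to a port state, following sections 5.1 to 5.8."""
    rst = "R" in r.tcp_flags
    icmp3 = r.icmp is not None and r.icmp[0] == 3
    silent = not r.tcp_flags and r.icmp is None and not r.udp_reply

    if scan in ("connect", "syn"):          # 5.1, 5.2
        if r.tcp_flags == "SA":
            return "open"
        return "closed" if rst else "filtered"   # section 3: no reply means filtered
    if scan in ("xmas", "fin", "null"):     # 5.3, 5.4, 5.5
        if rst:
            return "closed"
        if icmp3 and r.icmp[1] in FILTERED_CODES:
            return "filtered"
        # The text reads silence as "open"; a firewall that drops the probe
        # (section 3) is silent too, so the label is widened to open|filtered.
        return "open|filtered" if silent else "filtered"
    if scan == "ack":                       # 5.6: RST means unfiltered, anything else filtered
        return "unfiltered" if rst else "filtered"
    if scan == "window":                    # 5.7: the RST's window size decides
        if not rst:
            return "filtered"               # same reading as the ACK scan
        return "open" if r.window > 0 else "closed"
    if scan == "udp":                       # 5.8
        if r.udp_reply:
            return "open"
        if icmp3 and r.icmp[1] == 3:        # port unreachable: closed
            return "closed"
        if icmp3 and r.icmp[1] in FILTERED_CODES:
            return "filtered"
        return "open|filtered"              # silence cannot be resolved for UDP
    raise ValueError(f"unknown scan type: {scan}")
```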


6. PORT SCANNER TOOLS

Some common port scanner tools are:
1. nmap: Runs on Linux as well as Windows (link: www.nmap.org)
2. strobe: Runs on UNIX platforms (link: http://packetstormsecurity.org/UNIX/utilities/strobe-1.04.tgz)
3. Netcat: UNIX-based scanner
4. SuperScan: One of the best port scanners available for Windows.
5. ipEye: Runs on Windows.

7. TOOLS TO COUNTER PORT SCANNING

Some common tools for countering port scanning are:
1. Scanlogd
2. BlackIce
3. Abacus PortSentry
4. NukeNabber
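Detectors of this kind generally look for the pattern the scans in section 5 leave behind: one source probing many ports of a host within a short time, or probes carrying flag combinations (XMAS, FIN, NULL) that no real connection attempt uses. As an added example, not the code of the assignment or of any tool listed above, the Python below runs that logic over constructed connection-log lines; the log format, the thresholds and the function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log: "<epoch seconds> <src ip> <dst ip>:<dst port> <tcp flags>"
SAMPLE_LOG = """\
1000 10.0.0.5 192.168.1.10:22 S
1000 10.0.0.5 192.168.1.10:23 S
1001 10.0.0.5 192.168.1.10:25 S
1001 10.0.0.5 192.168.1.10:80 S
1002 10.0.0.5 192.168.1.10:110 S
1002 10.0.0.5 192.168.1.10:143 S
1003 10.0.0.5 192.168.1.10:443 S
1003 10.0.0.5 192.168.1.10:3389 S
1001 10.0.0.9 192.168.1.10:443 S
1004 10.0.0.9 192.168.1.10:443 A
1005 10.0.0.7 192.168.1.10:139 FPU
1005 10.0.0.7 192.168.1.10:445 FPU
"""

# Flag combinations no legitimate connection setup uses (sections 5.3 to 5.5).
ODD_FLAG_SETS = {"FPU": "xmas", "F": "fin", "": "null"}

def parse(log: str):
    """Yield (timestamp, src, dst_port, flags); a missing flags field means NULL."""
    for line in log.splitlines():
        ts, src, dst, *flags = line.split()
        port = int(dst.rsplit(":", 1)[1])
        yield int(ts), src, port, (flags[0] if flags else "")

def detect_scans(log: str, port_threshold: int = 6, window: int = 10):
    """Return {src: [reasons]} for sources that probe at least `port_threshold`
    distinct ports within `window` seconds, or that send malformed-flag probes."""
    probes = defaultdict(list)            # src -> [(ts, port)]
    findings = defaultdict(set)
    for ts, src, port, flags in parse(log):
        probes[src].append((ts, port))
        if flags in ODD_FLAG_SETS:
            findings[src].add(f"{ODD_FLAG_SETS[flags]}-scan probe on port {port}")
    for src, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):    # sliding window starting at each probe
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= port_threshold:
                findings[src].add(f"{len(ports)} distinct ports within {window}s")
                break
    return {src: sorted(r) for src, r in findings.items()}
```

The legitimate client 10.0.0.9, which retries a single port, produces no finding; counting distinct hosts per (source, port) instead would turn the same loop into a portsweep detector.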
