Insight

Dive Into Port Scan Technique in Cybersecurity

Dive Into Port Scan Technique in Cybersecurity

Friday, 08 December 2023

Ports are an essential part of the Internet's communication model. When harmful services are added to a system through malware or social engineering, or when legitimate services are exploited through security vulnerabilities, open ports become dangerous as hackers can obtain unauthorized access to confidential information through them.


To prevent it, security experts do port scans as part of the company's cybersecurity. What's a port scan anyway?


Check out our Data Science training programs like Certified Network Defender (CND), Certified Secure Computer User (CSCU), EC-Council Certified Incident Handler (ECIH), and many more!


Port Scan Defined


Port scan can be defined as a process of scanning a device's port to provide information whether it is open, closed, or filtered. Its primary purpose is to determine whether a port is transmitting or receiving data so that any potential vulnerability can be identified. Port scan can be very beneficial for the organization in order to strengthen its cybersecurity and prevent any network attacks that can be harmful for the organization.


Port scan provides information such as:

  • Services that are running
  • Users who own services
  • Whether anonymous logins are allowed
  • Which network services require authentication


In general, this is how port scan work to find out potential vulnerabilities in the ports:

  1. The scanner operator selects IP address(es) to scan.
  2. The scanner sends crafted packets to each port number on the target IPs.
  3. The scanner analyzes the response from each port.
  4. The scanner records the results.
  5. The scanner identifies the running services and assesses their vulnerabilities.


4 Types of Port Scan Techniques


Here are 4 types of port scanning techniques you should know!


1. SYN Scan

A SYN scan, or TCP SYN scan, is a port scanning technique that involves sending TCP SYN packets to the target ports to determine if they are open or closed. The scanner sends a TCP SYN packet to the target port. If the port is open, the target responds with a SYN-ACK packet, indicating that the port is open. If the port is closed, the target responds with a RST packet.


2. XMAS and FIN Scan

XMAS and FIN scans are types of port scans where the scanner sends packets with specific flags set to probe target ports. In an XMAS scan, the scanner sends packets with the FIN, URG, and PSH flags set. In a FIN scan, the scanner sends packets with only the FIN flag set. The responses from the target help determine if the ports are open or closed.


3. Sweep Scan

A sweep scan involves scanning a range of IP addresses to identify live hosts within that range. The scanner sends probes to multiple IP addresses within a specified range, typically using ICMP Echo Requests (ping) or other methods. The goal is to identify which hosts are alive and potentially vulnerable to further scanning.


4. User Datagram Protocol (UDP) Scan

Unlike TCP, UDP (User Datagram Protocol) is connectionless, so port scanning is more challenging. In this scan, the scanner sends UDP packets to the target ports. If the port is open, there might be no response, but if it's closed, the target often responds with an ICMP (Internet Control Message Protocol) unreachable message. The scanner sends UDP packets to target ports and analyzes responses.


3 Port Scanning Results


The three common results of port scanning are "Open," "Closed," and "Filtered".


1. Open

An "Open" port means that the scanned port on the target system is actively accepting and responding to communication requests. It indicates that there is a service or application running on that port, and it is ready to receive data. Open ports can be vulnerabilities if they are not properly secured.


2. Closed

A "Closed" port indicates that there is no active service or application listening on the scanned port. The system received the scan request but replied with a message indicating that there is no service available on that port. Closed ports are generally considered more secure than open ports since there is no active service to exploit.


3. Filtered

A "Filtered" port means that the port scanning tool did not receive a response from the target system. This lack of response could be due to various reasons, such as firewalls, network filtering, or other security measures that prevent the scanner from reaching the target port. Filtered ports can be indicative of a well-protected system.


To Sum Up...


Port scan can provide a wealth of information about a system in an organization. Though it's usually used for malicious purposes, port scan is proved to be helpful for security assessments like vulnerability discovery and identifying potential threats which ultimately will give additional competitive advantages for the organization!





References


Fortinet. (n.d.) What is a port scan? How to prevent port scan attacks? https://www.fortinet.com/resources/cyberglossary/what-is-port-scan


Küçükkarakurt, F. (2023). What is port scanning and how does it work? MUO. https://www.makeuseof.com/what-is-port-scanning/


Palo Alto Network.s (n.d.) What is a Port Scan? https://www.paloaltonetworks.com/cyberpedia/what-is-a-port-scan