Port scanning is very popular among cybercriminals. It is often their first reconnaissance step: it reveals services they can exploit and systems they can break into on their way to stealing or destroying sensitive data. Two recent major breaches illustrate just how useful port scanning is to threat actors:
- Cyber attackers breached more than 50,000 servers belonging to companies in the healthcare, telecommunications, media, and IT sectors. The machines were compromised as part of a campaign targeting Windows Microsoft SQL Server and phpMyAdmin servers, and the attackers used a port scanner to find MS-SQL servers by sweeping IP addresses and checking whether the typical MS-SQL ports were open.
- A cyberattack campaign targeted millions of Linux email servers with a crypto-mining malware payload whose exploits were pushed out from a command-and-control server. The highly pervasive campaign installed cron jobs for persistence and downloaded several payloads for the different stages of the attack. One of those payloads was a port scanner written in Python. It looked for vulnerable servers on the Internet and infected them with the initial script.
Both stories show why you need to understand the vulnerabilities exposed by the hosts on your network: mapping them is exactly what cybercriminals are doing with port scanning!
Identify Active Hosts First
Running port scans against your own network essentially puts you in the shoes of the cybercriminals. The results give you the information you need to defend against attackers and prevent network breaches.
Before running a port scan, first build a list of all active hosts and map each host to its IP address. This step is called host discovery, and two protocols are primarily used for it:
- The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on a local subnet. You can send ARP requests for every IP address in the subnet and determine which hosts are up from the ones that answer with an ARP reply. Because ARP only works within a LAN, a potential attacker has to be connected to your internal network to use it.
- The Internet Control Message Protocol (ICMP) lets you discover hosts beyond the local LAN. Several message types can be used, including echo, timestamp, and address mask requests. Echo requests (ping) detect whether a host is reachable, timestamp requests measure the latency between two hosts, and address mask requests reveal the subnet mask used on the network.
Discovering hosts with ICMP depends on receiving a reply from the targeted host. If no response comes back, it can mean that there is no host at the target address or that the target does not support that ICMP message type.
No response can also mean the request was blocked by a firewall or packet filter. Firewalls generally block ICMP echo requests that originate outside the network, but timestamp and address mask requests are less likely to be blocked.
Classifying the Status of Your Ports
After completing the network scan and compiling the list of available hosts, you run a port scan by sending packets to specific ports on each host. You then analyze the responses to learn which service is behind each port and to identify vulnerabilities.
Port scanning classifies ports into one of three categories:
- Open: The target host responds with a packet indicating that it is listening on that port. This also confirms that the transport protocol used for the probe (TCP or UDP) is in use on that port.
- Closed: The target host received the request packet but responds with a reply indicating that no service is listening on that port.
- Filtered: The port scan categorizes a port as filtered when a request packet is sent but no reply is received. This typically means the request was filtered out and dropped by a firewall.
Port Scanning Options
TCP and UDP are the most common protocols for port scanning, and there are several methods you can use to perform port scans. For TCP scanning, SYN scans are a favorite of many network administrators.
SYN scans create a half-open connection to the target port by sending a SYN packet and then evaluating the host's response. If the packet is not filtered or blocked by a firewall, the host replies with a SYN/ACK packet if the port is open, or with an RST packet if the port is closed.
Another TCP scanning method is the connect scan. Here the scanner tries to connect to a port on the target host through the operating system's TCP connect call, completing the full three-way handshake. This generates more packets and is easier to detect, which makes it a less commonly used method among cybercriminals.
Other TCP scan types are NULL, FIN, and Xmas scans. These scans manipulate the flags in the TCP header. The specific attributes to be aware of are:
- NULL scans send packets with no flags set in the header.
- FIN scans send packets with only the FIN bit set.
- Xmas scan packets have the FIN, PSH, and URG bits turned on (lit up like a Christmas tree, hence the name!).
UDP scans, like TCP scans, send packets to various ports on the target hosts and evaluate the response packets to determine which services are available. As with TCP scans, receiving a response packet indicates that the port is open.
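The following is an added example, not code from the original post: it applies the open/closed/filtered rules and the SYN, NULL, FIN, Xmas and UDP probe definitions above to constructed probe/reply records, both to recover what a scanner would learn about each port and to flag the sources that behave like scanners. It goes slightly beyond the text in one place: when a NULL, FIN, Xmas or UDP probe gets no reply, an open port would also have stayed silent, so the result is recorded as ambiguous ("open|filtered", the convention Nmap uses) rather than as filtered.

```python
from collections import defaultdict
# Constructed sample records, not captured traffic. Each entry is one probe
# and its answer: (source, proto, dst port, TCP flags sent, reply), where
# reply is the answering TCP flags, "ICMP-UNREACH", or None for no reply.
PROBES = [
    ("203.0.113.7", "tcp", 22, {"SYN"}, {"SYN", "ACK"}),
    ("203.0.113.7", "tcp", 443, {"SYN"}, None),
    ("203.0.113.7", "tcp", 1433, {"SYN"}, {"SYN", "ACK"}),
    ("198.51.100.9", "tcp", 22, set(), None),                  # NULL probe
    ("198.51.100.9", "tcp", 25, {"FIN"}, {"RST"}),             # FIN probe
    ("198.51.100.9", "tcp", 80, {"FIN", "PSH", "URG"}, None),  # Xmas probe
    ("198.51.100.9", "udp", 53, set(), {"UDP"}),
    ("198.51.100.9", "udp", 161, set(), "ICMP-UNREACH"),
    ("192.0.2.5", "tcp", 443, {"SYN"}, {"SYN", "ACK"}),        # ordinary client
]

SCAN_TYPES = {frozenset(): "NULL", frozenset({"FIN"}): "FIN",
              frozenset({"FIN", "PSH", "URG"}): "Xmas", frozenset({"SYN"}): "SYN"}

def scan_type(proto, flags):
    """Name the probe by its TCP flag combination; UDP probes carry none."""
    return "UDP" if proto == "udp" else SCAN_TYPES.get(frozenset(flags), "other")

def port_state(proto, flags, reply):
    """What one probe/reply pair tells the scanner about the port."""
    if reply == "ICMP-UNREACH":  # port unreachable for UDP, filtered for TCP
        return "closed" if proto == "udp" else "filtered"
    if reply is None:
        # A dropped SYN means filtered; NULL/FIN/Xmas and UDP probes also get silence from open ports
        return "filtered" if flags == {"SYN"} else "open|filtered"
    if proto == "udp":
        return "open"
    if "RST" in reply:
        return "closed"
    return "open" if {"SYN", "ACK"} <= reply else "unexpected"

def summarize(probes):
    """Per source: scan types seen and the state learned for each port."""
    out = defaultdict(lambda: {"types": set(), "ports": {}})
    for src, proto, port, flags, reply in probes:
        out[src]["types"].add(scan_type(proto, flags))
        out[src]["ports"][(proto, port)] = port_state(proto, flags, reply)
    return dict(out)

def likely_scanners(probes, min_ports=3):
    """Flag sources touching many ports or sending flag combinations no normal client uses."""
    return sorted(src for src, s in summarize(probes).items()
                  if len(s["ports"]) >= min_ports
                  or s["types"] & {"NULL", "FIN", "Xmas"})
```

The per-port threshold in `likely_scanners` is deliberately low for the sample; on real traffic it should be tuned per time window, since a slow scan spread over hours will stay under any single-burst count.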
A Free Tool to Streamline Port Scanning
Your network intrusion detection systems and firewalls can detect many malicious network scans, but keep in mind that cybercriminals keep revising their tactics and can evade common detection rules by changing the frequency of their scans. They may also probe ports out of order or spoof their source address.
It is therefore still important to run port scans regularly to protect yourself against malicious scans by cybercriminals. To make sure there are no holes to exploit, scan your own networks for vulnerabilities before the bad guys find them!