Finding Potential Targets by Scanning
What is PORT?
When a device connects to another device over a network, it specifies a TCP or UDP port
number from 0 to 65535. Some ports are used more frequently, however. TCP ports 0 through
1023 are “well-known ports” that provide system services. For example, port 20 is FTP file
transfers, port 22 is Secure Shell (SSH) terminal connections, port 80 is standard HTTP web
traffic, and port 443 is encrypted HTTPS. So, when you connect to a secure website, your web
browser is talking to the web server that’s listening on port 443 of that server.
Services don’t always have to run on these specific ports. For example, you could run an HTTPS
web server on port 32342 or a Secure Shell server on port 65001, if you liked. These are just the
What is a Port Scan?
A port scan is the process of checking all the ports on an IP address to see if they are open or
closed. The port-scanning software would check port 0, port 1, port 2, and all the way through
to port 65535. It does this by simply sending a request to each port and asking for a response.
In its simplest form, the port-scanning software asks about each port, one at a time. The
remote system will respond and say whether a port is open or closed. The person running the
port scan would then know which ports are open.
Any network firewalls in the way may block or otherwise drop traffic, so a port scan is also a
method of finding which ports are reachable, or exposed to the network, on that remote
The nmap tool is a common network utility used for port scanning, but there are many other
Attackers can use a port scan to find a weak point to attack and break into a computer system.
However, it is just the first step. Just because you’ve found an open port doesn’t mean you can
attack it. But, once you’ve found an open port running a listening service, you can scan it for
TYPES OF PORTS
Now that the network scan has been completed and a list of available hosts has been compiled,
a port scan can be used to identify the ones in use on specific ports by the available hosts. Port
scanning will typically classify ports into one of three categories:
Open: The target host responds with a packet indicating it is listening on that port. It also shows
that the service that was used for the scan (typically TCP or UDP) is in use as well.
Closed: The target host received the request packet but responds with a reply indicating that
there is no service listening on that port.
Filtered: A port scan will categorize a port as filtered when a request packet is sent but no reply
is received. Usually, this indicates that the request packet has been filtered out and dropped by
TYPES OF SCANS
The basic techniques that port scanning software is capable of include:
Vanilla scan– It is the most basic scan. It attempts to connect to all 65,536 ports one at a time.
A vanilla scan is a full connect scan, meaning it sends a SYN flag (request to connect) and upon
receiving a SYN-ACK (acknowledgement of connection) response, sends back an ACK flag. This
SYN, SYN-ACK, ACK exchange comprises a TCP handshake. Although full connect scans are
accurate, they very easily detected as full connections are always logged by firewalls.
SYN Scan– Also referred to as a half-open scan, it only sends a SYN, and waits for a SYN-ACK
response from the target. If a response is received, the scanner never responds. The system
doesn’t log the interaction since the TCP connection was not completed, but the sender has
learned if the port is open or not.
XMAS and FIN Scans– It is an example of a suite of scans used to gather information without
being logged by the target system. In a FIN scan, an unsolicited FIN flag, used normally to end
an established session, will be sent to a port. The system’s response to this random flag can
reveal the state of the port or insight about the firewall. For example, if a closed port that
receives an unsolicited FIN packet it will respond with RST (an instantaneous abort) packet
however an open port will ignore it. An XMAS scan simply sends a set of all the flags, creating a
nonsensical interaction. The system’s response by can be interpreted to better understand the
system’s ports and firewall.
FTP Bounce Scan– It allows for the sender’s location to be disguised by bouncing the packet
through an FTP server. This is also designed for the sender to go undetected.
Sweep scan– It pings the same port across several computers to identify which computers on
the network are active. This does not reveal information about the port’s state, instead it tells
the sender which systems on a network are active. Thus, it can be used as a preliminary scan.
Nmap is short for Network Mapper. It is a free, open-source tool for vulnerability scanning and
network discovery. Nmap is used by network administrators to identify what devices are
running on their systems, discovering hosts that are available and the services they offer,
finding open ports and detecting security risks. Nmap can be used to monitor single hosts as
well as vast networks that encompass hundreds of thousands of devices and multitudes of
Although Nmap has evolved over the years and is extremely flexible, it is still essentially a port-
scan tool, gathering information by sending raw packets to system ports. It listens for responses
and determines whether ports are open, closed or filtered. Other terms used for port scanning
include port discovery or enumeration.
TYPES OF SCANS IN NMAP
1. TCP SYN scan -sS
SYN scan is the default and most popular scan option. It can be performed quickly by
scanning thousands of ports per second on a fast network not hampered by restrictive
firewalls. It is also relatively stealthy and unobtrusive it never completes TCP
connections. SYN scan works against any compliant TCP stack rather than depending on
kinks of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also
allows for a clear reliable distinction between the open, closed, and filtered states.
As a full TCP connection isn’t opened, this technique is often referred to as half-open
scanning. A SYN packet is sent as if you are going to open a real connection and then
wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset)
is indicative of a non-listener. The port is marked as filtered, if no response is received
after several retransmissions. The port is also marked filtered if an ICMP unreachable
error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is considered open if a
SYN packet (without the ACK flag) is received in response.
2. TCP connect scan –sT
When SYN scan is not an option, TCP connect scan is the default TCP scan type. This
happens when a user does not have raw packet privileges. Instead of writing raw
packets as most other scan types do, Nmap asks the underlying OS to establish a
connection with the target machine and port by issuing the connect system call. This is
the same high-level system call that P2P clients, web browsers, and most other
network-enabled applications use to establish a connection. It is part of a programming
interface known as the Berkeley Sockets API. Instead of reading raw packet responses
off the wire, Nmap uses this API to obtain status information on each connection
If a SYN scan is available, it is usually a better choice. Nmap has less control over the
high level connect call than with raw packets, making it less efficient. Rather than
performing the half-open reset that SYN scan does, the system call completes
connections to open target ports. Not only does this take more time and require more
packets to obtain the same information, but target machines are more likely to log the
connection. A decent IDS will catch either. However, most machines have no such alarm
system. Many services on an average Unix system will add a note to syslog, and
sometimes a cryptic error message, when Nmap connects and then closes the
connection without sending data. Though uncommon, weak services crash when this
happens. An administrator who sees a bunch of connection attempts in the logs from a
single system should know that they have been connect scanned.
3. UDP scans –sU
While most popular services on the Internet run over the TCP protocol, UDP services are
widely deployed. The three most common are DNS, SNMP, and DHCP (registered ports
53, 161/162, and 67/68). As UDP scanning is generally slower and more difficult than
TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP
services are quite common and attackers definately don't ignore the whole protocol.
However, Nmap can help inventory UDP ports.
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such
as SYN scan (-sS) to check both protocols during the same run.
UDP scan works by sending a UDP packet to every targeted port. For some common
ports such as 53 and 161, a protocol-specific payload is sent to increase response rate,
but for most ports the packet is empty unless the --data, --data-string, or --data-
length options are specified. The port is closed if an ICMP port unreachable error (type
3, code 3) is returned. Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13)
mark the port as filtered. Sometimes, a service will respond with a UDP packet, proving
that it is open. If no response is received after retransmissions, the port is classified
as open|filtered. This means that the port could be open, or perhaps packet filters are
blocking the communication. Version detection (-sV) can be used to help differentiate
the actually open ports from the filtered ones.
4. IP protocol scan –sO
IP protocol scan determines which IP protocols (TCP, ICMP, IGMP, etc.) are supported by
target machines. It is technically not a port scan as it cycles through IP protocol numbers
rather than TCP or UDP port numbers. However, it still uses the -p option to select
scanned protocol numbers, reports its results within the normal port table format as
well as uses the same underlying scan engine as the true port scanning methods. Hence,
it is close enough to a port scan that it belongs here.
Besides being useful on its own, protocol scan demonstrates the power of open-source
software. Protocol scan works in a similar fashion to UDP scan. Instead of iterating
through the port number field of a UDP packet, it sends IP packet headers and iterates
through the eight-bit IP protocol field. The headers are usually empty, containing no
data and not even the proper header for the claimed protocol. The exceptions are TCP,
UDP, SCTP, ICMP, and IGMP. A proper protocol header for those is included since some
systems won't send them otherwise and because Nmap already has functions to create
them. Protocol scan is on the lookout for ICMP protocol unreachable messages instead
of watching for ICMP port unreachable messages. If Nmap receives any response in any
protocol from the target host, Nmap marks that protocol as open. An ICMP protocol
unreachable error (type 3, code 2) causes the protocol to be marked as closed while
port unreachable (type 3, code 3) marks the protocol open. Other ICMP unreachable
errors (type 3, code 0, 1, 9, 10, or 13) cause the protocol to be marked filtered even
though they prove that ICMP is open at the same time. The protocol is
marked open|filtered, if no response is received after retransmissions,
5. TCP ACK scan –sA
This scan is different than the others as it never determines open port or
even open|filtered ports. It is used to map out firewall rulesets, determining whether
they are stateful or not and which ports are filtered.
Unless you use –scanflags, the ACK scan probe packet has only the ACK flag set. When
scanning unfiltered systems, open and closed ports will both return an RST packet.
Nmap then labels them as unfiltered, meaning that they are reachable by the ACK
packet, but whether they are open or closed is undetermined. Ports are labeled filtered
if they don't respond or send certain ICMP error messages back (type 3, code 0, 1, 2, 3,
9, 10, or 13).
6. TCP Window scan –sW
Window scan is the same as ACK scan except that it exploits an implementation detail of
certain systems to differentiate open ports from closed ones, rather than always
printing unfiltered when an RST is returned. This is done by examining the TCP Window
field of the RST packets returned. On some systems, open ports use a positive window
size (even for RST packets) while closed ones have a zero window. Thus, instead of
always listing a port as unfiltered when it receives an RST back, Window scan lists the
port as open or closed if the TCP Window value in that reset is positive or zero,
You cannot always trust this scan as it relies on an implementation detail of a minority
of systems out on the Internet. Systems that don't support it will usually return all ports
closed. Of course, it is possible that the machine really has no open ports. If most
scanned ports are closed but a few common port numbers (such as 22, 25, 53)
are filtered, the system is most likely susceptible. Occasionally, systems will even show
the exact opposite behavior. For instance, if your scan shows 1,000 open ports and
three closed or filtered ports, then those three may very well be the truly open ones.
7. TCP NULL, FIN, and Xmas scans –sN, -sF, -sX
These three scan types exploit a subtle loophole in the TCP RFC to differentiate
between open and closed ports. Page 65 of RFC 793 says that “if the [destination] port
state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in
response.” Then the next page discusses packets sent to open ports without the SYN,
RST, or ACK bits set, stating that: “you are unlikely to get here, but if you do, drop the
segment, and return.”
When scanning systems compliant with this RFC text, any packet not containing SYN,
RST, or ACK bits will result in a returned RST if the port is closed and no response at all if
the port is open. As long as none of those three bits are included, any combination of
the other three (FIN, PSH, and URG) are okay.
Port Scanning Techniques