Port scanning: Difference between revisions

From Citizendium
imported>Sandy Harris
imported>Justin C. Klein Keane
(Fixed typo, added a few sentences.)
Line 1: Line 1:
{{subpages}}
{{subpages}}
'''Port scanning''' involves multiple [[computer network]] activities involving sending a stimulus to the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) identifiers of specific services on specific computers. It may be a perfectly legitimat operational function, or it may be part of preparation for attacks on the network or its hosts.
'''Port scanning''' involves multiple [[computer network]] activities involving sending a stimulus to the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) identifiers of specific services on specific computers. It may be a perfectly legitimate operational function, or it may be part of preparation for attacks on the network or its hosts. Because most common internet services utilize [[well known ports]] port scanning is often used as a technique to identify the services available on the target. 


If an address sweep is analogous to checking if a building exists at a given street address, a port scan is closer to testing the doors to see if they are locked, or at least to see if specific apartments or rooms exist. It is good when a security guard verifies that doors are properly locked, but when  
If an address sweep is analogous to checking if a building exists at a given street address, a port scan is closer to testing the doors to see if they are locked, or at least to see if specific apartments or rooms exist. It is good when a security guard verifies that doors are properly locked, but when  
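Review bot: the sentence added to the first paragraph needs a comma after "well known ports" ("utilize well known ports, port scanning is often used ..."); as written the two noun phrases run together and the reader parses "ports port scanning" as one term. The unchanged context line "It is good when a security guard verifies that doors are properly locked, but when" is still cut off mid-clause; since this revision touches the paragraph, it would be worth either finishing the contrast or trimming the sentence to its first clause.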
Line 6: Line 6:
There is no single mechanism for port scanning, as different TCP and UDP services respond to different kinds of protocol messages. In the case of TCP-based services, [[telnet]] is one way to script scans, but it is more common to see specific scan methods for specific application services that run over TCP.
There is no single mechanism for port scanning, as different TCP and UDP services respond to different kinds of protocol messages. In the case of TCP-based services, [[telnet]] is one way to script scans, but it is more common to see specific scan methods for specific application services that run over TCP.


Port scanning, in and of itself, is rarely considered a network attack, as it generates little traffic. It can find vulnerabilities against which specific attacks can be launched.
Port scanning can utilize various techniques to increase the 'stealth' of the scan, or evade detection.  The most straightforward port scan includes sending a single packet to the target and port and listening for a response.  By manipulating the packet headers a scan can be modified so as to avoid detection by various [[intrusion detection systems]].  [http://www.nmap.org| NMAP] is a common port scanning tool that offers several configurations for evading scan detection, such as SYN/Stealth scans, Christmas Tree scans, and more.
 
Port scanning, in and of itself, is rarely considered a network attack, as it generates little traffic. It can find services that might present vulnerabilities against which specific attacks can be launched.  Port scanning can also be used to identify the purpose of various targets (i.e. this machine is probably a web server, this one is a [[DNS]] server, etc.).  Port scan responses can also be used to identify operating systems.


==Simple Mail Transfer Protocol==
==Simple Mail Transfer Protocol==
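Review bot: the external link `[http://www.nmap.org| NMAP]` uses a pipe, which is the separator for internal wikilinks; external links in wikitext take a space between URL and label, so this should read `[http://www.nmap.org NMAP]`, otherwise the pipe is rendered as part of the link rather than separating it from the label. Minor: "i.e. this machine is probably a web server, this one is a DNS server" lists examples, so "e.g." fits better than "i.e.", and the line between the two new paragraphs carries a stray trailing space.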

Revision as of 17:35, 12 July 2010

This article is developing and not approved.

Port scanning covers a range of computer network activities in which a stimulus is sent to the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port identifiers of specific services on specific computers. It may be a perfectly legitimate operational function, or it may be part of preparation for attacks on the network or its hosts. Because most common Internet services use well known ports, port scanning is often used as a technique to identify the services available on the target.

If an address sweep is analogous to checking if a building exists at a given street address, a port scan is closer to testing the doors to see if they are locked, or at least to see if specific apartments or rooms exist. It is good when a security guard verifies that doors are properly locked, but when

There is no single mechanism for port scanning, as different TCP and UDP services respond to different kinds of protocol messages. In the case of TCP-based services, telnet is one way to script scans, but it is more common to see specific scan methods for specific application services that run over TCP.
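As an added example, not from the Citizendium article or from any scanning tool, the following Python script does in code what the text describes scripting by hand with telnet: one TCP connection attempt per port, with the outcome classified as open (connection accepted), closed (connection refused) or filtered (no answer before the timeout). It is written as a self-audit of the local host in the sense of the article's security-guard analogy: it starts its own throwaway listener on 127.0.0.1 so that it has a known open port to find, and it contacts no other host. The function names `tcp_port_state`, `connect_check`, `start_local_listener` and `demo` are chosen here and are not from any tool.

```python
"""TCP connect check against the local host (self-audit).

Added example, not from the Citizendium article: each port gets one TCP
connection attempt, and the result is classified as open, closed or
filtered. A throwaway listener on 127.0.0.1 is started inside the block
so the check has a known open port to find and runs entirely offline.
"""
import socket
import threading


def tcp_port_state(host, port, timeout=0.5):
    """Attempt one TCP connection and report the port's state."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"          # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"        # RST came back: host is up, nothing listening
        except OSError:
            return "filtered"      # timeout or unreachable: no conclusive answer


def connect_check(host, ports, timeout=0.5):
    """Check each port in turn and return {port: state}."""
    return {port: tcp_port_state(host, port, timeout) for port in ports}


def start_local_listener():
    """Listen on an ephemeral 127.0.0.1 port, accepting and closing
    connections in a background thread. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # raised once srv.close() has been called
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def demo():
    """Run the check against one known-open and one known-closed local port.
    Returns (open_port, closed_port, results)."""
    open_port, stop = start_local_listener()
    # Obtain a currently free port by binding an ephemeral one and releasing it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = connect_check("127.0.0.1", [open_port, closed_port])
        return open_port, closed_port, results
    finally:
        stop()


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, state in results.items():
        print(f"127.0.0.1:{port} {state}")
```

The "filtered" result is what a host behind a firewall that silently drops packets produces: neither a completed handshake nor a reset arrives, so the only evidence is the timeout. This is also why a connect check, like telnet, is the noisiest form of scan: every open port sees a fully established connection that the service and its logs will record.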

Port scanning can use various techniques to increase the 'stealth' of the scan, or to evade detection. The most straightforward port scan consists of sending a single packet to the target address and port and listening for a response. By manipulating the packet headers, a scan can be modified so as to avoid detection by various intrusion detection systems. NMAP is a common port scanning tool that offers several configurations for evading scan detection, such as SYN/Stealth scans, Christmas Tree scans, and more.
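The defender's side of the paragraph above, as an added example that is not from the Citizendium article or from NMAP: a small detector run over connection-log lines. The log format is constructed for this example and is not any vendor's format (one line per initial packet: timestamp, source, destination, destination port, protocol, TCP flags). It applies two rules: a source touching many distinct ports on one host within a short window, and TCP flag combinations that no normal handshake produces, which is how the Christmas Tree probe mentioned in the text shows up on the wire. The names `detect_scans`, `classify_flags`, `PORT_THRESHOLD` and `WINDOW` are chosen here.

```python
"""Port-scan detection over connection-log lines.

Added example, not from the Citizendium article or from NMAP. Log format
(constructed for this example), one line per initial packet:
    <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <tcp_flags>
<tcp_flags> is a string of letters (S=SYN, A=ACK, F=FIN, P=PSH, U=URG,
R=RST), "none" for a TCP segment with no flags set, or "-" for UDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PORT_THRESHOLD = 10             # distinct destination ports, one source to one host
WINDOW = timedelta(seconds=60)  # counted within this time span

# Flag sets that no legitimate TCP exchange sends, mapped to an alert name.
ANOMALOUS_FLAGS = {
    frozenset("FPU"): "christmas-tree",
    frozenset(): "null",
    frozenset("F"): "fin-only",
    frozenset("SF"): "syn-fin",
}

# Constructed sample: 198.51.100.7 sweeps 12 ports on 192.0.2.10, 203.0.113.5
# sends Christmas-tree and null probes, 192.0.2.50 is ordinary client traffic.
SAMPLE_LOG = """\
2010-07-12T17:35:01 198.51.100.7 192.0.2.10 21 tcp S
2010-07-12T17:35:02 198.51.100.7 192.0.2.10 22 tcp S
2010-07-12T17:35:03 198.51.100.7 192.0.2.10 23 tcp S
2010-07-12T17:35:04 198.51.100.7 192.0.2.10 25 tcp S
2010-07-12T17:35:05 198.51.100.7 192.0.2.10 53 tcp S
2010-07-12T17:35:06 198.51.100.7 192.0.2.10 80 tcp S
2010-07-12T17:35:07 198.51.100.7 192.0.2.10 110 tcp S
2010-07-12T17:35:08 198.51.100.7 192.0.2.10 135 tcp S
2010-07-12T17:35:09 198.51.100.7 192.0.2.10 139 tcp S
2010-07-12T17:35:10 198.51.100.7 192.0.2.10 143 tcp S
2010-07-12T17:35:11 198.51.100.7 192.0.2.10 443 tcp S
2010-07-12T17:35:12 198.51.100.7 192.0.2.10 445 tcp S
2010-07-12T17:35:20 203.0.113.5 192.0.2.10 80 tcp FPU
2010-07-12T17:35:21 203.0.113.5 192.0.2.10 80 tcp none
2010-07-12T17:36:00 192.0.2.50 192.0.2.10 80 tcp S
2010-07-12T17:36:05 192.0.2.50 192.0.2.10 443 tcp S
2010-07-12T17:36:07 192.0.2.50 192.0.2.10 53 udp -
"""


def parse_line(line):
    ts, src, dst, dport, proto, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "flags": flags}


def classify_flags(flags):
    """Return the anomaly name for a TCP flag string, or None if unremarkable."""
    if flags == "-":                        # UDP carries no TCP flags
        return None
    key = frozenset() if flags == "none" else frozenset(flags)
    return ANOMALOUS_FLAGS.get(key)


def detect_scans(lines, port_threshold=PORT_THRESHOLD, window=WINDOW):
    events = [parse_line(line) for line in lines if line.strip()]
    alerts = []

    # Rule 1: individual segments with impossible flag combinations.
    for e in events:
        kind = classify_flags(e["flags"])
        if kind:
            alerts.append({"type": "anomalous-flags", "kind": kind,
                           "src": e["src"], "dst": e["dst"], "dport": e["dport"]})

    # Rule 2: many distinct ports from one source to one host within the window.
    # Only initial probes count (TCP SYN or a UDP datagram), so a half-open SYN
    # scan that never finishes the handshake is counted like a full connect.
    probes = defaultdict(list)
    for e in events:
        if e["flags"] in ("S", "-"):
            probes[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    for (src, dst), seen in probes.items():
        seen.sort()
        start, best = 0, 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1              # slide the window forward in time
            best = max(best, len({p for _, p in seen[start:end + 1]}))
        if best >= port_threshold:
            alerts.append({"type": "port-scan", "src": src, "dst": dst,
                           "distinct_ports": best})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold and window are the tuning knobs: too low and a busy client or a monitoring system trips the rule, too high and a slow scan spread over hours stays below it. The flag rule has no such trade-off, since the listed combinations never occur in normal traffic, which is why an intrusion detection system can flag a Christmas Tree probe from a single packet.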

Port scanning, in and of itself, is rarely considered a network attack, as it generates little traffic. It can find services that might present vulnerabilities against which specific attacks can be launched. Port scanning can also be used to identify the purpose of various targets (e.g. this machine is probably a web server, this one is a DNS server). Port scan responses can also be used to identify operating systems.

Simple Mail Transfer Protocol

One scan, which can be done for reasons good or ill, is trying to access the Simple Mail Transfer Protocol (SMTP) on TCP port 25. A very large amount of spam comes from broadband-connected personal computers attacked by botnets that insert SMTP servers on the machines and use these differently-addressed hosts to send a few spam emails each.

Internet-wide spam defense considers it inappropriate for end user computers to run SMTP servers. This does not mean that such computers cannot have SMTP clients; they usually should, sending through an authorized SMTP server inside their network. Network operators, and anti-spam groups, often scan end user address space looking for SMTP servers. Finding such a server strongly suggests that the machine has been compromised, and SMTP traffic coming from end user address space can get an ISP blacklisted as a potential spam source.

Hypertext Transfer Protocol

It is quite common to have scans for the Hypertext Transfer Protocol (HTTP), the basic World Wide Web server protocol on TCP port 80. Web indexing services need to find servers, although promiscuous searching for port 80 is not the best way of doing so.

Internet Service Providers serving the small and home office market often have an acceptable use policy that forbids HTTP servers on end user machines. They may well offer individual web server hosting, but on computers they operate, on which their users can install websites. There are a variety of reasons they do this, the most basic being that putting any Internet server on a dynamically assigned address, common in the small and home office (SOHO) market, is essentially futile: the outside world cannot find that address, and even customers of the same ISP cannot assume the address will remain constant.

From an operational and commercial standpoint, ISPs may engineer their end user access networks on the assumption that the computers on them will generate amounts of traffic characteristic of clients. A Web server that becomes popular can cause the end user network to become overwhelmed with traffic to it, denying service to other users of the same access network.

Searching for HTTP clients, on random high-numbered ports, is likely to be the act of an attacker trying to hijack or disrupt HTTP sessions.

IPsec

There is a scanner specifically to locate and probe IPsec security gateways, called IKE-scan.