Looking At Port Scanning Techniques Information Technology Essay
This article gives an in-depth look at the commonly used TCP port scanning techniques, along with the pros and cons of each. Apart from TCP-based scanning, it also briefly explains the techniques available for scanning non-TCP ports.
Index Terms – three-way handshake, open port scanning, stealth scanning, half open port scanning, Ident scanning, FTP bounce scanning, Decoy scanning, UDP scanning.
The first section gives an overview of port scanning: what it is, why it is used, how it can be used and what its effects are.
The second section describes the various port scanning methods in detail, first those based on TCP and then the others, with the advantages and disadvantages of each. It also covers how a TCP connection is established, which is needed to understand the scanning techniques properly.
Overview on Port Scanning
Before discussing port scanning itself, let us first see what a port is, how it is used and what its function is. The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) are the two transport protocols used for most communication over the Internet. Each of them has 65536 port numbers (from 0 to 65535). A port does not necessarily have a service behind it: a service that wants to receive traffic binds to a port and listens on it, and a port with nothing listening is closed. Ports 0 to 1023 are the well-known ports, assigned by IANA (Internet Assigned Numbers Authority) to specific services (for example port 80 for HTTP, port 21 for FTP, port 23 for telnet, and so on); on Unix-like systems binding to them requires privileges, which is why they are also called reserved or privileged ports. Ports 1024 to 49151 are the registered ports, and 49152 to 65535 are the dynamic and/or private ports, typically used as the client side's source port. An application on one computer therefore reaches a service on another computer by sending to that service's port.
Now let us discuss port scanning. Port scanning is a technique used to uncover the state of the ports on a computer: whether a port is open (listening) or closed and, if it is open, which service is running behind it. It is done by sending probe packets to the ports of the computer and interpreting the response, or the lack of a response, from each one. Network administrators use it to find weaknesses in their own network: an open port that is not needed should be closed immediately, because anything listening on it will accept incoming traffic, which could be malicious. It is also good practice to port scan our own computers periodically, so that unwanted processes and some kinds of malware that open a listening port can be found. At the same time, the same methods are known to attackers, who use them to get a list of open ports on a target, probe those ports for further information and weaknesses, and then try to exploit a weakness to gain access to the computer. The operating system, firewall or intrusion detection system on the target can log these probes, so an attacker must choose a scanning method that is hard to detect, or else be identified easily.
Port Scanning Methods
The port scanning techniques can be classified into three main types:
Open scanning – This type of scan opens a full TCP connection with the targeted host.
Half-open scanning – In this type of scan the client tears the connection down as soon as it receives the target host's response, before the handshake is complete.
Stealth scanning – This type of scan never attempts a connection at all; it sends probes that the target's application layer never sees, so they are not logged there.
All of the above scanning types are used by an attacker to get the list of open and closed ports on a server. Of the three, open scanning gives the most accurate information about the state of a port, but it is easily detected. Stealth scanning can fool some basic intrusion detection systems and some basic firewall rule sets.
Before explaining each port scanning technique in detail, let us look at the steps involved in establishing a full TCP connection and at the meaning of each flag in the TCP header [Marco, Eddy, Germinal, Gabriela, 1999]. Most of the scanning methods depend on the TCP connection procedure and on how a host reacts to each flag bit.
The flags in the TCP header and their functions are listed below.
SYN – Synchronise sequence numbers; set to initiate a TCP connection.
FIN – The sender has finished sending data and wants to close its side of the connection.
RST – Reset the connection; also the reply a host sends when a segment arrives for a port that has no matching connection.
ACK – The acknowledgement number field is valid; set on every segment after the initial SYN.
URG – The urgent pointer field is valid.
PSH – Push: the receiver should hand the data to the application immediately rather than buffering it while waiting for more.
The TCP connection establishment consists of three steps, hence it is called the three-way handshake. First the client sends a segment with the SYN flag set and its initial sequence number (ISN) to the target host. Second, if the port on the target host is open, the target acknowledges the client's SYN by replying with a segment that has both SYN and ACK set, carrying its own ISN and an acknowledgement number equal to the client's ISN plus 1. Third, on receiving that SYN/ACK the client sends a segment with ACK set and an acknowledgement number equal to the target host's ISN plus 1. The connection is then established between the two hosts. Shown below is the pictorial representation of the three-way handshake.
Client                                                 Target host
   |---- SYN, seq = client's ISN ------------------------->|
   |<--- SYN, seq = target's ISN, ACK = client's ISN + 1 ---|
   |---- ACK = target's ISN + 1 -------------------------->|
With this basic knowledge of TCP connection establishment and of the TCP flags, we will now discuss each of the port scanning techniques in detail.
Open Scanning Technique:
The open scanning technique tries to establish a full TCP connection with the target host and decides from the target's response whether the port is open or closed. It is slower than the other two techniques, since it completes the three-way handshake for every port, and it is easily detected and easily filtered. One open scanning method is described below.
TCP connect scan method:
The TCP connect scan method uses the operating system's connect() call to complete the three-way handshake with the target host [Dethy, 2001].
Client sends -> SYN
Target responds -> SYN, ACK
Client responds -> ACK
In this exchange the target responds with SYN/ACK, which means the port on the targeted host is open; the client completes the handshake and then closes the connection.
Client sends -> SYN
Target responds -> RST, ACK
Here the target responds with RST, which shows that the port on the targeted host is closed; no further packets are exchanged. In this way a list of open and closed ports on the target can be obtained. The advantages of this method are that it is accurate, simple and needs no extra user privileges, since it uses the normal socket interface. The disadvantages are that it is slower than a SYN scan, and that because the connection is fully established the target application sees it and can log it, so it is easily detected.
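A connect scan of the kind described above, written as an added example for this page (it is not code from the essay or the cited sources). It runs entirely against the local loopback interface: it opens a throwaway listener so that one scanned port is really open, reserves a second port that is closed, and maps connect() outcomes to the three port states. The target address 127.0.0.1 and the helper names are assumptions of the example.

```python
import socket

TARGET = "127.0.0.1"  # assumed target for this example: our own loopback interface


def start_listener(host=TARGET):
    """Open a throwaway TCP listener on an ephemeral port so the scan has a
    genuinely open port to find. The kernel completes the three-way handshake
    for any incoming SYN on its own; nothing has to call accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host=TARGET):
    """Pick an ephemeral port that nothing is listening on: bind it, read the
    number, release it again (a tiny race is possible; acceptable here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=1.0):
    """TCP connect scan: let the OS perform the full handshake via connect().

    connect() returns      -> SYN, SYN/ACK, ACK all exchanged: port is open
    ECONNREFUSED           -> target answered our SYN with RST/ACK: closed
    timeout                -> no reply at all (dropped by a filter): filtered
    The connection is torn down right afterwards, so the target application
    (and its log) sees a connect-and-disconnect from our real address.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError as exc:  # unreachable network and similar errors
                results[port] = "error: %s" % exc.strerror
    return results


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    try:
        for port, state in connect_scan(TARGET, [open_port, closed_port]).items():
            print("%s:%d/tcp %s" % (TARGET, port, state))
    finally:
        srv.close()
```

Because the handshake completes, the listener's accept queue receives a real connection for every open port found; that is exactly the trace an application-level log records, and the reason the essay calls this method easily detectable.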
Half Open Scanning Technique:
In the “half open” scanning technique the client terminates the connection before the three-way handshake is completed. Two methods come under this technique: 1) SYN scanning and 2) IP ID header or dumb scanning (also called idle scanning).
SYN scan method:
This method is similar to the full connection/TCP connect scan method. The difference is that when the client receives the SYN/ACK from the target host it immediately tears the connection down by sending a RST to the target, because the SYN/ACK alone is enough to know that the port is open. If a RST is received from the target instead, the port is closed. The three-way handshake is therefore never completed. The exchanges are shown below [Dethy, 2001].
Pictorial representation if the port is in the open state,
Client sends -> SYN
Target responds -> SYN, ACK
Client responds -> RST
Pictorial representation if the port is in the closed state,
Client sends -> SYN
Target responds -> RST, ACK
The advantages of this method are that it is fast, accurate and less frequently logged than the open scan, because the target application never receives a completed connection. The main disadvantage is that the scanner has to build the SYN and RST packets itself using raw sockets, which requires special privileges (root or administrator) on almost all operating systems.
IP ID header or dumb scanning method:
This method is also based on the SYN probe, but it uses a third host to scan the target and decides from the “id” field in the IP header of that host's packets whether a port on the target is open or closed. The third host must send very little traffic, preferably none, so it is called the silent or dumb host (the zombie, in Nmap's terminology). It takes considerable effort to find such a host, and it must also use a single, predictably incrementing IP ID counter.
There are three hosts in this scenario: the attacker host (A), the silent host (S) and the target host (T). First A sends a series of ping probes to S and watches the id value in the IP header of the replies. As long as S sends nothing else, each reply increments the id by exactly 1. An example (hping output, relative id mode) is shown below,
60 bytes from AAA.BBB.CCC.DDD: seq=1 ttl=64 id=+1 win=0 time=96 ms
60 bytes from AAA.BBB.CCC.DDD: seq=2 ttl=64 id=+1 win=0 time=88 ms
60 bytes from AAA.BBB.CCC.DDD: seq=3 ttl=64 id=+1 win=0 time=88 ms
Now A sends a SYN to T with the source address spoofed to be S. T replies to S, not to A: with SYN/ACK if the port is open, or with RST if it is closed. S never sent any SYN, so on receiving a SYN/ACK it answers with a RST of its own, which consumes one IP ID; an unsolicited RST it simply ignores. A then pings S again and compares the id value. If the id has increased by 2 since the previous ping (one for S's RST to T, one for the ping reply itself), the port on T is open. If it has increased by only 1, the port is closed (or filtered: a probe dropped by a firewall and a RST from T look the same from A's position). The measurement works only if S is genuinely idle and uses one global, sequential IP ID counter; a host with randomised or per-destination IP IDs, as most current operating systems use, cannot serve as S.
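The IP ID arithmetic above, as an added example that is not part of the original essay: a small model of the three hosts in which S increments a global IP ID for every packet it sends, answers an unsolicited SYN/ACK with a RST and ignores an unsolicited RST, so the attacker's inference from the id delta can be run and checked without any network. The class names, the hypothetical randomising zombie used as a counter-example, and the port numbers are constructed for the example.

```python
import random


class Zombie:
    """Model of the silent host S: one global IP ID counter, incremented by one
    for every packet it emits. That predictability is what the scan relies on."""

    def __init__(self, start=1000):
        self.ip_id = start

    def _emit(self):
        self.ip_id += 1
        return self.ip_id

    def ping(self):
        """A probe from the attacker A; the reply carries S's next IP ID."""
        return self._emit()

    def deliver(self, segment):
        """What S does with T's reply to the spoofed SYN: an unsolicited SYN/ACK
        is answered with RST (one packet, ID += 1); an unsolicited RST is
        dropped (no packet, ID unchanged)."""
        if segment == "SYN/ACK":
            self._emit()


class RandomIdZombie(Zombie):
    """Hypothetical host that randomises IP IDs, as most current stacks do:
    useless as a zombie, which zombie_is_usable() should detect."""

    def __init__(self, seed=7):
        super().__init__()
        self._rng = random.Random(seed)

    def _emit(self):
        self.ip_id = self._rng.randrange(65536)
        return self.ip_id


class Target:
    """Host T: SYN/ACK for an open port, RST for a closed one. The reply goes
    to the spoofed source address, i.e. to S, never to A."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_spoofed_syn(self, dport, zombie):
        zombie.deliver("SYN/ACK" if dport in self.open_ports else "RST")


def zombie_is_usable(zombie, probes=5):
    """Pre-check from A: consecutive pings must show the IP ID rising by exactly 1."""
    ids = [zombie.ping() for _ in range(probes)]
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


def idle_scan(zombie, target, ports):
    """Per port: read S's ID, send SYN to T with S's address as source, read
    S's ID again. Delta 2: S sent a RST in between (port open). Delta 1: S
    stayed silent (closed, or filtered; indistinguishable from here).
    Anything else: S was talking to someone else or is unpredictable."""
    results = {}
    for port in ports:
        before = zombie.ping()
        target.receive_spoofed_syn(port, zombie)
        after = zombie.ping()
        delta = after - before
        if delta == 2:
            results[port] = "open"
        elif delta == 1:
            results[port] = "closed|filtered"
        else:
            results[port] = "unknown (zombie busy or unpredictable)"
    return results


if __name__ == "__main__":
    S, T = Zombie(), Target(open_ports={22, 80})
    print("zombie usable:", zombie_is_usable(S))
    print(idle_scan(S, T, [22, 80, 81]))
```

The usability pre-check is the step a practitioner must not skip: with a randomising zombie the deltas are noise, and the scan silently reports every port as unknown.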
Stealth scanning technique:
The stealth scanning techniques are designed to avoid being logged by the target and to get past basic packet filters and firewalls. They never attempt to open a connection; instead they send single segments with flag combinations that a host never sees on a legitimate connection and interpret the reaction to them. They are also often run slowly, spreading the probes over a long period, so that the target does not trigger a rate-based alert. Four stealth scanning techniques are discussed in this section.
FIN scan method:
As the name implies, this method uses the FIN flag: the attacker sends a TCP segment with only FIN set to the target and determines the state of the port from the response. A closed port replies with RST. The negotiation is shown below,
Attacker sends -> FIN
Target responds -> RST
An open port, which per RFC 793 must drop a segment that carries neither SYN, RST nor ACK, sends nothing back. The negotiation is shown below,
Attacker sends -> FIN
Target response -> none
The advantages of this method are that it can bypass many intrusion detection systems and is rarely logged, since no connection is ever made. The disadvantages are that silence also results when a firewall drops the probe, so “no response” really means open or filtered, and that some stacks (Microsoft Windows, Cisco IOS and several others) reply with RST regardless of the port's state, so against them every port appears closed.
NULL scanning method:
The NULL scanning method sends a TCP segment to the target with none of the six flags set. A RST from the target means the port is closed; no response means the port is open (or filtered). Its advantages and weaknesses are those of the FIN scan: it bypasses many intrusion detection systems and is rarely logged, but it can produce false results and is reliable only against targets with RFC-compliant stacks (UNIX-like systems); a Windows target replies with RST on every port.
XMAS scanning method:
The XMAS scanning method is the opposite of the NULL scan in that the probe has flags set (“lit up like a Christmas tree”). The method described here sets all six; Nmap's Xmas scan sets only FIN, PSH and URG, because a probe that carries ACK is reset even by an open port on an RFC 793 stack and would make every port look closed. The interpretation is the same as for the NULL scan: RST means the port is closed, no response means it is open or filtered. The advantages and disadvantages are the same as for the NULL scanning method.
TCP fragmenting method:
TCP fragmenting is not itself a port scanning method; it is used to improve the stealth of the FIN, NULL and XMAS scans [Marco, Eddy, Germinal, Gabriela, 1999]. The probe is sent as several small IP fragments so that the TCP header, and in particular its flag byte, is split across fragments; a packet filter or intrusion detection system that examines each fragment on its own, without reassembling them, cannot match on the flags. Firewalls and intrusion detection systems that reassemble fragments, or that drop unusually small ones, are not fooled by it.
All the above discussed port scanning techniques are specific to the TCP ports. There are other port scanning techniques available for scanning non TCP ports, some of which are explained below.
UDP scanning technique:
The UDP scanning technique is used to get a list of open UDP ports on a target host. It sends a UDP datagram to each port and interprets the response. If the target replies with a UDP datagram, the port is open. If the response is an “ICMP port unreachable” message (type 3, code 3) [Dethy, 2001], the port is closed. If the response is some other ICMP unreachable message (type 3 with code 1, 2, 9, 10 or 13), the port is filtered. If there is no response at all, the port is either open or filtered, because many UDP services do not answer an empty or unexpected datagram. The advantage is that it covers the non-TCP ports, which the TCP techniques miss entirely and which TCP-oriented intrusion detection rules do not watch. The disadvantages are that it is easily detected, that reading the ICMP replies directly requires raw sockets and therefore root access, and that it is slow: most operating systems rate-limit ICMP error messages (Linux to about one per second by default), so a scan of many closed ports takes a long time.
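An unprivileged UDP scan against the loopback interface, as an added example (not code from the essay): it starts a constructed UDP echo service so that one port is genuinely open, and uses a connected UDP socket so that the kernel turns the ICMP port unreachable generated for a closed port into ECONNREFUSED on the scanner's socket. The address 127.0.0.1 and the helper names are assumptions of the example.

```python
import socket
import threading

TARGET = "127.0.0.1"   # assumed target for this example: the loopback interface


def start_udp_echo(host=TARGET):
    """Constructed target service: a UDP echo responder on an ephemeral port,
    so that one probed port really answers with a UDP datagram."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(2048)
            except OSError:
                return            # socket closed by the caller
            srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_udp_port(host=TARGET):
    """An ephemeral UDP port with no listener behind it: bind, read, release."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def udp_scan(host, ports, payload=b"\x00", timeout=1.0, retries=2):
    """UDP scan with ordinary (unprivileged) sockets.

    The socket is connect()ed first: for a connected UDP socket the kernel
    reports an incoming ICMP port unreachable as ECONNREFUSED on the next
    send/recv, which is the 'closed' signal. A datagram back means open.
    Silence is ambiguous (a service that ignores our payload, or a filter
    dropping the probe), hence 'open|filtered'. A raw-socket scanner also
    sees the ICMP type/code and can report 'filtered' separately.
    """
    results = {}
    for port in ports:
        state = "open|filtered"
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            for _ in range(retries):
                try:
                    s.send(payload)
                    s.recv(2048)
                    state = "open"
                    break
                except ConnectionRefusedError:
                    state = "closed"
                    break
                except socket.timeout:
                    continue      # retry: UDP probes and replies can be lost
        results[port] = state
    return results


if __name__ == "__main__":
    srv, open_port = start_udp_echo()
    closed_port = reserve_closed_udp_port()
    try:
        for port, state in udp_scan(TARGET, [open_port, closed_port]).items():
            print("%s:%d/udp %s" % (TARGET, port, state))
    finally:
        srv.close()
```

Against a remote host the closed-port case is where the ICMP rate limit bites: after the first few closed ports the unreachable messages stop arriving, the remaining probes time out, and the scanner can only report open|filtered unless it slows down.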
Ident scanning technique:
The scanning methods discussed so far produce a list of open/available ports; the Ident scanning technique instead reveals the owner of the process listening on each open port. It exploits a weakness in the Identification Protocol (RFC 1413): after connecting to an open port on the target, the attacker queries the identd service on port 113 with the pair of port numbers of that connection, and identd returns the username of the process that owns it, which exposes, for example, services running as root. The technique can be employed only when the target host is running the identd service on port 113.
FTP bounce scanning technique:
This technique abuses a feature of the FTP protocol to scan through a third party: a proxy (“bounce”) FTP server opens the data connections on the attacker's behalf, so the target sees the probes coming from the FTP server rather than from the attacker. It works only if the FTP server allows the PORT command to name an address other than the client's own. The attacker first logs in to the FTP server. For each port on the target it issues a “port” command carrying the target's IP address and the port number, followed by a “list” command, which makes the server try to open a data connection to that address. If the target port is open the data connection succeeds and the server sends the 150 and then 226 reply codes to the attacker; if the port is closed the data connection fails and the server responds with the 425 reply code. Most FTP servers today reject a PORT address that does not match the control connection's peer, which closes this hole.
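The PORT/LIST exchange above, as an added example that is not from the essay: it encodes the target address the way the PORT command requires (four octets, then the port's high and low byte), classifies the proxy server's reply codes for one round, and includes the server-side check (PORT address must match the control connection's peer) that modern FTP servers use to refuse bounces. The reply transcripts and the addresses 192.0.2.x and 198.51.100.x are constructed for the example.

```python
import re


def port_argument(ip, port):
    """Encode an address as the PORT argument h1,h2,h3,h4,p1,p2 (RFC 959):
    the port number is split into its high and low byte."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    if not 0 <= port <= 65535:
        raise ValueError("bad port: %r" % port)
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_port_argument(arg):
    """Inverse of port_argument; returns (ip, port)."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def bounce_probe(target_ip, target_port):
    """The two commands the attacker sends on the control connection to make
    the proxy FTP server open a data connection to one port on the target."""
    return ["PORT " + port_argument(target_ip, target_port), "LIST"]


def classify_bounce_replies(reply_lines):
    """Interpret the control-connection replies for one PORT + LIST round.
    150 then 226: the data connection to the target succeeded (port open).
    425: the server could not build the data connection (port closed).
    5xx to PORT: the server refuses third-party addresses (no bounce possible)."""
    codes = []
    for line in reply_lines:
        m = re.match(r"^(\d{3})[ -]", line)
        if m:
            codes.append(int(m.group(1)))
    if not codes:
        return "unknown"
    if codes[0] >= 500:
        return "bounce refused"
    if 425 in codes:
        return "closed"
    if 150 in codes and 226 in codes:
        return "open"
    return "unknown"


def is_bounce_attempt(port_arg, control_peer_ip):
    """Server-side check that defeats the technique: the data address given in
    PORT must be the address of the client on the control connection."""
    ip, _ = parse_port_argument(port_arg)
    return ip != control_peer_ip


if __name__ == "__main__":
    # Constructed transcripts, not captured traffic
    print(bounce_probe("192.0.2.10", 8080))
    print(classify_bounce_replies(["200 PORT command successful.",
                                   "150 Opening ASCII mode data connection for file list.",
                                   "226 Transfer complete."]))
    print(classify_bounce_replies(["200 PORT command successful.",
                                   "425 Can't build data connection: Connection refused."]))
    print(is_bounce_attempt("192,0,2,10,31,144", "198.51.100.7"))
```

The is_bounce_attempt check is the one to look for when auditing an FTP server configuration: a server that accepts a PORT address different from the control peer can be turned into a scanner (and a relay) against any host it can reach, including ones behind its own firewall.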
Decoy scanning technique:
The decoy scanning technique sends several probes to the same port on the target host, each from a different spoofed source address, with the attacker's real address among them. Thus the attacker still receives at least one response from the target, while the target's logs show the same scan arriving from several addresses at once. The advantages of this method are that it is extremely hard for the administrator to tell which of the sources is the real scanner, and the results are accurate. The disadvantage is the volume of traffic: every port is probed several times.
Conclusion
The different types of port scanning techniques have been explained in detail along with their advantages and disadvantages. We have seen that most port scanning techniques are based on the TCP protocol, but other techniques are available to scan the non-TCP ports. Numerous software tools are available today to perform an effective port scan of the local host or a remote host, to check for existing vulnerabilities and for ways to fix them; some of the popular ones are SATAN and Nmap. Port scanning techniques are not only used by attackers to break into a computer or network; they can also be used to check our own computers for vulnerabilities and to take preventive action against them.