Results 1 to 5 of 5

Thread: Introduction to Port Scanning

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002

    Introduction to Port Scanning

    This is my own work. It is an article I originally wrote for my site on Internet / Network Security. The article is included below as well as a link to the original at

    What is port scanning? It is similar to a thief going through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked.

    TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite which is used universally to communicate on the Internet.

    Each of these has ports 0 through 65535 available so essentially there are more than 65,000 doors to lock.

    The first 1024 TCP ports are called the Well-Known Ports and are associated with standard services such as FTP, HTTP, SMTP or DNS. Some of the addresses over 1023 also have commonly associated services, but the majority of these ports are not associated with any service and are available for a program or application to use to communicate on.

    Port scanning software, in its most basic state, simply sends out a request to connect to the target computer on each port sequentially and makes a note of which ports responded or seem open to more in-depth probing.

    If the port scan is being done with malicious intent, the intruder would generally prefer to go undetected. Network security applications can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. To get around this the intruder can do the port scan in strobe or stealth mode. Strobing limits the ports to a smaller target set rather than blanket scanning all 65536 ports. Stealth scanning uses techniques such as slowing the scan. By scanning the ports over a much longer period of time you reduce the chance that the target will trigger an alert.

    By setting different TCP flags or sending different types of TCP packets the port scan can generate different results or locate open ports in different ways. A SYN scan will tell the port scanner which ports are listening and which are not depending on the type of response generated. A FIN scan will generate a response from closed ports- but ports that are open and listening will not send a response, so the port scanner will be able to determine which ports are open and which are not.

    There are a number of different methods to perform the actual port scans as well as tricks to hide the true source of port scan. You can read more about some of these by visiting these web sites: Port Scanning or Network Probes Explained.

    It is possible to monitor your network for port scans. The trick, as with most things in information security, is to find the right balance between network performance and network safety. You could monitor for SYN scans by logging any attempt to send a SYN packet to a port that isn't open or listening. However, rather than being alerted every time a single attempt occurs- and possibly being awakened in the middle of the night for an otherwise innocent mistake- you should decide on thresholds to trigger the alert. For instance you might say that if there are more than 10 SYN packet attempts to non-listening ports in a given minute that an alert should be triggered. You could design filters and traps to detect a variety of port scan methods- watching for a spike in FIN packets or just an anomylous number of connection attempts to a variety of ports and / or IP addresses from a single IP source.

    To help ensure that your network is protected and secure you may wish to perform your own port scans. A MAJOR caveat here is to ensure you have the approval of all the powers that be before embarking on this project lest you find yourself on the wrong side of the law. To get accurate results it may be best to perform the port scan from a remote location using non-company equipment and a different ISP. Using software such as NMap you can scan a range of IP addresses and ports and find out what an attacker would see if they were to port scan your network. NMap in particular allows you to control almost every aspect of the scan and perform various types of port scans to fit your needs.

    Once you find out what ports respond as being open by port scanning your own network you can begin to work on determining whether its actually necessary for those ports to be accessible from outside your network. If they're not necessary you should shut them down or block them. If they are necessary, you can begin to research what sorts of vulnerabilities and exploits your network is open to by having these ports accessible and work to apply the appropriate patches or mitigation to protect your network as much as possible.

    Complete article: Introduction to Port Scanning

  2. #2
    Senior Member
    Join Date
    Dec 2002
    Again, good intro. I was wondering, if one buys a good firewall from Norton or McAfee, if the defult setting is enough?


  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Originally posted here by Fred Brown
    Again, good intro. I was wondering, if one buys a good firewall from Norton or McAfee, if the defult setting is enough?

    I'd say no. I like to deny everything and then allow/block when I need the service/application.

    Norton allows you to scan for internet enabled devices and tweak them all then. The problem I find with this, is: You may not know what the app is and if you run updates, you have to recreate the rule for it.

    I just allow/deny as I go.

    The log files for norton is pretty small by default. I like to make it as big as possible so I can go back and look over a longer period of time. Compare current activity to past activity and etc.

    There are quite a few little tweaks you can make to it. It just depends on your needs.

    If you have a router, and have the firewall included on that, then I wouldn't be so parinoid with my desktop firewalls... I'm parinoid with everything, so I make strict settings on all, and tweak as I need.

    I'm not sure about McAfee, as I've never used it.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    3rd Rock from Sun
    On the Norton fire wall, I also have got into the habiot of allow / deny as it ocours, but have tried to set SOME, it took a while, and as a first attempt I now spend too much time worrying about whether I have done enough / not enough !! I tried by scrolling through the Apps, and the ones I could see that wouldn't normally ?? require Net access ( Word, XL, etc ) these are the ones I set to deny, but to inform me if they do try. So far, so safe !!!!!
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  5. #5
    Senior Member
    Join Date
    Oct 2003
    good post
    worth a read
    learned a lot
    Sometimes realitys are dreams we cannot live in.... (as my bst fren says) [/shadow]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts