Saturday, February 28, 2009

Getting Caught with Your Ports Down!!!

What is port scanning? It is like a thief going through your neighborhood and checking every door and window on each house to see which are locked. Port scanning software simply sends out a request to connect to the target computer on each port sequentially and makes a note of which ports responded or seem open to more in-depth probing.

Port scanning can be done with malicious intent, and in that case the intruder would generally prefer to go undetected. Network security applications can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. To get around this the intruder can do the port scan in strobe or stealth mode. Strobing limits the ports to a smaller target set rather than blanket scanning all 65,536 ports. Stealth scanning uses techniques such as slowing the scan.

There are a number of different methods to perform the actual port scans, as well as tricks to hide the true source of a port scan.

You must find the right balance between network performance and network safety. You could monitor for SYN scans by logging any attempt to send a SYN packet to a port that isn't open or listening. A SYN scan is a type of TCP scanning that is also known as "half-open scanning" because it does not open a full TCP connection.
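The detection idea above, as an added example that is not part of the original post: a Python script that reads the kind of log the text suggests keeping (SYN packets to ports with no listener) and alerts when one source hits many ports on one host, or the same port on many hosts. The log format is a simplified iptables-style line assumed for this example, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format): one line per SYN to a closed port.
def _line(src, dst, dpt):
    return f"Feb 28 10:00:01 fw kernel: SYN-CLOSED SRC={src} DST={dst} PROTO=TCP DPT={dpt}"

SAMPLE_LOG = "\n".join(
    # 10.0.0.5 probes a dozen well-known ports on one host (strobe-style scan)
    [_line("10.0.0.5", "192.168.1.10", p)
     for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445)]
    # 10.0.0.9 probes the same port across six hosts (sweep)
    + [_line("10.0.0.9", f"192.168.1.{i}", 445) for i in range(20, 26)]
    # a single stray SYN from 10.0.0.7: noise, not a scan
    + [_line("10.0.0.7", "192.168.1.10", 8080)]
)

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dpt>\d+)")

def parse_events(log_text):
    """Extract (src, dst, dst_port) tuples from matching log lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return events

def detect_scans(events, port_threshold=10, host_threshold=5):
    """Flag a source that touches >= port_threshold closed ports on one host
    (strobe if under 20 ports, vanilla otherwise) or the same port on
    >= host_threshold hosts (sweep). Thresholds are tunable assumptions."""
    ports_by_pair = defaultdict(set)   # (src, dst) -> set of probed ports
    hosts_by_port = defaultdict(set)   # (src, dpt) -> set of probed hosts
    for src, dst, dpt in events:
        ports_by_pair[(src, dst)].add(dpt)
        hosts_by_port[(src, dpt)].add(dst)
    alerts = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            kind = "strobe" if len(ports) < 20 else "vanilla"
            alerts.append({"type": kind, "src": src, "dst": dst, "ports": len(ports)})
    for (src, dpt), hosts in hosts_by_port.items():
        if len(hosts) >= host_threshold:
            alerts.append({"type": "sweep", "src": src, "port": dpt, "hosts": len(hosts)})
    return alerts

if __name__ == "__main__":
    for alert in detect_scans(parse_events(SAMPLE_LOG)):
        print(alert)
```

A slow stealth scan spreads its probes over a long time, so in practice the counting window should be widened (hours or days) rather than evaluated per burst.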

You must ensure you have approval of all the necessary people before port scanning; otherwise you may be on the wrong side of the law. Once you find out which ports respond as open by port scanning your own network, you can begin to work on determining whether it is necessary for those ports to be open to outside traffic.

Types of Port Scans Include
  • Vanilla: An attempt to connect to all 65,536 ports
  • Strobe: An attempt to connect to only selected ports (typically under 20)
  • Stealth Scan: Several techniques for scanning that attempt to prevent the request for connection from being logged; uses SYN scans, FIN scans or other techniques to prevent logging of the scan.
  • FTP Bounce: Scan attempts that are directed through an FTP server to disguise the cracker's location.
  • Fragmented Packets: Scans by sending packet fragments that can get through simple packet filters in a firewall.
  • UDP: Scans for open UDP ports.
  • Sweep: Scans the same port on a number of computers.

Tool Used to Perform Port Scanning

NMap (Network Mapper) is a popular free, open source tool used to port scan. It is a utility for network exploration and security auditing. You can scan a range of IP addresses and ports and find out what an attacker would see if they were to port scan your network. NMap allows great flexibility and control over almost every aspect of the scan, and it can perform various types of port scans to fit your needs.

NMap was designed to rapidly scan large networks, but works fine against a single host. NMap is:

  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles.
  • Powerful: Used to scan huge networks of literally hundreds of thousands of machines.
  • Portable: Most operating systems are supported, including: Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, SunOS, Amiga, and more.
  • Easy: You can start out as simply as nmap -v -A targethost. Both traditional command line and graphical (GUI) versions are available to suit your preference.
  • Free: It comes with full source code.
  • Well Documented
  • Supported
  • Popular

Friday, February 27, 2009

Network Modeling

The OSI Model is used in discussing and explaining networking concepts at a high level, and also when describing network problems and troubleshooting. For a more practical look at the structure of a network, administrators use the TCP/IP Model.

The OSI Model is a theoretical representation of how a network works.

OSI Model
7-- Application Layer
6-- Presentation Layer
5-- Session Layer
4-- Transport Layer
3-- Network Layer
2-- Data Link Layer
1-- Physical Layer


The TCP/IP Model is more of a realistic and working model representation of how a network works. All of the same information from the OSI Model is within the TCP/IP Model. Some of the layers are condensed and overlap within the TCP/IP Model.

TCP/IP Model
5-- Application Layer
4-- Transport Layer
3-- Network Layer
2-- Data Link Layer
1-- Physical Layer

I will attempt to explain the different layers of both the OSI Model and the TCP/IP Model and compare and contrast the two.