Given the massive spread of the Internet and Internet-related activities in recent times, there is an equal spread in silent activities behind the web too. These silent activities might relate to port scanning, vulnerability scanning, finding publicly available technical and non-technical information about target organizations, and so on. At any given point of time, there are many such scans being done on the Internet, and most of them are harmless, but some are done with a malicious intent. This paper seeks to give a soup to nuts version of port scanners by discussing the definition of port scanners, port scanning as part of security assessment, different types of scanners, Super Scan 4.1, and port scan detectors.
Definition of port scanning
As already stated, port scanning can be used for malicious purposes or for genuine purposes. It is a commonly known fact that there are 65,535 TCP ports and 65,535 UDP ports. Port numbers ranging from 0 to 1024 are well known ports. As an example, port number 80 is associated with HTTP, port number 21 is mapped to FTP, port 25 to SMTP, and so on.
Port scanning is a reconnaissance technique which involves scanning the host for open and active ports. It primarily involves sending a message to each of the individual ports and detecting which are open. These open ports offer vulnerabilities that can be exploited and sometimes even bring down production environments.
There are numerous port scanning tools, and popular examples are Nmap and Super Scan. We will discuss McAfee’s Super Scan 4.1, which is a Windows port scanning tool, later in this paper.
The “good way” of doing port scanning
The activity of port scanning can be done as part of security assessment of one’s own organization seeking to weed out security holes. It is more of a defensive approach to seek vulnerabilities and destroy them rather than reactive approach.
The malicious way of doing port scanning
Hackers or anyone with a malicious intent can do “port scanning” by systematically probing open ports which might lead hackers to gain entry into organizations and steal their private data.
Statistics relating to port scanning
Before we move onto the other specific details relating to port scanning, we’ll first discuss some statistics. The activity of port scanning itself deals with port numbers and IP addresses. Therefore, let us first get the bare facts about these two important concepts.
There are 2 32(4 billion) IP addresses in the world as of April 2012. (List of countries by IPv4 address allocation). Let us see the details regarding these 232 IP addresses…
According to this report from Internet Census 2012:
“165 million IPs had one or more of the top 150 ports open.
36 million of these IP addresses did not respond to ICMP ping.
141 Million IPs had only closed/reset ports and did not respond to ICMP ping.” (Port scanning /0 using insecure embedded devices)
Next we will discuss port scanning as part of the security assessment of an organization.
Security assessment and port scanning
Port scanning is the first step in vulnerability scanning, which is part of a security assessment. These are the steps when performing a security assessment:
The scope of security assessments should be planned and it should be approved by senior management.
Reconnaissance is a stage where public information about the organization is probed and retrieved.
Network service discovery
In this stage we discover the hosts and servers that can be accessed from outside. These can then be used for cyber attacks.
The servers and hosts that were visible outside are then probed for vulnerabilities. This where port scanning takes place and open ports are figured.
Verification of perimeter devices
Perimeter devices like firewalls, routers, IDS and IPS are evaluated and made sure that they function according to standards.
We make sure that remote access devices like VPN and wireless points are configured properly.
Result analysis and documentation
This is the last step in the security assessment and we finally document the results by determining if the vulnerabilities found will exploit the security controls placed. (Stephen Northcutt)
In this post we will only explore the steps relating to gathering public information and vulnerability discovery, which pertain more to “port scanning”.
Gathering public information
Before we find vulnerable ports to launch attacks, it is also important to gather as much information from public sources as possible. We will discuss two websites that there are good sources of public information:
- ‘Netcraft.com’ gives detailed information about “technologies that power a website”. (Netcraft.com) For example, we get the following information when we search for ‘Google.com’ on the ‘Netcraft’ website:
We see the information related to IP address, IPv6 address, hosting country, DNS admin, and other things.
To get the IP addresses associated with a particular organization, we next query the ARIN database. ARIN stands for ‘American Registry for Internet numbers’. When the ‘Google.com’ website is queried, it returns the following result:
Once enough public, technical and non-technical information has been gathered, the next step will be to do a vulnerability assessment. It is in the vulnerability phase that port scanning is done.
Different types of scanning
We will next discuss the different types of port scanning techniques. The list presented below gives a broad set of scanning techniques.
Vanilla connect() scanning
This is the simplest of all scanning techniques and it involves sending packets to each and every port and detecting whether they respond or not. If there is a response from a port, it indicates that the port is open and it can be used to launch an attack. However, since this is a very simple scan, it can be detected and logged by network perimeter devices.
Both ‘Nmap’ and ‘Super Scan’ can be used to perform vanilla scans.
Since the vanilla scanning technique can be detected by perimeter devices like firewalls and IDS, ‘stealth scanning’ can be used by hackers which will be undetected by auditing tools. This type of scanning involves sending the packets with stealth flags – “some of the flags are SYN, FIN and NULL”. (Surveying Port Scans and Their Detection Methodologies, 2010)
This type of scan is used to scan ports discreetly and indirectly. It is more prevalent with the FTP protocol making it to be called as the ‘FTP bounce attack’. The attacker uses the PORT command to gain access to ports on the target machine through a vulnerable middle FTP server. The vulnerable FTP server is the one that is used to bounce off the attacks.
This type of scanning involves finding open ports related to the UDP protocol.
Super Scan 4.1
Now that we have seen the concept of port scanning and how to gather public information, we will now actually do ‘port scanning’. We will discuss Super Scan 4.1 which is a powerful port scanner, pinger and resolver. While ‘Nmap’ is a free port scanning tool for different operating systems, Super Scan 4.1 is a Windows-only port scanner from McAfee. Super Scan 4.1 is expected to run only on Windows XP and 2000. Listed below are some of the features of Super Scan 4.1:
- It provides superior scanning speed for detecting both UDP and TCP open ports.
- TCP SYN scanning is possible.
- Different tools such as ping, ICMP trace route, Whois, and Zone transfer are available.
- We can read the IP addresses which need to be scanned from a file.
- The results of the scan can be read in a HTML file.
- TCP and UDP banner grabbing are available. (Super Scan 4.1)
Running Super Scan 4.1
Super Scan 4.1 might not as popular as its counterpart ‘Nmap’ – nevertheless, it is a good port scanner with good features. The minor drawback is that it works only with Windows systems. It can be downloaded from the following link:
The important point when trying to run Super Scan 4.1 is that it can only be ‘Run as Administrator’. In order to do this, it is necessary to right-click on the ‘Super Scan 4.1.exe’ and click ‘Run as administrator’ as shown in the picture below.
As an example, let us try and port scan our own computer for open ports. The most important tabs to work with in port scans are the ‘Host and Service Discovery’ tab and the ‘Scan’ tab.
Host and Service Discovery tab
- In order to scan all UDP and TCP ports between the ranges 0-65535 on one’s own computer, it is necessary click the ‘Host and Service Discovery’ tab and enter it in the fields as shown below.
Note: The ports to be scanned can also be read from a file.
- Next, the UDP port scan type needs to be selected as ‘Data+ICMP’ and TCP port scan type needs to be specified as ‘Connect’.
- Once the ‘Host and Service Discovery’ tab has been configured, we next configure the IP address of the target system or the range of IP addresses that need to be port scanned by means of the ‘Scan’ tab.
We begin this by entering the IP address or the host name of one’s own computer. The IP address of one’s own computer can be found by using the ‘ipconfig’ command at the DOS window. We locate the IPv4 address and enter it in the ‘Hostname/IP’ tab.
The above picture shows where the IP address needs to be entered. Once the ‘Start’ button is clicked, scanning is in progress and the results will be seen as shown.
These results can also be viewed in HTML format.
To ols tab
Next, we discuss the ‘Tools’ tab in Super Scan 4.1. Once the IP address or the host name or URL is stated, we can perform various actions with the tools provided. Super scan 4.1 allows you to do:
- Hostname/IP Lookup
- ICMP Traceroute
- Zone transfer
- HTTP HEAD request
- HTTP GET request
- HTTPS GET request
- CRSNIC Whois IP
- ARIN WhoisIP
- RIPE WhoisIP
- APNIC WhoisIP
We have seen the different features of Windows port scanning tool ‘Super Scan 4.1′.
The activity of port scanning itself can be reduced by deploying firewalls at critical locations.
While it is possible to port scan the entire set of IP addresses across the world (which might take several days), it is not a good idea, as port scan detectors might be employed by different websites, causing you to be blacklisted. (masscan)
In conclusion, we will just skim on the topic of port scan detector. If there is a tool to scan ports, then there will be a tool to “detect” port scanners. Obviously, every bad needs a good and in this aspect, a port scanner detector is the countermeasure to port scanning tools. Bitdefender’s Internet Security (2014) has features that put all ports on the defensive mode and makes them invisible from outside. (Bitdefender Internet Security (2014))
We have seen the entire life cycle of port scanners from the definition, types, port scanning as part of security assessment, Super Scan tool as well as port scanner detectors. More tools with improved and sophisticated features will be developed as the years go by.
Bitdefender Internet Security (2014). (n.d.). Retrieved July 9, 2014, from pcmag.com: http://www.pcmag.com/article2/0,2817,2421528,00.asp
List of countries by IPv4 address allocation. (n.d.). Retrieved July 4, 2014, from Wikipedia: http://en.wikipedia.org/wiki/List_of_countries_by_IPv4_address_allocation
masscan. (n.d.). Retrieved July 9, 2014, from http://www.tuicool.com/articles/A3qI7b
Netcraft.com. (n.d.). Retrieved June 24, 2014, from Netcraft.com: www.netcraft.com
Port scanning /0 using insecure embedded devices. (n.d.). Retrieved July 4, 2014, from Internet Census 2012: http://internetcensus2012.bitbucket.org/paper.html
Stephen Northcutt, L. Z. Inside Network Permieter Security.
Super Scan 4.1. (n.d.). Retrieved July 7, 2014, from McAfee.com: http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
Surveying Port Scans and Their Detection Methodologies. (2010, August 23). Retrieved July 1, 2014, from http://www.cs.uccs.edu/~jkalita/papers/2011/BhuyanMonowarComputerJournal.pdf