October 24, 2002
In This Issue
Tech Talk

Network Port Scanning 101

If you have ever researched network scanning products, you've most likely heard about port scanning. Port scanning identifies "open doors" on a computer, and is very useful for understanding the nature of a network and the possible points of exploitation. When performing a port scan, there are many types of scans to choose from. Each type provides different information, and each has its strengths and weaknesses. You may have already heard the names of some types of scans (e.g. "SYN Scan" or "Connect Scan"), but how much do you really know about how these scans work? To help you gain a better understanding of port scanning in general, we've outlined the main types of scans here:

TCP SYN Scan
This is the typical "modern" way of scanning a host for open TCP ports. It sends a TCP SYN packet to a port; a SYN packet is the first packet of the TCP three-way handshake. The purpose is to see whether the remote host responds on that port without completing a full connection: a SYN/ACK reply means the port is open (the scanner then answers with a RST so no connection is ever established), a RST means the port is closed, and no reply at all or an ICMP unreachable message means a filter is in the way. It yields the same information as a full connection without the overhead, offers finer control over the scan rate and packet content, and can distinguish filtered ports from closed ones. Because the scanner crafts the packets itself rather than using the system's connect() call, it normally requires raw-socket (administrator or root) privileges on the scanning host.

TCP Connect Scan
This is the traditional way of looking for open ports. It uses the system's native network API to attempt to establish a connection with each port on the remote host. If the connection succeeds, the port is open. If it is refused (the host answers with a RST), the port is closed; if the attempt simply times out, something is filtering the port. This method is slower and more resource intensive than a SYN scan, and because the handshake completes, the connection is far more likely to be logged by the target service. On the other hand, it needs no raw-socket privileges and works anywhere the system can open a socket, so it is often used as a fallback when no other scan type is available.

TCP FIN Scan
This scan type uses specially crafted TCP packets with the FIN flag set instead of the SYN flag. A FIN normally appears only when a connection is being closed. Sending one to a port that you have never sent a corresponding SYN to should, according to RFC 793, draw a RST if the port is closed and no response at all if the port is open. Unfortunately, many TCP/IP implementations do not follow the RFC on this point and answer with a RST regardless of port state, so this scan can give incorrect results against certain types of hosts, Windows machines in particular. Note also that silence cannot distinguish an open port from one where a firewall simply dropped the probe.

TCP XMAS Scan
This type of scan is similar to the FIN scan, but instead of a lone FIN flag it uses a combination known as a "Christmas tree packet": the FIN, URG, and PUSH flags set together, lighting up the flag field like a tree. It attempts to achieve the same results as a FIN scan and may slip past certain detection mechanisms and firewalls that catch a plain FIN probe. It suffers from the same problems as a regular FIN scan, however, and often does not give correct results.

TCP NULL Scan
Again, this type of scan is just a change in the flags on each packet sent to the remote host; in this case no flags are set at all. No legitimate TCP segment looks like this under the RFC, so some firewalls drop it before it reaches the target machine. Against an RFC-compliant stack it behaves like a FIN scan (RST for closed, silence for open), but it is a somewhat ineffectual scan type, and is often used only when no other type yields useful information.

UDP Scan
This type of scan targets the UDP protocol. Unlike TCP, UDP has no connection setup. That makes the protocol lightweight, but it complicates scanning: nothing obliges the target to answer a probe, as the SYN/ACK or RST does in the case of SYN scanning. Typically a UDP packet sent to a closed port draws back an ICMP port unreachable message, while an open port answers only if the service understands the probe and otherwise stays silent, so silence means either open or filtered. Again, non-compliant IP stacks can forgo the ICMP reply, and many hosts rate-limit how many ICMP errors they send per second, which makes large UDP scans slow. Research is currently being done to achieve a better success rate for this type of scanning and to improve its reliability.
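The scan types above differ only in what the probe carries and how the reply (or its absence) is read. The following Python is an added example written for this newsletter; it is not eEye code and not part of Retina. It builds the raw TCP header a SYN, FIN, Xmas or NULL probe would carry (with a correct checksum over the IPv4 pseudo-header), maps replies to port states for each scan type including UDP, and runs a real connect scan against two loopback ports, one listening and one not. Sending the crafted headers would require a raw socket and administrator privileges, so the block stops at building and verifying them; the IP addresses and port numbers in it are made up.

```python
import socket
import struct

# TCP flag bits from RFC 793.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag byte each probe type carries. Xmas lights up FIN, PSH and URG;
# NULL carries no flags at all.
SCAN_FLAGS = {"syn": SYN, "fin": FIN, "xmas": FIN | PSH | URG, "null": 0}


def tcp_checksum(data):
    """Ones-complement sum of 16-bit words, as RFC 793 specifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0):
    """Return a 20-byte TCP header (no options, no payload) with the given
    flags and a valid checksum. This is the probe a stateless scanner crafts."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    csum = tcp_checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment):
    """A segment whose checksum is right sums to zero with the field included."""
    return tcp_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify(scan, reply):
    """Map a reply to a port state. reply is None (timeout),
    ("tcp", flag_byte), ("udp", payload) or ("icmp", type, code)."""
    if reply is None:
        # SYN scan expects an answer either way; the stealth scans and UDP
        # expect silence from an open port, so silence is ambiguous there.
        return "filtered" if scan == "syn" else "open|filtered"
    kind = reply[0]
    if kind == "icmp":
        _, icmp_type, code = reply
        # Type 3 code 3 (port unreachable) is the UDP "closed" signal;
        # other unreachables come from filters.
        if scan == "udp" and icmp_type == 3 and code == 3:
            return "closed"
        return "filtered"
    if kind == "tcp":
        flags = reply[1]
        if flags & RST:
            return "closed"
        if scan == "syn" and (flags & SYN) and (flags & ACK):
            return "open"
        return "unexpected"
    if kind == "udp":
        return "open"
    return "unexpected"


def connect_scan(host, ports, timeout=0.5):
    """Connect scan through the normal socket API, no raw sockets needed.
    Refused (RST) means closed; a timeout means filtered."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            states[port] = "open"
        except ConnectionRefusedError:
            states[port] = "closed"
        except socket.timeout:
            states[port] = "filtered"
        except OSError:
            states[port] = "error"
        finally:
            s.close()
    return states


def demo_connect_scan():
    """Constructed demo: one loopback listener (open) and one port that is
    bound and immediately released (closed). Returns the state of each."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open": states[open_port], "closed": states[closed_port]}


if __name__ == "__main__":
    probe = build_tcp_segment("10.0.0.1", "10.0.0.2", 40000, 80, SCAN_FLAGS["xmas"])
    print("xmas probe:", probe.hex(), "checksum ok:", checksum_ok("10.0.0.1", "10.0.0.2", probe))
    print("connect scan:", demo_connect_scan())
```

One practical check falls out of classify(): if a FIN, Xmas or NULL scan reports every port on a host as "closed", you are almost certainly looking at a stack that sends a RST regardless of port state, as described for Windows above, and the scan has told you nothing about which ports are listening.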

As discussed, there are numerous ways to scan a remote system to find out which ports have services listening on them. This is helpful in a security context, as it attempts to provide information that you may not otherwise be able to get. For more extensive information on the different methods of port scanning, see our link to "The Art of Port Scanning" in the Etcetera section of this newsletter.

Ryan Permeh
Senior Software Engineer

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

eWeek - Tracking Down Insecure WLANs
"Looking for something to do this weekend? Well, if you have a laptop and a wireless card, you can join dozens of other technophiles with time on their hands in searching out insecure WLANs." Full Article

CNN - Attack on Heart of Internet Fails to Bring it Down
"The attempt to bring down the heart of the Internet this week sounded ominous. But experts say the attack was neither the most efficient nor likely way to inflict pain on the average Web surfer." Full Article

Security News Portal - Vulnerability Scanning and Security Assessment Market Growing
"The Yankee Group expects this managed security market, worth $45 million in 2001, to swell to almost $190 million by 2006. This market includes services for vulnerability scanning, security assessments, forensics analysis, wireless access point security, Web services assessments, and mobile device scanning." Full Article

Wired News - Can a Hacker Outfox Microsoft?
"Microsoft only announced Palladium -- its initiative to build anti-copying technology into the hardware and operating system of a PC -- a few months ago. It's already causing a great deal of consternation among cypherpunks and hackers." Full Article

Reader Q&A

Q: Do you have any suggestions for creating smaller and more focused Retina policies that scan for just a few vulnerabilities?

A: Creating scanning policies that seek out one or two vulnerabilities can be of use for any organization trying to secure against a particularly nasty hole, worm, or virus. We suggest, however, that even when narrowing the vulnerability search you still do a basic port scan (leave all ports as "active") and not limit the scan to just one or two ports. The port scan takes a minimal amount of time, even over a large network, and even when focusing a scan on a particular item it is useful to still be able to report on anything odd or out of place on your network.

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

New Product Versions: Retina 4.9 and Iris 4.0
Retina 4.9 - We've introduced eleven new reasons why Retina is the industry's best security scanner.

Iris 4.0 - A new decoder architecture, interface improvements, and numerous changes to the base product have made this version the most flexible, most stable, and fastest Iris ever. Full Article

Product Review: MCP Magazine - Thwarting Hackers [SecureIIS]
SecureIIS is an application firewall intended to remedy the lack of hacker protection that was assumed to be out-of-the-box on an IIS server. Because conventional IIS defenses are pitifully inadequate, IIS has been a sitting duck to hackers (novices and experts). Full Article

Product Review: Secure Computing Magazine - Iris 3.8
There is no point sitting in front of your admin console simply wondering what is going on across your network. You really do need to have a blow-by-blow account of network traffic and be able to anticipate potential problems prior to them causing any disruption. Full Article

Retina and Iris Win the 2002 W2K Target Awards
Retina® Network Security Scanner and Iris™ Network Traffic Analyzer won their respective categories as best-of-breed products, and SecureIIS™ Web Server Protection was a W2K Target Award finalist. Full Article

Etcetera

Clues, Vandalism, Litter Sendmail Trojan Trail
A cautionary tale: this article spotlights a company that was skeptical when informed that their system was the proxy for the Sendmail Trojan. Several days later they were fighting for system files and had lost gigabytes of financial records, personal items, and security logs. More

The Art of Port Scanning
If this newsletter's Tech Talk article made you crave more information on port scanning, the following is a straightforward and thorough resource about various scanning techniques. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.