Port Scanner

A port scanner is a tool for mapping TCP and UDP ports. In this test it identifies the status of the ports, whether they are closed, listening or open. You can specify the range of ports that the application will scan, for example: 25 to 80. Generally, port scanners are used by malicious people to identify open ports and plan intrusions. It can also be used by security companies for vulnerability analysis (pen test). One of the most popular port scanners is nmap.

Legitimate Port Scans

Port scanners are important tools for system administrators and computer security consultants because these scans provide an objective picture of the security of networks and individual computers. As a result, there are several companies and organizations that provide network and port scanners or offer scans as a service over the web. Online service providers, such as IRC providers, also use port scans to determine whether clients use open proxies.

Illegal port scans

Since the port scanner effectively rattles back doors to see if a door is open somewhere, the use of this software can in some cases also be seen as a punishable preparatory act. However, this only applies if there is also a punishable act such as computer intrusion (art. 138ab, paragraph 1 of the Criminal Code; art. 144a, paragraph 1 of the BES Criminal Code), because the port scan itself is not punishable.

However, many port scans do not come directly from malicious parties, but from worms and viruses on infected computers, which in this way try to identify targets for infections. In the latter form, only specific ports are usually scanned.

TCP scan

In a TCP scan, the services of the operating system are used to try to establish a connection with another computer. When the connection is established (after a three-way handshake), the scanner disconnects. The advantage is that the operator does not need to have system privileges and the software used is very simple. However, the use of operating system routines prevents the user from manipulating used TCP packets.

SYN scan

A SYN scan, also known as a semi-open scan, uses specific, often manipulated TCP packets. After the target responds with an ACK to the request to open a connection (with a SYN packet), an RST (reset) packet is sent. This will not complete the three-way handshake and never fully open the connection. Hence the name.

ACK scan

An ACK scan is a fairly specific tool that does not check the availability of a port, but the underlying firewall. This form of scanning is based on the fact that simple firewalls recognize incoming connections by the SYN packet and ignore connections already established. By simply omitting the SYN packet and pretending that there is already an existing connection, conclusions about the rules of the relevant firewall can be retrieved. However, this only works if the firewall software is not stateful, ie does not keep internal information about the state of connections. However, modern firewall software is generally stateful, so this way of scanning is no longer very useful.

TIN scanning

Since many firewalls use the SYN packet to detect incoming connections and block them if necessary, an alternative has been devised based on a different treatment of the FIN packet, which in normal use announces the end of a TCP connection. Closed ports respond to a FIN with an RST packet, while open ports ignore the packet. However, this technique doesn’t work with some operating systems that ignore the difference between open and closed ports and always send an RST packet (such as different versions of Microsoft Windows) and systems equipped with stateful packet filtering, such as Linux that can view packet-by-packet or is part of an already existing connection.

Leave a Reply