Port scanning is a method of detecting vulnerable nodes in a network by accessing different ports on a host (a device connected to the network) or the same port on different hosts. It can be used by cybercriminals in the preparatory phase of an attack to harvest information about the target host, as well as by information security experts as a tool for locating vulnerable nodes in IT infrastructure.
Types of port scanning
There are several types of port scanning:
- Horizontal scanning or network scanning sends requests to the same port on different hosts. Attackers use horizontal scanning to prepare for a mass attack.
- Vertical scanning sends requests to different ports on the same host. Attackers typically use vertical scanning to look for vulnerabilities in a preselected target.
Port scanning methods
There are various methods of checking which ports are open and accessible externally. The most common are:
- SYN scanning. SYN scanning involves the establishment of a half connection with the destined target. Is a tactic that a malicious hacker can use to determine the state of a communications port without establishing a full connection. This approach, one of the oldest in the repertoire of hackers, is sometimes used to perform a denial-of-service (DoS) attack. SYN scanning is also known as half-open scanning.
- TCP scanning. Commonly involves establishing a full connection, and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. Compared to other types of scans, a TCP Connect scan is slow and methodical.
- UDP scanning.UDP scans, like TCP scans, send a UDP packet to various ports on the target host and evaluate the response packets to determine the availability of the service on the host. As with TCP scans, receiving a response packet indicates that the port is open.
- FIN scanning. In a FIN scan attack, a TCP packet is sent to the remote host with only the FIN flag set. If no response comes from the host, it means that the port is open. If a response is received, it contains the RST/ACK flag, which means that the port is closed.
- ACK scanning. The ACK scanning method is used to determine whether the host is protected by some kind of filtering system. In ACK scanning method, the attacker sends an ACK probe packet with a random sequence number where no response means that the port is filtered (a stateful inspection firewall is present in this case); if an RST response comes back, this means the port is closed.