Imagine a long hallway with doors on either side. There are a total of 131,082 doors. The ones on the right of the hall are TCP, on the left UDP. Some of those doors are marked, but most of them aren’t. Some of them have locks or security cameras, but most of them don’t.
This is what a cybercriminal might see when they look at one of your computers, except they can look through many different hallways and all the doors at the same time. Are you watching all of the doors? Some of the doors, maybe? Are you using the same port scanning techniques the cybercriminals would use to see where you might be vulnerable to attacks? You should be.
What is a Port Scanner?
A port scanner is a simple computer program that checks all of those doors – which we will start calling ports – and responds with one of three possible responses: Open, Closed, or Filtered.
There are two kinds of ports on each computer – TCP, and UDP – and 65,536 of each.
The first 1024 TCP ports are the well-known ports like FTP(21), HTTP(80), or SSH(22). Anything above 1024 is available for use by services or applications.
Cybercriminals use a port scanner to find potential weak points they could exploit, with malware or a Trojan on that system, or to use that computer to connect to other systems in your network.
How Port Scanning Works?
Port scanning is quite simple: a port scanner sends a request to connect to a port on a computer and records the response.
There are three possible responses:
- Open, Accepted: The computer responds and asks if there is anything it can do for you.
- Closed, Not Listening: The computer responds that “This port is currently in use and unavailable at this time.”
- Filtered, Dropped, Blocked: The computer doesn’t even bother to respond, it has no time for shenanigans.
Cybercriminals are looking for open ports that they can use as communication relays or infiltration vectors into your network. Any open port they can find is a possible access point for further infiltration into your network.
Let’s check out some different port scanning techniques.
The simplest port scans are ping scans. A ping is an Internet Control Message Protocol (ICMP) echo request – you are looking for any ICMP replies, which indicates that the target is alive. A ping scan is an automated blast of many ICMP echo requests to different targets to see who responds.
Administrators usually disable ping either on the firewall or on the router. It’s quick and easy to turn off this functionality and make it impossible to scout the network this way. However, ping is a good troubleshooting tool, and turning it off makes tracking down network problems a little more difficult.
One of the more common and popular port scanning techniques is the TCP Half-Open port scan, sometimes referred to as SYN scan. It’s a fast and sneaky scan that tries to find potential open ports on the target computer. This scan is fast because it never completes the full TCP 3 way-handshake. The scanner sends a SYN message and just notes the SYN-ACK responses. The scanner doesn’t complete the connection by sending the final ACK: it leaves the target hanging.
Any SYN-ACK responses are possible connections: an RST(reset) response means the port is closed, but there is a live computer here. No responses indicate SYN is filtered on the network. Any SYN-ACK replies are a quick way cybercriminals can find the next potential target.
This port scanning technique is basically the same as the TCP Half-Open scan, but instead of leaving the target hanging, the port scanner completes the TCP connection.
It’s not as popular a technique as the TCP Half-Open. First, you have to send one more packet per scan, which increases the amount of noise you are making on the network.* Second, since you complete the connection with the target, you might trip an alarm that the Half-Open scan wouldn’t.
* Technical jargon: “Noisy” programs are programs that send large numbers of packets around the network. You might also hear them referred to as “chatty.”
UDP is the other half of our “hallway” and some standard services – DNS, SNMP, DHCP for example – use UDP ports instead of TCP ports. When you run a UDP port scan, you send either an empty packet or a packet that has a different payload per port, depending on your use case.
The trick with a UDP scan is that you will only get a response if the port is closed, which means you might know that there is a computer there. Depending on which port responded you might know that it has DNS or SNMP running, but that’s pretty much it. No response means that either the port is open or it’s filtered, and you might have to run the scan more than once before you figure anything out about the target. You could be waiting a while to get a response that might never come.
One more logical use of a UDP scan is to send a DNS request to UDP port 53 and see if you get a DNS reply. If you do get a reply, you know that there is a DNS server on that computer. A UDP scan can be useful to scout for active services that way, and the nmap port scanner is preconfigured to send requests for many standard services.
Difference Between TCP and UDP
TCP and UDP are the two most common protocols in use for Internet Protocol (IP) networks. Transmission Control Protocol (TCP) is a nice orderly transaction protocol: TCP sends each packet in order, complete with error checking, verification, and a 3-way handshake to confirm each packet is successful.
UDP doesn’t have any of the error checking, but gains on speed: live streaming and online video games often use UDP for this reason. Programs that use UDP just send the data – and if you miss a packet, you will never get it again.
In the TCP vs UDP discussion it depends on what you need – do you need complete data or do you need speed? If you need complete data use TCP, if you need more speed and can tolerate some data loss, use UDP.
Sometimes a hacker (whitehat or blackhat) wants to run a port scan that is even quieter and less obvious than the other kinds of scans. Thankfully, TCP includes some flags that allow you to do just that.
When you send a port scan with a packet and the FIN flag, you are sending the packet and not expecting a response. If you do get an RST you can assume that the port is closed. If you get nothing back that indicates the port is open. Firewalls are looking for SYN packets, so FIN packets slip through undetected.
The X-MAS scan sends a packet with the FIN, URG, and PUSH flags, and expects an RST or no response, just like the FIN scan. There isn’t much practical use for this scan, but it does make the packet resemble a Christmas tree, so there is that.
You can also send packets with no flags, called a NULL packet, and the response is either an RST or nothing.
The good thing – for the hacker – about these scans is that they don’t usually show up in logs. More recent Intrusion Detection Software (IDS) and of course WireShark will catch these scans. The bad news is that if the target is a Microsoft OS, you will only see closed ports – but if you do find an open port you can assume that it’s not a Windows machine. The biggest advantage of using these flags is that they can slip past the firewall, which makes the results more reliable.
Port scanning and penetration testing are important parts of the cyber kill-chain that can lead to intrusion, exploitation, privilege escalation, and more. Port scanning is often just one part of the bigger picture in a cyberattack.
When you’re investigating data security incidents, context is key: adding detailed location information to file activity, for example, can help you determine if files are being accessed from a known or unknown location. Varonis Edge adds context from perimeter devices to file server, email, and AD monitoring from Varonis DatAdvantage. It could mean the difference in identifying abnormal – but acceptable – user behaviors or catching a cyberattack in progress.
Get a 1:1 personalized demo to see how Varonis can add context to your data security investigations, and protect against every step of the kill chain.