
Written by: Aptive

What is Port Scanning? Port Scans Explained

Learn the basics of port scanning, a network security technique used to identify open ports, services, and potential vulnerabilities on a system. Discover different types of port scans, their uses in cybersecurity, and how they help assess and secure network infrastructures.

Port scanning is the process of systematically testing a computer network for open ports, which are communication endpoints used by applications to send and receive data. Each service running on a networked device, such as a web server or an email server, operates on a specific port number. For instance, web servers typically use port 80 for HTTP and port 443 for HTTPS.

When a security professional performs a port scan during a penetration test, or an attacker does so during reconnaissance, they send packets to a range of port numbers on a target system and analyse the responses. This helps to determine which ports are open, closed, or filtered by a firewall. The results of a port scan can reveal valuable information about the services running on a device, and this knowledge can be used for both defensive and offensive purposes.

What is a Port

Before we explain what port scanning is, it is important to understand what a port is. A port is a virtual endpoint on a computer or network device that allows communication between different services and applications over a network. Each TCP port is associated with a specific number, typically ranging from 0 to 65535, and serves as a communication channel for data packets. For example, port 80 is commonly used for web traffic (HTTP), while port 22 is used for secure shell access (SSH). Ports help direct incoming and outgoing network traffic to the appropriate applications, facilitating efficient data exchange.

Key Types of Port Scans:

Port scanning involves various methods to discover open or closed ports on a system, which helps to identify services running on those ports. Each technique serves a different purpose, often balancing efficiency and stealth. Here’s an overview of the most common types of port scanning:

  1. Ping Scanning: Ping scanning is used to determine whether a target machine is online or reachable. This is done by sending ICMP (Internet Control Message Protocol) echo requests (commonly called “ping” requests) to a system. If the system responds with an ICMP echo reply, it indicates the machine is active and reachable. However, many modern firewalls block ICMP traffic, reducing the reliability of this method for discovering live hosts.

  2. TCP XMAS Packet Scan: The TCP XMAS scan gets its name from the fact that the packet it sends is “lit up like a Christmas tree,” meaning it has several flags set in the TCP header (FIN, URG, and PSH). This scan is designed to probe for open ports by sending packets with unusual flag configurations to a target. An open port typically ignores the packet, while a closed port responds with an RST (reset) packet. This scan is more stealthy because it does not complete a normal handshake, making it harder for some firewalls and intrusion detection systems (IDS) to detect.

  3. TCP FIN Packet Scan: In a TCP FIN scan, the attacker sends a TCP packet with the FIN flag set, which usually signals the end of a connection in normal TCP communications. An open port should ignore the FIN packet, while a closed port will respond with an RST packet. Like the XMAS scan, the FIN scan is a stealth technique used to avoid detection, as it does not engage in the full TCP handshake process, making it less conspicuous to network defences.

  4. Stealth Scan (SYN Scan): The SYN scan, also known as a half-open scan or stealth scan, is one of the most commonly used port scanning techniques. It works by sending a TCP SYN (synchronise) packet to initiate a connection. If the target port is open, the system responds with a SYN-ACK (acknowledgement). Instead of completing the handshake by sending an ACK, the scanner sends an RST (reset) packet, aborting the connection. This scan is called “stealthy” because it doesn’t complete the full connection, making it harder for the target to log the scan as a regular connection attempt.

  5. UDP Scanning: UDP scanning is used to determine whether a port using the UDP (User Datagram Protocol) is open. Unlike TCP, UDP is a connectionless protocol, meaning there is no handshake to establish a session. This makes UDP scanning more difficult, as it often relies on receiving an ICMP “port unreachable” message if a port is closed. If no response is received, the port is assumed to be open or filtered. Since many systems throttle or block ICMP responses, UDP scans can be slow and unreliable but are still important for identifying services like DNS, SNMP, or DHCP, which run over UDP.

  6. SYN (Half-Open) Scan: The SYN scan is a variation of the stealth scan, sending only the SYN packet to initiate the connection but not completing the handshake. This scan is faster than other methods and less likely to be logged by the target system because it does not establish a full TCP session. If the port is open, the target responds with a SYN-ACK packet, indicating readiness to complete the connection, but the scanner immediately responds with an RST packet to tear down the connection.

Summary of Key Differences:

  • Ping Scanning: Determines if a host is live using ICMP.
  • TCP XMAS Packet Scan: Uses packets with unusual flags to probe for open ports, relying on a lack of response from open ports.
  • TCP FIN Packet Scan: Similar to XMAS, but uses only the FIN flag, expecting no response from open ports.
  • Stealth Scan (SYN): Initiates but doesn’t complete the TCP handshake, making it harder to detect.
  • UDP Scanning: Probes for open UDP ports by sending packets and analysing responses, often involving ICMP.
  • SYN (Half-Open) Scan: Similar to stealth scans, focuses on SYN packets without completing a connection.

Each method offers different advantages and levels of stealth, helping researchers and attackers alike to assess network services or exploit vulnerabilities.

When performing a port scan, the results help determine the status of different ports on the target system. These results typically fall into a few key categories, each of which reveals something about the state of the port and the services running on it.

If your organisation requires an external scan to assess what ports are exposed consider checking out our vulnerability testing and penetration testing services.

Common Port Scan Results:

While the terminology differs depending on the port scanning tool that is being leveraged by the security tester, the typical output from tooling is as follows:

  1. Open: An open port means that there is a service actively listening for connections on that port. This is significant because it indicates that a service, such as a web server (on port 80 or 443), an email server (on port 25), or an SSH service (on port 22), is accessible. Open ports are essential for communication between devices, but they can also be entry points for attacks if they are associated with vulnerable or misconfigured services. Discovering open ports helps security professionals identify which services are exposed and determine whether they are appropriately secured.

  2. Closed: A closed port means that no service is listening on that port, but the port is accessible and responding to probes. This is useful information because it confirms that the host exists and can be reached, but it also indicates that no services are running on that specific port. Closed ports can still respond with an RST (reset) packet, which means they are not blocked by a firewall. While a closed port isn’t an immediate security risk, attackers could try to reopen or exploit it if conditions change.

  3. Filtered: A filtered port result indicates that the port is being protected by a firewall or other security mechanism, and the scanning tool cannot determine whether the port is open or closed. Instead of getting a direct response, the scanner receives no response or an ICMP error (such as “destination unreachable”). This suggests that the traffic is being dropped or blocked by a firewall, intrusion prevention system (IPS), or some other security filter. Filtered ports are usually harder to exploit, but they can also conceal useful services from an attacker.

  4. Unfiltered: An unfiltered port is one that is reachable, but the scanner cannot determine whether it is open or closed. This result is often associated with scanning techniques that lack a clear response, such as a UDP scan, where the lack of response may be due to packet filtering or timeouts. While not as definitive as other results, unfiltered ports suggest that traffic is allowed to reach the port but more analysis is required to know its status.

  5. Open|Filtered: When a port is marked as open|filtered, it means the scan is unable to definitively conclude whether the port is open or being filtered. This result is often seen in UDP scans and some types of stealth scans (like SYN scans). Since UDP is connectionless, the lack of a response could mean that the port is either open or silently filtered by a firewall. Similarly, certain TCP scans may trigger no response, leading to ambiguity.

  6. Closed|Filtered: A closed|filtered port result is rare, but it occurs when the scanner cannot distinguish between a port that is closed and one that is being filtered. This can happen in situations where a firewall or security system behaves in a way that prevents clear detection, for instance, by dropping packets but not sending reset responses.

Common TCP Ports

Below are some common ports along with their associated protocols and services:

Port Number | Protocol | Service Name | Description
----------- | -------- | ------------ | -----------------------------------------------------
20          | TCP      | FTP Data     | File Transfer Protocol (Data transfer)
21          | TCP      | FTP          | File Transfer Protocol (Control)
22          | TCP      | SSH          | Secure Shell (Secure remote access)
23          | TCP      | Telnet       | Unencrypted text communication
25          | TCP      | SMTP         | Simple Mail Transfer Protocol (Email)
53          | TCP/UDP  | DNS          | Domain Name System (Name resolution)
67          | UDP      | DHCP         | Dynamic Host Configuration Protocol (Server)
68          | UDP      | DHCP         | Dynamic Host Configuration Protocol (Client)
80          | TCP      | HTTP         | Hypertext Transfer Protocol (Web traffic)
443         | TCP      | HTTPS        | Hypertext Transfer Protocol Secure (Secure web traffic)
110         | TCP      | POP3         | Post Office Protocol (Email retrieval)
143         | TCP      | IMAP         | Internet Message Access Protocol (Email retrieval)
3389        | TCP      | RDP          | Remote Desktop Protocol (Remote desktop access)
3306        | TCP      | MySQL        | MySQL Database Service
5432        | TCP      | PostgreSQL   | PostgreSQL Database Service

This table provides a concise overview of some of the most commonly used ports in networking, highlighting their respective protocols and services.

What These Results Mean in Practice:

  • Open Ports: These should be scrutinised for running services, especially if they are unexpected or unnecessary. Attackers focus on open ports as potential entry points, so organisations should ensure they are properly secured with up-to-date patches and strong configurations.

  • Closed Ports: While closed, they indicate a device is accessible, and network admins might consider using firewall rules to block traffic to these ports to make them less visible to attackers.

  • Filtered Ports: These suggest a well-configured firewall is in place, but it’s also possible that legitimate services may be hidden behind the filtering. Further analysis may be necessary to assess whether all filtering rules are correctly applied.

  • Open|Filtered Ports: These ambiguous results often require additional tools or techniques to gain more information. This result suggests that further probing might be needed to conclusively determine the status of the service.

Understanding port scan results is essential for both attackers, who seek vulnerabilities, and defenders, who aim to lock down network services. The results give insights into the network architecture, potential weaknesses, and areas that need tighter security controls.
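As an added example (not code from the article or from Nmap), the script below turns a scan report into the follow-up actions described above: it parses a constructed sample in Nmap's grepable (-oG) layout and checks every open, filtered and open|filtered port against a hypothetical allowlist of what each host is meant to expose. The hosts, services, versions and the allowlist are assumed sample values.

```python
import re

# Constructed sample in Nmap "grepable" (-oG) layout, where each port entry is
# port/state/protocol/owner/service/rpc/version. Not output from a real scan.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, 3306/open/tcp//mysql//MySQL 8.0/, "
    "23/filtered/tcp//telnet///, 161/open|filtered/udp//snmp///\tIgnored State: closed (994)\n"
    "Host: 192.0.2.11 (db01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "5432/open/tcp//postgresql///\tIgnored State: closed (998)\n"
)

# Hypothetical baseline: the (protocol, port) pairs each host is meant to expose.
EXPECTED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 5432), ("tcp", 8443)},
}

# One -oG port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_gnmap(text):
    """Map host IP -> list of (port, state, proto, service, version) from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports: ", 1)[1].split("\t")[0]
        hosts[ip] = [(int(p), st, pr, svc, ver)
                     for p, st, pr, svc, ver in PORT_RE.findall(ports_field)]
    return hosts

def triage(hosts, expected):
    """Turn each result category into the follow-up action the article describes."""
    findings = []
    for ip, ports in hosts.items():
        allowed = expected.get(ip, set())
        observed_open = set()
        for port, state, proto, service, version in ports:
            if state == "open":
                observed_open.add((proto, port))
                action = "expected-open" if (proto, port) in allowed else "unexpected-open"
            elif state == "open|filtered":
                action = "ambiguous"        # needs a follow-up probe to settle the state
            elif state == "filtered":
                action = "filtered"         # confirm the firewall rule is intentional
            else:
                continue                    # closed/unfiltered: nothing to act on here
            findings.append({"host": ip, "port": port, "proto": proto, "service": service,
                             "version": version, "action": action})
        for proto, port in sorted(allowed - observed_open):
            # an expected service that is not reachable is also a finding (outage or over-blocking)
            findings.append({"host": ip, "port": port, "proto": proto, "service": "",
                             "version": "", "action": "expected-missing"})
    return findings

def summarise(findings):
    """Count findings per action, e.g. to fail a scheduled check on unexpected exposures."""
    counts = {}
    for f in findings:
        counts[f["action"]] = counts.get(f["action"], 0) + 1
    return counts
```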

Port Scanning Tools

Port scanning tools vary in complexity, speed, and stealth capabilities, and many are essential for both network auditing and vulnerability assessment.

Here are some of the most common tools used for port scanning:

  1. Nmap (Network Mapper)

    • Overview: One of the most popular and versatile tools for port scanning, Nmap can perform a wide variety of scans, including TCP, UDP, SYN (half-open), and ping scans. It is highly configurable and supports additional features like OS detection, service version detection, and scriptable scanning using the Nmap Scripting Engine (NSE).
    • Use Case: Network discovery, security audits, and vulnerability assessments.
    • Key Features: Open-source, widely used, supports multiple scan types, stealth scanning, and detailed reporting.
  2. Zenmap

    • Overview: Zenmap is the graphical user interface (GUI) for Nmap. It provides the same functionality as Nmap but in a more user-friendly format, allowing users to visualise scan results more easily. It’s particularly helpful for those who prefer not to work from the command line.
    • Use Case: For users who want a GUI-based tool for Nmap’s capabilities.
    • Key Features: Visualisation of scan results, easy configuration of scan options, and supports all Nmap functionalities.
  3. Masscan

    • Overview: Masscan is designed for ultra-fast port scanning. It can scan the entire Internet in minutes, using a custom TCP/IP stack to send packets very quickly. It is highly efficient for large-scale scans, though it sacrifices detail and stealth compared to other tools.
    • Use Case: Large-scale network discovery and scanning massive ranges of IP addresses quickly.
    • Key Features: Extremely fast, open-source, but lacks the depth of information that tools like Nmap provide.
  4. Netcat (nc)

    • Overview: Netcat is a networking utility with many functions, one of which is basic port scanning. While it is primarily used as a “Swiss army knife” for reading and writing data across network connections, it can also be used for basic TCP/UDP port scanning and banner grabbing (typically when pivoting through a machine where it is not possible to install tooling).
    • Use Case: Lightweight network diagnostics and simple port scanning.
    • Key Features: Very versatile, supports both TCP and UDP scanning, can be used for banner grabbing and establishing reverse shells.
  5. Unicornscan

    • Overview: Unicornscan is a tool designed for large-scale, high-performance information gathering and correlation. It can perform asynchronous TCP and UDP scans and supports various port scanning techniques. Unicornscan is often used in cases where stealth and evasion are critical.
    • Use Case: Large-scale reconnaissance and stealth scanning.
    • Key Features: Fast scanning, supports both TCP and UDP, offers some stealth capabilities, and is useful for high-speed data collection.
  6. Project Discovery Naabu

    • Overview: Naabu is a fast and efficient port scanning tool developed as part of the Project Discovery suite. It is specifically designed for network reconnaissance and security testing, allowing users to identify open ports on target systems. Naabu focuses on speed and simplicity while providing a reliable means to gather information on exposed services across a network. It supports both TCP and UDP scanning and avoids duplicate host scanning out of the box.
  7. Hping

    • Overview: Hping is a network tool that can perform packet crafting and sending, and is often used for network reconnaissance, including port scanning. Hping allows users to send custom TCP, UDP, ICMP, and RAW-IP packets to network hosts and analyse the responses.
    • Use Case: Network testing, custom packet crafting, and stealth port scanning.
    • Key Features: Custom packet creation, supports various protocols, and can be used for testing firewall rules and performing advanced scans.
  8. ZMap

    • Overview: ZMap is a fast, open-source network scanner designed for Internet-wide network surveys. Like Masscan, ZMap focuses on speed and is able to scan the entire IPv4 address space in a short time.
    • Use Case: Internet-wide scanning and large-scale reconnaissance.
    • Key Features: Extremely fast, supports large-scale scanning, and commonly used for academic and research purposes.
  9. TCPing

    • Overview: TCPing is a tool that pings a port by establishing a TCP connection, much like how ICMP ping checks the availability of a host. It is commonly used for testing port reachability in cases where ICMP is blocked.
    • Use Case: Checking port availability, particularly when ICMP ping is blocked or not feasible.
    • Key Features: Simple, lightweight, and provides easy-to-read results.
  10. OpenVAS

    • Overview: OpenVAS is a full-featured vulnerability scanner that includes port scanning as part of its wider functionality. While it’s more focused on identifying vulnerabilities, it uses port scanning to map services on a network as part of the vulnerability assessment process.
    • Use Case: Full vulnerability assessment, network scanning with a focus on security weaknesses.
    • Key Features: Automated security scanning, vulnerability detection, and open-source.

Summary:

  • Nmap: The most versatile and widely used tool for port scanning, offering various scan types.
  • Masscan and ZMap: Tools designed for high-speed, large-scale scanning.
  • Netcat and Hping: Versatile tools for network diagnostics, with simple scanning capabilities.
  • OpenVAS: Combines port scanning with vulnerability assessment.
  • Project Discovery Naabu: A fast port scanning tool that avoids duplicate scanning of subdomains / domains which resolve to the same IP address.

Shodan: Port Scanning Search Engine

Online port scanning search engines like Shodan are specialised tools that allow users to search for internet-connected devices, services, and systems that are publicly exposed. Unlike traditional search engines (like Google), which index websites and their content, Shodan and similar tools index information about devices connected to the internet, such as servers, webcams, routers, industrial control systems, and other networked devices.

Tools like Shodan enable security researchers and organisations to discover exposed systems, assess vulnerabilities, and take proactive steps to secure their internet-facing infrastructure.

PC Flank

For those old enough to remember, PC Flank was a website that provided online security testing services, particularly focusing on helping users assess their systems’ vulnerability to various internet-based threats. It allowed users to perform basic security tests, such as port scans, firewall tests, and checks for browser privacy leaks, to determine how exposed their computers were to potential cyber attacks. While PC Flank was popular among everyday internet users and small businesses, it also catered to those who wanted to ensure their personal systems were secure without needing in-depth technical knowledge.

Key Features of PC Flank:

  1. Online Port Scanning: PC Flank offered a port scanning tool to check whether a user’s computer had open ports that could be exploited by attackers. By scanning for open TCP and UDP ports, users could identify potential vulnerabilities and take steps to close or secure those ports.

  2. Stealth Test: This test checked whether the user’s system was “stealth” or invisible to external network probes. The goal was to see if a computer could effectively hide from port scans, reducing its exposure to attackers.

  3. Browser Privacy Test: PC Flank also included tests to see how much information a user’s browser was leaking to websites. This test identified whether data like IP address, browser version, operating system, and cookies could be easily accessed, which could impact privacy.

  4. Firewall Test: One of its more popular features was the firewall test. It examined how well a user’s firewall was configured to block unwanted incoming connections. If the firewall allowed too many open ports or failed to block common attack vectors, the test would flag this as a potential security issue.

  5. Trojan Test: This test aimed to detect whether the user’s computer was vulnerable to Trojan horse attacks, which could allow an attacker to take control of the system or steal sensitive data.

The Purpose of PC Flank:

PC Flank was intended to be a simple and accessible way for users to test their system’s exposure to common threats without having to install specialised security software. It provided basic but useful insights into how well a system was protected against unauthorised access and helped users take preventive action, such as improving their firewall settings or disabling vulnerable services.

Impact and Legacy:

Although PC Flank is no longer operational, it played an important role in raising awareness about the importance of personal security online. It provided a valuable educational resource for everyday users who may not have been familiar with network security principles. While the site may no longer be available, the types of tests it offered—port scanning, firewall checks, and privacy assessments—are still important aspects of maintaining a secure system. These functions are now often integrated into modern security software suites, but the core ideas behind PC Flank continue to be relevant today.

Firewall Port Scan Prevention

Firewalls use various mechanisms to prevent port scanning, primarily by controlling incoming and outgoing traffic based on predefined security rules. These mechanisms include:

  • Packet Filtering: Firewalls inspect packets and block those that do not meet specific criteria, such as originating from untrusted IP addresses or targeting unused ports.
  • Stealth Techniques: Some firewalls employ stealth techniques, such as dropping packets without response, making it difficult for attackers to detect open ports during scans.
  • Stateful Inspection: This mechanism tracks the state of active connections and only allows packets that are part of established sessions, thereby blocking unsolicited traffic.
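From the defender's side, the script below is an added illustration (not code from the original article or from any tool it names) that applies the flag semantics from the scan-type list earlier on the page to firewall logs: it parses iptables-style LOG lines, labels each probe as SYN, FIN, XMAS or UDP, and raises alerts for flag combinations that never occur in a legitimate session and for sources that touch many ports within a short window. The log lines, addresses, ports and thresholds are constructed samples, not real traffic.

```python
import re
from collections import Counter, defaultdict, deque

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
LINE_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ kernel: (.*)$")
# Flag sets that identify the probe techniques described in the article (none carry ACK).
FLAG_SIGNATURES = {frozenset({"SYN"}): "syn", frozenset({"FIN"}): "fin",
                   frozenset({"FIN", "PSH", "URG"}): "xmas"}

def _log(ts, src, proto, dport, flags=""):
    """Render one constructed line in iptables LOG style (sample data, not real traffic)."""
    tail = f"WINDOW=1024 RES=0x00 {flags} URGP=0" if proto == "TCP" else "LEN=40"
    return (f"Jan 10 {ts} fw kernel: DROP IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"PROTO={proto} SPT=40001 DPT={dport} {tail}")

SWEEP_PORTS = (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389, 5432, 8080, 8443)
SAMPLE_LOG = "\n".join(
    # a SYN (half-open) sweep of 15 ports inside two seconds from a single source
    [_log(f"12:00:0{i // 8}", "203.0.113.5", "TCP", p, "SYN") for i, p in enumerate(SWEEP_PORTS)]
    # two XMAS probes (FIN, URG and PSH set) and one lone FIN probe
    + [_log("12:00:05", "198.51.100.7", "TCP", 80, "URG PSH FIN"),
       _log("12:00:05", "198.51.100.7", "TCP", 443, "URG PSH FIN"),
       _log("12:00:06", "198.51.100.8", "TCP", 22, "FIN")]
    # background noise: one ordinary SYN and one UDP packet, below any threshold
    + [_log("12:00:30", "192.0.2.99", "TCP", 80, "SYN"), _log("12:00:31", "192.0.2.44", "UDP", 161)])

def parse_line(line):
    """Return {'ts', 'src', 'proto', 'dpt', 'flags'} for a packet log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, body = m.groups()
    fields = dict(t.split("=", 1) for t in body.split() if "=" in t)
    flags = {t for t in body.split() if t in TCP_FLAGS}
    if "DPT" not in fields:          # e.g. ICMP entries carry no destination port
        return None
    return {"ts": int(h) * 3600 + int(mi) * 60 + int(s), "src": fields["SRC"],
            "proto": fields["PROTO"], "dpt": int(fields["DPT"]), "flags": flags}

def probe_type(pkt):
    """Name the scan technique a logged packet matches, or 'other'."""
    if pkt["proto"] == "UDP":
        return "udp"
    return FLAG_SIGNATURES.get(frozenset(pkt["flags"]), "other")

def detect_scans(log_text, window_seconds=10, port_threshold=10):
    """Alert on abnormal TCP flag combinations and on many distinct ports per source."""
    by_src = defaultdict(list)
    for pkt in filter(None, map(parse_line, log_text.splitlines())):
        by_src[pkt["src"]].append(pkt)
    alerts = []
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p["ts"])
        # Rule 1: every segment after the handshake carries ACK, so one FIN-only or
        # FIN+URG+PSH packet is a probe by definition, however "stealthy" it is to the host.
        for tech in ("fin", "xmas"):
            ports = sorted({p["dpt"] for p in pkts if probe_type(p) == tech})
            if ports:
                alerts.append({"src": src, "technique": tech, "ports": ports,
                               "reason": "flag combination never seen in normal TCP"})
        # Rule 2: a single SYN looks like a normal connection attempt; a sweep only shows
        # in aggregate, so count distinct destination ports over a sliding time window.
        window, seen = deque(), Counter()
        for p in pkts:
            window.append(p)
            seen[p["dpt"]] += 1
            while p["ts"] - window[0]["ts"] > window_seconds:
                seen[window.popleft()["dpt"]] -= 1
            if len(+seen) >= port_threshold:      # +seen keeps only ports still in window
                tech = Counter(map(probe_type, window)).most_common(1)[0][0]
                alerts.append({"src": src, "technique": tech, "ports": sorted(+seen),
                               "reason": f"{len(+seen)} distinct ports within {window_seconds}s"})
                break
    return alerts
```

Tune window_seconds and port_threshold to the environment; a slow scan spread over hours will only be caught by Rule 1 or by a much longer window.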

Firewall Rules

Firewall rules define which types of traffic are allowed or denied based on parameters such as IP addresses, port numbers, and protocols. For example, a rule might allow traffic on port 80 (HTTP) while blocking traffic on port 23 (Telnet).

Potential Defeats

Despite their effectiveness, firewall rules can potentially be defeated through various methods:

  • IP Spoofing: Attackers can forge the source IP address of packets to bypass filtering rules that restrict traffic from specific IPs.
  • Port Scanning Techniques: Advanced port scanning techniques, like SYN scans or FIN scans, can sometimes evade detection by exploiting how firewalls interpret incoming packets.
  • Misconfigured Rules: Improperly configured firewall rules may inadvertently expose services or allow traffic that should be blocked.
  • Tunnelling: Attackers can encapsulate malicious traffic within allowed protocols (like HTTP or DNS) to bypass firewall protections.

By understanding these mechanisms and potential weaknesses, organisations can better secure their networks against unauthorised access and attacks.

Leak Test

A firewall leak test was an essential component of network security, designed to evaluate a firewall’s ability to prevent unauthorised outbound traffic and protect against data breaches, thus ensuring the integrity and confidentiality of sensitive information. A leak test was used back when desktop personal firewalls (such as Zone Alarm) were popular, and a leak test would assess if any unpermitted traffic was “leaked” past the personal firewall.

Conclusion

In conclusion, port scanning is an essential technique in network security that enables professionals to identify open ports and services on systems, helping to uncover potential vulnerabilities. By understanding the various types of port scans and their applications, security researchers and administrators can better assess their network’s security posture and take proactive measures to safeguard their infrastructure.