The importance of port scanning cannot be overstated in any cyber risk assessment conducted under the infrastructure security or network security domains. It helps to identify all the exposed services on a system or network. The presence of open ports does not matter only from an attack perspective; it is equally important from a defensive standpoint.
Firewall risk assessment reports and penetration testing reports often cite port scanning results that show closed ports. A closed port detected within the internal network indicates a security misconfiguration, and in the case of a firewall, certain attack scenarios leverage it. This article should help you understand the context behind open and closed ports and whether you need to close all the open ports.
What is a port in networking? How does it work?
A port is a communication endpoint. For instance, email data is sent in chunks (packets), and the recipient computer assembles these packets into a specific format. This format is understood by the email program running on the target computer on a particular port number; in other words, the email program (a client or a service) is listening on a specific port number.
Ports are virtual; a helpful analogy is a building with multiple flats (apartments). Each flat number is a port number, and the building is the computer system.
A second, separate meaning of the word relates to hardware, for example, a network port at the back of a computer, a switch or other network equipment.
What is an open port?
An open port is a TCP or UDP port number that is actively accepting packets. If a service runs on a specific port, that port is in use and cannot be used by another service. For example, you can run a website using an Apache web server on port 80/TCP. In contrast, a port that rejects or ignores connection attempts is called a closed port.
A port can be in one of three states. Open port scanners rely on this same underlying concept to assess which ports are open, filtered or closed. The port states, based on the responses received, are:
- Open Port: An application is actively accepting connections on this port. Finding such ports is the primary goal of a port scan.
- Closed Port: The port is reachable, but no application is listening on it. Administrators should block such ports at the firewall level, since they can be abused in a situation where an attacker has already compromised another system: a closed port can be used as an outbound port traversing the firewall.
- Filtered Port: A no-response situation where all requests are filtered, dropped or blocked, most likely by a filtering device such as a firewall.
Some port scanners implement their own, more granular versions of these states; Nmap, for example, distinguishes six port states based on responses to help interpret port scan results.
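To make the three states concrete, here is an added example (not the article's own code) of a minimal TCP connect probe that maps the three possible responses onto open, closed and filtered. It only probes 127.0.0.1 and starts its own throwaway listener so the result is reproducible; the host, ports and listener are constructed for the demo.

```python
import socket
from typing import Dict, List


def classify_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port using a full
    TCP connect. Open: the handshake completes. Closed: the host answers
    with a reset (connection refused). Filtered: nothing comes back before
    the timeout, which usually means a firewall dropped the probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def scan_ports(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, str]:
    """Classify every port in `ports` and return {port: state}."""
    return {p: classify_tcp_port(host, p, timeout) for p in ports}


def start_local_listener() -> socket.socket:
    """Start a listener on an ephemeral loopback port so the probe has a
    known-open port to test against (constructed for this demo). The
    kernel completes the handshake even before accept() is called."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def free_local_port() -> int:
    """Reserve and immediately release an ephemeral port, so it is almost
    certainly closed (nothing listening) when probed next."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    listener = start_local_listener()
    targets = [listener.getsockname()[1], free_local_port()]
    for port, state in sorted(scan_ports("127.0.0.1", targets).items()):
        print(f"{port}/tcp {state}")
    listener.close()
```

Against a host behind a firewall that silently drops packets, the same probe hits the timeout branch and reports the port as filtered.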
Between TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), there are 65,535 ports available for communication between devices, meaning 65,535 possible ports can be assigned to services. These services are programs running on a computer, such as a browser, an email program or conference meeting software. The IANA (Internet Assigned Numbers Authority) is responsible for assigning and maintaining the usage of specific port numbers.
Port numbers 1-1024 are known as privileged ports because standard users (non-administrator or non-root users) cannot run services on them. All other ports are known as standard ports.
Are open ports a security risk?
There are many myths on the internet about how an open port can get your computer hacked, how viruses can take over, and so on. Often, a lack of understanding and the spread of fear make such sentiments travel faster than the truth.
Open ports are a security risk if the services running on these ports are misconfigured, vulnerable or unpatched. Some ports are meant for internal exposure only; for example, the SMB protocol is intended for internal file and print sharing within an organisation. Exposing this service on the internet would be a security risk, because threat actors exploit its vulnerabilities to gain access to the internal network. At the same time, an open port on a website accepting connections is not a security risk in itself, because your browser must connect to it to browse the content.
In the SMB example above, it is the service running on the port that poses the security issue. In short, it is the context that matters, not the state of the port.
A threat actor would attempt to find security vulnerabilities in these services that can be exploited to gain unauthorised remote access, leading to a system compromise. In large organisations, a firewall serves as the front door that stops such ports from communicating with the outside world; this is why a firewall is necessary to keep the attack surface of internal networks minimal. Wormable exploits often target open ports whose services are vulnerable or misconfigured.
Open ports are not dangerous by default. What makes them dangerous is the service listening on them, which may be vulnerable to attack. This is why internet-facing systems are advised to have a minimal network footprint.
It also explains why you will often hear cybersecurity professionals say that ‘open ports should be closed if they are not deemed necessary’.
Importance of port scanning
Port scanning techniques are used to check for open ports. They are performed using utilities known as port scanners, which attempt connections to TCP/UDP ports. Certain online open port scanner websites are also available to check whether a single port is open or closed. Port scanning is important because it reveals the exposed attack surface of an asset.
Open ports on Windows differ from open ports on Linux because the operating systems function differently. This is also one indicator used during port scans to identify the operating system in use and to make likely guesses about the underlying architecture. For standard services such as web servers, you already know the port is open when you browse a website address with the HTTP or HTTPS prefix. HTTP and HTTPS (HTTP over SSL/TLS) services use the standard ports 80 and 443, although they can be configured on another port. Other standard port numbers include FTP on 21/TCP, SMTP on 25/TCP, SSH on 22/TCP, IMAP/POP3, SMB on ports 139 and 445, and other services on their respective standard ports. For example, the OpenVPN port used for VPN connections and traffic transfer is the HTTPS port 443. As for transport protocols, OpenVPN uses UDP by default and TCP as the second choice.
Open Port Scanning
To scan for open ports and services, you can use a reliable port scanner such as Nmap for network discovery and security assessments. Nmap, short for Network Mapper, is a free and open-source utility widely known as the go-to tool for discovering and profiling networks. It uses raw IP packets to determine hosts, ports and services and to perform further fingerprinting of the targets. Newer techniques include internet-wide search engines such as Shodan or Censys, which show all the data gathered about internet-facing hosts. However, these are not 100% accurate, as recent changes may not yet be captured. This is best done by performing port scans yourself.
The following is an example of Nmap being used to scan for open ports:
Nmap scan report for 10.19.1.120
Host is up (0.056s latency).
Scanned at 1970-07-05 13:49:47 GMT Daylight Time for 113s
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Microsoft Windows XP telnetd
80/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
The above Nmap scan for open ports shows the port numbers (23/TCP and 80/TCP), the state of each port (open/filtered/closed), the service names (telnet and HTTP) and the versions fingerprinted by the port scanner.
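Scan reports like the one above are usually reviewed by hand, but the same columns are easy to parse so that exposures can be triaged automatically. This is an added example, not code from the article: it parses the PORT/STATE/SERVICE/VERSION rows of Nmap's normal output (the sample report and the internal-only service list are constructed for the demo) and flags what a defender would want to look at first.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the Nmap scan report quoted above.
SAMPLE_REPORT = """\
Nmap scan report for 10.19.1.120
Host is up (0.056s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Microsoft Windows XP telnetd
80/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

# Services the article describes as internal-only or legacy; seeing them
# open on an internet-facing host warrants immediate review (assumed list).
INTERNAL_ONLY = {"telnet", "netbios-ssn", "microsoft-ds"}

# One "PORT STATE SERVICE VERSION" row; the VERSION column may be empty.
PORT_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+"
    r"(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap_report(text: str) -> List[Dict[str, str]]:
    """Extract the per-port rows of Nmap's normal output as dicts with the
    keys port, proto, state, service and version (all strings)."""
    return [m.groupdict() for m in
            (PORT_ROW.match(line.strip()) for line in text.splitlines()) if m]


def open_ports(rows: List[Dict[str, str]]) -> List[str]:
    """Return 'port/proto' for every row whose state is open."""
    return [f"{r['port']}/{r['proto']}" for r in rows if r["state"] == "open"]


def flag_exposures(rows: List[Dict[str, str]]) -> List[str]:
    """Highlight open ports that deserve attention: internal-only services
    exposed, or services for which Nmap could not fingerprint a version."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue
        label = f"{r['port']}/{r['proto']} ({r['service']})"
        if r["service"] in INTERNAL_ONLY:
            findings.append(f"{label}: internal-only service exposed")
        if not r["version"]:
            findings.append(f"{label}: no version fingerprinted, verify manually")
    return findings


if __name__ == "__main__":
    parsed = parse_nmap_report(SAMPLE_REPORT)
    print("open:", open_ports(parsed))
    for finding in flag_exposures(parsed):
        print("review:", finding)
```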
How to scan for open ports?
Scanning another IP address from the command line can be done in several ways. These include using native Windows command prompt or Linux commands, using a port scanner such as Nmap, or attempting to connect to certain ports directly (if you only want to check specific ports).
How to exploit open ports?
A port scan result for a server with multiple open ports and services listening on them looks like this:
Further enumeration and exploitation of security vulnerabilities on the target server are performed by interacting with the open services. In the following screenshot, the telnet utility connects to an SMTP service running on port 25/TCP on the host 10.99.99.1. The commands issued after a successful connection are user enumeration attempts to identify valid users registered with the email server; this technique is known as user enumeration. Once an attacker has a verified list of users, a brute force attack against those email accounts can be attempted.
Therefore, every once in a while, it is good to scan your internet-facing assets to be aware of any new or misconfigured services.
Is port scanning legal?
Hacking is illegal almost everywhere on the planet. However, port scanning is not hacking and is also used for research purposes, for example by Project Sonar, ZMap, Masscan and other projects. Therefore, these activities may or may not fall under local legislation governing computer misuse. You must check your local laws and their terms on computer misuse.
In the UK, the Computer Misuse Act covers the following three primary offences:
- Unauthorised access to computer material
- Unauthorised access with intent to commit or facilitate the commission of further offences
- Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer, etc.
If a computer is not well protected, someone could accidentally access its data without meaning to. Therefore, to prove someone guilty of these charges, it needs to be shown that the intent was there.
Why is port scanning useful for attackers?
Attackers perform port scanning to identify open ports, which are then analysed further by sending crafted packets to find out which services are running. For instance, a port scanner finds that port 80 is open on a target IP address. Fingerprinting is then performed to find out what service is listening on port 80/TCP. The fingerprinting step checks whether it is a registered port, which it is; registered ports are designated for use with certain applications or protocols. Therefore, in this case, the port scanner knows that port 80 is most likely used by a web server. Based on different requests and responses, it identifies the web server software in use. Further tests identify the web server software version, type, default content and any related vulnerabilities useful to attackers, who then exploit the identified weaknesses in an attempt to gain access.
Although search engines love the term ‘hackers’, we believe ‘attackers’ is the correct term here. Hackers and attackers are two very different animals.
Why is it essential to limit the number of open ports to essential ports only?
Opening a port makes sense if there is a functional requirement to run a new program. In that case, the program should be securely configured, checked for security vulnerabilities and hardened before being exposed to the internet. It is essential to limit the number of open ports because each one adds to the attack surface of internet-facing systems. That does not mean open ports can be hacked easily.
What ports do hackers use?
Hackers do not have any unique choice; they run port scans just like anyone else to identify open ports and check whether any interesting services are listening that could help their objectives. Commonly targeted ports include those of programs widely used by network teams for remote administration, file transfer services, web applications, common remote connectivity tools and conferencing software.
The IANA registry of service names and transport protocol port numbers can be found here:
How can you monitor open ports?
The best way to monitor your attack surface is through continuous external scanning or security exercises such as vulnerability scanning or network penetration testing as a service hosted outside your network.
Asset inventory and management are challenging at times, and new devices could be plugged into the network. These devices may communicate outbound to the internet, or existing assets could start running new services, leading to more open ports. Therefore, regularly monitoring and managing open ports is a time-consuming task.
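The practical core of that monitoring is comparing each new external scan against an approved baseline so that newly exposed services stand out. The following is an added example, not the article's or Cyphere's code; the baseline, the latest scan and the high-risk port list are all constructed for the demo, with the high-risk set drawn from the remote administration and file sharing services the article names.

```python
from typing import Dict, List, Tuple

# Constructed inventories: keys are "port/proto", values the service
# fingerprinted on that port (as a parsed Nmap report would provide).
APPROVED_BASELINE = {"22/tcp": "ssh", "443/tcp": "https"}
LATEST_SCAN = {
    "22/tcp": "ssh",
    "443/tcp": "https",
    "445/tcp": "microsoft-ds",    # SMB, internal-only per the article
    "3389/tcp": "ms-wbt-server",  # remote administration (RDP)
    "8080/tcp": "http-proxy",
}

# Assumed list of ports whose new exposure should be treated as HIGH:
# legacy remote access, file transfer and file sharing services.
HIGH_RISK_PORTS = {"21/tcp", "23/tcp", "139/tcp", "445/tcp", "3389/tcp"}

Diff = Tuple[Dict[str, str], Dict[str, str], Dict[str, Tuple[str, str]]]


def diff_open_ports(baseline: Dict[str, str], current: Dict[str, str]) -> Diff:
    """Compare a scan against the approved baseline and return
    (new ports, ports no longer open, ports whose service changed)."""
    new = {p: s for p, s in current.items() if p not in baseline}
    gone = {p: s for p, s in baseline.items() if p not in current}
    changed = {p: (baseline[p], current[p]) for p in baseline
               if p in current and baseline[p] != current[p]}
    return new, gone, changed


def build_alerts(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Turn the diff into review items, riskiest first. A closed baseline
    port is only informational but still worth confirming was intended."""
    new, gone, changed = diff_open_ports(baseline, current)
    alerts = []
    # sorted() is stable, so HIGH entries come first in their original order.
    for port, service in sorted(new.items(), key=lambda kv: kv[0] not in HIGH_RISK_PORTS):
        severity = "HIGH" if port in HIGH_RISK_PORTS else "MEDIUM"
        alerts.append(f"{severity}: new open port {port} ({service}) not in baseline")
    for port, (old, now) in changed.items():
        alerts.append(f"MEDIUM: {port} service changed from {old} to {now}")
    for port, service in gone.items():
        alerts.append(f"INFO: baseline port {port} ({service}) no longer open")
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(APPROVED_BASELINE, LATEST_SCAN):
        print(alert)
```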
Internet-facing open ports and services can be assessed regularly using our managed security services. Cyphere provides continuous checks of external and internal networks, followed by regular updates on the attack surface. If you already have this area covered, you may consider an attack surface analysis to learn more than just open ports. It encompasses all assets under an organisation and acts as a reality check for our customers.
Do you want to assess your network footprint?
Cyphere’s network penetration testing service helps businesses identify and exploit vulnerabilities in internet-facing assets. For specific builds being readied for production release, a secure configuration review is the most effective and budget-friendly exercise to improve your internal secure hardening standards.
Get in touch to discuss your primary security concerns and get free advice.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.