Any Port In A Scanning Storm

The most basic tool in any cracker's arsenal is the port scanner, which is used toprobe systems for possible ways to exploit any security weakness. But scanners can also beused by system administrators to locate and fix weaknesses before their systems arecompromised.

In the dark ages, before everyone had an Internet connection, scanning was done via wardialers which dialed every phone number in a central office exchange looking for a modemtone. Once a modem was found, the attacker dialed the number and tried to break in.


Scanning today is done via the Internet. Using TCP/IP, processes communicate with eachother through ports. Common processes such as telnet and FTP (so called "well knownservices") are assigned standard ports that they always use. These "well knownports" will always be the same.

When a browser is pointed to HP Professional's Web site for instance, it knows tocommunicate with the computer node on port 80. The node"listens" to its port 80 and, when it gets a connection, starts serving up Webpages. So now, instead of looking for a modem connection, an attacker can scan the portsof a system, see which ports are listening and possibly use the port as an entry into yoursystem.

The reason port scanning may be an effective cracking tool is because operating systemshave known vulnerabilities and exploits. For instance, many Windows 95 systems are subjectto the "Land Attack," which uses fake IP packets with identical source anddestination IP addresses.

The Windows 95 machine tries to respond to itself over and over, slowing down andpossibly crashing. Microsoft has addressed this bug. The fix is available in article Q177539. This exploit only works on Windows 95 machineswithout the bug fix applied, so there's no point in trying the attack against a Windows 98machine.


How does a cracker go about finding an un-patched Windows 95 machine listening onTCP/IP ports? With a port scanner, the procedure is simple. It scans a set of networkaddresses to determine the operating system and open ports. Compare this list against alist of possible vulnerabilities. If a match is found, try to apply the exploits.

Because vulnerabilities are well publicized, it's pretty easy to find possible ways toattack systems. But it's also easy for administrators to close these holes before theirsecurity is compromised. The best way to do this is to get a port scanner and test yourown systems.

The best freeware scanner I've found is nmap. It's a great tool for testing your ownsystems. It runs very well on Linux and is available for other platforms as well. The nmapsite ( contains quite a bit of documentation about scanning techniquesand lists exploits for NT, Linux, Solaris and other platforms.

For Windows NT, there are several freeware and commercial scanners available, but noneoffers nmap's range of options. Aside from being very fast and offering flexible featuressuch as node discovery and the ability to scan ranges of IP addresses, nmap is very strongin stealth scanning.


Stealth scanning is difficult to trace and is the preferred method of the cracker. Themost basic port scan uses the connect call to a port. If the node is listening on theport, connect succeeds and the scanner closes the port. Connect scans are very easilytraced because log files will show the connections and errors as the scanner closes theports. If you show lots of log entries along lots of ports, you're being scanned.

Scan These Links

nmap the best!

Network Toolbox
Internet Maniac

Internet Security Systems
Network Associates

Stealth scanning uses other techniques such as the synchronize, or SYN scan. The SYNscan is a partial connect. Basically, a SYN packet is sent as if a real connect weretaking place. The answering node sends an acknowledgement (ACK) packet to say, "I'mlistening." The stealth scanner then ends the connection instead of proceeding with astandard connect. Fewer systems log SYN scans, so system administrators don't realizethey're being probed for vulnerabilities. Nmap supports other stealth scans such as FIN(in which a FINish TCP/IP packet signals the end of communication), fragmentation, reverseident, FTP bounce and User Datagram Protocol-Internet Control Message Protocol (UDP ICMP)scanning.

Given the wide variety of stealth scans available, it's possible to scan a systemwithout being detected. A good firewall, however, will deter most scans. But many systemson the Internet are without the benefits of firewall protection, notably, public Webservers.


Some commercial products are available to detect port scanning such as InternetSecurity Systems' (Atlanta, Ga.) Internet Scanner and Network Associates' (Santa Clara,Calif.) Ballista. Checking your own systems will show where your vulnerabilities lie. It'snot good enough to have a product report. If an exploit is discovered it's possible thatyour system will be compromised before you read your logs.

Because scanners are often used as the first probe in an attack, system administratorsshould familiarize themselves with scanning techniques. At the very least, secure yoursystem from the most basic scanning technique of all -- telnet. Sadly, many systems stillannounce the operating system and version before a user logs in. By just Telneting to port25 and watching for the prompt, it's possible to learn a lot about a system. For instance,by default, Red Hat Linux displays its release number, kernel version and processor type:

Red Hat Linux release 5.2 (Apollo)
Kernel 2.0.36 on an i686

Just by changing your system announcement to read "Unauthorized Use IsProhibited," you've taken the first step towards securing your system. By using aport scanner to probe your systems before the bad guys do, you should be able to securethem.

And don't forget to check your logs. You never know who's trying to sneak in throughyour ports.

Must Read Articles