Originally Published: Thursday, 7 June 2001 Author: Matt Michie

Linux.com Security: Introduction to Port Scanning

Unfortunately, nobody can be told which path to take; you must see it for yourself, so choose wisely. Ripped from today's headlines, the writers and editors of Linux.com are proud to present this security-minded introduction to protecting your system. Read on, and know yourself.

"Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." -- Sun Tzu, The Art of War

What is Port Scanning?

Port scanning is a computer security technique that tests a system for open TCP/IP "ports". In layman's terms, if one compares an IP address to a telephone number, then a port would be the equivalent of a telephone extension.

For instance, if I wanted to speak to Linus Torvalds at his workplace, I would first dial the phone number to Transmeta, and then connect to his specific extension. In this way, more than one person can use the same phone number. Likewise, TCP/IP ports allow one IP address to have many different servers connect to it.

Standard TCP/IP stacks allow access to up to 65,535 different ports (1 - 65535). In Linux, ports below 1024 require root privileges for a program to bind to them.

Some of the more common ports are:

echo 7/tcp
discard 9/tcp
qotd 17/tcp #quote
ftp-data 20/tcp
ftp 21/tcp
ssh 22/tcp # SSH Remote Login Protocol
telnet 23/tcp
smtp 25/tcp #mail
time 37/tcp #timeserver
domain 53/tcp # name-domain server
gopher 70/tcp # Internet Gopher
finger 79/tcp
www 80/tcp # WorldWideWeb HTTP
www 80/udp # HyperText Transfer Protocol
pop3 110/tcp # POP version 3
sunrpc 111/tcp # RPC 4.0 portmapper TCP
auth 113/tcp #authentication tap ident
nntp 119/tcp # USENET News Transfer Protocol
ntp 123/udp # Network Time Protocol
imap2 143/tcp # Interim Mail Access Proto v2
snmp 161/udp # Simple Net Mgmt Proto
irc 194/tcp # Internet Relay Chat
irc 194/udp
ldap 389/tcp # Lightweight Directory Access Protocol
https 443/tcp # Secure HTTP
mysql 3306/tcp # MySQL
ircd 6667/udp # Internet Relay Chat
webcache 8080/tcp # WWW caching service

A more canonical list of standard ports can be found in /etc/services.

The command line telnet program can be used to connect to these ports. For instance, type:

telnet www.yahoo.com 80

After you see: Connected to www.yahoo.akadns.net.
Escape character is '^]'.

Type: GET / [return][return]

The web server will respond with a bunch of HTML. A normal web browser would then interpret this HTML and display the appropriate graphics and text on your screen.

A port scan program, on the other hand, will attempt to connect to various ports and determine which ones are "open" and have a service responding behind them, as the web server responded in our example above.

The simplest (albeit most time-consuming) way to do this is to telnet to every port on a host starting with 0 and ending with 65535, noting which ports allow a connection.

Continuing with the telephone number analogy, this would be as though one called up Transmeta and tried every possible extension, noting which ones were valid and which ones were not.

However, computers are exceedingly good at automating tasks like this, and as can be expected, clever programmers have written scripts and programs that take the drudgery out of this task.
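The loop the text describes, written out as code. This is an added example, not from the original article: it tries a TCP connect() on every port in a range and records the ones that complete the handshake, which is exactly what a "vanilla connect() scan" does. The listener it starts on an ephemeral port is a constructed target so the example runs offline against localhost only; the function names (is_open, connect_scan, demo_scan) are mine.

```python
"""Minimal TCP connect() port scanner (added example, not from the article).

It does in code what the text describes: try to connect to each port in a
range and note which ones accept the connection.  demo_scan() starts a
throwaway listener on 127.0.0.1 so that there is a known open port to find
without touching any remote host.
"""
import socket
from typing import Iterable, List


def is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a full TCP handshake with host:port succeeds.

    A closed port answers with RST (ConnectionRefusedError); a firewalled
    port usually answers nothing and we hit the timeout.  Both are reported
    as "not open" here, which is all a simple connect scan can tell apart.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # covers refused, timeout, unreachable
            return False


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Try every port in `ports` in turn and return those that accepted."""
    return [p for p in ports if is_open(host, p, timeout)]


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind a listening TCP socket on an ephemeral port (constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0 lets the kernel pick a free port
    srv.listen(5)
    return srv


def demo_scan(width: int = 5) -> dict:
    """Scan a small window of ports around a known listener and report results."""
    srv = start_listener()
    port = srv.getsockname()[1]
    try:
        lo, hi = max(1, port - width), min(65535, port + width)
        found = connect_scan("127.0.0.1", range(lo, hi + 1))
    finally:
        srv.close()
    return {"listening": port, "scanned": (lo, hi), "open": found}


if __name__ == "__main__":
    r = demo_scan()
    print(f"listener on {r['listening']}, scanned {r['scanned']}, open: {r['open']}")
```

Scanning all 65,535 ports this way with a half-second timeout is what makes the manual approach slow against a filtered host: every dropped probe costs a full timeout, which is the drudgery nmap's parallelism and timing options remove.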

So What Possible Use is a Port Scan to Me?

Port scanning is an important tool for detecting what services your computer is running. Although they are getting better, many default Linux installs still leave many unnecessary services enabled, which can expose your machine to security compromises.

A sure way to see what you have running is to port scan your own system (i.e. localhost). Port scanning is also a good technique for testing firewall rule sets.

Port scanning is an important initial step towards knowing yourself. If you don't know what services you have running, it will be impossible to secure them from malicious crackers. It is also important to familiarize yourself with port scanning programs so you will know your "enemy", system crackers, who will often employ a port scan to determine if you have an exploitable service running.

Advanced port scan tools will even do TCP/IP stack fingerprinting, allowing an attacker to determine what operating system you are running, often down to the kernel version!

What Port Scan Programs are Available?

The following is a small sampling of the port scan programs available under Linux culled from Freshmeat:

How Do I use these Programs?

First, be aware that it is possibly illegal and certainly impolite to scan computers that you do not own or admin. Never scan a remote system on the Internet without permission. This is the Internet equivalent of walking around your neighborhood and trying out every door to see which ones are unlocked. Depending on the scan, this may even be considered a Denial of Service attack. Don't do it.

At present, the most fully featured and most widely used port scan program is nmap (Network Mapper). Infoworld has this to say about nmap, "if your goal is to understand your network from a 40,000-foot view, then Windows port scanning tools will suffice. But if you're serious about your security and looking for the holes that crackers will find, then take the time to install a Linux box and use nmap."

One of the goals the author of nmap had was to eliminate the need to carry around multiple port scanners in his security toolbox. Therefore, nmap supports nearly every port scan and TCP/IP fingerprinting technique. It will scan multiple hosts as well as single systems. Malicious individuals sometimes use the advanced options in nmap to stealthily scan hosts on the Internet. As you advance, it is a good idea to try out some of these options on your own computer to see the effects and determine whether your defenses are up to detecting the scan.

First, download the nmap program from http://www.insecure.org/nmap/. The site has source, binary and package downloads, one of which will work on your particular Linux distribution. Nmap also compiles on most standard UNIX flavors.

After you install nmap, run a port scan on all your ports with the following command:

$ nmap localhost -p 1-65535

Example output:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on takauji (127.0.0.1):
(The 65531 ports scanned but not shown below are in state: closed)
Port State Service
111/tcp open sunrpc
113/tcp open auth
515/tcp open printer
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds

The nmap scan shown above indicates four open ports, the port number and the service that standardly runs on that port. Even though these are standard ports, there is nothing preventing you from running any program you wish on any port. In fact, if this machine had been compromised, a back-door could have been placed on one of these ports to disguise its identity from a tool such as nmap. In other words, the service column should only be used as a guide; it is never absolute.
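To see why the Service column is only a guide, it helps to know where the name comes from: a static port-to-name table (/etc/services on Linux), not the program that actually answered. The following added example, which is not from the article or from nmap, contrasts that static lookup with a banner grab that sends the same "GET /" probe as the telnet exercise earlier and reads what comes back. The target is a constructed HTTP listener on an ephemeral port so the example runs offline; the names service_name_from_table, grab_banner and compare_table_and_banner are mine.

```python
"""Static service-name lookup versus asking the port what it is.

Added example, not from the original article.  The table lookup is the
information an nmap "Service" column is built from; the banner grab is the
check an administrator should actually trust.  The HTTP server started here
is a constructed target on 127.0.0.1.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def service_name_from_table(port: int, proto: str = "tcp") -> str:
    """Look the port up in the local services table; 'unknown' if absent.

    Nothing is sent to the host: this is purely a guess from a static file.
    """
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def grab_banner(host: str, port: int,
                probe: bytes = b"GET / HTTP/1.0\r\n\r\n",
                timeout: float = 2.0) -> str:
    """Connect, send a probe (the same GET / as the telnet example), and
    return the first line the service answers with."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe)
        data = s.recv(1024)
    return data.split(b"\r\n", 1)[0].decode("latin-1", "replace")


class _QuietHandler(BaseHTTPRequestHandler):
    """Tiny constructed web server: answers any GET with a one-line page."""

    def do_GET(self):
        body = b"<html><body>hello</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_http_listener() -> HTTPServer:
    """Serve HTTP on an ephemeral localhost port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def compare_table_and_banner() -> dict:
    """Report what the table guesses for the port versus what the port says."""
    srv = start_http_listener()
    port = srv.server_address[1]
    try:
        return {
            "port": port,
            "table_says": service_name_from_table(port),
            "banner_says": grab_banner("127.0.0.1", port),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    r = compare_table_and_banner()
    print(f"port {r['port']}: table says {r['table_says']!r}, "
          f"banner says {r['banner_says']!r}")
```

On a port the table does not know, the lookup says "unknown" while the banner clearly identifies a web server; on a well-known port the table would name the standard service even if something else entirely were listening there. Neither direction of mismatch is visible in the Service column alone.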

The state column can be one of three types: open, filtered or unfiltered. Open is printed when nmap can reach the service, filtered when the port is being firewalled by the host, and unfiltered or closed when no service is reachable on that port. By default, closed ports are not printed.

If you are scanning a host over a slow network connection, it might be a good idea to do a "fast" scan that only connects to standard ports, such as those found in /etc/services. This cuts down the number of ports scanned by orders of magnitude.

For instance:

$ nmap -F localhost -vv

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host takauji (127.0.0.1) appears to be up ... good.
Initiating TCP connect() scan against takauji (127.0.0.1)
Adding TCP port 111 (state open).
Adding TCP port 6000 (state open).
Adding TCP port 113 (state open).
Adding TCP port 515 (state open).
The TCP connect scan took 0 seconds to scan 1062 ports.
Interesting ports on takauji (127.0.0.1):
(The 1058 ports scanned but not shown below are in state: closed)
Port State Service
111/tcp open sunrpc
113/tcp open auth
515/tcp open printer
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

The -vv flag tells nmap to produce verbose output, which is helpful on slower links. Verbose mode gives you a better status report as nmap moves through the various ports.

If you wish to determine what OS the host is running, use the -O option like so (you must be root to do fingerprinting):

# nmap -F -O localhost

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

[SNIP]

TCP Sequence Prediction: Class=random positive increments
Difficulty=1749463 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Another example:

# nmap -F -O godai

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on godai (192.168.22.22):
(The 1058 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
113/tcp open auth

TCP Sequence Prediction: Class=random positive increments
Difficulty=42674 (Worthy challenge)
Remote operating system guess: OpenBSD 2.6

The TCP/IP fingerprint will show the TCP sequence prediction class and a best guess at the operating system. The TCP sequence class is an indicator of how difficult it would be to predict the sequence numbers, and hence how easy it would be to spoof a connection on this stack. Kevin Mitnick used this technique in 1994 against a weak TCP/IP stack to break into Tsutomu Shimomura's computers (http://www.tao.ca/fire/bos/0037.html).

The more random the sequence, the more difficult it will be to predict and hence the more secure it is.

Another option that you should be aware of is how fast nmap will scan ports. On certain older operating systems you could actually crash the machine if you scan too quickly.

Nmap has the following timings: -T [Paranoid|Sneaky|Polite|Normal|Aggressive|Insane]

Consult the man page to find out which of the above best suits the characteristics of the scan you wish to perform. The man page is well written, so take some time to familiarize yourself with some of the more advanced options. Experiment on localhost to get a feeling of nmap's capabilities.

What Tools can I use to Detect Port Scans?

There are several good tools available to combat and detect hostile port scans. Installation and configuration of these tools will be covered in a future article. Until then, here are some URLs:

http://www.psionic.com/abacus/portsentry/
http://www.openwall.com/scanlogd/
http://www.snort.org/
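The detectors linked above differ in how they get at the traffic, but they share one heuristic: a single source address touching many distinct ports on your host within a short time is almost certainly a scan. The following added example, which is not from the article or from any of those tools, implements that heuristic over a constructed list of connection-attempt records ("epoch-seconds source-ip destination-port", one per line); in a real deployment the records would come from a firewall log or packet capture. The names parse_records and detect_scans, and the sample data, are mine.

```python
"""Toy port-scan detector (added example, not from the article or the
tools it links).

Heuristic: flag a source that touches at least `threshold` distinct
destination ports within a sliding window of `window` seconds.
"""
from collections import defaultdict, deque
from typing import List, Tuple

# Constructed sample: 10.0.0.5 probes a new port every second or two (a
# scan); 10.0.0.9 keeps hitting the one web port (ordinary traffic).
SAMPLE_LOG = """\
1000 10.0.0.9 80
1001 10.0.0.5 21
1002 10.0.0.5 22
1003 10.0.0.9 80
1004 10.0.0.5 23
1005 10.0.0.5 25
1006 10.0.0.5 80
1007 10.0.0.9 80
1008 10.0.0.5 110
1009 10.0.0.5 111
"""

Record = Tuple[int, str, int]  # (timestamp, source ip, destination port)


def parse_records(text: str) -> List[Record]:
    """Parse 'ts src dport' lines, skipping blanks, sorted by timestamp."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        out.append((int(ts), src, int(port)))
    return sorted(out)


def detect_scans(records: List[Record], window: int = 10,
                 threshold: int = 5) -> List[Tuple[str, int, int]]:
    """Return (source, first_seen_ts, distinct_ports) for every source that
    reaches `threshold` distinct ports inside `window` seconds.

    Each source is reported once, at the moment it crosses the threshold.
    """
    recent = defaultdict(deque)  # src -> (ts, port) pairs still in window
    flagged = {}
    for ts, src, port in records:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # expire old attempts
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and src not in flagged:
            flagged[src] = (src, q[0][0], len(distinct))
    return list(flagged.values())


if __name__ == "__main__":
    for src, first, n in detect_scans(parse_records(SAMPLE_LOG)):
        print(f"possible scan from {src}: {n} distinct ports from t={first}")
```

The two knobs matter. A scan run with nmap's slower -T settings spreads its probes out so that few fall inside any one window, which is exactly how a "stealthy" scan evades a detector with a short window; widening the window catches it at the cost of more state per source and a higher chance of flagging a busy but legitimate client.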

Conclusion

Port scanning is a basic computer security technique. It is not only important to know what services you are running, but also to know how a potential enemy can use this tool against you. In the majority of attacks a port scan is the first step in an intrusion. Having this knowledge gives Linux administrators a better chance at thwarting the attacker early on, and possibly preventing the intrusion completely.

Matt Michie writes for Linux.com when he isn't busy cleaning the New Mexican sand out of his computers.