
Chapter 4. Port Scanners

A firewall helps protect your network from the most basic attacks and is a mandatory tool for any network attached to the Internet. Now that you have protected your network's front door, we will examine tools to help you check your locks and windows to make sure that the openings in your network are secure.

Looking at the OSI model of network communications again, you see that once a basic network connection has been established between two machines, an application uses that connection to perform whatever function the user requests. The application might download a Web page, send an e-mail, or log in interactively using Telnet or SSH.

Chapter Overview

Concepts you will learn:

  • TCP/UDP ports

  • TCP fingerprinting

  • How port scanning works

  • Port scanning configuration

  • Port scanning techniques

Tools you will use:

Nmap, Nmap for Windows, and Nlog

The Internet Assigned Numbers Authority (IANA) assigns TCP/UDP port numbers. This little-known but important organization keeps track of the many different standards and systems that make the Internet run. Among its duties are handing out IP addresses and delegating who is responsible for top-level domain names. The IANA wields considerable power, albeit mostly behind the scenes. Few people outside the engineering departments of communications companies even know IANA exists, but it controls a big part of the Internet "real estate." The IANA is also responsible for keeping a list of which services can be found on what network ports, assuming the application or operating system is compliant with these standards. Of course, it behooves all companies making software to closely adhere to these standards; otherwise, their products may not work with other Internet-connected systems. Table 4.1 lists some of the most commonly used TCP ports for server applications.

Table 4.1. Common Server Ports

Common Port Number    Service
                      File Transfer Protocol (control port)
                      Secure Shell
                      Mail service
                      Domain name resolution
                      Web service
                      Windows network communications
                      Secure Web service

OSI Layer Number    Layer Name    Sample Protocols
Layer 7
Layer 6
Layer 5                           Named Pipes, RPC
Layer 4
Layer 3
Layer 2             Data Link     Arcnet, Ethernet, Token Ring
Layer 1                           Coaxial, Fiber Optic, UTP

A full list of port numbers appears in Appendix C. You can also find the most current list at the IANA Web site. Almost every major application has a port number assigned to it. Port numbers range from 1 to 65,535 for both TCP services and UDP services. Port numbers 0 to 1,023 are considered reserved for common applications; these are called the well-known port numbers, and the services on them usually run as root or another privileged user. Port numbers from 1,024 to 65,535 can be registered with the IANA for specific applications. These usually map to a specific service, but vendors don't abide as strictly by these registrations as they do by the reserved numbers.

Finally, there are ephemeral port numbers, which the operating system chooses at random from the numbers above 1,024, usually high up in the range. These are used for machines that connect on an ad-hoc basis to other machines. For example, your machine would connect to a Web server on port 80 to download a Web page. The server would see a connection coming in from a machine on some random port above 1,024. This way the server knows it is probably a user and not another application connecting to it. It also uses the ephemeral port number to track the specific user and session. For example, if you were to open two browsers at the same time, your computer would create two separate ephemeral port numbers, one for each browser session, and the server would track them as separate connections.
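The two ideas above, port ranges and ephemeral source ports, in working code. This is an added example, not code from the book: it parses a constructed services listing in the /etc/services format (the port assignments are the standard well-known ones for the services in Table 4.1, supplied here as sample data), classifies port numbers into the ranges the chapter describes, and shows how a server distinguishes two browser sessions from the same client by their ephemeral ports. The connection records are constructed too.

```python
# Added example, not from the book: parse an IANA-style services listing
# (the /etc/services format), classify port numbers into the ranges the
# chapter describes, and show how a server tells two sessions from the same
# client apart by their ephemeral source ports.
# The services excerpt and the connection records are constructed sample data.

from collections import defaultdict

# Constructed excerpt in /etc/services format: "<name> <port>/<proto> [aliases] [# comment]".
SERVICES_TEXT = """\
# Constructed excerpt, IANA-style
ftp          21/tcp                  # File Transfer Protocol (control port)
ssh          22/tcp                  # Secure Shell
smtp         25/tcp     mail         # Mail service
domain       53/tcp                  # Domain name resolution
domain       53/udp
http         80/tcp     www          # Web service
netbios-ssn 139/tcp                  # Windows network communications
https       443/tcp                  # Secure Web service
"""

WELL_KNOWN_MAX = 1023   # 0-1023: reserved, normally bound by root or another privileged user


def parse_services(text):
    """Return {(port, proto): name} from /etc/services-style text, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        name, port_proto = fields[0], fields[1]
        port_str, proto = port_proto.split("/", 1)
        table[(int(port_str), proto)] = name
    return table


def classify_port(port):
    """Which IANA range a port number falls in, per the chapter's description."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return "well-known" if port <= WELL_KNOWN_MAX else "registered/ephemeral"


def lookup(services, port, proto="tcp"):
    """Service name registered for a port, or 'unknown'."""
    return services.get((port, proto), "unknown")


# Constructed connection records as a server sees them: (client_ip, client_port, server_port).
SAMPLE_CONNECTIONS = [
    ("192.0.2.10", 49152, 80),   # first browser window
    ("192.0.2.10", 49153, 80),   # second browser window, same host, new ephemeral port
    ("192.0.2.11", 51000, 80),
    ("192.0.2.10", 49152, 443),  # same client port reused toward a different server port
]


def distinct_sessions(connections):
    """A session is identified by the full (client IP, client port, server port) tuple."""
    return {(ip, cp, sp) for ip, cp, sp in connections}


def sessions_per_client(connections):
    """How many separate sessions each client host currently has open."""
    counts = defaultdict(int)
    for ip, _cp, _sp in connections:
        counts[ip] += 1
    return dict(counts)


def odd_source_ports(connections):
    """Client-side ports in the well-known range are unusual for ordinary user sessions."""
    return [c for c in connections if classify_port(c[1]) == "well-known"]


if __name__ == "__main__":
    svc = parse_services(SERVICES_TEXT)
    for ip, cp, sp in SAMPLE_CONNECTIONS:
        print(f"{ip}:{cp} ({classify_port(cp)}) -> {sp}/{lookup(svc, sp)}")
    print(len(distinct_sessions(SAMPLE_CONNECTIONS)), "sessions;", sessions_per_client(SAMPLE_CONNECTIONS))
```

Note that the two windows from 192.0.2.10 are separate sessions purely because their ephemeral ports differ; the server never needs anything from the application layer to keep them apart.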

Just because a packet is labeled for port 80, nothing is stopping it from carrying data other than Web traffic. The port number system depends on a certain "honesty" from the machines it is communicating with, and that's where the trouble can come in. In fact, many applications such as instant messaging and peer-to-peer software programs, which might normally be blocked at a company's firewall, will flout this convention and sneak through on port 80. Most firewalls will allow traffic on port 80 because they are configured to allow Web access for users behind the firewall.
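A defender's check for the "honesty" problem just described, added here as an example that is not from the book: given the first bytes a client sends on a connection to port 80, decide whether they actually look like an HTTP request, so that traffic merely riding the open Web port can be flagged for review. The flow records and payloads are constructed sample data; the verdict labels are this example's own.

```python
# Added example, not from the book: the port number alone does not say what
# protocol a connection carries. Inspect the first bytes sent to port 80 and
# report flows that do not look like HTTP. All payloads are constructed.

import re

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")
# A request line: METHOD SP request-target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d\r\n")


def looks_like_http_request(payload):
    """True if the payload opens with a well-formed HTTP request line."""
    return payload.startswith(HTTP_METHODS) and REQUEST_LINE.match(payload) is not None


def looks_like_tls_handshake(payload):
    """TLS records begin with content type 0x16 (handshake) and a 0x03 major version byte."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def classify_port80_payload(payload):
    """Verdict labels are this example's own: 'http', 'tls-on-80', or 'non-http'."""
    if looks_like_http_request(payload):
        return "http"
    if looks_like_tls_handshake(payload):
        return "tls-on-80"
    return "non-http"


# Constructed flows to port 80: (client_ip, client_port, first bytes sent).
SAMPLE_FLOWS = [
    ("192.0.2.10", 49152, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("192.0.2.11", 51000, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello prefix
    ("192.0.2.12", 52222, b"\x00\x01\x00\x00\x00\x00\x00\x00"),              # opaque binary
    ("192.0.2.13", 53001, b"GET / HTTP/1.1\r\n"),
    ("192.0.2.14", 40000, b"SSH-2.0-OpenSSH_8.9\r\n"),                       # SSH banner on 80
]


def audit_port80_flows(flows):
    """Return (client_ip, client_port, verdict) for every flow that is not plain HTTP."""
    findings = []
    for ip, port, payload in flows:
        verdict = classify_port80_payload(payload)
        if verdict != "http":
            findings.append((ip, port, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_port80_flows(SAMPLE_FLOWS):
        print("review:", finding)
```

A hit is a prompt for review, not proof of abuse: TLS on port 80 is sometimes a legitimate proxy arrangement, and a client that sends nothing at all before a timeout produces no payload to classify. The check is about the data, which is the only thing the port label never guarantees.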

When a port is exposed on a computer, it receives all traffic being sent to the port, legitimate or not. By sending malformed packets or packets with too much or incorrectly formatted data, an attacker can sometimes crash the underlying application, redirect the flow of code inside the application, and gain access to that machine illicitly. This is called a buffer overflow, and buffer overflows make up a large percentage of the security holes that exist today.

Buffer overflows happen when application programmers don't properly code their programs to handle data that "overflows" the memory space allotted to input variables. When the program receives input that exceeds the allotted buffer, it can overwrite internal program control and thereby give a hacker access to system-level resources.

This used to be a very technical task that only the most experienced code hackers could attempt. But you don't have to be a high-level programmer to perform this kind of break-in anymore. There are programs available that automatically perform these buffer overflows with point-and-click ease.

Almost all programs of any size have some of these errors inside them. Modern software that runs into the millions of lines of code is just too complex to keep this from happening. Maybe once whole generations of programmers have been retrained to automatically write secure code, this problem will lessen or go away. Until then, you have to keep a close eye on what applications or ports are showing on your network. These ports are potential "windows" into your servers and workstations through which hackers can launch their malicious code into your computers. Since this is where most security exploits happen, it is very important to understand what is going on at this level on your various servers and machines. You can do this easily and accurately with a type of software called a port scanner.
