To understand port scanning we have to understand the protocols in use. Most network services use either TCP or UDP, both of which are delivered end-to-end over IP. TCP is connection oriented, which means that it keeps track of sessions and ensures reliable, in-order delivery by retransmitting lost segments and reordering received ones before handing the data up the stack to the application.
UDP, however, is connectionless. No attempt is made to retransmit or reorder the packets that are received; any lost UDP packet has to be handled at the application layer. Less effort, but no checking. It is smaller and faster, and retransmission of packets is left to the application.
Scanning TCP Ports
TCP uses a source port, a destination port, sequence numbers, and control bits to ensure reliable session management. The control bits in particular are extremely important for tracking state. They are:
- SYN – Synchronize sequence numbers, used during session establishment
- ACK – Acknowledgement, the acknowledgement number field is valid and confirms that earlier data was received
- RST – Reset, used to abort a connection because of errors or other interruptions
- FIN – Finish, used to gracefully tear down a session
- PSH – Push, flush data through the TCP layer to the application immediately
- URG – Urgent, the Urgent Pointer field is valid and the flagged data should be handled quickly
Two newer control bits were added in RFC 3168 to deal with network congestion:
- CWR – Congestion Window Reduced, set by a sender to signal that it has reduced its congestion window in response to congestion
- ECE – Explicit Congestion Notification Echo, indicates that the connection is experiencing congestion
TCP Three-Way Handshake
It’s important to know how TCP sessions are established to understand all of the different methods of scanning TCP ports. TCP sessions are established using the three-way handshake:
- System A initiates a connection to system B by sending a TCP packet to a destination port with the SYN control bit set and an initial sequence number (ISN-A).
- System B responds (provided that the port is listening) with a packet that has both the SYN and ACK bits set, its own initial sequence number (ISN-B), and an acknowledgement number of ISN-A+1.
- System A completes the three-way handshake by responding with a packet that has the ACK bit set, a sequence number of ISN-A+1, and an acknowledgement number of ISN-B+1.
At this point the session is established. All packets going from A to B will have increasing sequence numbers starting at ISN-A+1 and incrementing by 1 for every byte of data in the payload. All responses back from B will have sequence numbers starting at ISN-B+1 and incrementing by 1 for every byte of payload data sent back to A.
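As an added example (not code from the original article), the following Python builds and decodes minimal TCP headers using the control-bit values listed above, including the RFC 3168 CWR and ECE bits, and then walks the three-way handshake and a short data exchange to show how the sequence and acknowledgement numbers advance from ISN-A and ISN-B, including 32-bit wraparound. Port numbers, initial sequence numbers and payload lengths are constructed values; the checksum is left at zero because nothing is sent on the wire.

```python
import struct

MASK32 = 0xFFFFFFFF

# TCP control bits: the six from RFC 793 plus CWR and ECE from RFC 3168.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_HEADER_FMT = "!HHIIBBHHH"


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a minimal 20-byte TCP header with no options.
    The checksum is left at zero because nothing here is put on the wire."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    data_offset = 5 << 4            # header length in 32-bit words, in the high nibble
    return struct.pack(TCP_HEADER_FMT, sport, dport, seq & MASK32, ack & MASK32,
                       data_offset, flag_bits, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header; flags come back as a sorted list of names."""
    sport, dport, seq, ack, off_res, flag_bits, window, _csum, _urg = struct.unpack(
        TCP_HEADER_FMT, raw[:20])
    flags = sorted(name for name, bit in TCP_FLAGS.items() if flag_bits & bit)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (off_res >> 4) * 4, "flags": flags, "window": window}


def three_way_handshake(isn_a, isn_b, sport=40000, dport=80):
    """Return the three handshake segments (decoded) between client A and server B.
    Each SYN consumes one sequence number, hence the +1 in the acknowledgements."""
    syn = build_tcp_header(sport, dport, isn_a, 0, ["SYN"])
    syn_ack = build_tcp_header(dport, sport, isn_b, isn_a + 1, ["SYN", "ACK"])
    ack = build_tcp_header(sport, dport, isn_a + 1, isn_b + 1, ["ACK"])
    return [parse_tcp_header(seg) for seg in (syn, syn_ack, ack)]


def data_exchange(isn_a, isn_b, payload_lengths):
    """After the handshake, A sends payloads of the given lengths and B acknowledges
    each one. Returns (seq, ack) for A's data segment and for B's pure ACK, showing
    the sequence number advancing by one per payload byte. Lengths are constructed."""
    seq_a = (isn_a + 1) & MASK32
    seq_b = (isn_b + 1) & MASK32    # B sends no data here, so its sequence number stays put
    steps = []
    for length in payload_lengths:
        a_to_b = (seq_a, seq_b)
        seq_a = (seq_a + length) & MASK32
        b_to_a = (seq_b, seq_a)     # B acknowledges the next byte it expects from A
        steps.append({"a_to_b": a_to_b, "b_to_a": b_to_a})
    return steps


if __name__ == "__main__":
    for seg in three_way_handshake(1000, 5000):
        print(seg["flags"], "seq", seg["seq"], "ack", seg["ack"])
    for step in data_exchange(1000, 5000, [100, 50]):
        print(step)
```

Running the block prints the SYN, SYN-ACK and ACK segments for ISN-A = 1000 and ISN-B = 5000, then two data steps where A's sequence number moves from 1001 to 1101 to 1151 while B keeps acknowledging the next expected byte.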
Now that we understand the basics of TCP connections and session management, we can discuss scanning. RFC 793 states that if a service is listening on a TCP port and a packet is sent to it with the SYN bit set, the response will be a packet with its SYN and ACK bits set. This response allows us to determine whether a port is open or closed. There are four possible responses to this method of sending a SYN packet to scan for open ports (commonly called a SYN scan or TCP half-open scan):
- Response 1: SYN-ACK – The port is open and listening.
- Response 2: RST-ACK – The port is closed.
- Response 3: ICMP Port Unreachable – The port is blocked by a router ACL or a firewall that sends an ICMP port unreachable message. Nmap will mark this port as “filtered”.
- Response 4: No Response – The port is blocked by either a router ACL or a firewall that silently drops the request. It is also possible that the port is not listening on the target host and the host is configured to silently drop the request. Nmap will mark this port as “filtered” as well.
Penetration testers will typically find many more closed ports than open ports. Large scale port scanning will typically go much faster if the scanner receives Reset or ICMP Port Unreachable packets instead of no response. When a scanner gets no response, it slows the scan down because the scanner typically has to wait for a timeout in order to move on to the next port, which adds significant time in a large scale port scan.
Scanning UDP Ports
Because UDP is a connectionless protocol, there are fewer options for scanning. There are no control bits that can be varied to discern open and closed ports, which makes UDP port scanning much less reliable and often slower to perform.
There are three possible responses in a UDP scan:
- Response 1: UDP Packet response – The port is open. If a UDP packet is sent in response to the UDP probe packet, the port is open.
- Response 2: ICMP Port Unreachable (Type 3, Code 3) – The port is closed. Some versions of UNIX and Linux rate limit the number of Port Unreachable messages, which makes the scan unreliable and/or slower to complete. Nmap will list this response as closed. It is possible that other ICMP unreachable errors will be sent (Type 3, Codes 1, 2, 9, 10, 13); Nmap will mark the port as “filtered” for these responses.
- Response 3: No Response – The port is “open/filtered”. This is common in UDP scanning and can be the result of any of the following:
- The port is closed.
- A firewall is blocking the probe packet inbound to the target and silently drops it.
- A firewall is blocking the response packet.
- The port is open, but the listening application expects a specific payload and ignores the probe. Nmap attempts to send service-specific payloads to the most common UDP services (DNS, NTP, SNMP, RPCBIND, etc.) in an attempt to address this issue.
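As an added example (not code from the original article, and not Nmap's own logic), the following Python turns the SYN-scan response table above and the three UDP responses into two classifiers, then applies them to a constructed set of per-port responses. It also carries the timing point made earlier for TCP scanning through to a crude cost model: a probe that gets a reply costs one round trip, a probe that gets nothing costs the full timeout, and, optionally, ICMP unreachable replies from a host that rate-limits them cost at least 1/limit seconds each. The sample responses, the RTT and timeout values and the serial, retry-free model are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Response:
    """One reply to one probe (constructed for this example, not a real capture).
    kind is 'tcp', 'udp', 'icmp', or None when nothing came back before the timeout."""
    kind: Optional[str]
    tcp_flags: FrozenSet[str] = frozenset()
    icmp_type: int = 0
    icmp_code: int = 0


NO_RESPONSE = Response(None)

# ICMP type 3 (destination unreachable) codes the text maps to "filtered":
# 1 host, 2 protocol, 9/10 administratively prohibited, 13 communication prohibited.
FILTERED_UNREACH_CODES = frozenset({1, 2, 9, 10, 13})
PORT_UNREACHABLE = 3


def classify_syn_scan(resp: Response) -> str:
    """Nmap-style port state for a SYN (half-open) probe, following the four responses above."""
    if resp.kind == "tcp":
        if {"SYN", "ACK"} <= resp.tcp_flags:
            return "open"            # Response 1: SYN-ACK
        if "RST" in resp.tcp_flags:
            return "closed"          # Response 2: RST-ACK
    if resp.kind == "icmp" and resp.icmp_type == 3 and \
            (resp.icmp_code == PORT_UNREACHABLE or resp.icmp_code in FILTERED_UNREACH_CODES):
        return "filtered"            # Response 3: ICMP unreachable from a router ACL or firewall
    if resp.kind is None:
        return "filtered"            # Response 4: silently dropped
    return "unknown"                 # e.g. a bare ACK: not one of the four cases described


def classify_udp_scan(resp: Response) -> str:
    """Nmap-style port state for a UDP probe, following the three responses above."""
    if resp.kind == "udp":
        return "open"                # Response 1: the service answered
    if resp.kind == "icmp" and resp.icmp_type == 3:
        if resp.icmp_code == PORT_UNREACHABLE:
            return "closed"          # Response 2: type 3, code 3
        if resp.icmp_code in FILTERED_UNREACH_CODES:
            return "filtered"        # other unreachable codes
    if resp.kind is None:
        return "open|filtered"       # Response 3: closed, dropped, or payload ignored
    return "unknown"


def estimate_scan_seconds(responses, rtt=0.05, timeout=1.0, icmp_rate_limit=None):
    """Crude serial cost model (an assumption of this example, not Nmap's scheduler):
    a reply costs one RTT, a silent probe costs the full timeout, and when the target
    rate-limits ICMP unreachables each such reply costs at least 1/icmp_rate_limit s."""
    total = 0.0
    for r in responses:
        if r.kind is None:
            total += timeout
        elif r.kind == "icmp" and icmp_rate_limit:
            total += max(rtt, 1.0 / icmp_rate_limit)
        else:
            total += rtt
    return total


def classify_scan(probe: str, responses: Dict[int, Response],
                  **timing) -> Tuple[Dict[int, str], float]:
    """Classify every port for a 'tcp' (SYN) or 'udp' probe and estimate elapsed time."""
    classify = classify_syn_scan if probe == "tcp" else classify_udp_scan
    states = {port: classify(r) for port, r in responses.items()}
    return states, estimate_scan_seconds(responses.values(), **timing)


# Constructed sample results (not real scan data).
SAMPLE_TCP = {
    22: Response("tcp", frozenset({"SYN", "ACK"})),
    23: Response("tcp", frozenset({"RST", "ACK"})),
    25: Response("icmp", icmp_type=3, icmp_code=13),   # communication administratively prohibited
    80: NO_RESPONSE,
}
SAMPLE_UDP = {
    53: Response("udp"),
    69: Response("icmp", icmp_type=3, icmp_code=3),     # port unreachable
    123: NO_RESPONSE,
    161: Response("icmp", icmp_type=3, icmp_code=10),   # host administratively prohibited
}

if __name__ == "__main__":
    for probe, sample in (("tcp", SAMPLE_TCP), ("udp", SAMPLE_UDP)):
        states, secs = classify_scan(probe, sample)
        print(probe, states, f"~{secs:.2f}s")
    print("udp, target rate-limiting ICMP to 1/s:",
          classify_scan("udp", SAMPLE_UDP, icmp_rate_limit=1)[1], "s")
```

With the sample data, three of the four probes in each set get a reply and one gets nothing, so both sets cost roughly 1.15 s under the default model; adding a 1-per-second ICMP rate limit pushes the UDP set to about 3.05 s, which is the slowdown the text attributes to rate-limited Port Unreachable messages.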
References:
- Sangita Pakala (2003), “Penetration Testing of a Secure Network”, SANS
- “Timing and Performance”, Chapter 15 of the Nmap Reference Guide
- Avi Kak (2012), “Lecture 23: Port and Vulnerability Scanning, Packet Sniffing, Intrusion Detection, and Penetration Testing”, Lecture Notes on “Computer and Network Security”, Purdue University (https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture23.pdf)