Port Scanning
Attack Pattern ID: 300 (Standard Attack Pattern)
Completeness: Stub
Typical Severity: Low
Status: Draft
+ Description

Summary

An attacker uses a combination of techniques to determine the state of the ports on a remote target. Any service or application that communicates over TCP or UDP listens on a port. Although common services have assigned port numbers, services and applications can run on arbitrary ports, and a single host can expose up to 65535 TCP ports and 65535 UDP ports, each of which may hold a listening service. The goal of port scanning is often broader than identifying open ports: the pattern of responses also gives the attacker information about the firewall configuration. Depending upon the method of scanning used, the process can be stealthy or obtrusive, the latter being more easily detectable because of the volume of packets involved, anomalous packet traits (e.g. flag combinations that no legitimate TCP stack sends), or system logging of completed connections. Typical port scanning activity involves sending probes to a range of ports and observing the responses, or the absence of a response. There are four port states that a port scan usually attempts to discover:

1. Open Port: The port is open and a firewall does not block access to the port

2. Closed Port: The port is closed (i.e. no service resides there) and a firewall does not block access to the port

3. Filtered Port: A firewall or ACL rule is blocking access to the port in some manner, although the presence of a listening service on the port cannot be verified

4. Unfiltered Port: A firewall or ACL rule is not blocking access to the port, although the presence of a listening service on the port cannot be verified.

For strategic purposes it is useful for an attacker to distinguish between an open port that is protected by a filter and a closed port that is not protected by a filter. Making these fine-grained distinctions is impossible with certain scan types. A TCP connect scan, for instance, cannot tell whether a filtered port (one that never answers) has a service listening behind it, and where a firewall rejects the connection with a RST, a blocked port with an active service looks identical to a closed port that is not firewalled. Other scan types (FIN, Xmas and Null scans) can only positively identify closed ports, because a RST proves the port is closed while silence could mean either open or filtered; others, such as the ACK scan, cannot detect port state at all, only the presence or absence of a stateful filter. Collecting this type of information tells the attacker which ports can be attacked directly, which must be attacked with filter evasion techniques such as fragmentation or source-port manipulation, and which ports are unprotected (i.e. not firewalled) but are not hosting a network service. An attacker often combines various scan types in order to gain a more complete picture of the firewall filtering mechanisms in place for a host.
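The connect-scan classification described above, as an added example that is not part of the CAPEC entry: it uses only the standard library, starts a constructed throwaway listener on loopback, and maps the three outcomes of connect() onto the states defined in this entry. The ECONNREFUSED-means-closed and timeout-means-filtered mapping is the standard interpretation for a full-handshake scan; on loopback there is no firewall, so only open and closed appear, and the filtered branch is reached only against a real filtered host.

```python
import errno
import socket
import threading

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def connect_scan_port(host, port, timeout=1.0):
    """Classify one TCP port using a full connect() handshake.

    SYN/ACK (connect succeeds)           -> open
    RST (ECONNREFUSED)                   -> closed
    no answer before the timeout         -> filtered
    ICMP unreachable / admin-prohibited  -> filtered

    A connect scan cannot say whether a service sits behind a filter,
    which is the limitation discussed in the text.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except socket.timeout:          # must precede OSError: timeout is a subclass
        return FILTERED
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return CLOSED
        return FILTERED
    finally:
        sock.close()


def connect_scan(host, ports, timeout=1.0):
    """Scan an iterable of ports; returns {port: state}."""
    return {port: connect_scan_port(host, port, timeout) for port in ports}


def start_listener(host="127.0.0.1"):
    """Constructed target: a throwaway TCP service on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return  # listener was closed by the caller

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """Reserve an ephemeral port and release it, so nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one open and one closed loopback port; returns {port: state}."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in sorted(demo().items()):
        print(f"127.0.0.1:{port} {state}")
```

Because every probe completes the three-way handshake, each open port produces an accept() on the target, so this scan shows up in application logs and connection tables; that is the obtrusiveness trade-off the entry contrasts with half-open and flag-manipulation scans.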

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Network Layer, Transport Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Network Host

+ Resources Required

The ability to craft arbitrary packets of various protocol types for use during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.

+ Related Attack Patterns
Nature    Type             ID   Name                              View(s) this relationship pertains to
ChildOf   Attack Pattern   310  Scanning for Vulnerable Software  Mechanism of Attack (1000)
ParentOf  Attack Pattern   287  TCP SYN Scan                      Mechanism of Attack (1000)
ParentOf  Attack Pattern   301  TCP Connect Scan                  Mechanism of Attack (1000)
ParentOf  Attack Pattern   302  TCP FIN Scan                      Mechanism of Attack (1000)
ParentOf  Attack Pattern   303  TCP Xmas Scan                     Mechanism of Attack (1000)
ParentOf  Attack Pattern   304  TCP Null Scan                     Mechanism of Attack (1000)
ParentOf  Attack Pattern   305  TCP ACK Scan                      Mechanism of Attack (1000)
ParentOf  Attack Pattern   306  TCP Window Scan                   Mechanism of Attack (1000)
ParentOf  Attack Pattern   307  TCP RPC Scan                      Mechanism of Attack (1000)
ParentOf  Attack Pattern   308  UDP Scan                          Mechanism of Attack (1000)
+ References
Stuart McClure, Joel Scambray, George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
Defense Advanced Research Projects Agency (DARPA). "RFC 793 - Transmission Control Protocol". 1981. <http://www.faqs.org/rfcs/rfc793.html>.
J. Postel. "RFC 768 - User Datagram Protocol". 1980. <http://www.faqs.org/rfcs/rfc768.html>.
Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". 3rd "Zero Day" Edition. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
Gordon "Fyodor" Lyon. "The Art of Port Scanning". Phrack Magazine, Volume 7, Issue 51. 1997. <http://nmap.org/p51-11.html>.