Port scanning is the most common application primarily for the detection of security gaps and vulnerabilities. However, port scanning can also be necessary for an as-is analysis to record the computers and the services offered on them. Just like checking compliance with guidelines, availability tests and of course troubleshooting in the network.
Compared to ping scanning, we not only test whether and which hosts are active, but also which services and therefore applications are active and reachable. This is made visible through the respective status of the ports.
The simplest explanation is that of a postal address. If you can imagine the IP addresses of the computers in a network as a street in a city up to the exact house number, then the ports represent the respective apartment door in the corresponding house. Behind each door there was a different application, me the other Want to communicate applications behind other doors in other streets and houses.
Ports are primarily software abstractions to distinguish communication connections between applications. They are used equally at the communication level by the protocols TCP and UDP. They form the interface to the services and applications that run on a computer. And they provide the transition from packet-oriented transmission to the data stream that flows from and to the applications. The port number is used to signal the system exactly to which application the data packet must be transferred.
The port numbers range from 0 to 65,535. Of these, the ports from 1 to 1,023 are reserved as services specific to system ports, which are also known as well known ports or default ports. This can be, for example, certain system services, such as ports 22, 25 and 80, for the SSH (remote maintenance), SMTP (mail server) and HTTP (web server) services.
The port numbers from 1,024 to 49,151 are also reserved ports, which are referred to as registered ports. These ports are not used as often. While normal users are not authorized to use the default ports, user applications can connect to these ports and offer external services.
The port numbers from 49.152 to 65.535, on the other hand, are intended for applications and communication connections that take place briefly and dynamically. This is often the case with outgoing connections or proprietary services within a network. In these cases, these dynamic or private ports are used.
To understand the process of port scanning, it is important to know how the TCP connection is established. With the connection-oriented protocol TCP, the connection is established and then cleared again after the data exchange. This is also known as a three-way handshake:
SYN
SYN+ACK
ACK
To establish a connection, the client sends a TCP-SYN packet to the corresponding port to the destination (usually the server) during the three-way handshake. If an application is listening on this port, the client receives a combined TCP-SYN / ACK packet as confirmation of the connection establishment. So that the connection is finally established, the connection is also confirmed by the client with a TCP-ACK packet to the server. From this stage, the data exchange can take place.
For this purpose, the client must send the protocol provided for the application and some application-specific data to the remote site. For example, a browser will send an HTTP request and the web server will respond with an HTTP response.
In the context of a port scan, the application-specific data exchange cannot be realized due to the enormous variety and the enormous amount of time spent scanning. A port scan is therefore limited to a connection attempt at the TCP connection level, which is terminated immediately if successful.
Port scans are particularly interested in the state of the port being examined, which can be used to draw conclusions about the existence of an application.
From this point of view, there are three port states:
OPEN states that an application or a service is listening on this port and thus a connection can be established on this port.
CLOSED, on the other hand, means the opposite. Namely, that the host rejected a connection to this port. So the statement is correct that no application is listening behind it.
FILTERED / BLOCKED states that the host does not respond to requests on this port. This means that the connection is neither confirmed (OPEN) nor rejected (CLOSED). If the host is otherwise reachable, a firewall either filters (FILTERED) or blocks (BLOCKED). Here either an upstream firewall can be as active as a packet filter on the host itself.
In principle, the only interesting thing about the port scan is whether a port is open or closed. Rather, the filtered state means that it requires further investigations in the form of further port scans.