22

So, whenever you hear of the mean little hackers who hack websites you hear of "port scanning". I understand what it is (looking for all open ports / services on a remote machine), however that begs the question:

Why would an attacker want to know what ports are open?

The only reason I see for this is looking for services that may or may not have the default username and password OR a vulnerability or something.

But seeing as the odds for this are quite low, why do hackers perform port scans? Is it purely for the reason above?

Joseph
  • Rattling door knobs to see what's there (identify services through fingerprinting) and if a lock has been applied (has it been secured) or if the lock is busted (is the service vulnerable). Why? It's easily scriptable, takes little effort. – Fiasco Labs Apr 17 '16 at 02:28
  • Because closed ports are kinda hard to work with... – David says Reinstate Monica Apr 17 '16 at 17:18

6 Answers

54
  • To run an exploit, an attacker needs a vulnerability.
  • To find a vulnerability, the attacker needs to fingerprint all services which run on the machine (find out which protocol they use, which programs implement them and preferably the versions of those programs).
  • To fingerprint a service, the attacker needs to know that there is one running on a publicly accessible port.
  • To find out which publicly accessible ports run services, the attacker needs to run a port scan.

As you see, a port scan is the first reconnaissance step an attacker performs before attacking a system.

Philipp
  • The first reconnaissance step is passive information gathering; port scanning or port grabbing are active information gathering and they come after the passive stage... just saying – Sarastro Apr 17 '16 at 00:18
  • @Sarastro that does not have to be true at all - one never *needs* to perform passive recon - it can be useful, but is not a required step – schroeder Apr 17 '16 at 00:57
  • @Schroeder following your logic... active information gathering isn't the first step either... agree with you, the first move is up to the player..., "The quieter you become, the more you can hear" – Sarastro Apr 17 '16 at 01:04
  • @Sarastro that's also true - there is no required "first step", which makes your initial comment moot. So, I'm completely confused as to what you are trying to say. – schroeder Apr 17 '16 at 03:11
  • @Schroeder In the first comment I really meant what I said about the passive information; in the second one, I just applied your logic in a Socratic way to show the initial point: the port scan is not the first step in the pentest procedure, as the answer says. As a matter of fact, I don't think it is right to start the road by scanning ports – Sarastro Apr 17 '16 at 03:33
  • @Sarastro How do you imagine it possible to passively learn something about a remote system without sending any packets to it? – kasperd Apr 17 '16 at 10:15
  • @Sarastro Indeed. That would only be possible if you had insider intel on the system, but since script kiddies running Nmap on random hosts don't usually know about your system, active information gathering is their first step. – A. Darwin Apr 17 '16 at 14:07
  • @A.Darwin first of all, my first comment was trying to say, as I agree with Schroeder, that there is no official first step, it's up to the player... the passive information gathering was an example to show this point, and I recognize there are many other ways to do the first move. My argument is with the statement in the answer "As you see, a port scan is the first reconnaissance step an attacker performs before attacking a system." – Sarastro Apr 17 '16 at 14:36
  • @Sarastro I tried to point this out in my answer, but for *some* attackers/pen-testers port scan is the first step right after looking up IP addresses. Their logic is that port scans on the internet happen so unbelievably often that a port scan is low enough noise to *almost* be treated as a passive recon. Obviously there are plenty of situations where this is not true, and attackers will pick a different first step, but many hackers do indeed claim "a port scan from the internet is my first step," so there is some validity in the claim. – Cort Ammon Apr 18 '16 at 02:56
6

Consider that I want to rob your home... Then I would look for a way to get in. But your home has door locks that allow only your local (family) people to access it, so I will search for some other way (ports), like windows (other open public ports), to get in, and try to get some data. If ports are open for ssh/ftp they try to exploit them: try uploading files or brute force.

Girish
  • It's actually more low level than that. A port scan is like finding a building with either doors or windows before you decide to see if you can unlock and open any of them. You see, in the weird world of the internet there are buildings (computers) that have no doors or windows (open ports). – slebetman Apr 18 '16 at 03:33
3

As Girish points out, a port scan is like casing a house. It's a very low-noise activity when done from the internet, because you'll see dozens of port scans a day. It also gleans a small amount of information about the state of your machine, and that lets them tailor the next layer of the attack even more.

It's also dirt cheap! Doing a port scan costs the attacker almost nothing, and sometimes you get lucky. In The Art of Intrusion, Kevin Mitnick gives examples of where such attacks do pay off in real life. In a simple system, it's easy to simply lock down all of the ports. In a more complicated IT network, it's harder to prove there is no business-logic reason for an open port, and the first rule of IT is "do not upset the business," so they may be left open. Mitnick's book gave the example of one case where there was a jury-rigged serial connection accidentally exposed to the internet. The attacker presumes it was a one-time kludge to solve an issue which was never dismantled after its use was no longer required. Years later, it was actually the attack vector found and exploited by the hackers.

There are situations where port scans are avoided. Advanced Persistent Threats (APT) tend to operate on the LAN. While port scans from the internet are a daily affair, port scans originating on the LAN are quite a lot "louder." Given that APTs value stealth, they will often avoid port scans that, in other circumstances, might just be random pot shots taken to see if one gets lucky.

Cort Ammon
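The defender's side of this answer, as an added example that is not part of the original post: the claim that internet-facing hosts see port scans daily, and that a scan on the LAN is "louder", is exactly what a simple detection rule exploits. The script below flags any source that hits many distinct destination ports on a host within a short window. The log lines are constructed to resemble netfilter/iptables LOG output for new inbound SYNs (they are not captured traffic), and the IP addresses, the `FW-NEW` log prefix, the window and the threshold are all assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example: threshold-based port-scan detection over firewall log lines.
# Field layout follows netfilter LOG output; the lines themselves are constructed.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \S+ .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)

SCANNER = "203.0.113.5"   # hypothetical external scanner (documentation range)
CLIENT = "198.51.100.7"   # hypothetical legitimate HTTPS client


def _line(sec: int, src: str, dpt: int, spt: int) -> str:
    """Build one constructed log line at 02:28:<sec> for the sample below."""
    return (f"Apr 17 02:28:{sec:02d} gw kernel: FW-NEW: IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 PROTO=TCP SPT={spt} DPT={dpt} SYN")


SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389]

# Constructed sample: a client reconnecting to 443 over a minute (normal), a
# scanner sweeping 12 ports within one second, and one unrelated sshd line.
SAMPLE_LOG = (
    [_line(0, CLIENT, 443, 50000)]
    + [_line(4, SCANNER, p, 54000 + i) for i, p in enumerate(SCANNED_PORTS)]
    + ["Apr 17 02:28:07 gw sshd[4242]: Accepted publickey for ops from 192.0.2.20"]
    + [_line(10 * i, CLIENT, 443, 50000 + i) for i in range(1, 6)]
)


def parse_line(line: str):
    """Return (timestamp, src, dport) for a firewall line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
    return ts, m.group("src"), int(m.group("dpt"))


def detect_port_scans(lines, window_s: int = 60, threshold: int = 10) -> dict:
    """Alert once per source that touches >= threshold distinct ports within window_s.

    Returns {src: sorted distinct ports seen at the moment the threshold was crossed}.
    A source that hammers one port (a busy client, a brute-forcer) never trips this
    rule; that is a different detection.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport), oldest first
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        q = recent[src]
        q.append((ts, dpt))
        while q and (ts - q[0][0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} distinct ports {ports}")
```

Because a scan from inside the network is so much rarer than one from the internet, a practical deployment would run the same rule with a lower threshold (or a longer window) for sources in internal address ranges than for external ones.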
2

Have you ever tried to perform network communications with a rock? How about a network router that has no electricity? It's pretty boring, because you get no response.

So attackers try to use the most common network protocols, like TCP and UDP, which use numbers that are called "port numbers", or "ports". (SCTP also uses ports.)

If a port is closed, then there's typically one of two results: a response that indicates "Connection refused", or no response whatsoever. Well, either of those results is far less interesting than an "open" port, which simply means that the attacker can get some other type of response when trying to interact with the targeted device.

Port scanning can refer to scanning the entire possible range of port numbers (0 through 65535), or simply scanning from a list of likely ports (e.g., 80, 443, 25, 22) to see what IP addresses respond. IP addresses that respond to a port number are likely targets for attackers to focus additional efforts to interact with, particularly if the port number which responds is the number of a commonly used standard (e.g., TCP port 80 is the most common port for HTTP).

(Although people can use a port for a different purpose than what is standard, that is quite uncommon to do, mostly because a lot of software doesn't handle alternate port numbers as easily. For instance, the standard for web browsers is to require adding a colon, and the port number, if a non-standard port is used. Using standard port numbers can eliminate the need for people to type that information.)

Scanning a port also has advantages over trying to perform more elaborate interactions, like many network attacks. The required time and bandwidth is much lower, so scanning can be done much more quickly than attacks that are more elaborate.

TOOGAM
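To make the three outcomes above concrete, and the fingerprinting step from Philipp's answer, here is an added example that is not part of any answer on this page: a minimal TCP connect() scanner that classifies a port as open, closed or filtered from the result of `connect()`, reads whatever banner the service volunteers, and guesses the service from the banner before falling back to the port number. So that it runs offline, it scans a throw-away listener started on 127.0.0.1; that listener, the port-to-service table and the banner prefixes are assumptions for the demo, not Nmap's probe database.

```python
import errno
import socket
import threading

# Added example: a tiny TCP connect() scanner with banner grabbing.
# Assumed port-to-service map (hypothetical subset of /etc/services).
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https"}

# Assumed banner prefixes; real fingerprinting is far richer than this.
BANNER_HINTS = (("SSH-", "ssh"), ("HTTP/", "http"), ("220 ", "smtp-or-ftp"))


def start_banner_service(banner: bytes):
    """Constructed stand-in for a real daemon: accepts a connection and sends `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener was closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port() -> int:
    """Bind-and-release to obtain a localhost port nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host: str, port: int, timeout: float = 1.0):
    """Classify one TCP port and grab its banner. Returns (state, banner).

    open:     handshake completed, something is listening
    closed:   RST came back (ECONNREFUSED): host is up, nothing listening there
    filtered: no answer within the timeout, something is dropping our SYN
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))  # errno instead of an exception
        if rc == 0:
            try:
                banner = s.recv(256)
            except socket.timeout:       # open, but the service waits for the client to speak first
                banner = b""
            return "open", banner.decode("ascii", "replace").strip()
        if rc == errno.ECONNREFUSED:
            return "closed", ""
        return "filtered", ""
    finally:
        s.close()


def guess_service(port: int, banner: str) -> str:
    """The banner beats the port number: a service may sit on a non-standard port."""
    for prefix, name in BANNER_HINTS:
        if banner.startswith(prefix):
            return name
    return WELL_KNOWN.get(port, "unknown")


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan a list of ports; returns {port: (state, banner, guessed service)}."""
    results = {}
    for port in ports:
        state, banner = probe_port(host, port, timeout)
        service = guess_service(port, banner) if state == "open" else ""
        results[port] = (state, banner, service)
    return results


if __name__ == "__main__":
    srv, open_port = start_banner_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    for port, (state, banner, svc) in scan("127.0.0.1", [open_port, find_closed_port()]).items():
        print(f"{port}/tcp  {state:8} {svc:8} {banner}")
    srv.close()
```

The "filtered" branch is where the second outcome in the answer lands: a dropped SYN produces no RST, so `connect_ex` only returns after the timeout, which is also why scanning through a firewall is so much slower than scanning a host that politely refuses.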
0

Hacking has a "discovery phase". During the discovery phase you discover as much information about your target as possible. Port scanning is just one aspect of discovery. Most software will run on its default port, and thus knowing which ports are open gives you some information as to what the machine is running. If ports 80 and 443 are open then you're likely dealing with some form of webserver. Then you discover what webserver is running and what software the webserver is running.

An open port means that something is listening on that port and that you can communicate with whatever is running on that port, which is a potential entry for a hacker. Trying default username & password combinations is just one part of hacking. Using vulnerabilities in software running on the target is another part, and to discover what software is running, port scanning is a good first step. If you don't know which ports are open you don't know to which ports you can send malicious packets.

mroman
-1

Once an application has answered on a specific port, that application could then be targeted for exploits. For instance, nmap will fingerprint and report software and applications found running on a server, sometimes with version information. Outdated versions will have publicly-known vulnerabilities, which software such as Metasploit could target.

This guy explains it well. As an analogy, an open port is like an open door. Once one door is opened, the device in question can be used to target other devices in the same network. The linked document explains how the author got into the Hacking Team's internal network and leaked their data.

dotancohen
  • "An open port is an open door [and a device with such an open door] can be used to target other devices in the same network." is incorrect. Maybe you're mixing it up with port forwarding, where the router forwards a port to another device? What an open port (i.e. getting a response when trying to connect to a port on a given IP address) really means is that there is an application running there that an attacker can target. See other answers. – Luc Nov 02 '18 at 14:16
  • @Luc: I believe that the analogy is meant to assume that if there is a program that can receive input on a given port, then that program can be used (either via intended function or bugs) to escalate privilege. – dotancohen Nov 02 '18 at 14:46
  • I see the edit and that part is correct, but the old part about "open port == open door == can be used to target other devices in the same network" is still wrong. **If** that were true, then port forwarding would be a very dangerous thing, but it's not. Please don't spread myths. – Luc Nov 11 '18 at 12:27
  • @Luc: Thank you for your input. Though in a pedantic sense you are not wrong, **for purposes of answering the OP and others like him** I believe that the analogy is helpful to understand the situation. The audience of this answer is not security researchers, rather layman who've stumbled across terms and are looking to understand them. **All analogies break down, but good analogies get the point across.** – dotancohen Nov 11 '18 at 12:46