1

I was asked this question in an interview: "What is a port sweep?"

When I replied with port scan he said that my answer was not a scan, it was a port sweep. I googled and found "tcp sweep" but not "port sweep".

Can anybody help me with this?

schroeder
sauravdante
    Can you explain on what you actually said? That might make it easier to answer. – schroeder Jul 20 '18 at 07:24
  • I replied to him by describing vertical scan and horizontal scan. – sauravdante Jul 20 '18 at 08:22
    I'm sorry to be staying on this, but can you outline what you actually said? You are replying with using terms, but your whole question is about defining the terms. If your definition is different from ours, theirs, or standard definitions, then that might be the true answer to this. Right now, I would answer "port scan is the same as port sweep", but for that answer to mean anything to *you* we need to sync up what you think those terms mean. – schroeder Jul 20 '18 at 08:32
  • I didn't realize there was a difference. If I had to draw a line though, I'd say a `port sweep` is just a quick scan that checks to see which ports are open and a `port scan` is actual banner grabbing, inferring OS version, probing a little for possible vulns. This question seems like it was designed more to see how you think than to get an exact correct answer as it's very opinion based. Once again, I don't know if there's a difference. This is 100% my opinion, take with salt. – DotNetRussell Jul 20 '18 at 15:10

3 Answers

6

This answer is 64.7% opinion.

TL;DR: A port sweep looks for specific port(s) across multiple hosts. A port scan enumerates any ports to be found on one or more hosts.

Some people use "port sweep" to describe a port scan that is focused on a specific port across a wide number of hosts, rather than on determining the open ports for some number of hosts.

An example: imagine a new PostgreSQL flaw is found which permits compromise via the network listener. You will quickly see scans, some of them Internet-wide, testing port 5432/tcp and nothing else. This is a port sweep - a broad "sweeping" scan, targeted tightly to finding a vulnerable service, anywhere it can be found.

A sweep is not limited to one port. Let's say that a flaw was exposed that impacted PostgreSQL and MySQL equally; you will see scans which hit both 3306/tcp and 5432/tcp, but nothing else. However, the fact that it's focused on finding a discrete number of specific issue-related ports makes it a sweep.

Finally, a "sweep" may be used as a host detection method. You can sweep for limited "likely" ports (80/tcp, 443/tcp) to see if anyone is there, and then go back to do full port scans against hosts that the sweep found to be alive. This is common for things like the Internet where smart people disable ICMP ping. It would take too long to do full port scans against a block with potential dead IPs, so the sweep is used to narrow the scope of the scan.

By this definition, the contrasting "port scan" is a full-spectrum attempt to enumerate all open ports (or at least a reasonably ambitious subset) on host(s).

gowenfawr
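The split gowenfawr draws (few ports across many hosts versus many ports on few hosts) is exactly the shape a detection rule keys on. The following is an added example, not code from the answer or from any scanner it mentions: a small classifier over connection records that labels each source as a port sweep, a port scan, or both. The log format, the RFC 5737 addresses and the thresholds are all constructed assumptions for illustration.

```python
"""Distinguish a port sweep from a port scan in connection records.

Added example, not part of the original answer. The record format, the
addresses and the thresholds are constructed assumptions chosen to show the
definitions above: a sweep touches few ports on many hosts, a scan touches
many ports on few hosts.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed thresholds; tune them to the size and noise level of your network.
MIN_HOSTS_FOR_SWEEP = 5   # distinct destination hosts before "wide" applies
MAX_PORTS_FOR_SWEEP = 3   # a sweep targets a handful of issue-related ports
MIN_PORTS_FOR_SCAN = 10   # distinct ports on a host before "deep" applies


def parse_log(text: str) -> List[Tuple[str, str, int]]:
    """Parse constructed 'src_ip dst_ip dst_port' lines into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        records.append((src, dst, int(port)))
    return records


def summarize(records: List[Tuple[str, str, int]]) -> Dict[str, Tuple[Set[str], Set[int]]]:
    """Per source address: the set of destination hosts and of destination ports."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    ports: Dict[str, Set[int]] = defaultdict(set)
    for src, dst, port in records:
        hosts[src].add(dst)
        ports[src].add(port)
    return {src: (hosts[src], ports[src]) for src in hosts}


def classify(n_hosts: int, n_ports: int) -> str:
    """Label a source by how wide (hosts) and how deep (ports) it went."""
    wide = n_hosts >= MIN_HOSTS_FOR_SWEEP
    deep = n_ports >= MIN_PORTS_FOR_SCAN
    if wide and n_ports <= MAX_PORTS_FOR_SWEEP:
        return "port sweep"     # horizontal: a few ports, many hosts
    if deep and not wide:
        return "port scan"      # vertical: many ports, one or a few hosts
    if wide and deep:
        return "block scan"     # both wide and deep
    return "undetermined"       # ordinary client traffic or too little data


def classify_log(text: str) -> Dict[str, str]:
    """Map every source address in the log to its verdict."""
    return {src: classify(len(h), len(p))
            for src, (h, p) in summarize(parse_log(text)).items()}


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_LOG = "\n".join(
    # one source probing 5432/tcp on twelve hosts: a single-port sweep
    [f"198.51.100.7 10.0.0.{i} 5432" for i in range(1, 13)]
    # one source probing 3306 and 5432 on eight hosts: a two-port sweep
    + [f"198.51.100.8 10.0.0.{i} {p}" for i in range(1, 9) for p in (3306, 5432)]
    # one source probing twelve ports on a single host: a port scan
    + [f"203.0.113.9 10.0.0.5 {p}"
       for p in (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389)]
    # ordinary client traffic that should not be flagged
    + ["192.0.2.4 10.0.0.5 443", "192.0.2.4 10.0.0.5 443", "192.0.2.4 10.0.0.6 80"]
)

if __name__ == "__main__":
    for src, verdict in sorted(classify_log(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

The two-port source is still reported as a sweep, matching the answer's point that a sweep is defined by its narrow, issue-related port set rather than by a single port. On a real sensor you would window the records by time as well, since a patient scanner can stay under either threshold if you aggregate over a long enough period.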
0

Unfortunately, you'll always run into interviewers with their own specific definitions, who ding you for not being psychic.

Port sweep and port scan can be interchangeable. Or they could be different. It all depends on context. These are colloquial terms, and don't have one single valid definition.

I would agree with @gowenfawr that a 'sweep' is commonly understood as being wide-but-shallow, and a scan as being deeper (could still be very wide), but then again, masscan was built for scanning a ton of machines very shallowly, and it's not "mass-sweep", so yeah; they're honestly interchangeable.

Angelo Schilling
-1

Part of the confusion lies in the definition of "scan". In more recent times, this word has become confused with "skim". To scan is to examine in minute detail - like a scanning electron microscope, not give a quick once-over.