Understanding which ports are open, and why they are or are not, is clearly a vital requirement for any Penetration Tester or Network Engineer. We’ve updated our list for 2020.
Posted by Henry Dalziel | December 16, 2019 | Questions / Comments 2
- C|EH, Security+, MSc Marketing Management;
- Based in Hong Kong for the last five years;
- Cybersecurity Pro & Growth Hacker
Port Scanning is one of the initial steps that a Penetration Tester (‘Ethical Hacker’) will take to determine how secure a network or web application is from black hat hackers.
Port Scanning Software, of which there is plenty, is a ‘must-learn’ if you are serious about becoming a Cybersecurity Professional. We’ve tried to list as many useful and ‘user-friendly’ Port Scanning Tools as we can, drawn from those we have used in the past.
What is Network Scanning?
This concept refers to, somewhat obviously, scanning the network! ‘Ports’ on a network can be considered as being the entry points to a machine, or computer (box), that is connected to the Internet. An application or service that listens on a port functions by receiving data (bytes) from a client application, processing that data and then sending a reply back. If a network is hacked into, or compromised, then a malicious client can be programmed to exploit vulnerabilities in the server code with the purpose of gaining access to sensitive data or executing malicious code remotely. The communication and commands would then be administered through a Remote Access Tool (RAT).
What is Port Scanning?
Network scanning and port scanning are often used interchangeably. Port scanners (of which there are several, such as Angry IP Scanner, NetScanTools, Unicornscan, and NetworkMiner) are used by system and network administrators to verify the security profile of a network, so that hackers cannot identify services running on a host that have exploitable vulnerabilities. Of course, if a network admin (or any other IT professional) performing a scan discovers a vulnerability, then their priority is to patch the hole without delay. Port scanning is a task performed in the initial phase of a penetration test (‘pentest’) in order to establish all network entry points into the target system.
Why are there so many ‘Network and Port Scanning’ tools?
At first, it might seem that there are a ton of ‘similar’ tools. However, most of these tools serve a particular need or, said in a more technical way, each tool specialises in scanning certain protocols: for example, some are better at TCP port scanning than UDP port scanning, and vice versa.
Nmap is an abbreviation for ‘Network Mapper’ – ‘Network’ in an IT sense of the word. This is a classic hacking tool and perhaps the most famous one on our list. You can consider Nmap as being one of the best-known, and in fact, one of the most useful hacking tools out there. Period. If you are serious about pentesting, ethical hacking and IT Security in general, then learning Nmap is essential.
Is Nmap Free? You betcha!
In fact, a lot of other tools out there, Metasploit for example, pull in Nmap for network discovery and security auditing. Many system admins will use Nmap along with other such tools as Wireshark (and perhaps even ‘Network Miner’) for a wide variety of port and network scanning. If you’re completely new to port and network scanning then we’d suggest this article here.
How does Nmap Work? Nmap works by inspecting raw IP packets in creative ways to understand what hosts (servers) are available on the network, what services (application name and version) those hosts are running, what operating systems (including Operating System versions and possible patches) they use, and what type and version of packet filters/firewalls are being used by the target. In summary, you’ve got to learn Nmap if you want to work in Cyber Security as a practitioner.
Does Nmap Work on all Operating Systems? Yes, Nmap works on all major computer operating systems, and official binary packages are available for Linux, Windows, Mac OS X, IRIX, and AmigaOS. Of course, there’s a much easier way to install Nmap – just use Kali Linux or BackBox, since each ships with Nmap and you’ll be able to update the program with ease.
Brief word about ‘Zenmap’: Zenmap is the GUI version of Nmap. Here’s our advice: learn how to use Nmap, but when you’re out in the field performing a penetration test etc., then fire up Zenmap. The awesome thing about Zenmap is that it pre-loads all the command lines in one go, so you don’t have to start tapping ‘nmap’ into the command terminal to load the command help prompts.
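As an added example (not code from this article or from the Nmap project), here is a small parser for the host, port-state, service-version and OS-match fields that Nmap reports, read from its `-oX` XML output. The XML sample is constructed inline; its `reason` attributes record what a SYN scan observed for each port (SYN/ACK means open, RST means closed, no response usually means a firewall dropped the probe), which is what an administrator auditing their own network wants to check.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX XML layout (not real scan output). The "reason"
# attribute records what a SYN scan observed per port: syn-ack -> open,
# reset -> closed, no-response -> filtered (typically a firewall dropping the probe).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX - 10.0.0.5" start="0">
  <host>
    <status state="up" reason="arp-response"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"os": name-or-None, "ports": [port dicts]}} for hosts that are up."""
    report = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts and IPv6-only entries are skipped in this example
        ports = []
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        osmatch = host.find("os/osmatch")
        os_name = osmatch.get("name") if osmatch is not None else None
        report[addr.get("addr")] = {"os": os_name, "ports": ports}
    return report


def open_ports(report):
    """Flatten to (ip, port, proto, service) for every port that answered SYN/ACK."""
    return [(ip, p["port"], p["proto"], p["service"])
            for ip, h in report.items() for p in h["ports"] if p["state"] == "open"]
```

Feeding a real `nmap -oX` file into `parse_nmap_xml` gives you a list you can diff against the services you expect to be exposed.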
Angry IP Scanner is another classic tool which could (and should) be used in tandem with nmap and other similar tools for hacking and monitoring networks. Angry IP Scanner is cross-platform and, like nmap, is an open source network scanner created for fast and efficient deployment.
From our experience, the Angry IP Scanner is very easy to use.
Angry IP Scanner is mostly used by network administrators but it can also be used for penetration testing.
Features of this particular hacking software include IP Range Scanning, the ability to export results in many formats, and a command-line interface.
Is Angry IP Scanner Free? Yes! This tool is completely free.
Does Angry IP Scanner Work on all Operating Systems? It runs on Linux, Windows and Mac OS X operating systems.
What are the Typical Uses for Angry IP Scanner? One of the uses of this tool is to scan IP addresses and ports to find out what is out there on the network.
NetScanTools is really a collection of different pentesting tools that a system admin would find particularly useful. The range of network toolkits is designed for those who work in network engineering, network security, network administration, network training, or law enforcement internet crimes investigation. Like many other pentester tools in our series, the developers offer a free and commercial grade of their products.
Is NetScanTools Free? NetScanTools has a free and commercial product available.
Does NetScanTools Work on all Operating Systems? It is designed for Microsoft Windows operating systems.
What are the Typical Uses for NetScanTools? NetScanTools was created to help people with internet information gathering and network troubleshooting. With this tool, you can automatically research IPv4 and IPv6 addresses, domain names, hostnames, email addresses and URLs. The automated tools are started by the user; several tools are then used to do the research, and the results are presented in the user’s web browser.
Unicornscan is another tool that is similar to nmap, Angry IP Scanner and NetScanTools. This tool works by gathering and correlating datasets for analysis. This hacking software was created to provide an engine that is, according to the developers: “Scalable, Accurate, Flexible, and Efficient”.
It is released for the community to use under the terms of the GPL license.
Is Unicornscan Free? Yes sir! Using this tool is free.
Does Unicornscan Work on all Operating Systems? Unicornscan currently works on Linux operating systems but this could be wrong – please verify.
What are the Typical Uses for Unicornscan? Unicornscan is intended to give hackers and penetration testers a way to visualize TCP/IP packets.
Features of this tool include “an Asynchronous stateless TCP banner grabbing, asynchronous stateless TCP scanning with all variations of TCP Flags, asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a response), PCAP file logging and filtering, relational database output, active and Passive remote OS, application, and component identification by analyzing responses, custom module support and customized data-set views.”
There’s a good resource here if you’re interested.
In the US there isn’t a Federal Law that outright bans port scanning using specific tools, but you still need to be very careful because your actions would constitute a violation of privacy. Furthermore, performing an authorized port scan of a network using (for example) nmap or a similar hacker tool could get you into a ton of issues in a civil lawsuit capacity. So, the short answer is no – but – it’s technically illegal because it’s a breach of privacy.
“A hacker or a Cybersecurity Professional such as an “Ethical Hacker” or a Penetration Tester (with explicit permission) would initiate a port scan to see what’s on the network. A “Port Scanning Attack” is a broad term that implies that an offensive attack has been executed to breach a system, but in reality, a port scan is only an important step within the penetration test.
The actual scan would be done using a port scanning tool like nmap whilst the “attack” would be done by something like Metasploit if a vulnerability is discovered on a specific port. They’d work together therefore: the scanning would discover what can be hacked and a tool like Metasploit will exploit the discovered vulnerability, assuming that it hadn’t been patched. So, in summary, you’d be using a bunch of tools available to both security professionals as well as hackers.”
TCP and UDP are generally the protocols used in port scanning, as previously mentioned, and there are several methods of actually performing a port scan with these protocols. The most commonly used method of TCP scanning is the SYN scan.
The two most common protocols that a port scanning tool would search for would be the obvious ones (and the most commonly found on HTTP), i.e. TCP and UDP. They are both different protocols of course: TCP/IP is really datasets (packets) which constitute the vast majority of internet traffic, whilst UDP is generally more for media.
Hacking tools such as nmap are very good at scanning the ports that are associated with these protocols as well as executing the transit of packet formations typically associated with TCP and UDP.
Cybersecurity Professionals and “Criminal Hackers” would typically use a port scanning tool and software because it’s a simple way to audit or “discover” what’s on your target’s network. When you know what’s on the network then you can decide on what can (and could) be hacked. Think of port scanning in the same way as conducting an “audit”.
It’s impossible to calculate “how long” a port scan will take because there are a multitude of variables that dictate the speed and accuracy of a port scan. However, one thing is for certain: the noisier the scan is, the more likely that a firewall and security alarms will be triggered. It’s typical for hackers to move slowly and scan even slower to avoid detection.
No, they’re not. An innocent scan performing expected pings or sending anticipated TCP/UDP packets will not bring down a network. However, a skillful hacker can manipulate packets (“craft packets”) to test for specific known vulnerabilities on a system.
While it’s virtually impossible to protect your network from all types of port scans, there are best practices available to all that will protect your network. A lot of these tools are provided by Cybersecurity vendors, and there are open source options as well. A simple Firewall configured correctly will help prevent “script kiddie” attacks.
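The two points above (a noisy scan trips firewall alarms, and a slow scan is made to slip under them) come down to how a detector counts distinct ports per source over a time window. The following added example is not from this article or any vendor product: it runs a sliding-window port-scan detector over constructed firewall DROP log lines, in a key=value format assumed for illustration, and shows that the slow scanner is missed with a 60-second window but caught with a 10-minute one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in an assumed key=value DROP format (not a real device).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

SAMPLE_LOGS = [
    # 198.51.100.9 probes five ports within three seconds: a noisy scan
    "2019-12-16T10:00:00 DROP src=198.51.100.9 dst=10.0.0.5 proto=tcp dport=21",
    "2019-12-16T10:00:00 DROP src=198.51.100.9 dst=10.0.0.5 proto=tcp dport=23",
    "2019-12-16T10:00:01 DROP src=198.51.100.9 dst=10.0.0.5 proto=tcp dport=25",
    "2019-12-16T10:00:02 DROP src=198.51.100.9 dst=10.0.0.5 proto=tcp dport=110",
    "2019-12-16T10:00:03 DROP src=198.51.100.9 dst=10.0.0.5 proto=tcp dport=3389",
    # 203.0.113.7 probes one port every two minutes: a slow scan
    "2019-12-16T10:00:00 DROP src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=21",
    "2019-12-16T10:02:00 DROP src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=23",
    "2019-12-16T10:04:00 DROP src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=25",
    "2019-12-16T10:06:00 DROP src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=110",
    "2019-12-16T10:08:00 DROP src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=143",
    # 192.0.2.44 retries a single blocked port: a normal client, not a scan
    "2019-12-16T10:00:00 DROP src=192.0.2.44 dst=10.0.0.5 proto=tcp dport=443",
    "2019-12-16T10:00:01 DROP src=192.0.2.44 dst=10.0.0.5 proto=tcp dport=443",
]


def parse_log(lines):
    """Yield (timestamp, src, dst, proto, dport) for each line matching LOG_LINE."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["proto"], int(m["dport"]))


def detect_port_scans(lines, window_seconds=60, min_ports=5):
    """Return {src: count} for sources hitting >= min_ports distinct (dst, proto, dport) targets
    inside some sliding window of window_seconds; count is the largest such window's size."""
    events = defaultdict(list)  # src -> [(timestamp, target)]
    for ts, src, dst, proto, dport in parse_log(lines):
        events[src].append((ts, (dst, proto, dport)))
    window, flagged = timedelta(seconds=window_seconds), {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):  # window anchored at each event in turn
            targets = {t for ts, t in evs[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_ports:
            flagged[src] = best
    return flagged
```

Widening the window or lowering `min_ports` catches slower scans at the cost of more false positives from ordinary clients, which is the trade-off a firewall or IDS rule has to be tuned for.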
A hacker executes a port scan using a particular software tool to discover ports that shouldn’t be open. Once the hacker (or Security Professional) has discovered an open port then a decision can be made as to whether the service with the open port can be breached and to what outcome.
Hiding your tracks is vital for a skilled hacker and that’s why a lot of hackers and “Ethical Hackers” learn the importance of using proxies when using port scanning software.