What are ports and what is port scanning?
Before getting into the proverbial weeds, let’s explain the basic concepts.
Ports are logical (not physical) communication endpoints: numbered channels that let two or more machines on a network keep separate conversations apart, so that incoming traffic is delivered to the right service on the receiving host.
Port scanning – also sometimes referred to as network scanning – is a type of active reconnaissance used mainly by cybersecurity professionals to determine how exposed a given network is.
Port scanning is conducted by sending a series of messages from one computer to another, one message to each port in turn, and recording how (or whether) each port responds.
The primary objective of port scanning is to identify which ports are open for external communication and which are closed. Normally this is done by information security specialists, who can then switch off undesired communication channels by closing unused ports.
For instance, a web server will always need ports 80 and 443 open for the HTTP / HTTPS communication that content delivery depends on. On the other hand, Remote Desktop Protocol on port 3389, which allows remote control of and access to other computers, is not essential on such a server and should be closed for security reasons.
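As an added example (not code from the original post), the Python script below turns the idea in the last two paragraphs into a check a defender can run after a scan: parse the listening sockets a Linux host reports via `ss -tln`, compare them with the ports the service is expected to expose, and flag anything else bound to an external address. The `ss` output and the port-name table are constructed for illustration; the allowlist of 80 and 443 and the RDP port 3389 come from the text, and the PostgreSQL listener on 5432 is an assumed extra entry to show the loopback case.

```python
"""Audit a host's listening TCP ports against an allowlist.

Added example, not part of the original post. Parses the shape of
output that `ss -tln` prints on Linux and classifies each listener as
allowed, loopback-only, or externally exposed.
"""
import re

# Constructed sample in the shape of `ss -tln` output (not captured
# from a real host): a web server that also has RDP and PostgreSQL listening.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     [::]:443             [::]:*
LISTEN  0       128     0.0.0.0:3389         0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
"""

# Names for the ports the post mentions, plus the assumed PostgreSQL entry.
PORT_NAMES = {80: "http", 443: "https", 3389: "rdp", 5432: "postgresql"}

# Ports a web server is expected to expose (the post's 80 and 443).
WEB_SERVER_ALLOWLIST = {80, 443}

# "Local Address:Port" field, e.g. 0.0.0.0:80, [::]:443 or *:22.
_LOCAL_RE = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Return a list of (address, port) tuples for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        match = _LOCAL_RE.match(fields[3])
        if not match:
            continue
        listeners.append((match.group("addr"), int(match.group("port"))))
    return listeners


def audit_listeners(listeners, allowlist):
    """Classify listeners into three lists of (port, name, address):

    allowed  - on the allowlist, expected to be reachable from outside
    loopback - bound to 127.0.0.1 / [::1] only, so not reachable externally
    exposed  - externally bound and not on the allowlist: close or firewall
    """
    report = {"allowed": [], "loopback": [], "exposed": []}
    for addr, port in listeners:
        entry = (port, PORT_NAMES.get(port, "unknown"), addr)
        if port in allowlist:
            report["allowed"].append(entry)
        elif addr in ("127.0.0.1", "[::1]"):
            report["loopback"].append(entry)
        else:
            report["exposed"].append(entry)
    return report


def exposed_ports(ss_output, allowlist=WEB_SERVER_ALLOWLIST):
    """Sorted list of externally bound ports that are not on the allowlist."""
    report = audit_listeners(parse_listeners(ss_output), allowlist)
    return sorted(port for port, _, _ in report["exposed"])


if __name__ == "__main__":
    result = audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT), WEB_SERVER_ALLOWLIST)
    for category, entries in result.items():
        for port, name, addr in entries:
            print(f"{category:8} {port:>5} ({name}) bound to {addr}")
```

On the constructed sample the only finding is 3389 (RDP) bound to all interfaces; 5432 is reported separately because a loopback-only listener is invisible to an external scan, which is exactly why a scan from outside and an audit from the host itself complement each other.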
While infosec professionals work to secure their systems, attackers scan those same systems for weaknesses. Any benign tool used for network security configuration becomes a dangerous weapon when used for the opposite purpose – network intrusion.
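The flip side of the same activity is what a network's defender sees in the logs. The following Python snippet is an added example, not part of the original post: it reads constructed firewall-style log lines (key=value fields loosely modelled on the format iptables LOG rules produce, with addresses from the RFC 5737 documentation ranges) and flags any source that touches many distinct ports on one host within a short window, which is the characteristic footprint of the one-message-per-port behaviour described above. The window and threshold values are assumptions to be tuned per environment.

```python
"""Flag port-scan-like behaviour in firewall log lines.

Added example, not from the original post. Heuristic: a source that
contacts at least DISTINCT_PORT_THRESHOLD different destination ports
on one host within WINDOW_SECONDS is reported as a probable scanner.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60           # assumed sliding-window length
DISTINCT_PORT_THRESHOLD = 10  # assumed number of distinct ports that triggers an alert

# Constructed sample log: a benign client repeatedly using HTTPS, and a
# second source walking through twelve common ports one second apart.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443"
     for i in range(5)]
    + [f"2024-05-01T10:01:{i:02d} SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT={port}"
       for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 3389])]
)


def parse_line(line):
    """Parse '<ISO timestamp> KEY=VALUE ...' into a small event dict."""
    ts_str, *pairs = line.split()
    fields = dict(item.split("=", 1) for item in pairs)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "dpt": int(fields["DPT"]),
    }


def detect_scanners(log_text, window=WINDOW_SECONDS, threshold=DISTINCT_PORT_THRESHOLD):
    """Return {(src, dst): max distinct ports seen in one window} for every
    source/destination pair that reached the threshold."""
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda event: event["ts"],
    )
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, dport)
    alerts = {}
    for event in events:
        key = (event["src"], event["dst"])
        queue = recent[key]
        queue.append((event["ts"], event["dpt"]))
        # Drop entries that have fallen out of the sliding window.
        while (event["ts"] - queue[0][0]).total_seconds() > window:
            queue.popleft()
        distinct = len({dport for _, dport in queue})
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


if __name__ == "__main__":
    for (src, dst), count in detect_scanners(SAMPLE_LOG).items():
        print(f"probable port scan: {src} -> {dst}, {count} distinct ports within {WINDOW_SECONDS}s")
```

The benign client never trips the rule because repeated connections to the same port count as one distinct port; the scanner is reported once it crosses ten ports, and the alert records the final count of twelve. A real deployment would key on the protocol as well and exclude known vulnerability-management scanners, which is where the notification etiquette discussed later in the post comes in.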
Top 100 common ports
Credit to NetworkVerge for compiling this handy list of commonly used and known TCP and UDP ports, ready to be scanned:
Port scanning tools
- The most popular and widely recognised port scanners are Nmap and its GUI-friendly sibling Zenmap. Both are available for every reasonably common operating system.
- Another reliable tool is Netcat, a command line tool for Linux and macOS.
- If you prefer a nice, efficient and convenient GUI, you can try out SolarWinds’ Open Port Scanner as a fully functional free 14-day trial.
- For rapid, web-based light scans without the need to install anything or dabble in configuration, check out the TCP Port Scan from Pentest-Tools.
- There are many other custom-built, less well-known but still effective port scanning tools – GoScan, Masscan, RustScan, Naabu and many other repositories on GitHub, to name a few.
The legality of port scanning
A port scan is not in itself an attack on the scanned entity, as it does not cause any detrimental effect. From a legal standpoint, however, it can be regarded as one step in a malicious sequence of events.
From a legal perspective (and retrospectively, for example during a trial) a port scan might signal an intention to commit a transgression, comparable to ringing a doorbell at a house to see who is home before committing a burglary.
Vulnerabilities can be detected as a result of a port scan, which, to continue the domestic crime analogy, is similar to pulling at door handles to see whether they are locked or checking the windows for gaps where a prying implement could be inserted.
Cases of criminal prosecution arising from port scanning are fairly rare, but I discovered a couple of interesting ones through open source research:
- 2000, US; Georgia District Court; Moulton v. VC3 – the defendant was an IT contractor tasked with installing an Internet connection between the 911 centre and a local police department. Moulton scanned the network on which the 911 system resided, and accidentally also scanned a Cherokee County web server owned by VC3, another IT company. He terminated the scan but VC3 reported the activity to the police stating that the scan was unauthorised and Moulton was arrested. The court ultimately ruled that no crime was committed.
- 2004, Israel; The State of Israel vs Avi Mizrahi – The defendant was accused of conducting port scans on the website belonging to Mossad, the Israeli state intelligence agency. Mizrahi was charged with hacking offences but argued that he acted in the interest of public safety and that no intrusion took place. He was found not guilty.
- 2005, UK; Horseferry Road Magistrates Court; R v Daniel Cuthbert – The defendant made an online donation to a tsunami relief charity website, but became concerned afterwards that it may have been a phishing site (when he did not receive a confirmation email for his payment). He started off with port scanning and proceeded further, gaining access to the website. He was found guilty of unauthorised access and fined £400. Based on the available evidence it appears that the court did not take issue with port scanning as such, but with crossing the line between passive and active reconnaissance.
- 2015-2018, UK; The Halifax Scan – after his initial discovery in 2015, the English cybersecurity researcher Paul Moore attempted to sue Halifax Bank for scanning ports on the computers of anybody who visited the bank’s website. He argued that port scans on website visitors’ machines without their consent were a violation of the UK’s Computer Misuse Act (CMA). The bank defended its actions, stating they were standard security practice. No legal action took place, as no malicious intent on the part of the bank was established, despite conflicting legal opinions on the matter.
- 2020, worldwide; eBay user scans – the US-based security researcher Charlie Belmer discovered that eBay conducts port scans on every user as part of its “security checks”, called the activity “clearly malicious” and suggested it could be illegal. No legal action, or attempt at one, has taken place so far.
Legal protections when conducting port scans
I assume that most people reading this post will engage in port scanning for educational / network security purposes and not for any potentially illegal deeds. This is fine and there is nothing to worry about, especially if you bear in mind the following tenets of port scanning etiquette:
- If you intend to scan ports on somebody’s network, ask for permission. Explaining what you are doing and why will help you avoid any misunderstandings.
- Contact the network administrator directly and inform them, especially if you intend to conduct lengthy or intense scans. If not notified, somebody whose day-to-day job is to secure and maintain a network might perceive your actions as an intrusion attempt.
- Narrow down your scans and focus on the specific hosts and ports you actually need to examine. Aimlessly scanning all 65,536 TCP ports on every machine on a network is not only counterproductive but also questionable.
- If scanning ports for any purpose other than a professional vulnerability scan while on a work or university network, remember that you might attract the attention of a local administrator. While no legal consequences might await you, you can still be sanctioned or even banned for breaching the acceptable use policy.
- Before running scans from your home network, get familiar with your ISP’s fair usage policy. Nothing hurts an infosec or pentesting enthusiast like a sudden, unexplained shutdown of the Internet connection.
- And finally, if conducting any type of professional assignment or assessment, make sure you have signed a contract that stipulates the dos and don’ts. As always, once you operate within contractual boundaries, there is no liability and no legal threat.