
Port scanning tool

(*-*)浩 (original)
2019-07-22 13:53:06

A port scanning tool is a tool used to detect open ports on a server or host. Such tools are often used by system administrators to verify that security policies are being enforced, and by attackers to identify the network services running on a target host.


Port scanning is defined as a client sending requests to a range of ports on a server in order to find out which of them are in use. It is not a malicious network activity in itself, but it is also an important means for attackers to discover the services on a target host and then exploit known vulnerabilities in those services. The main purpose of a port scan, however, is simply to confirm whether a service is available on a remote machine.

Scanning many hosts for one specific port, in search of a specific service, is called port sweeping (portsweep). For example, a computer worm targeting SQL Server sweeps a large number of hosts on the same port, attempting to establish a TCP connection to port 1433 on each of them.

Types

TCP scan

The simplest port scanning tools use the operating system's native network functions and are usually treated as an alternative to the SYN scan. Nmap calls this mode a connect scan because it uses the Unix connect() system call. If the port is open, the operating system completes the TCP three-way handshake, and the scanning tool immediately closes the newly established connection to avoid causing a denial of service on the target. The advantage of this mode is that it requires no special privileges. However, using the operating system's native network functions gives no low-level control over the packets, so this method is not very popular. A TCP connect scan is also easy to detect, especially when used for port sweeping: the services that are contacted log the sender's IP address, and an intrusion detection system may raise an alert. [1]

SYN scan

SYN scan is another form of TCP scan. Rather than using the operating system's native network functions, the port scanning tool generates and sends raw IP packets itself and monitors the responses. This mode is called "half-open scanning" because it never establishes a full TCP connection. The tool sends a SYN packet; if the target port is open, the target replies with a SYN-ACK. The scanner then responds with an RST packet, closing the connection before the handshake is completed. If the port is closed and not filtered, the target should reply to the SYN with an RST packet.

This raw-packet approach has several advantages: it gives the scanning tool full control over the timing of the packets it sends and over how long it waits for a response, which allows a more detailed analysis of the replies. There is some debate about which scanning method is less intrusive on the target host, but the SYN scan has the advantage of never establishing a full connection. On the other hand, the RST packets can cause problems for simple network devices such as printers.
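Detecting the activity described in the TCP and SYN scan sections from a defender's side, as an added example that is not code from the original article: it flags a source that probes many ports on one host (a port scan), a source that hits the same port across many hosts (the port sweep on 1433 described earlier), and records whether every probe stopped at SYN, which is the half-open trace a SYN scan leaves in flow logs. The log format, the thresholds and the sample addresses are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample log (invented for this example, not any real product's format):
# <epoch> <src_ip> <dst_ip> <proto>/<dst_port> <state>; 'syn' = SYN seen but the
# handshake never completed (half-open), 'established' = full three-way handshake
SAMPLE_LOG = """\
1563774780 198.51.100.7 192.0.2.10 tcp/21 syn
1563774780 198.51.100.7 192.0.2.10 tcp/22 syn
1563774780 198.51.100.7 192.0.2.10 tcp/23 syn
1563774781 198.51.100.7 192.0.2.10 tcp/25 syn
1563774781 198.51.100.7 192.0.2.10 tcp/80 syn
1563774781 198.51.100.7 192.0.2.10 tcp/110 syn
1563774782 198.51.100.7 192.0.2.10 tcp/443 syn
1563774782 198.51.100.7 192.0.2.10 tcp/3389 syn
1563774800 203.0.113.5 192.0.2.1 tcp/1433 established
1563774800 203.0.113.5 192.0.2.2 tcp/1433 established
1563774801 203.0.113.5 192.0.2.3 tcp/1433 established
1563774801 203.0.113.5 192.0.2.4 tcp/1433 established
1563774802 203.0.113.5 192.0.2.5 tcp/1433 established
1563774802 203.0.113.5 192.0.2.6 tcp/1433 established
1563774900 192.0.2.50 192.0.2.10 tcp/443 established
"""

def parse(line):
    ts, src, dst, service, state = line.split()
    proto, port = service.split("/")
    return int(ts), src, dst, (proto, int(port)), state

def detect(log, window=60, port_threshold=8, host_threshold=6):
    """Flag one source touching many ports on one host (scan) or one port on many hosts (sweep)."""
    by_src = defaultdict(list)
    for ev in map(parse, log.strip().splitlines()):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, events in sorted(by_src.items()):
        events.sort()
        for i, (ts, _, _, _, _) in enumerate(events):
            # sliding window: this event plus everything from the same source in the last `window` seconds
            recent = [e for e in events[:i + 1] if e[0] >= ts - window]
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, _, dst, svc, _ in recent:
                ports_per_host[dst].add(svc)
                hosts_per_port[svc].add(dst)
            # every probe stuck at SYN is the signature of a half-open (SYN) scan
            half_open = all(e[4] == "syn" for e in recent)
            found = [("portscan", d, len(p)) for d, p in ports_per_host.items() if len(p) >= port_threshold]
            found += [("portsweep", f"{s[0]}/{s[1]}", len(h)) for s, h in hosts_per_port.items() if len(h) >= host_threshold]
            for kind, key, count in found:  # keep the largest count seen for each (kind, src, key)
                if count > alerts.get((kind, src, key), {}).get("count", 0):
                    alerts[(kind, src, key)] = {"type": kind, "src": src, "key": key, "count": count, "half_open": half_open}
    return list(alerts.values())
```

Run `detect(SAMPLE_LOG)` to get one half-open port scan alert for 198.51.100.7 against 192.0.2.10 and one port sweep alert for 203.0.113.5 on tcp/1433; the single benign connection from 192.0.2.50 produces nothing.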

UDP scan

UDP scanning is also possible, although it presents some technical challenges. UDP is a connectionless protocol, so there is no packet equivalent to the TCP SYN. However, if a UDP packet is sent to a port that is not open, the target system responds with an ICMP port unreachable message. Most UDP port scanners rely on this and infer that a port is open from the absence of a response. If the port is blocked by a firewall, this method wrongly reports it as open, and if port unreachable messages are blocked altogether, every port appears open. The method is also subject to ICMP rate limiting.

Another approach is to send application-specific UDP packets in the hope of triggering an application-layer response. For example, if a DNS server is present, sending a DNS query to port 53 produces a reply. This method identifies open ports more reliably, but it only works for ports for which an application-specific probe is available. Some tools (e.g. Nmap) typically carry fewer than 20 probes for UDP services, while some commercial tools (e.g. Nessus) have as many as 70. In some cases a service may be listening on a port but be configured not to respond to a specific probe packet.
