Attack Technique

Port Scan

Port scans are an essential part of network maintenance, but can be used by attackers to find open doors. Here’s what you need to know to detect and stop port scans.

Definition

What is a port scan?

A port scan is a technique attackers use to identify vulnerabilities in your network. While port scanners have valuable applications for network security — to reveal open ports, vulnerabilities, or unnecessary devices connected to the network — malicious actors can use them to find weak points for entry. Attackers can also use them to see whether you’re running firewalls, VPNs, proxy servers and other security devices.

How it works

How the port scan technique works

Port scans work by sending packets to a range of network ports and analyzing the responses to determine which ports are open, closed, or filtered. These ports correspond to different services (such as HTTP, FTP, or SSH) that attackers could potentially exploit if they’re inadequately secured.

[Figure: Port scanning process]

Why attackers use it

Why attackers use port scan techniques

Attackers often use port scans in the reconnaissance phase to identify vulnerable services or misconfigured systems. For example, scanning for open ports like 22 (SSH) or 3389 (RDP) can reveal management services that may be accessible remotely and could become targets for exploitation.

Once an attacker knows which ports are open, they can narrow their focus to find vulnerabilities in services running on those ports. For example, if scanning tools reveal that a web server is running on port 80, attackers might probe it for misconfigurations, unpatched software, or weak credentials.

Types of port scan attacks

Attackers use several types of port scanning techniques, depending on the level of stealth required:

  • TCP connect scan: This scan attempts to complete a full three-way handshake to determine whether a port is open. It is the easiest port scanning attack to detect, since every completed connection is recorded in the target system's connection logs. This technique is used when SYN scanning is not an option.
  • SYN scan: SYN scanning, or half-open scanning, is stealthier than a TCP connect scan. The port scan tool sends a SYN packet to initiate the connection but never completes the handshake, thereby reducing the chances of detection. This method reveals open ports without establishing a full TCP connection or triggering alarms.
  • FIN, Xmas, and NULL scans: These are techniques used for evading firewalls or intrusion detection systems (IDS). They involve sending packets with unusual flag combinations to probe a specific port. Depending on the operating system, an open or closed port might react differently, allowing attackers to subtly map the network.
  • UDP scan: Since UDP (User Datagram Protocol) is connectionless, scanning it involves sending a UDP packet to a port and analyzing the response, or the lack of one. This type of scan is slower and harder to conduct than TCP scans because UDP responses are less predictable, and many services do not respond unless a request is properly formed.
  • FTP bounce scan: This tactic uses an FTP server to bounce a packet and disguise the sender’s location, enabling the attacker to go undetected.
  • Ping scan: In this type, attackers use a ping to test how easily a network data packet can reach an IP address.

Here is a table summarizing the various port scan techniques and their level of stealth:

| Scanning Technique | Purpose | Level of Stealth |
| --- | --- | --- |
| TCP Connect Scan | Attempts to establish a full TCP connection with the target port to check if it's open. | Low (easily detectable) |
| TCP SYN Scan (Half-Open Scan) | Sends SYN packets to determine open ports without completing the TCP handshake. | Medium (less detectable) |
| UDP Scan | Sends UDP packets to find open UDP ports on the target system. | Low (can be unreliable and detectable) |
| FIN, Xmas, and Null Scans | Sends packets with unusual flag combinations to bypass firewalls and detect open ports. | High (stealthy) |
| Ping Sweep | Sends ICMP Echo requests to discover active hosts on a network. | Low (easily detectable) |
| Version Scanning | Probes services to determine software versions and identify vulnerabilities. | Low to Medium |
| Idle Scan | Uses a "zombie" host to perform scans, hiding the attacker's IP address. | Very High (extremely stealthy) |

Why Port Scanning is Attractive to Attackers

  • Non-Invasive and Stealthy: Some scanning techniques are designed to avoid detection by firewalls and IDS.
  • Low Barrier to Entry: Numerous free tools and scripts are available, making port scanning accessible to attackers with varying skill levels.
  • Essential for Planning Attacks: Provides critical information needed to craft effective attack strategies.
  • Anonymity: Techniques like the idle scan help attackers remain anonymous.

Platform Detections

How to detect port scans

One way for security teams to prevent port scan attacks is to regularly run port scans themselves. This helps you identify potential target systems that are currently exposed, allowing you to close unnecessary ports and patch vulnerabilities. A strong firewall is also essential for preventing unauthorized access.
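The open/closed/filtered classification described under "How it works", and the self-audit recommended here, as an added Python example (not Vectra AI's code or tooling). It probes with plain TCP connects and classifies by socket outcome: a completed handshake is open, "connection refused" (an RST from the target) is closed, and a timeout is filtered. The loopback listener helpers are there only to give the demo a known-open and a known-closed port on 127.0.0.1; the thresholds and port lists are assumptions for the demo.

```python
"""Added example: a TCP connect probe that classifies ports as open, closed or filtered."""
import socket
from typing import Dict, Iterable, Tuple


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a connect scan does.

    open     - the three-way handshake completes (target answered SYN/ACK)
    closed   - the target answered with RST, surfaced as "connection refused"
    filtered - nothing came back before the timeout; typically a firewall
               silently dropping the SYN, indistinguishable from a dead host
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # No route / host unreachable: the scanner sees no answer either way
        return "filtered"
    finally:
        sock.close()


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port sequentially and return {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def summarize(results: Dict[int, str]) -> Dict[str, int]:
    """Count ports per state, the figure an exposure audit actually reports."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    for state in results.values():
        counts[state] += 1
    return counts


def start_loopback_listener() -> Tuple[int, socket.socket]:
    """Listen on an ephemeral 127.0.0.1 port so the demo has a known-open target.
    The caller must close the returned socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv


def unused_loopback_port() -> int:
    """Bind and immediately release an ephemeral port: no listener remains,
    so a probe of it gets an RST and is classified "closed"."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Demo against loopback only: one listening port, one released port
    open_port, listener = start_loopback_listener()
    try:
        results = scan_ports("127.0.0.1", [open_port, unused_loopback_port()])
    finally:
        listener.close()
    for port, state in results.items():
        print(f"127.0.0.1:{port} {state}")
    print(summarize(results))
```

Every "open" result corresponds to a connection the target completed, which is why the table above rates connect scans as easily detectable: each probe of an open port lands in the target's connection logs, and each probe of a closed port shows up as a refused connection in firewall logs.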

However, it’s important not to stop there. While reducing your exposure is critical, you also need a way to detect when internal services are under attack. For example, Vectra AI’s suspicious port scan detection is designed specifically to alert defenders when an attacker is actively attempting port connections on one or more IP addresses.
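The kind of detection logic this paragraph refers to, written out as an added Python example (not Vectra AI's detection and not its log format). It parses constructed firewall-style connection log lines and raises two kinds of alert: a vertical scan (one source touching many distinct ports on one host within a time window) and a horizontal scan (one source touching one port across many hosts). The log format, the 60-second window, and the thresholds of 10 ports and 5 hosts are assumptions chosen for the demo.

```python
"""Added example: toy port-scan detector over firewall-style connection logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format, e.g. "2024-05-01T10:00:00Z src=10.0.0.5 dst=10.0.1.20 dport=22 proto=tcp action=deny"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """One event per line; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def _max_distinct_in_window(pairs, window):
    """pairs: list of (timestamp, value). Largest number of distinct values seen
    in any span of length `window` that starts at one of the events."""
    pairs = sorted(pairs, key=lambda p: p[0])
    best = 0
    for i, (t0, _) in enumerate(pairs):
        seen = {v for t, v in pairs[i:] if t - t0 <= window}
        best = max(best, len(seen))
    return best


def detect_port_scans(log_text, window_seconds=60, min_ports=10, min_hosts=5):
    """Flag vertical scans (many ports on one host) and horizontal scans
    (one port on many hosts). Both allow and deny lines count: a connect
    scan that reaches an open port is logged as an allowed connection."""
    window = timedelta(seconds=window_seconds)
    vertical = defaultdict(list)    # (src, dst)   -> [(ts, dport)]
    horizontal = defaultdict(list)  # (src, dport) -> [(ts, dst)]
    for e in parse_log(log_text):
        vertical[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
        horizontal[(e["src"], e["dport"])].append((e["ts"], e["dst"]))
    alerts = []
    for (src, dst), evs in vertical.items():
        n = _max_distinct_in_window(evs, window)
        if n >= min_ports:
            alerts.append({"kind": "vertical", "src": src, "dst": dst, "count": n})
    for (src, dport), evs in horizontal.items():
        n = _max_distinct_in_window(evs, window)
        if n >= min_hosts:
            alerts.append({"kind": "horizontal", "src": src, "dport": dport, "count": n})
    return alerts


def build_sample_log():
    """Constructed sample log (not captured from any real network)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []

    def add(offset, src, dst, dport, action):
        ts = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} src={src} dst={dst} dport={dport} proto=tcp action={action}")

    # Vertical scan: 12 ports on one host within 22 seconds, two of them open
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        add(2 * i, "10.0.0.5", "10.0.1.20", p, "allow" if p in (22, 443) else "deny")
    # Normal client: repeated HTTPS to the same host over ten minutes
    for i in range(5):
        add(120 * i, "10.0.0.8", "10.0.1.20", 443, "allow")
    # Horizontal scan: one RDP probe against each of six hosts within 12 seconds
    for i in range(6):
        add(300 + 2 * i, "10.0.0.9", f"10.0.1.{30 + i}", 3389, "deny")
    # Three ports on one host spread over an hour: stays below the window threshold
    for i, p in enumerate([22, 80, 443]):
        add(1200 * i, "10.0.0.11", "10.0.1.50", p, "allow")
    lines.append("garbage line that does not parse")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_port_scans(build_sample_log()):
        print(alert)
```

The slow three-port case shows why the window matters: the same source touching the same three ports an hour apart is ordinary behaviour, and a detector that only counts distinct ports per day would either miss it or flood analysts with it. Tune `min_ports` and `min_hosts` against your own baseline before relying on them.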

FAQs