The Art of Port Scanning

by Fyodor <fyodor@dhp.com>

(Last significant update: Sat Sep 6 03:24:53 GMT 1997)

Abstract

This paper details many of the techniques used to determine what ports (orsimilar protocol abstraction) of a host are listening for connections. These ports represent potential communication channels. Mapping their existencefacilitates the exchange of information with the host, and thus it is quite useful for anyone wishing to explore their networked environment, including hackers. Despite what you have heard from the media, the Internet is NOTall about TCP port 80. Anyone who relies exclusively on the WWW forinformation gathering is likely to gain the same level of proficiency as your average AOLer, who does the same. This paper is also meant to serve as anintroduction to and ancillary documentation for a coding project I have been working on. It is a full featured, robust port scanner which (I hope) solves some of the problems I have encountered when dealing with other scanners and when working to scan massive networks. The tool, nmap, supports the following:

Vanilla TCP connect() scanning,
TCP SYN (half open) scanning,
TCP FIN (stealth) scanning,
TCP ftp proxy (bounce attack) scanning,
SYN/FIN scanning using IP fragments (bypasses packet filters),
UDP recvfrom() scanning,
UDP raw ICMP port unreachable scanning,
ICMP scanning (ping-sweep), and
Reverse-ident scanning.

The freely distributable source code is appended to this paper.

Introduction

Scanning, as a method for discovering exploitable communication channels, hasbeen around for ages. The idea is to probe as many listeners as possible, andkeep track of the ones that are receptive or useful to your particular need.Much of the field of advertising is based on this paradigm, and the "to currentresident" brute force style of bulk mail is an almost perfect parallel to whatwe will discuss. Just stick a message in every mailbox and wait for theresponses to trickle back.

Scanning entered the h/p world along with the phone systems. Herewe have this tremendous global telecommunications network, allreachable through codes on our telephone. Millions of numbers arereachable locally, yet we may only be interested in 0.5% of thesenumbers, perhaps those that answer with a carrier.

The logical solution to finding those numbers that interest us isto try them all. Thus the field of "wardialing" arose. Excellentprograms like Toneloc were developed to facilitate the probing ofentire exchanges and more. The basic idea is simple. If you dial anumber and your modem gives you a CONNECT, you record it. Otherwisethe computer hangs up and tirelessly dials the next one.

While wardialing is still useful, we are now finding that many ofthe computers we wish to communicate with are connected throughnetworks such as the Internet rather than analog phone dialups.Scanning these machines involves the same brute force technique. Wesend a blizzard of packets for various protocols, and we deduce whichservices are listening from the responses we receive (or don'treceive).

Techniques

Over time, a number of techniques have been developed for surveying theprotocols and ports on which a target machine is listening. They all offerdifferent benefits and problems. Here is a line up of the most common:

TCP connect() scanning : This is the most basicform of TCP scanning. The connect() system call provided by youroperating system is used to open a connection to every interestingport on the machine. If the port is listening, connect() willsucceed, otherwise the port isn't reachable. One strong advantage tothis technique is that you don't need any special privileges. Anyuser on most UNIX boxes is free to use this call. Another advantageis speed. While making a separate connect() call for every targetedport in a linear fashion would take ages over a slow connection, youcan hasten the scan by using many sockets in parallel. Usingnon-blocking I/O allows you to set a low time-out period and watch allthe sockets at once. This is the fastest scanning method supported bynmap, and is available with the -t (TCP) option. The big downside isthat this sort of scan is easily detectable and filterable. Thetarget hosts logs will show a bunch of connection and error messagesfor the services which take the connection and then have itimmediately shutdown.
TCP SYN scanning : This technique is often referredto as "half-open" scanning, because you don't open a full TCPconnection. You send a SYN packet, as if you are going to open a realconnection and wait for a response. A SYN|ACK indicates the port islistening. A RST is indicative of a non- listener. If a SYN|ACK isreceived, you immediately send a RST to tear down the connection(actually the kernel does this for us). The primary advantage to thisscanning technique is that fewer sites will log it. Unfortunately youneed root privileges to build these custom SYN packets. SYN scanningis the -s option of nmap.
TCP FIN scanning : There are times when even SYNscanning isn't clandestine enough. Some firewalls and packet filterswatch for SYNs to restricted ports, and programs like synlogger andCourtney are available to detect these scans. FIN packets, on theother hand, may be able to pass through unmolested. This scanningtechnique was featured in detail by Uriel Maimon in Phrack 49, article15. The idea is that closed ports tend to reply to your FIN packetwith the proper RST. Open ports, on the other hand, tend to ignorethe packet in question. As Alan Cox has pointed out, this is requiredTCP behavior. However, some systems (notably Micro$oft boxes), arebroken in this regard. They send RST's regardless of the port state,and thus they aren't vulnerable to this type of scan. It works wellon most other systems I've tried. Actually, it is often useful todiscriminate between a *NIX and NT box, and this can be used to dothat. FIN scanning is the -U (Uriel) option of nmap.
Fragmentation scanning : This is not a new scanningmethod in and of itself, but a modification of other techniques.Instead of just sending the probe packet, you break it into a coupleof small IP fragments. You are splitting up the TCP header overseveral packets to make it harder for packet filters and so forth todetect what you are doing. Be careful with this! Some programs havetrouble handling these tiny packets. My favorite sniffer segmentationfaulted immediately upon receiving the first 36-byte fragment. Afterthat comes a 24 byte one! While this method won't get by packetfilters and firewalls that queue all IP fragments (like theCONFIG_IP_ALWAYS_DEFRAG option in Linux), a lot of networks can'tafford the performance hit this causes. This feature is rather uniqueto scanners (at least I haven't seen any others that do this). Thanksto daemon9 for suggesting it. The -f instructs the specified SYN orFIN scan to use tiny fragmented packets.
TCP reverse ident scanning : As noted by DaveGoldsmith in a 1996 Bugtraq post, the ident protocol (rfc1413) allowsfor the disclosure of the username of the owner of any processconnected via TCP, even if that process didn't initiate theconnection. So you can, for example, connect to the http port andthen use identd to find out whether the server is running as root.This can only be done with a full TCP connection to the target port(i.e. the -t option). nmap's -i option queries identd for the ownerof all listen()ing ports.
FTP bounce attack : An interesting "feature" ofthe ftp protocol (RFC 959) is support for "proxy" ftp connections. Inother words, I should be able to connect from evil.com to the FTPserver-PI (protocol interpreter) of target.com to establish thecontrol communication connection. Then I should be able to requestthat the server-PI initiate an active server-DTP (data transferprocess) to send a file ANYWHERE on the internet! Presumably to aUser-DTP, although the RFC specifically states that asking one serverto send a file to another is OK. Now this may have worked well in1985 when the RFC was just written. But nowadays, we can't havepeople hijacking ftp servers and requesting that data be spit out toarbitrary points on the internet. As *Hobbit* wrote back in 1995,this protocol flaw "can be used to post virtually untraceable mail andnews, hammer on servers at various sites, fill up disks, try to hopfirewalls, and generally be annoying and hard to track down at thesame time." What we will exploit this for is to (surprise, surprise)scan TCP ports from a "proxy" ftp server. Thus you could connect toan ftp server behind a firewall, and then scan ports that are morelikely to be blocked (139 is a good one). If the ftp server allowsreading from and writing to a directory (such as /incoming), you cansend arbitrary data to ports that you do find open.
For port scanning, our technique is to use the PORT command to declare thatour passive "User-DTP" is listening on the target box at a certain port number. Then we try to LIST the current directory, and the result is sent over theServer-DTP channel. If our target host is listening on the specified port, thetransfer will be successful (generating a 150 and a 226 response). Otherwisewe will get "425 Can't build data connection: Connection refused." Then weissue another PORT command to try the next port on the target host. Theadvantages to this approach are obvious (harder to trace, potential to bypassfirewalls). The main disadvantages are that it is slow, and that some FTPservers have finally got a clue and disabled the proxy "feature". For what itis worth, here is a list of banners from sites where it does/doesn't work:
*Bounce attacks worked:*
```
220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready.220 xxx.xxx.xxx.edu FTP server ready.220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready.220 lem FTP server (SunOS 4.1) ready.220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready.220 elios FTP server (SunOS 4.1) ready
```
*Bounce attack failed:*
```
220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready.220 xxx.xx.xxxxx.EDU Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7220 ftp Microsoft FTP Service (Version 3.0).220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready.220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.
```
The 'x's are partly there to protect those guilty of running a flawed server,but mostly just to make the lines fit in 80 columns. Same thing with theellipse points. The bounce attack is available with the -b option of nmap. proxy_server can be specified in standard URL format,username:password@server:port , with everything but server being optional.
UDP ICMP port unreachable scanning : Thisscanning method varies from the above in that we are using the UDPprotocol instead of TCP. While this protocol is simpler, scanning itis actually significantly more difficult. This is because open portsdon't have to send an acknowledgement in response to our probe, andclosed ports aren't even required to send an error packet.Fortunately, most hosts do send an ICMP_PORT_UNREACH error when yousend a packet to a closed UDP port. Thus you can find out if a portis NOT open, and by exclusion determine which ports which are.Neither UDP packets, nor the ICMP errors are guaranteed to arrive, soUDP scanners of this sort must also implement retransmission ofpackets that appear to be lost (or you will get a bunch of falsepositives). Also, this scanning technique is slow because ofcompensation for machines that took RFC 1812 section 4.3.2.8 to heartand limit ICMP error message rate. For example, the Linux kernel (innet/ipv4/icmp.h) limits destination unreachable message generation to80 per 4 seconds, with a 1/4 second penalty if that is exceeded. Atsome point I will add a better algorithm to nmap for detecting this.Also, you will need to be root for access to the raw ICMP socketnecessary for reading the port unreachable. The -u (UDP) option ofnmap implements this scanning method for root users.
Some people think UDP scanning is lame and pointless. I usuallyremind them of the recent Solaris rcpbind hole. Rpcbind can be foundhiding on an undocumented UDP port somewhere above 32770. So itdoesn't matter that 111 is blocked by the firewall. But can you findwhich of the more than 30,000 high ports it is listening on? With aUDP scanner you can!
UDP recvfrom() and write() scanning : Whilenon-root users can't read port unreachable errors directly, Linux iscool enough to inform the user indirectly when they have beenreceived. For example a second write() call to a closed port willusually fail. A lot of scanners such as netcat and Pluvius' pscan.cdoes this. I have also noticed that recvfrom() on non-blocking UDPsockets usually return EAGAIN ("Try Again", errno 13) if the ICMPerror hasn't been received, and ECONNREFUSED ("Connection refused",errno 111) if it has. This is the technique used for determining openports when non-root users use -u (UDP). Root users can also use the-l (lamer UDP scan) options to force this, but it is a really dumbidea.
ICMP echo scanning : This isn't really portscanning, since ICMP doesn't have a port abstraction. But it issometimes useful to determine what hosts in a network are up bypinging them all. the -P option does this. ICMP scanning is now inparallel, so it can be quite fast. To speed things up even more, youcan increase the number of pings in parallel with the '-L 'option. It can also be helpful to tweek the ping timeout value with'-T '. nmap supports a host/bitmask notation to makethis sort of thing easier. For example 'nmap -P cert.org/24152.148.0.0/16' would scan CERT's class C network and whatever class Bentity 152.148.* represents. Host/26 is useful for 6-bit subnetswithin an organization. Nmap now also offers a more powerful form.You can now do things like '150.12,17,71-79.7.*' and it will do whatyou expect. For each of the four values, you can either put a singlenumber, a range (with '-'), a comma-separated list of numbers andranges, or a '*' which is just a short cut for 0-255. By default,likely network/broadcast addresses like .0 and .255 are not scanned,but the '-A' option allows you to do this if you wish.

Features

Prior to writing nmap, I spent a lot of time with other scannersexploring the Internet and various private networks (note theavoidance of the "intranet" buzzword). I have used many of the topscanners available today, including strobe by Julian Assange, netcatby *Hobbit*, stcp by Uriel Maimon, pscan by Pluvius, ident-scan byDave Goldsmith, and the SATAN tcp/udp scanners by Wietse Venema.These are all excellent scanners! In fact, I ended up hacking most ofthem to support the best features of the others. Finally I decided towrite a whole new scanner, rather than rely on hacked versions of adozen different scanners in my /usr/local/sbin. While I wrote all thecode, nmap uses a lot of good ideas from its predecessors. I alsoincorporated some new stuff like fragmentation scanning and optionsthat were on my "wish list" for other scanners. Here are some of the(IMHO) useful features of nmap:

dynamic delay time calculations: Some scanners require that yousupply a delay time between sending packets. Well how should I knowwhat to use? Sure, I can ping them, but that is a pain, and plus theresponse time of many hosts changes dramatically when they are beingflooded with requests. nmap tries to determine the best delay timefor you. It also tries to keep track of packet retransmissions,etc. so that it can modify this delay time during the course of thescan. For root users, the primary technique for finding an initialdelay is to time the internal "ping" function. For non-root users, ittimes an attempted connect() to a closed port on the target. It canalso pick a reasonable default value. Again, people who want tospecify a delay themselves can do so with -w (wait), but you shouldn'thave to.
retransmission: Some scanners just send out all the query packets,and collect the responses. But this can lead to false positives ornegatives in the case where packets are dropped. This is especiallyimportant for "negative" style scans like UDP and FIN, where what youare looking for is a port that does NOT respond. In most cases, nmapimplements a configurable number of retransmissions for ports thatdon't respond.
parallel port scanning: Some scanners simply scan ports linearly,one at a time, until they do all 65535. This actually works for TCPon a very fast local network, but the speed of this is not at allacceptable on a wide area network like the Internet. nmap usesnon-blocking i/o and parallel scanning in all TCP and UDP modes. Thenumber of scans in parallel is configurable with the -M (Max sockets)option. On a very fast network you will actually decrease performanceif you do more than 18 or so. On slow networks, high values increaseperformance dramatically.
Flexible port specification: I don't always want to just scan all65535 ports. Also, the scanners which only allow you to scan ports 1- N sometimes fall short of my need. The -p option allows you tospecify an arbitrary number of ports and ranges for scanning. Forexample, '-p 21-25,80,113, 60000-' does what you would expect (atrailing hyphen means up to 65536, a leading hyphen means 1 through).You can also use the -F (fast) option, which scans all the portsregistered in your /etc/services (a la strobe).
Flexible target specification: I often want to scan more then onehost, and I certainly don't want to list every single host on a largenetwork to scan. Everything that isn't an option (or option argument)in nmap is treated as a target host. As mentioned before, you canoptionally append /mask to a hostname or IP address in order to scanall hosts with the same initial bits of the 32 bit IPaddress. You can use the same powerful syntax as the portspecifications to specify targets like '150.12.17.71-79.7.*'. '*' isjust a shortcut for 0-255, remember to escape it from your shell ifused.
detection of down hosts: Some scanners allow you to scan largenetworks, but they waste a huge amount of time scanning 65535 ports ofa dead host! By default, nmap pings each host to make sure it is upbefore wasting time on it. It also does thin in parallel, to speedthings up. You can change the parrallel ping lookahead with '-L' andthe ping timeout with '-T'. You can turn pinging off completely withthe '-D' command line option. This is useful for scanning networkslike microsoft.com where ICMP echo requests can't get through. Nmapis also capable of bailing on hosts that seem down based on strangeport scanning errors. It is also meant to be tolerant of people whoaccidentally scan network addresses, broadcast addresses, etc.
detection of your IP address: For some reason, a lot of scannersask you to type in your IP address as one of the parameters. Jeez, Idon't want to have to 'ifconfig' and figure out my current addressevery time I scan. Of course, this is better then the scanners I'veseen which require recompilation every time you change your address!nmap first tries to detect your address during the ping stage. Ituses the address that the echo response is received on, as that is theinterface it should almost always be routed through. If it can't dothis (like if you don't have host pinging enabled), nmap tries todetect your primary interface and uses that address. You can also use-S to specify it directly, but you shouldn't have to (unless you wantto make it look like someone ELSE is SYN or FIN scanning ahost.

Some other, more minor options:

 -v (verbose): This is highly recommended for interactive use.  Among otheruseful messages, you will see ports come up as they are found, rather thanhaving to wait for the sorted summary list. -r (randomize): This will randomize the order in which the target host'sports are scanned. -q (quash argv): This changes argv[0] to FAKE_ARGV ("pine" by default).It also eliminates all other arguments, so you won't look too suspicious in'w' or 'ps' listings. -h for an options summary. -R show and resolve all hosts, even down ones.

Also look for http://www.dhp.com/~fyodor/nmap/,which is the web site I plan to put future versions and moreinformation on. In fact, you would be well advised to check thereright now. (If that isn't where you are reading this).

ExampleUsage

To launch a stealth scan of the entire class 'B' networks 166.66.0.0 and166.67.0.0 for the popularly exploitable imapd daemon:

# nmap -Up 143 166.66.0.0/16 166.67.0.0/16

To do a standard tcp scan on the reserved ports of host<target>:

> nmap target

To check the class 'C' network on which warez.com sits for popularservices (via fragmented SIN scan):

# nmap -fsp 21,22,23,25,80,110 warez.com/24

To scan the same network for all the services in your /etc/servicesvia (very fast) tcp scan:

> nmap -F warez.com/24

To scan secret.pathetic.net using the ftp bounce attack off offtp.pathetic.net:

> nmap -Db ftp.pathetic.net secret.pathetic.net

To find hosts that are up in the the adjacent class C's 193.14.12,.13, .14, .15, ... , .30:

> nmap -P '193.14.[12-30].*'

If you don't want to have to quote it to avoid shell interpretation,this does the same thing:

> nmap -P 193.14.12-30.0-255