Thursday, March 28, 2013

Port Scan versus Port Sweep

If you're new to network security, you've no doubt heard the terms "port scan" and "port sweep" but may not be sure what the difference is.
A port scan is a scan of one host for one or more ports. For example, someone may scan a server for any of the privileged ports (server ports). Privileged ports are traditionally ports 1-1023 and are called that because under Linux you must have root privileges to bind a process to one of these ports. These days there a number of services that break this model, as the need for more ports has lead to services using high (also known as ephemeral) ports, 1024 and above. Ephemeral ports, also know as client side ports, are mostly used by the client as the source port to initiate a connection to the server on and are chosen by the operating system. The entire port range is 0-65535, though port 0 technically isn't supposed to be used.
A port sweep on the other hand is a scan of multiple hosts for one port. Scanning all the addresses in a 24 bit address space (what used to be called a class C netblock) for port 80 would be an example of a port sweep. In doing reconnaissance, an attacker (or a security admin testing his own systems) may sweep an address space for common open ports, then go back and do a port scan of each system that had an open port to see what all of the offered services are.
Nmap is the most well known of all port scanners and is under constant development and improvement by it's author, who goes by the screen name of Fyodor. His real name is Gordon Lyon (it's not a secret) and you can find nmap at his site, as well as at
Nmap has a large list of parameters and does more than just basic port scanning. It can do OS fingerprinting (trying to determine the operating system of a host by the way it responds to certain network stimuli) and has hundreds of scripts that it's scripting engine uses to do all sorts of discovery.
There is a Windows version of nmap, but if you're serious about getting started in network security you should really have at least one Linux box to do your testing and learning on. Most of the good NetSec tools were written natively for Linux and many of them have no Windows counterpart. (There are a few good Windows tools that don't run on Linux, but not nearly as many as the other way).
So read up on the documents and get started. Just make sure you ONLY scan devices you either own or have permission to scan. If you're scanning at work it's a really good idea to get that permission in writing, from someone who has the authority to grant it.

Blog Archive