Port scanning is the process of determining which TCP and UDP ports the target is listening on. It is the first step in enumerating the services running on the target. Port scanning can use any number of techniques. The most straightforward is simply to connect to the service on its listening port using a standard TCP three-way handshake. Once the connection is established, the scanner sends a TCP RST (reset) to the server to tear it down, logs the port as open, and moves on to the next port. If the scanned port is UDP-based, the scanner instead attempts to elicit a reaction from the listening service, which may or may not respond. UDP services are much more difficult to fingerprint, because UDP has no handshake process.
Port scanners can try every single port (1 through 65535) or a select subset of common ports. Most port scanners allow you to choose which ports you wish to scan. The results of a port scan can give insights into the type of computer you are connecting to, including its operating system and available services. Some ports are specific to a particular operating system. For example, TCP 135 is only seen on Microsoft computers, whereas TCP 111 is usually only seen on Linux/Unix (*nix) computers. (A notable exception is when a Windows server is running Services for Unix.) This is because they are used by their respective operating systems to map incoming client requests to the desired remote-procedure-call-based service. If you see either of these running on the other operating system, you are likely looking at a decoy. Most of the other ports can appear on either operating system if the proper service or application is installed.
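The connect scan and the 135/111 heuristic just described, as an added example that is not part of the original text. The target host (127.0.0.1), port list and timeout are assumptions; the listener and closed-port helpers exist only so the scan can be exercised offline against your own machine.

```python
import socket
import struct
from contextlib import closing

# Added example, not from the original text: a minimal TCP connect scanner plus
# the OS heuristic described above (TCP 135 => Windows, TCP 111 => *nix).
# Host, port list and timeout are assumptions; 127.0.0.1 keeps it local.

def tcp_connect_scan(host, ports, timeout=0.5):
    """Return the ports in `ports` that complete the TCP three-way handshake."""
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            # SO_LINGER with a zero timeout makes close() send RST instead of FIN,
            # i.e. the "reset to kill the connection" behaviour described above.
            s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            if s.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                open_ports.append(port)
    return sorted(open_ports)


def guess_os(open_ports):
    """Apply the page's heuristic to a list of open TCP ports."""
    has_135, has_111 = 135 in open_ports, 111 in open_ports
    if has_135 and has_111:
        return "contradictory (possible decoy)"  # both OS-specific mappers: suspicious
    if has_135:
        return "Windows"
    if has_111:
        return "*nix"
    return "unknown"  # no OS-specific evidence in this port list


def local_listener():
    """Open a throwaway listener on 127.0.0.1 (ephemeral port) for offline testing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def closed_port():
    """Bind to port 0 and release it; the number returned is free, hence closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = local_listener()
    found = tcp_connect_scan("127.0.0.1", [srv.getsockname()[1], closed_port()])
    print("open:", found, "guess:", guess_os(found))
    srv.close()
```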
The following table lists some common ports and their services.
| Port Number (TCP unless otherwise specified) | Service |
|---|---|
| 21 | FTP commands |
| 22 | SSH |
| 23 | Telnet |
| 25 | SMTP |
| 53 (can be TCP or UDP) | DNS |
| 80 | HTTP |
| 88 | Kerberos |
| 110 | POP3 |
| 111 (can be TCP or UDP) | *nix portmapper |
| 135 | Microsoft Remote Procedure Call (RPC) |
| 139 | SMB (legacy) |
| 143 | IMAP4 |
| 161 (can be TCP or UDP, but only UDP is currently used) | SNMP |
| 162 (can be TCP or UDP, but only UDP is currently used) | SNMP traps |
| 389 | LDAP |
| 443 | HTTPS |
| 445 | Microsoft-ds (authentication used by SMB) |
| 3389 | RDP |
The following port scan examples compare a Linux machine with a Windows machine. In the Linux scan, note the existence of TCP 111, 139, and 445, and the absence of TCP 135. In the Windows scan, note the existence of TCP 135 and the absence of 111.
Linux:

Windows:
