
[Net-Sec] What Is Port Scanning?

by Gill Bates 2022. 9. 8.

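Port scanning

The task of checking whether a target's ports are open; it is a preliminary step for analyzing vulnerabilities before an intrusion.

There are several types of port scanning; see the link below.
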

https://itragdoll.tistory.com/59

 


What are the different port scanning techniques?

There are several techniques for port scanning, depending on the specific goal. It’s important to note that cybercriminals will also choose a specific port scanning technique based on their goal, or attack strategy.

Listed below are a few of the techniques and how they work:

  • Ping scans: The simplest port scans are called ping scans. In a network, a ping is used to verify whether or not a network data packet can be distributed to an IP address without errors. Ping scans use Internet Control Message Protocol (ICMP) requests, sending out an automated blast of several ICMP requests to different servers to bait responses. IT administrators may use this technique to troubleshoot, or disable the ping scan by using a firewall, which makes it impossible for attackers to find the network through pings.
  • Half-open or SYN scans: A half-open scan, or SYN (short for synchronize) scan, is a tactic that attackers use to determine the status of a port without establishing a full connection. This scan only sends a SYN message and doesn’t complete the connection, leaving the target hanging. It’s a quick and sneaky technique aimed at finding potential open ports on target devices.
  • XMAS scans: XMAS scans are even quieter and less noticeable by firewalls. For example, FIN packets are usually sent from the server or client to terminate a connection after a TCP 3-way handshake has been established and data has been transferred successfully; the FIN indicates that “no more data is available from the sender.” FIN packets often go unnoticed by firewalls because SYN packets are primarily being looked for. For this reason, XMAS scans send packets with all of the flags, including FIN, expecting no response, which would mean the port is open. If the port is closed, a RST response would be received. The XMAS scan rarely shows up in monitoring logs and is simply a sneakier way to learn about a network’s protection and firewall.
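
From the monitoring side, the half-open and XMAS patterns described above can be picked out of per-packet flag records. The following is an added example, not code from the original post or the Avast article; the record layout, the sample packets, the function name `detect_scans` and the `port_threshold` value are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real traffic), one per packet seen at a sensor:
# (source IP, destination port, TCP flags set by the source). S=SYN A=ACK R=RST
# F=FIN P=PSH U=URG. Addresses are from documentation ranges.
SAMPLE_PACKETS = [
    # Source touching many ports and never finishing a handshake (half-open pattern)
    ("198.51.100.7", 22, "S"), ("198.51.100.7", 80, "S"), ("198.51.100.7", 80, "R"),
    ("198.51.100.7", 443, "S"), ("198.51.100.7", 3389, "S"),
    # Ordinary client: SYN, then ACK completes the handshake, data, orderly close
    ("192.0.2.10", 443, "S"), ("192.0.2.10", 443, "A"),
    ("192.0.2.10", 443, "PA"), ("192.0.2.10", 443, "FA"),
    # Source sending FIN+PSH+URG with no connection at all (XMAS pattern)
    ("203.0.113.5", 25, "FPU"), ("203.0.113.5", 110, "FPU"),
]

def detect_scans(packets, port_threshold=3):
    """Return {source: [findings]} for half-open SYN and XMAS probe patterns.

    port_threshold is an assumed tuning value: the number of distinct ports with
    an unfinished handshake before a source is reported.
    """
    syn_ports = defaultdict(set)   # ports each source opened with a bare SYN
    completed = defaultdict(set)   # ports where that source later sent the final ACK
    findings = defaultdict(set)
    for src, dport, flags in packets:
        flagset = set(flags)
        if {"F", "P", "U"} <= flagset:
            # FIN+PSH+URG on one packet is the XMAS probe signature;
            # treated here as suspicious on sight (assumption)
            findings[src].add("xmas")
        elif flagset == {"S"}:
            syn_ports[src].add(dport)
        elif flagset == {"A"} and dport in syn_ports[src]:
            completed[src].add(dport)
    for src, ports in syn_ports.items():
        half_open = ports - completed[src]   # SYN sent, handshake never finished
        if len(half_open) >= port_threshold:
            findings[src].add("syn-scan")
    return {src: sorted(names) for src, names in findings.items()}

if __name__ == "__main__":
    for source, names in detect_scans(SAMPLE_PACKETS).items():
        print(source, names)
```

The threshold trades sensitivity against false positives: a client retrying against a server that is down also leaves unfinished handshakes, so the value should be tuned against normal traffic.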

What type of port scan results can you get from port scanning?

Port scan results reveal the status of the network or server and can be described in one of three categories: open, closed, or filtered.

  • Open ports: Open ports indicate that the target server or network is actively accepting connections or datagrams and has responded with a packet that indicates it is listening. It also indicates that the service used for the scan (typically TCP or UDP) is in use as well.
    Finding open ports is typically the overall goal of port scanning and a victory for a cybercriminal looking for an attack avenue. The challenge for IT administrators is trying to barricade open ports by installing firewalls to protect them without limiting access for legitimate users.
  • Closed ports: Closed ports indicate that the server or network received the request, but there is no service “listening” on that port. A closed port is still accessible and can be useful in showing that a host is on an IP address. IT administrators should still monitor closed ports as they could change to an open status and potentially create vulnerabilities. IT administrators should consider blocking closed ports with a firewall, where they would then become “filtered” ports.
  • Filtered ports: Filtered ports indicate that a request packet was sent, but the host did not respond and is not listening. This usually means that a request packet was filtered out and/or blocked by a firewall. If packets do not reach their target location, attackers cannot find out more information. Filtered ports often respond with error messages reading “destination unreachable” or “communication prohibited.”

https://www.avast.com/business/resources/what-is-port-scanning#mac
