Port scanner facts for kids

Kids Encyclopedia Facts

A port scanner is like a special tool or program that checks a computer or server to see which of its "doors" (called ports) are open. Think of a computer as a building with many doors. Each door leads to a different service, like a mailroom, a library, or a game room. A port scanner helps you find out which of these doors are open and ready for visitors.

People use port scanners for different reasons. Network administrators (the people who manage computer networks) use them to make sure their networks are safe and that only the right doors are open. But sometimes, people with bad intentions might also use them to find open doors that could have weaknesses, like a door that's unlocked or easy to pick.

A port scan is the process of sending requests to many different ports on a computer to see which ones respond. It's like knocking on many doors to see who answers. This isn't always a bad thing! Most of the time, port scans are just used to discover what services a computer is offering, like if it's running a website or a game server.

To portsweep means to look for a specific open door on many different computers. For example, a computer computer worm that spreads through SQL databases might "portsweep" to find many computers that have their SQL database door (port 1433) open.

Understanding Computer Ports
How Port Scanners Work
Internet Providers and Port Scanning
Security and Port Scanning
Legal Aspects of Port Scanning
See also

Understanding Computer Ports

The internet works using a system called TCP/IP. In this system, every service on a computer has a unique address and a port number. Imagine the address gets you to the right building, and the port number tells you which specific door to use inside that building.

There are over 65,000 possible port numbers, from 1 to 65535. Most common services use specific, well-known port numbers. For example, web browsing usually uses port 80 or 443, and email might use port 25.

Some port scanners only check the most common ports, or ports that are often linked to known weaknesses.

When a port scanner checks a port, it usually gets one of three results:

Open or Accepted: This means the computer replied, and a service is actively listening on that port. The door is open and someone is inside!
Closed or Denied: The computer replied, but it said that connections to that port are not allowed. The door is shut and locked.
Filtered, Dropped, or Blocked: There was no reply from the computer. This often means a firewall or security system is blocking the connection. It's like there's a guard who silently stops you from even knocking on the door.

Open ports can sometimes be a risk. Administrators need to be careful about:

Any security problems with the program running on the open port.
Any security problems with the computer's operating system itself, whether ports are open or closed.

Filtered ports usually don't pose a direct risk because they are blocked.

How Port Scanners Work

Port scanning works by sending special messages to a computer and watching how it responds. Different types of scans send different kinds of messages.

TCP Connect Scan

This is the simplest type of scan. It uses the computer's normal way of connecting to services. If a port is open, the scanner completes a basic connection, then quickly closes it. This method is easy to use because it doesn't need special permissions. However, it can be "noisy" because the services might record the scanner's IP address, and security systems might notice it.

SYN Scan (Half-Open Scan)

A SYN scan is a bit sneakier. Instead of fully connecting, the scanner sends a "SYN" message, which is the first step in making a connection.

If the port is open, the target computer sends back a "SYN-ACK" message (meaning "I got your SYN, and I acknowledge it").
The scanner then immediately sends an "RST" message to close the connection before it's fully established. This is why it's called "half-open."
If the port is closed, the target computer immediately sends an "RST" message.

This method gives the scanner more control and is often less noticeable to the services themselves, as a full connection is never made.

UDP Scan

UDP is a different way computers send data, and it doesn't have a "connection" like TCP. So, UDP scanning is a bit trickier.

If a UDP message is sent to a closed port, the computer usually sends back an "ICMP port unreachable" message. Scanners use this to guess that a port is open if they *don't* get this message back.
However, if a firewall blocks the "unreachable" message, all ports might look open, even if they're not.

A more reliable way is to send specific UDP messages that a service is expected to understand. For example, sending a DNS question to port 53 will get a reply if a DNS server is running there. This helps confirm the port is truly open.

ACK Scan

An ACK scan doesn't tell you if a port is open or closed. Instead, it helps figure out if a port is "filtered" (blocked by a firewall) or "unfiltered." This is useful for understanding how a firewall is set up.

FIN Scan

Some firewalls are designed to detect and block SYN scans. A FIN scan tries to get around this.

It sends a "FIN" message, which is normally used to end a connection.
Closed ports will usually reply with an "RST" message.
Open ports, however, often ignore the FIN message. This difference helps the scanner tell if a port is open without triggering some firewall alarms.

Other Scan Types

There are other, less common scan types, like:

X-mas and Null Scan: These are similar to FIN scans but send packets with different combinations of flags turned on or off.
Protocol Scan: This checks what types of network protocols (like TCP or UDP) are enabled on a computer.
ICMP Scan: This checks if a computer responds to basic network requests, like a "ping."

Internet Providers and Port Scanning

Many Internet service providers (ISPs) don't allow their customers to perform port scans on computers outside their own home networks. This is usually part of the rules you agree to when you sign up for internet service. Some ISPs even block certain types of outgoing requests to specific ports. For example, if your ISP uses a special system for web traffic, a port scan might make it look like port 80 (for websites) is open on every computer, even if it's not.

Security and Port Scanning

The information from a port scan can be used for good things, like checking what's on a network or making sure it's secure. But it can also be used for bad things. Many cyberattacks start with a port scan to find open ports that might have weaknesses. If a computer has a weakness, an attacker might try to send specific data to that open port to cause problems, like gaining unauthorized access or stealing information.

Even though a port scan itself isn't usually harmful, it's often seen as the first step an attacker takes. This is why network administrators take port scans seriously, as they can reveal important information about a computer's setup. While a port scan alone doesn't mean an attack is definitely coming, the risk is much higher if it's combined with a vulnerability scan, which looks for known weaknesses on open ports.

Legal Aspects of Port Scanning

Because the internet is so open, it can be tricky for laws to keep up with new technologies and activities like port scanning. In many places, simply performing a port scan isn't illegal. The legal issue often comes down to whether the person doing the scan had an "intent" to break into a system or gain unauthorized access.

For example, in 2003, a person in Israel was accused of trying to access computer material without permission because they port scanned a website. However, they were found not guilty because the judge ruled that these actions shouldn't be stopped if they are done in a positive way.

On the other hand, in Finland, a teenager was found guilty of attempted computer break-in after port scanning a bank's network in 1998, because they had tried to access a closed network. This shows that the intent behind the scan is very important in legal cases. Some countries, like the UK and Germany, have laws that make it illegal to create or supply tools that are known to be used for computer crimes.