Port scanner facts for kids
A port scanner is like a special tool that checks computers or servers on a network. It looks for "open doors" called ports. Think of ports as different entrances to a building, where each entrance leads to a different service, like a mailroom or a library.
Computer experts called administrators use port scanners to make sure their network is safe. They check if any doors are open that shouldn't be. Sometimes, people with bad intentions might also use these tools to find open doors and try to get into a computer system.
A port scan is when this tool sends requests to many different ports on one computer to see which ones are active. It's not always a bad thing! Most of the time, people use port scans just to see what services are available on a computer.
To portsweep means to check many different computers for the same specific open door. For example, someone might portsweep to find all computers that have a certain service running, like a special database program.
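Here is an added example (it is not part of the original article) showing how an administrator's security system could tell a port scan from a portsweep by counting connection attempts in a firewall log. The log format, the addresses, and the threshold of 5 are made up for illustration, and all the lines are assumed to come from one short time window.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, documentation IP ranges).
SAMPLE_LOG = (
    # 198.51.100.7 knocks on six different ports of ONE computer: a port scan.
    [f"SRC=198.51.100.7 DST=192.0.2.10 DPT={p}" for p in (21, 22, 23, 80, 443, 3306)]
    # 203.0.113.9 knocks on the SAME port of five computers: a portsweep.
    + [f"SRC=203.0.113.9 DST=192.0.2.{h} DPT=3306" for h in range(20, 25)]
    # 192.0.2.50 is an ordinary client using two services, plus one broken line.
    + ["SRC=192.0.2.50 DST=192.0.2.10 DPT=443",
       "SRC=192.0.2.50 DST=192.0.2.10 DPT=25",
       "this line is damaged and should be skipped"]
)

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+)")

def parse(lines):
    """Yield (source, destination, port) for each well-formed line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and 1 <= int(m.group(3)) <= 65535:  # ignore impossible port numbers
            yield m.group(1), m.group(2), int(m.group(3))

def classify(lines, threshold=5):
    """Return {source: [kinds]} for sources that reach the threshold."""
    ports_per_host = defaultdict(set)  # (source, destination) -> ports tried
    hosts_per_port = defaultdict(set)  # (source, port) -> destinations tried
    for src, dst, port in parse(lines):
        ports_per_host[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    findings = defaultdict(set)
    for (src, _dst), ports in ports_per_host.items():
        if len(ports) >= threshold:      # many ports, one computer
            findings[src].add("port scan")
    for (src, _port), dsts in hosts_per_port.items():
        if len(dsts) >= threshold:       # one port, many computers
            findings[src].add("portsweep")
    return {src: sorted(kinds) for src, kinds in findings.items()}

if __name__ == "__main__":
    for source, kinds in classify(SAMPLE_LOG).items():
        print(source, "->", ", ".join(kinds))
```
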
How Computers Talk: TCP/IP Basics
The internet works using a set of rules called the Internet Protocol Suite, often called TCP/IP. When computers talk to each other, they use a computer's address and a port number. There are many port numbers, from 1 to 65535. Most services, like sending emails or browsing websites, use specific port numbers.
Some port scanners only check the most common ports, or ports that are known to be used by services that might have security issues.
When a port scanner checks a port, it usually gets one of three answers:
- Open or Accepted: This means a service is listening on that port, like a door that's open and someone is ready to greet you.
- Closed or Denied: This means the computer says "no" to connections on that port, like a door that's locked.
- Filtered or Blocked: This means there was no answer from the computer. It's like the door is there, but you can't tell if it's open or closed because something is blocking your view.
Open ports can sometimes be a concern for computer administrators. They need to make sure that the programs using these open ports are secure and stable.
Different Ways to Scan Ports
There are several ways port scanners work, like different ways to knock on a door to see if someone is home.
TCP Connect Scan
This is one of the simplest ways to scan. The scanner tries to fully connect to a port. If the port is open, the connection is made, and the scanner quickly closes it. This method is easy to use because it doesn't need special permissions. However, it can be "noisy," meaning the services might record that someone tried to connect, and security systems might notice it.
SYN Scan (Half-Open Scan)
A SYN scan is a bit sneakier. Instead of fully connecting, the scanner sends a special message called a SYN packet. If the port is open, the computer sends back a SYN-ACK message. But instead of completing the connection, the scanner immediately sends an RST message to close it. This is called "half-open" because the connection is never fully made. If the port is closed, the computer just sends an RST message right away. This method gives the scanner more control and is often less noticeable to the services themselves.
UDP Scan
UDP is another way computers send information, but it's like sending a postcard – you don't get a confirmation that it arrived. So, UDP scanning is a bit harder. If a UDP packet is sent to a port that's not open, the computer usually sends back a message saying the port is unreachable. If there's no message, it might mean the port is open. However, if a firewall is blocking messages, it can be tricky to tell if a port is truly open or just blocked.
Some UDP scanners try to send specific types of messages, like a request for a DNS server on port 53. If a DNS server is there, it will respond, which is a more reliable way to find open ports.
ACK Scan
An ACK scan doesn't tell you if a port is open or closed. Instead, it helps figure out if a port is "filtered" or "unfiltered." This is useful for understanding if a firewall is in place and how it's set up. A simple firewall might let certain types of messages through, while a smarter one might not.
FIN Scan
Firewalls often look for and block SYN packets (used in SYN scans). FIN scans try to get around this. When a FIN packet is sent to a closed port, the computer usually sends back an RST packet. But if the port is open, it often ignores the FIN packet. This behavior can sometimes help a scanner bypass firewalls.
Other Scan Types
There are other, less common ways to scan ports:
- X-mas and Null Scan: These are similar to FIN scans. An X-mas scan sends packets with many flags turned on, like lights on a Christmas tree. A Null scan sends a packet with no flags at all.
- Protocol Scan: This checks what types of communication rules (like TCP or UDP) are active on a computer.
- Proxy Scan: This uses another computer (a proxy) to do the scanning. The target computer will see the proxy's address, not the scanner's.
- Idle Scan: This is a very clever way to scan without revealing your own computer's address, by using another computer that isn't doing much.
- ICMP Scan: This checks if a computer responds to basic network messages, like a "ping" to see if it's online.
Internet Providers and Port Scanning
Many Internet service providers (ISPs) have rules that stop their customers from scanning ports outside their own home networks. These rules are usually part of the agreement you make when you sign up for internet service. Some ISPs also use special filters that prevent certain types of requests from leaving your network. For example, if your ISP has a special setup for web browsing, it might look like port 80 (for websites) is always open, even if it's not on the target computer.
Why Security Matters
The information found by a port scan can be used for good things, like checking a network's safety or keeping track of what's on a network. However, it can also be used to try and break into computer systems. Many attacks start with a port scan to find open ports and then try to send specific data to cause problems. This could lead to important information being lost or stolen.
A port scan is often seen as the first step in a potential attack, so it's taken seriously because it can reveal a lot about a computer system. But just a port scan by itself usually doesn't cause harm. The risk is much higher when a port scan is combined with a vulnerability scan, which looks for known weaknesses in software.
Legal Side of Port Scanning
Because the internet is so open, it has been tricky for lawmakers to create clear rules about what is allowed and what is not. Cases involving port scanning are an example of these difficulties. When these cases go to court, the main question is usually whether the person doing the scan intended to break in or gain unauthorized access, not just that they performed a scan.
For example, in 2003, a person in Israel was accused of trying to get unauthorized access to a website by port scanning it. They were found not guilty because the judge said that these actions shouldn't be stopped if they are done in a positive way.
However, in Finland in 2003, a 17-year-old was found guilty of attempted computer break-in after port scanning a bank's network in 1998. They had tried to get into a closed network but failed. They had to pay a large amount for the bank's investigation costs.
Some countries, like the UK and Germany, have laws that make it illegal to create or provide tools that are designed to be used for computer crimes. However, experts sometimes criticize these laws for not being clear enough.
United States: Moulton v. VC3
In 1999, in the United States, a person named Scott Moulton was arrested after port scanning servers for Cherokee County, Georgia. His company had a contract to help with the county's security. He scanned the servers to check their safety. He also scanned a web server managed by another company, which led to a legal dispute. In 2000, he was found not guilty. The judge ruled that there was no damage to the network's safety or availability.
See also
- List of TCP and UDP port numbers
- Service scan