If you plan on taking the Security+ exam you should have a basic understanding of port scanners. Many blogs on this site include information on ports and port scanners determine what ports are open and in turn, what protocols or services are running on a system. If desired, you can review the following blogs on ports:
- Security+ Ports
- Ports for Network+, Security+, and SSCP Exams
- Protocol IDs for Security+ and SSCP Exams
Note: This blog is an excerpt from the
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide.
A port scanner is a tool used to query a host to determine which ports are open. System administrators use port scanners as part of an overall vulnerability assessment. It is also used as part of an attack, where an attacker tries to learn as much about a server as possible.
A port scanner can help determine what services and protocols are running on a remote system by identifying open ports. Port scanners typically take further steps to verify the port is open.
The port scanner sends queries to ports of interest and analyzes the reply. If a server answers a query on a specific port, the associated service or protocol is likely running on the server. For example, if a server answers a query on port 25, it indicates that port 25 is open. More specifically, it indicates that the server is probably running SMTP. If port 80 is open, HTTP is probably running, and the server may be a web server such as Apache or Microsoft’s Internet Information Services (IIS).
Even though it’s not recommended for services to use ports other than the well-known ports for specific services, it is possible. Because of this, an open port doesn’t definitively say the related service or protocol is running.
The attacker will use other methods for verification. For example, a fingerprinting attack will send specific protocol queries to the server and analyze the responses. These responses can verify that the service is running and will often include other details about the operating system, since different operating systems often respond differently to specific queries.
A common TCP port scan will send a TCP SYN packet to a specific port of a server as part of the TCP three-way handshake. If the server responds with a SYN/ACK packet, the scanner knows the port is open. However, instead of completing the three-way handshake, the scanner sends a RST packet to reset the connection and then repeats the process with a different port.
Other Security+ Study Resources
- Security+ blogs organized by categories
- Security+ blogs with free practice test questions
- Security+ blogs on new performance based questions
- Mobile Apps: Apps for mobile devices running iOS or Android
- Audio Files: (Learn by listening with over 4 1/2 hours of audio on Security+ topics)
- Flashcards: 31 Security+ Topic flashcards and 17 Security+ acronyms flashcards (free samples)
- Quality Practice Test Questions: Over 475 quality Security+ practice test questions with full explanations
- Full Security+ Study Packages: Quality practice test questions, audio, and Flashcards)