In this article we will learn about port scanning and SuperScan.
What are port scanning and SuperScan?
Due to the massive expansion of the Internet and Internet-related activity in recent years, there has been an equal expansion of quieter activity that happens out of sight: port scanning, vulnerability scanning, searching for publicly available technical and non-technical information about target organizations, and so on. Many such scans are running on the Internet at any given moment. Most are harmless, but some are performed with malicious intent. This document covers port scanners from soup to nuts: what a port scanner is, port scanning as part of a security assessment, the different scan types, SuperScan 4.1, and port scan detectors.
Port scan definition
As mentioned above, port scanning can be done for malicious or for legitimate purposes. A TCP or UDP port number is a 16-bit value, so there are 65,536 ports (0 to 65535) for each protocol. Ports 0 to 1023 are the well-known ports, reserved by IANA for standard services: for example, port 80 is HTTP, port 21 is FTP, port 25 is SMTP, and so on.
Port scanning is a reconnaissance technique: a host is probed to find out which of its ports are open, that is, which ports have a service listening on them. It involves sending a probe to each port of interest and observing the response (or the lack of one). An open port is not by itself a vulnerability; it reveals a listening service, and it is a flaw or misconfiguration in that service that an attacker exploits, sometimes with enough impact to take down a production environment.
There are many port scanning tools; the best-known are Nmap and SuperScan. Later in this document we will discuss SuperScan 4.1, a Windows port scanner originally written by Foundstone and now distributed by McAfee.
The “good way” to scan ports
Port scanning may be performed as part of an organization's own security assessment in order to find and close exposed services. This is a proactive approach, finding weaknesses before an attacker does, rather than a reactive one after an incident.
A malicious way to perform port scans
Attackers perform the same activity with the opposite goal: by systematically enumerating a target's open ports they locate the listening services to attack, which can lead to a break-in and the theft of the organization's private data.
Port scan statistics
Before getting into the specifics of port scanning, let's first look at some statistics. Port scanning deals with two things, port numbers and IP addresses, so let's establish the basic facts about both.
An IPv4 address is 32 bits long, so there are 2^32 (roughly 4.3 billion) IPv4 addresses in total (figures as of April 2012; see List of countries by IPv4 address allocation). Let's take a look at what the Internet Census 2012 found across those 2^32 addresses.
According to the Internet Census 2012 report (Port scanning /0 using insecure embedded devices):
- "165 million IPs had one or more of the top 150 ports open.
- 36 million of these IP addresses did not respond to ICMP pings.
- 141 million IP addresses only had closed/reset ports and did not respond to ICMP pings."
Next, we'll discuss port scanning as part of an organization's security assessment.
Security assessment and port scanning
Port scanning is the first step of vulnerability scanning, which in turn is part of a security assessment. A security assessment proceeds in these steps:
- Planning
The scope of the security assessment should be planned and approved by senior management.
- Research
Public information about the organization is identified and collected.
- Network service discovery
In this phase we discover the hosts and services that are reachable from the outside; these make up the attack surface an external attacker would target.
- Vulnerability detection
The externally visible servers and hosts are then tested for weaknesses. This is where port scanning takes place: open ports are enumerated and the services behind them identified.
- Verification of perimeter devices
Perimeter devices such as firewalls, routers, IDS and IPS are evaluated to confirm that they are configured and operating according to the organization's standards.
- Remote access
Remote access devices such as VPN concentrators and wireless access points are checked for correct configuration.
- Analysis and documentation of results
This is the last step of the assessment: the findings are documented, with a judgement of whether each vulnerability found actually bypasses the security controls in place. (Stephen Northcutt)
In this post we will only explore the steps that relate most closely to port scanning: public information gathering and vulnerability detection.
Collection of public information
Before looking for exposed ports, it is important to gather as much information as possible from public sources. Two websites are good sources of public information:
- Netcraft.com provides detailed information on "the technologies that power websites" (Netcraft.com). For example, a search for "google.com" on the Netcraft site returns the site report for that domain.
The report shows the IP address, IPv6 address, hosting country, DNS administrator, and other details.
- To find the address ranges allocated to an organization, we next query the ARIN whois database. ARIN stands for American Registry for Internet Numbers; it holds registrations for North America, while RIPE NCC, APNIC, LACNIC and AFRINIC cover the other regions. Note that whois registries are keyed by IP address or organization, not by domain name, so the query is made with the address obtained from Netcraft; it returns the registration record for the network block and the organization that holds it.
Once enough public technical and non-technical information has been gathered, the next step is the vulnerability assessment, and it is in this phase that port scanning takes place.
Different types of scanning
We will next discuss the different port scanning techniques. The list below gives a broad set of them.
Vanilla connect() scanning
This is the simplest technique: the scanner uses the operating system's connect() call to complete a full TCP three-way handshake with each port in turn. A port that completes the handshake is open; a port that answers with a RST is closed; a port that never answers is usually filtered by a firewall. No special privileges are needed, but because a full connection is established, the probe is visible to the service itself (which may log it) as well as to firewalls and IDS at the perimeter.
Both Nmap and SuperScan can perform connect() scans.
Stealth scanning
Because a connect() scan is easily logged, attackers prefer 'stealth' scans, which never complete a connection. A SYN (half-open) scan sends only a SYN and, on receiving a SYN/ACK, tears the connection down with a RST before the handshake finishes, so the application behind the port never sees a connection. FIN, NULL and Xmas scans go further and send packets with unusual flag combinations ("some of the flags are SYN, FIN and NULL"; Surveying Port Scans and Their Detection Methodologies, 2010), relying on the RFC 793 rule that a closed port answers with a RST while an open port stays silent. Windows does not follow that rule and replies with a RST for every port, so these scans report all ports closed on Windows targets. Stealth scans are not invisible: they bypass application-level logging, but any modern firewall or IDS detects them without difficulty. They require raw sockets, and therefore root or administrator rights.
Bounce scanning
This type of scan probes the target indirectly through a third host, so that the target sees the intermediary's address rather than the attacker's. The best-known form uses FTP and is called the 'FTP bounce attack'. The FTP PORT command tells the server which address and port to use for the data connection; a vulnerable (misconfigured) FTP server accepts a PORT command that names an arbitrary third host. The attacker issues PORT for each target port followed by a transfer command such as LIST, and the server's reply reveals whether its data connection to the target succeeded (port open) or failed (port closed). Most FTP servers today refuse PORT commands that name a host other than the client.
UDP scanning
This type of scan finds open UDP ports. UDP has no handshake, so the scanner sends a datagram (empty, or carrying a protocol-specific payload) to each port: an ICMP port unreachable reply means the port is closed, a UDP reply means it is open, and no reply at all means either open or filtered, since a silent service and a firewall drop look the same. Because most hosts rate-limit ICMP unreachable messages, a full UDP scan is much slower than a TCP scan.
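The connect() scan and the UDP scan described above, as an added worked example. This is not code from the original article, from Nmap or from SuperScan; the targets are constructed local sockets (one listening TCP port and one bound UDP port that never answers), so the scan runs offline and the three TCP states and the UDP 'open|filtered' state can be observed directly.

```python
"""TCP connect() and UDP probe scanner (added example, not from the article,
Nmap or SuperScan). Targets are constructed local sockets so it runs offline."""
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_probe(host, port, timeout=0.5):
    """Vanilla connect() scan of one port: completes the full three-way
    handshake, so the probe is visible to the service and to any IDS.
    Returns 'open', 'closed' (RST received) or 'filtered' (no answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # includes the timeout: nothing came back
        return "filtered"
    finally:
        s.close()


def udp_probe(host, port, timeout=0.5, payload=b"\x00"):
    """UDP has no handshake, so the only evidence is what comes back: an ICMP
    port unreachable (surfaced as ECONNREFUSED on a connected UDP socket on
    Linux) means closed, a datagram means open, and silence is 'open|filtered'
    because a firewall drop and a silent service look alike."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def connect_scan(host, ports, workers=50):
    """Scan a range of TCP ports in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, tcp_probe(host, p)), ports))


def start_targets(host="127.0.0.1"):
    """Constructed targets: a listening TCP socket and a bound UDP socket that
    never replies, both on kernel-chosen free ports."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind((host, 0))
    tcp.listen(5)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, 0))
    return tcp, udp


def demo(host="127.0.0.1"):
    """Scan a small window of TCP ports around the constructed listener and
    probe the constructed UDP port. Returns (tcp_port, tcp_results, udp_port,
    udp_state) so the outcome can be checked programmatically."""
    tcp, udp = start_targets(host)
    tcp_port = tcp.getsockname()[1]
    udp_port = udp.getsockname()[1]
    try:
        lo = max(1, tcp_port - 5)
        tcp_results = connect_scan(host, range(lo, tcp_port + 6))
        udp_state = udp_probe(host, udp_port)
    finally:
        tcp.close()
        udp.close()
    return tcp_port, tcp_results, udp_port, udp_state


if __name__ == "__main__":
    tcp_port, results, udp_port, udp_state = demo()
    for p, state in sorted(results.items()):
        print(f"tcp/{p:<5} {state}")
    print(f"udp/{udp_port:<5} {udp_state}")
```

Against a remote host the same code reports 'filtered' wherever a firewall silently drops the SYN, which is why a real scanner also needs a timeout budget per port; the closed ports around the listener answer with a RST immediately, the open one completes the handshake, and the silent UDP socket produces the ambiguous 'open|filtered' verdict that makes UDP scanning slow and unreliable.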
SuperScan 4.1
Now that we have seen the concept of port scanning and how to gather public information, we will actually perform a port scan. We will use SuperScan 4.1, a port scanner, pinger and hostname resolver. While Nmap is a free port scanner available for many operating systems, SuperScan 4.1 is a free Windows-only tool from McAfee, documented for Windows 2000 and XP. Some of its features:
- Fast scanning for open TCP and UDP ports.
- TCP SYN scanning.
- Built-in tools such as ping, ICMP traceroute, whois and DNS zone transfer.
- The list of IP addresses to scan can be read from a file.
- Scan results can be written to an HTML report.
- TCP and UDP banner grabbing. (Super Scan 4.1)
Running SuperScan 4.1
SuperScan 4.1 may not be as popular as Nmap, but it is a capable port scanner with a good feature set. Its one real drawback is that it runs only on Windows. It can be downloaded from McAfee's site (see the reference list).
One important point: SuperScan 4.1 must be run with administrator rights, because SYN scanning, ICMP and its other raw-socket features require them on Windows. Right-click the SuperScan 4.1 executable and choose 'Run as administrator'.
As an example, let us port scan our own computer. The two tabs that matter most for a port scan are 'Host and Service Discovery' and 'Scan'.
Host and service discovery tab
- To scan all TCP and UDP ports from 0 to 65535 on your own computer, open the 'Host and Service Discovery' tab and enter the range 0-65535 in both the UDP and TCP port fields.
- Note: the ports to scan can also be read from a file.
- Next, set the UDP port scan type to 'Data+ICMP' and the TCP port scan type to 'Connect'. A full 0-65535 scan of both protocols takes a long time, UDP especially; narrow the range if you only need the common services.
- Once the 'Host and Service Discovery' tab is configured, switch to the 'Scan' tab to specify the IP address, or range of addresses, to scan.
Enter the IP address or host name of your own computer in the 'Hostname/IP' field. Your IPv4 address can be found with the 'ipconfig' command in a Command Prompt window; locate the IPv4 address in its output and enter it.
Add the address to the scan list and click 'Start'. Progress is shown while the scan runs, and the open ports and any banners grabbed from them are listed as they are found.
The results can also be viewed as an HTML report.
Tools tab
Next, the 'Tools' tab. Once an IP address, host name or URL has been entered, the following actions are available:
- Hostname/IP Lookup
- ICMP Traceroute
- Zone transfer
- HTTP HEAD request
- HTTP GET request
- HTTPS GET request
- CRSNIC Whois IP
- ARIN WhoisIP
- RIPE WhoisIP
- APNIC WhoisIP
These are the main features of the Windows port scanning tool SuperScan 4.1.
Exposure to port scanning is reduced by placing firewalls at critical points of the network and dropping unsolicited traffic to anything that does not need to be reachable. Scanning itself cannot be prevented, but a closed or filtered port gives the scanner nothing to attack.
Scanning the entire IPv4 address space is technically feasible (masscan's documentation claims it can cover the whole space in under six minutes at ten million packets per second), but it is a bad idea unless you own the addresses or have permission: port scan detectors at the targets will block your source addresses and report them for abuse. (masscan)
In conclusion, a brief word on port scan detectors. Where there is a tool to scan ports, there is a tool to detect port scanners; detection is the natural countermeasure. A detector looks for the signature of a scan: one source touching many different ports (or many hosts) within a short time, unlike a normal client, which talks repeatedly to a few. Host firewalls can also hide a machine from scanners; Bitdefender Internet Security (2014), for instance, has a firewall mode that puts all ports on the defensive and makes them invisible from outside by not answering unsolicited probes. (Bitdefender Internet Security (2014))
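The detection idea just described, as an added worked example that is not from the original article or from any product: a sliding-window detector run over constructed firewall log lines. The line format is an assumption, loosely following the column order of a Windows Firewall pfirewall.log (date, time, action, protocol, source IP, destination IP, source port, destination port); the sample contains a fast scanner, a chatty but legitimate client that only ever uses port 443, and a slow scanner that spaces its probes 30 seconds apart.

```python
"""Port-scan detector over firewall log lines (added example, not from the
article or any product). Log lines are constructed; the format is assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed column order, modelled on pfirewall.log:
# date time action protocol src-ip dst-ip src-port dst-port
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>DROP|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)"
)


def parse(lines):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate headers, comments and truncated lines
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        yield ts, m["src"], m["dst"], int(m["dport"])


def detect_scanners(lines, window_s=60, port_threshold=10):
    """Flag a source that touches >= port_threshold distinct destination ports
    within any window_s-second span. Keeps a per-source sliding window of
    (timestamp, port) events; returns {src: max distinct ports seen}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, _dst, dport in parse(lines):
        q = recent[src]
        q.append((ts, dport))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # expire events that fell out of the window
        distinct = len({p for _, p in q})
        if distinct >= port_threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def build_sample_log():
    """Constructed sample: a fast scanner (15 ports in 15 s), a legitimate
    client hammering one port, and a slow scanner (12 ports over 330 s)."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def line(t, src, dport, action="DROP"):
        return (f"{t:%Y-%m-%d %H:%M:%S} {action} TCP {src} 192.0.2.10 "
                f"{40000 + dport} {dport}")

    lines = ["#Fields: date time action protocol src-ip dst-ip src-port dst-port"]
    lines += [line(base + timedelta(seconds=i), "203.0.113.7", p)
              for i, p in enumerate(range(21, 36))]
    lines += [line(base + timedelta(seconds=i), "198.51.100.4", 443, "ALLOW")
              for i in range(20)]
    lines += [line(base + timedelta(seconds=30 * i), "203.0.113.9", p)
              for i, p in enumerate(range(1000, 1012))]
    return lines


if __name__ == "__main__":
    for src, n in detect_scanners(build_sample_log()).items():
        print(f"possible port scan from {src}: {n} distinct ports within 60 s")
```

With the default 60-second window only the fast scanner is flagged: the legitimate client generates twenty events but a single distinct port, and the slow scanner never has more than three probes inside any window. Widening the window to ten minutes catches the slow scanner as well, which is the usual trade-off when tuning such a detector: a wide window and low threshold catch slow scans at the cost of false positives, and a scanner that spreads its probes across many source addresses evades per-source counting altogether.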
We have covered the life cycle of port scanning: the definition, the scan types, port scanning as part of a security assessment, the SuperScan tool, and port scan detectors. Tools with more sophisticated features will keep appearing as the years go by.
References
- Bitdefender Internet Security (2014). Bitdefender.
- List of countries by IPv4 address allocation. Wikipedia.
- Port scanning /0 using insecure embedded devices. Internet Census 2012.
- Northcutt, S., Zeltser, L. Inside Network Perimeter Security.
- SuperScan 4.1. McAfee.com.
- Surveying Port Scans and Their Detection Methodologies (2010).