Port scanning is the probing of a computer connected to a network for open TCP
and/or UDP ports. An open port means that a TCP or UDP socket is in the
listening state: a TCP listener will accept any incoming connection on that
port, and a UDP listener will receive any datagram sent to it.
This is useful to an attacker because most common services are tied to a
specific TCP/UDP port. For example Telnet, FTP and HTTP all set up
listening services on well-known ports (23, 21 and 80). These assignments are
maintained by the IANA. Here is the official listing of ports: http://www.iana.org/assignments/port-numbers
Port scanning is a standard technique when you are gathering
information about a network. The set of open ports gives a good picture of
what a network or host is running (its services, and often its operating system).
AATools Windows Port Scanner has the following features:
- supports a wide range of addresses
- flexible port specification
- flexible target specification
- supports scanning from a list of ports
- supports both TCP and UDP scanning
- supports scanning the full range of ports
- detection of down hosts
- resolves hostnames into IP addresses
- allows adding/removing and selecting ports from a list
- scans for ports that are, or may be, used by Trojan/backdoor programs
- scans a list of hostnames contained in a text file
- works on Windows 95, 98, Me, NT, 2000 and XP
Q: Upon running the AATools Port Scanner
against a variety of personally owned systems, I get the feeling that I am
seeing "false positives" in terms of Trojans. For example: Port
1050 - Minicommand, 1095 - RAT, 1090 - Extreme. Am I really seeing
trojans? Or, is it possible that my server has simply opened connections
on these ports for legitimate purposes? (User connections, etc.)
A: AATools Port scanner detects active ports on the target machine and
then it displays some kind of ad-hoc list of port assignments, some of
which are registered assignments, some of which are unregistered uses, and
some of which are just guesses about whether a port might be used by a
Trojan.
Port Description simply shows what trojans and programs are known to
commonly use a particular port. For example, a port description on port 25
shows this: SMTP - Simple Mail Transfer Protocol, RATs: Ajan, Antigen,
Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I
love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email
trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras,
Terminator, WinPC, WinSpy. That doesn't mean that you're infected with all
of those trojans! It just lets you know which trojans and programs have
been known to frequent that port.
If you are dealing with the port scan of a networked Windows machine, you
are more than likely to find active ports in the 1024 - 5000 range, and
this activity is nothing more than a Windows service or a Windows
application using the vacant port for some legitimate function or another.
(I think that most of these functions have to do with drive-mapping and
file sharing services, but I'm not sure.) They may also be ICQ ports.
According to the official RFC, dynamic allocations are technically
supposed to be used only in the very high port ranges, but it seems that
Microsoft has decided instead to use the mid-range values of 1024 ... 5000
for this purpose. (The Microsoft dynamic allocation routine only allocates
a port if it is not already active, therefore it doesn't ever interfere
with, or clobber, any existing services that may be legitimately running
in that range). So if you run the Port Scanner against a Windows machine
and find activity on, say, "Port 1042 -- Bla 1.1 Trojan" do not
be so alarmed. Port 1042 often turns out to be one of the ports that a
Windows server will dynamically use to manage its resources.
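The scanning workflow described at the top of this page (flexible port specification, hostname resolution, TCP probing) and the interpretation problem raised in the answer above (a port label is only a lookup, and ports in the 1024-5000 range are usually ordinary Windows sockets) can both be seen in one small script. What follows is an added example written for this page, not AATools code: a Python TCP connect scanner. PORT_DESCRIPTIONS is a constructed subset of the labels quoted on this page, WINDOWS_DYNAMIC_RANGE is the 1024-5000 range the answer describes (assumed inclusive), and the function names are my own.

```python
# Added example (not AATools code): a small TCP connect scanner in Python that
# mirrors the page's workflow - parse a port specification, resolve the target,
# probe each port, then label open ports the way a "Port Description" would.
# PORT_DESCRIPTIONS is a constructed subset of the labels quoted on this page;
# WINDOWS_DYNAMIC_RANGE is the 1024-5000 range the answer above describes.
import socket
from concurrent.futures import ThreadPoolExecutor

PORT_DESCRIPTIONS = {  # constructed sample, modelled on the page's labels
    21: "FTP",
    23: "Telnet",
    25: "SMTP; RATs known to use it: Ajan, Antigen, EPS, Happy99, Kuang2, ...",
    80: "HTTP",
    1042: "Bla 1.1 Trojan",
    1050: "Minicommand",
    1090: "Extreme",
    1095: "RAT",
}

# Ports older Windows hands out dynamically (assumption: inclusive 1024-5000).
WINDOWS_DYNAMIC_RANGE = range(1024, 5001)


def parse_port_spec(spec):
    """Turn a spec such as '21-25,80,443' into a sorted list of unique ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    bad = sorted(p for p in ports if not 0 < p < 65536)
    if bad:
        raise ValueError("port out of range: %s" % bad)
    return sorted(ports)


def tcp_connect_probe(host, port, timeout=1.0):
    """Full three-way handshake against one port.

    'open'     -> connect() completed (a listener accepted the SYN)
    'closed'   -> the host answered with RST (nothing listening)
    'filtered' -> no answer before the timeout (typical of a firewall drop)
    anything else is reported as an error string.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as e:
            return "error: %s" % (e.strerror or e)


def tcp_connect_scan(target, ports, timeout=1.0, workers=64):
    """Resolve the target once (hostname -> IPv4), then probe ports concurrently."""
    host = socket.gethostbyname(target)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: tcp_connect_probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def describe_port(port):
    """Look the port up as the scanner does, but flag the ephemeral-range caveat."""
    label = PORT_DESCRIPTIONS.get(port, "no description on file")
    if port in WINDOWS_DYNAMIC_RANGE:
        label += " (inside the Windows dynamic 1024-5000 range: probably an ordinary socket, not a trojan)"
    return label


def scan_report(target, spec, timeout=1.0):
    """Return (port, state, description) for every port that is not closed."""
    results = tcp_connect_scan(target, parse_port_spec(spec), timeout)
    return [(p, st, describe_port(p)) for p, st in sorted(results.items()) if st != "closed"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    spec = sys.argv[2] if len(sys.argv) > 2 else "21-25,80,443,1042,1050,1090,1095"
    for port, state, desc in scan_report(target, spec):
        print("%5d/tcp %-9s %s" % (port, state, desc))
```

Run it as `python scanner.py hostname 21-25,80,1024-5000` against a machine you own. A "Bla 1.1 Trojan" hit on port 1042 will come out tagged with the dynamic-range note, which is the point of the answer above: confirm what process owns the socket on the host itself (netstat on the Windows box) before believing the label. UDP is deliberately left out of this example, because a closed UDP port is only inferred from an ICMP port-unreachable reply and an open one often stays silent, so results there are "open|filtered" rather than a clean open/closed verdict.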
See also
Default ports used by some well known Trojan programs.
TCP and UDP port scanning examples