Service scan

Last updated

On computer networks, a service scan identifies the available network services by attempting to initiate many sessions to different applications with each device in a target group of devices. This is done by sending session initiation packets for many different applications to open ports on all of the devices specified in the target group of devices. This scan is done across a wide range of TCP, UDP (and other transport layer protocols if desired such as SCTP). A service scanner will identify each device it finds along with the services that it finds on the ports that it scans. [1] [2]

Most user-based network services are intended to be found by users. [3] As an example, a web service may be made available on TCP port 80 on a device. TCP/80 is the standard port for HTTP and users would be able to access the content of that web server, the website, by directing their web browsers to that device where the user would be able to view the home page of the website. However, a web service may be opened on a different port, where different content may be shared. This may be in an attempt to hide some content from ordinary users and only to provide it to users who know how to access the web service on the nonstandard port. A port scan will be able to identify that a port is open on the device, but may not be able to determine what service is being offered on that port. A service scan of that device will be able to determine that the port is open and that it is a web service.

Service scanners can be set to target a single device, but they are more often set to target a large number of devices. For example, a service scanner may be configured to scan a subnet. A service scanner may also be configured to scan standardized, well-known, and otherwise unused ports and will attempt to initiate sessions to many known services for each port. This is different from a port sweep that will only identify open ports, which are assumed to be associated with the default service for that port. The difference is that a port scan and a port sweep will detect that a device has a port open and would assume that the port is associated with the service normally associated with that port. However, a service scanner would verify that the service is actually associated with that port, or would attempt to find and report the application actually associated with that port on the device.

Information security personnel may perform service scans to reduce risk. For example, a service scanner may be configured to only search for Microsoft SQL Servers on TCP ports from 1 to 50,000 on all of the devices in an enterprise private network. If the service scanner only finds the MSSQL service running on known and authorized servers at TCP/1433 (the assigned port) then they can be reasonably sure that there are no unauthorized SQL servers in their network. [4] [5] [6] [7] Tools such as nmap and nessus may be used for this purpose.

On the other hand, a network attacker may use a special type of service scanner, known as a vulnerability scanner, to find devices that have not been patched to find a known vulnerability. [8] An attacker may also use a service scanner to find open administrative ports such as Telnet on TCP/21 and SSH on TCP/22. Once an attacker finds those ports they may then attempt to gain access to those devices by guessing usernames and passwords. [9]

See also

Related Research Articles

<span class="mw-page-title-main">Exploit (computer security)</span> Compromising a computer system

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack. In lay terms, some exploit is akin to a 'hack'.

Telnet is a client/server application protocol that provides access to virtual terminals of remote systems on local area networks or the Internet. Telnet consists of two components: (1) the protocol itself which specifies how two parties to communicate and (2) the software application that provides the service. User data is interspersed in-band with Telnet control information in an 8-bit byte oriented data connection over the Transmission Control Protocol (TCP). Telnet was developed in 1969 beginning with RFC 15, extended in RFC 855, and standardized as Internet Engineering Task Force (IETF) Internet Standard STD 8, one of the first Internet standards. Telnet transmits all information including usernames and passwords in plaintext so it is not recommended for security-sensitive applications such as remote management of routers. Telnet's use for this purpose has waned significantly in favor of SSH. Some extensions to Telnet which would provide encryption have been proposed.

<span class="mw-page-title-main">Proxy server</span> Computer server that makes and receives requests on behalf of a user

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.

In computer security, a DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is protected behind a firewall. The DMZ functions as a small, isolated network positioned between the Internet and the private network.

Unix security refers to the means of securing a Unix or Unix-like operating system. A secure environment is achieved not only by the design concepts of these operating systems, but also through vigilant user and administrative practices.

<span class="mw-page-title-main">Nmap</span> Network scanner

Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.

A port scanner is an application designed to probe a server or host for open ports. Such an application may be used by administrators to verify security policies of their networks and by attackers to identify network services running on a host and exploit vulnerabilities.

<span class="mw-page-title-main">Network security</span> Computer network access control

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.

netcat Computer networking utility

netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection its user could need and has a number of built-in capabilities.

A penetration test, colloquially known as a pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

<span class="mw-page-title-main">Metasploit</span> Computer security testing tool

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7.

In security parlance, the term open port is used to mean a TCP or UDP port number that is configured to accept packets. In contrast, a port which rejects connections or ignores all packets directed at it is called a closed port.

<span class="mw-page-title-main">Idle scan</span>

The idle scan is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer whose network traffic is very slow or nonexistent. This could be an idle computer, called a "zombie".

A dynamic application security testing (DAST) is a non functional testing process where one can assess an application using certain techniques and the end result of such testing process covers security weaknesses and vulnerabilities present in an application. This testing process can be carried out either in manual way or by using automated tools. Manual assessment of an application involves a more human intervention to identify the security flaws which might slip from an automated tool. Usually business logic errors, race condition checks, and certain zero day vulnerabilities can only be identified using manual assessments. On the other side, a DAST tool is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. Unlike static application security testing tools, DAST tools do not have access to the source code and therefore detect vulnerabilities by actually performing attacks.

SAINT is computer software used for scanning computer networks for security vulnerabilities, and exploiting found vulnerabilities.

Network enumeration is a computing activity in which usernames and info on groups, shares, and services of networked computers are retrieved. It should not be confused with network mapping, which only retrieves information about which servers are connected to a specific network and what operating system runs on them. Network enumeration is the discovery of hosts or devices on a network. Network enumeration tends to use overt discovery protocols such as ICMP and SNMP to gather information. It may also scan various ports on remote hosts for looking for well known services in an attempt to further identify the function of a remote host. The next stage of enumeration is to fingerprint the operating system of the remote host.

<span class="mw-page-title-main">Data center security</span> Practices to secure access to a data center

Data center security is the set of policies, precautions and practices adopted at a data center to avoid unauthorized access and manipulation of its resources. The data center houses the enterprise applications and data, hence why providing a proper security system is critical. Denial of service (DoS), theft of confidential information, data alteration, and data loss are some of the common security problems afflicting data center environments.

ZMap is a free and open-source security scanner that was developed as a faster alternative to Nmap. ZMap was designed for information security research and can be used for both white hat and black hat purposes. The tool is able to discover vulnerabilities and their impact, and detect affected IoT devices.

References

  1. "Network Service Discovery}". MITRE. 20 April 2022.
  2. Lyon, Gordon. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Nmap Project. ISBN   978-0979958717.
  3. "Service Name and Transport Protocol Port Number Registry". Internet Assigned Number Authority. 13 March 2023.
  4. "Configure a Server to Listen on a Specific TCP Port". Microsoft Corporation. 3 March 2023.
  5. "Vulnerability Management Standard". West Virginia University. 2 February 2022.
  6. "Non-Standard Ports Are Under Cyberattack". SonicWall. 16 May 2019.
  7. Scarfone, Karen; Souppaya, Murugiah; Cody, Amanda; Orebaugh, Angela. Technical Guide to Information Security Testing and Assessment (PDF) (Technical report). National Institute of Standards and Technology. 800-115.
  8. Souppaya, Murugiah; Scarfone, Karen. Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (PDF) (Technical report). National Institute of Standards and Technology. 800-40r4.
  9. "Scanning". National Institute of Standards and Technology COMPUTER SECURITY RESOURCE CENTER.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.