1.0 Introduction
Information security is critical for organizations whose information is reachable over a computer network. While network administrators build security controls around an organization's data, attackers and other cyber criminals work just as hard to gain unauthorized entry into the same systems. Port scanning is used by both administrators and attackers, though with different intentions. For administrators it is one of the standard techniques of penetration testing, the practice of legally attempting to break into a system using the same tools and methods a real attacker would use. The principal objective is to bring to light the vulnerabilities that exist in the system so that administrators can devise practical fixes and raise the security level of the system as a whole (Chiem, 2014).
2.0 Port Scanning and attacks
Port scanning of hosts on the internet is constant. Attackers scan Internet Protocol (IP) address ranges to find vulnerable hosts to compromise. For system administrators and other network defenders, detecting port scans is useful because a scan is often the preliminary step to a more serious attack. Distinguishing malicious port scanning from benign scanning is, however, a hard problem: in general, a given scan may originate from an attacker or from a network defender (Bhuyan, Bhattacharyya & Kalita, 2012).
Port scanning is one of the most popular reconnaissance techniques attackers use to find services that may let them break into a network. Every machine connected to a network runs services that listen on Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports. A port scan usually does no direct harm; instead it tells the attacker which port(s) are reachable, so that a variety of attacks can be launched against them. System administrators use the same technique to diagnose problems on their own networks. Its legal and ethical status is therefore ambiguous within the computer industry, and it is frequently considered malicious.
Attackers affect the security of an organization by injecting traffic of their own into its network, so some means of defending against such probing is needed. Port scanning by itself does not damage hosts or virtual machines, but it gives the attacker specific information about port status that raises the odds that a subsequent attack succeeds. From a general perspective, port scanning has been equated to theft (Akbarabadi et al., 2013; Sundararajan, 2011).
Various methods of detecting port scans have been proposed for different network environments. Some can be used in cloud computing environments while others apply only to conventional networks. They include the time-independent feature set (TIFS), packet counts combined with a neural network, and fuzzy logic, as well as stepwise policies, IP classification, packet capture, network forensic systems, evolving TCP/IP packets, term frequency-inverse document frequency (TF-IDF), and the Embedded Port Scan Detector (EPSD) (Akbarabadi et al., 2013).
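The simplest of the detection ideas above is the packet-count approach: a source that touches many distinct ports on one destination within a short window is almost certainly scanning. The following is an added example, not code from the paper or from any of the methods it cites. It runs a sliding-window, per-source threshold detector over constructed firewall-style log lines (an iptables-like SRC=/DST=/PROTO=/DPT= format that is an assumption here; the timestamps and addresses are made up).

```python
"""Threshold-based port-scan detector over firewall log lines (added example)."""
import re
from collections import defaultdict, deque

# Constructed sample log: 10.0.0.5 probes eight distinct ports on
# 192.0.2.10 within a few seconds; 10.0.0.9 is an ordinary client.
SAMPLE_LOG = """\
1700000000 SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP DPT=443
1700000001 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=21
1700000001 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=22
1700000001 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=23
1700000002 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=25
1700000002 SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP DPT=443
1700000002 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=80
1700000003 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=110
1700000003 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=143
1700000004 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=443
1700000090 SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP DPT=80
"""

# Assumed log format: "<unix_ts> SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>".
LINE_RE = re.compile(
    r"^(?P<ts>\d+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return (ts, src, dst, proto, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], m["proto"], int(m["dpt"])


def detect_scans(lines, window=60, threshold=5):
    """Return {(src, dst): alert_ts} for every source that contacted at least
    `threshold` distinct (proto, port) pairs on one destination within any
    `window`-second span.  A per-(src, dst) deque holds the recent events and
    is trimmed from the left as time advances, giving a sliding window."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        ts, src, dst, proto, dport = rec
        key = (src, dst)
        q = recent[key]
        q.append((ts, proto, dport))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {(p, d) for _, p, d in q}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = ts  # record the first time the threshold was crossed
    return alerts


if __name__ == "__main__":
    for (src, dst), ts in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src} against {dst} at t={ts}")
```

Two limitations are worth keeping in mind, and they are exactly what the more elaborate methods cited above try to address: a scanner that spreads its probes over longer than `window` evades the per-window count, and a coordinated scan split across many source addresses never lets any single source reach `threshold`.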
3.0 Types of scans
A port scan is the process of sending packets to a specific IP address or port in order to elicit a response from an active host on the network that reveals the services it offers. Several types of scan are used to probe a networked host for weaknesses, including stealth scans, SOCKS port probes, bounce scans, TCP scans and UDP scans (Bhuyan, Bhattacharyya, & Kalita, 2012).
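The definition above (send a probe, interpret the response) is easiest to see in a TCP connect() scan, which uses the operating system's ordinary socket API and therefore completes the full three-way handshake for every open port. The following is an added example, not code from the cited paper or from any scanner. It classifies each port from the socket outcome and, to stay runnable offline, demonstrates itself against a listener it opens on the loopback address; the host, port list and timeout values are assumptions.

```python
"""TCP connect() port scanner (added example; scans 127.0.0.1 in the demo)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"            # target answered with RST
    except (socket.timeout, TimeoutError):
        return "filtered"          # no answer at all: typically dropped by a firewall
    except OSError:
        return "filtered"          # unreachable network/host, treated the same way


def scan_ports(host, ports, timeout=1.0, workers=32):
    """Probe `ports` concurrently and return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def _start_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port so the demo has one open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return             # socket closed: stop serving
            conn.close()           # accept and immediately drop, like a quiet service

    threading.Thread(target=serve, daemon=True).start()
    return srv


def run_demo():
    """Open one listening port on loopback, pick one port known to be closed,
    scan both and return (results, open_port, closed_port)."""
    srv = _start_listener()
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                    # nothing listens here any more
    results = scan_ports("127.0.0.1", [open_port, closed_port])
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wake the accept() thread
    except OSError:
        pass
    srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, o, c = run_demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} {state}")
```

Because every probe completes the handshake, each open port sees a full connection and the scan shows up in the target's service logs; that visibility is the reason the half-open and stealth scans discussed below were devised.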
UDP Scanning
A UDP scan tries to find open User Datagram Protocol (UDP) ports. Because UDP is connectionless, an open port often sends nothing back, while a closed port normally answers with an ICMP port-unreachable message; the scanner therefore depends on that ICMP reply, which hosts rate-limit and firewalls block easily. UDP scanning is consequently slow and less frequently used by attackers (Bhuyan, Bhattacharyya, & Kalita, 2012).
Stealth Scanning
A stealth scan is designed to evade auditing tools that log only completed TCP connections. It sends TCP packets to the target host with unusual flag combinations, such as FIN only, no flags at all (NULL), or a lone SYN that is never followed by the rest of the handshake (Bhuyan, Bhattacharyya, & Kalita, 2012).
Bounce scanning
An FTP bounce scan takes advantage of a weakness in the File Transfer Protocol itself: the PORT command lets a client ask the FTP server to open a data connection to an arbitrary host and port, so a scanner can probe third parties through the server while the probes appear to come from it. Mail servers and hypertext transfer protocol (HTTP) proxies are other common applications that permit bounce scans (Bhuyan, Bhattacharyya, & Kalita, 2012).
SOCKS port Probe
A SOCKS proxy allows several hosts to share an internet connection. Attackers probe SOCKS ports because a large proportion of users misconfigure them, potentially allowing arbitrary sources and destinations to communicate. A misconfigured proxy lets attackers reach other internet hosts while hiding their true location to avoid being traced (Bhuyan, Bhattacharyya, & Kalita, 2012).
TCP scan
The TCP scan family is favoured by more sophisticated attackers because a half-open (SYN) scan never establishes a connection: it sends a SYN, and if the remote port answers with SYN/ACK the attacker knows it is accepting connections and can tear the exchange down with a RST or proceed immediately to an attack. Because the three-way handshake is never completed, such probes are frequently not recorded by the server's application-level logging. TCP scan variants include the TCP connect() scan, the IP header dump scan and reverse ident scanning, as well as the FIN, SYN, ACK and XMAS scans, among others (Bhuyan, Bhattacharyya, & Kalita, 2012).
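The stealth scan flags described earlier and the half-open exchange described here both come down to crafting a TCP segment with exactly the flag bits one wants and then reading the target's reply. The following is an added example, not code from the cited papers or from any scanner, covering both passages. It builds a 20-byte TCP header with a correct RFC 793 checksum for each scan type (SYN, FIN, NULL, XMAS, ACK), and maps the reply to a port state using the conventional interpretation that Nmap documents (SYN/ACK means open, RST means closed, silence means filtered, or open|filtered for the FIN/NULL/XMAS probes that an open port legitimately ignores). Sending the segment would require a raw socket and root, which the example deliberately does not do; the addresses and port numbers are made up.

```python
"""Crafting TCP scan probes and classifying replies (added example, offline)."""
import socket
import struct

# TCP control bits, the low six bits of byte 13 of the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations used by the scan types discussed in the text.
SCAN_FLAGS = {"SYN": SYN, "FIN": FIN, "NULL": 0, "XMAS": FIN | PSH | URG, "ACK": ACK}


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), shared by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that RFC 793 folds into the TCP checksum."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """Return a 20-byte TCP header (no options, no payload) carrying exactly
    `flags`; this is the probe a raw-socket scanner would hand to the kernel."""
    data_offset = 5 << 4  # five 32-bit words, no options
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset, flags, window, 0, 0)
    csum = inet_checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_flags(segment: bytes) -> int:
    """Extract the control bits from a TCP header."""
    return segment[13] & 0x3F


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """With the checksum field filled in, the sum over pseudo-header + segment is zero."""
    return inet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify_reply(scan_type, reply_flags=None, icmp_unreachable=False):
    """Map the reply to a probe (or its absence) onto a port state.
    reply_flags is the control byte of the reply, or None if nothing came back."""
    if icmp_unreachable:
        return "filtered"                    # a firewall said so explicitly
    if scan_type == "SYN":
        if reply_flags is None:
            return "filtered"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        return "closed" if reply_flags & RST else "unknown"
    if scan_type in ("FIN", "NULL", "XMAS"):
        if reply_flags is None:
            return "open|filtered"           # RFC 793 hosts ignore these on open ports
        return "closed" if reply_flags & RST else "unknown"
    if scan_type == "ACK":
        if reply_flags is None:
            return "filtered"                # stateful firewall dropped the stray ACK
        return "unfiltered" if reply_flags & RST else "unknown"
    raise ValueError("unsupported scan type: %r" % scan_type)


def half_open_step(src_ip, dst_ip, sport, dport, reply_flags=None):
    """One SYN-scan interaction: the probe we send, the inferred state, and the
    RST we send back instead of the final ACK when the port answers SYN/ACK,
    so the three-way handshake is never completed."""
    probe = build_tcp_segment(src_ip, dst_ip, sport, dport, SYN)
    state = classify_reply("SYN", reply_flags)
    teardown = None
    if state == "open":
        teardown = build_tcp_segment(src_ip, dst_ip, sport, dport, RST, seq=1)
    return probe, state, teardown


if __name__ == "__main__":
    for name, bits in SCAN_FLAGS.items():
        seg = build_tcp_segment("192.0.2.1", "192.0.2.10", 40000, 22, bits)
        print(f"{name:5s} flags=0x{tcp_flags(seg):02x} checksum_ok={checksum_ok('192.0.2.1', '192.0.2.10', seg)}")
```

Note the asymmetry in the classification: only the SYN probe can prove a port open, because only it provokes a positive SYN/ACK. The FIN, NULL and XMAS probes rely on the absence of a RST, which is indistinguishable from a dropped packet; that is why a real scanner reports open|filtered for them, and why hosts that send RST to every unexpected segment (Windows, for example) defeat those scan types entirely.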
4.0 Port Scanning Tools
Port scanning tools are utilities for scanning large networks, although they work equally well against a single host. Administrators and users can employ them lawfully to learn about vulnerabilities in their networks. The tools discussed below are SAINT, Nmap and Nessus.
Nessus
The output of the Nessus vulnerability scanner can be used to generate a network vulnerability model. Such a model computes the shortest-path distance between every pair of exploits in an attack graph; these distances are a direct measure of how closely exploits are related and can be used for subsequent online causal correlation of intrusion detection events. Individual paths of events are established from the reachability of the attack graph over the online stream of intrusion events (Taha, 2011). Nessus and Nmap are more powerful than many other tools because they combine fast response times with good coverage. Nessus also offers exploit rules that can be used to collect and correlate network vulnerability information during the discovery phase, and it is one of many penetration testing tools worth considering (Chiem, 2014).
Nessus is a vulnerability scanner that lets network security professionals and administrators audit their networks by scanning ranges of IP addresses and identifying vulnerabilities with a series of plug-ins. It runs on several operating systems, including Windows, Linux, FreeBSD and Solaris. Nessus consists of a server and a client: the server performs the actual scanning, while the client is used to configure and run scans and to view the results. It is a feature-rich application capable of performing more than 10,000 check types through downloadable plug-ins, and it offered the internet community a free, powerful, up-to-date, user-friendly remote security scanner (Chiem, 2014). Note that since version 3 the full product has been commercial, with only a limited free edition available.
Nmap
Nmap is a popular tool for penetration testers and for general-purpose network scanning. It is a network and host scanner that reports ports as open, closed or filtered, combined with the ability to guess the target's operating system from packet signatures. Like Nessus, Nmap runs on a number of operating systems, including Windows, Linux and Mac OS X. It can probe open ports with a wide range of standard TCP packet options and offers a large set of command-line options. Its documentation and online support are also extensive. Moreover, it performs much faster on Linux than on Windows, particularly on large networks with many hosts or ports (Chiem, 2014; Alder et al., n.d.).
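In practice the open/closed/filtered verdicts above are consumed by other tooling rather than read off the screen, and Nmap's XML output (the -oX option) is the stable format for that. The following is an added example, not code from the cited sources or from the Nmap project: a parser that turns an nmaprun document into per-host port records and extracts the open ports. The XML is constructed to follow the element and attribute names Nmap emits (nmaprun, host, address, ports, port, state, service, extraports), but the addresses, timestamps and version string are made up.

```python
"""Parse Nmap XML (-oX) output into per-host port states (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in the nmaprun format; a 1000-port SYN scan where 997
# ports gave no response and three answered.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -oX - 192.0.2.10" start="1700000000" version="7.94">
  <host starttime="1700000000" endtime="1700000004">
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <extraports state="filtered" count="997">
        <extrareasons reason="no-responses" count="997"/>
      </extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" method="table" conf="3"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset" reason_ttl="64"/><service name="https" method="table" conf="3"/></port>
    </ports>
  </host>
  <runstats><finished time="1700000004" elapsed="4.12"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return a list of {addr, state, ports, extraports} dicts, one per host.
    Each entry of `ports` records protocol, port, state, the reason Nmap
    gives for that state (syn-ack, reset, no-response, ...) and service name."""
    root = ET.fromstring(text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmaprun document")
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        ports = []
        for p in host.findall("ports/port"):
            st = p.find("state")
            svc = p.find("service")
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": st.get("state") if st is not None else None,
                "reason": st.get("reason") if st is not None else None,
                "service": svc.get("name") if svc is not None else None,
            })
        extra = host.find("ports/extraports")  # ports collapsed into one state
        hosts.append({
            "addr": addr.get("addr") if addr is not None else None,
            "state": status.get("state") if status is not None else None,
            "ports": ports,
            "extraports": (extra.get("state"), int(extra.get("count"))) if extra is not None else None,
        })
    return hosts


def open_ports(hosts):
    """{address: sorted list of open port numbers} for every host."""
    return {h["addr"]: sorted(p["port"] for p in h["ports"] if p["state"] == "open")
            for h in hosts}


if __name__ == "__main__":
    for addr, ports in open_ports(parse_nmap_xml(SAMPLE_NMAP_XML)).items():
        print(addr, ports)
```

The `reason` attribute is worth keeping: it distinguishes a port that is open because a SYN/ACK came back from one that is merely open|filtered because nothing came back, which matters when deciding what to follow up on. If the XML comes from an untrusted party rather than from one's own scan, parse it with defusedxml instead of xml.etree, since the standard parser is not hardened against entity-expansion attacks.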
SAINT
SAINT (Security Administrator's Integrated Network Tool) is a product of SAINT Corporation, a worldwide leader in vulnerability assessment. SAINT is frequently updated. It combines vulnerability assessment with penetration testing, targets heterogeneous environments using agentless technology, and handles both pre- and post-exploitation activities. At present it supports Linux, and it is expected to run on the Mac in future. SAINT is a penetration testing tool that lets administrators quickly and easily examine the security of a network by running controlled exploits against target machines. It is a fully automated product that exploits vulnerabilities to confirm their existence with undeniable evidence (Chiem, 2014).
SAINT's exploits illustrate how real attackers might go about compromising a system. It can also be used to quantify risks to the system and to let administrators allocate resources efficiently for better protection of information. Its features include seamless integration with the SAINT graphical user interface, a multi-platform exploit library with continuous updates, and ease of use for administering in-house penetration testing (Chiem, 2014).
References
Akbarabadi, A., Zamani, M., Farahmandian, S., Zadeh, J. M., & Mirhosseini, S. M. (2013). An overview on methods to detect port scanning attacks in cloud computing. environment, 1, 22-25.
Alder, V., Burke, J., Keefer, C., Orebaugh, A., Pesce, L., & Seagren, E. S. (n.d.). How to cheat at configuring open source security tools.
Bhuyan, M. H., Bhattacharyya, D. K., & Kalita, J. K. (2012). AOCD: An adaptive outlier based coordinated scan detection approach. International Journal of Network Security, 14(6), 339-351.
Chiem, T. P. (2014). A study of penetration testing tools and approaches (Doctoral dissertation, Auckland University of Technology).
Sundararajan, S., et al. (2011). Preventing insider attacks in the cloud. Advances in Computing and Communications, 488-500.
Taha, A. E. E. (2011). Intrusion detection correlation in computer network using multi-agent system (Doctoral dissertation, Ain Shams University).