The open ports in your hardware could be critical points of vulnerability if the services exposed to them are misconfigured or unpatched.
Unfortunately, many organizations are currently exposing their sensitive resources through such malicious connections, heightening the risk of ransomware attacks, supply chain attacks, and data breaches.
Fortunately, there are free tools available that can detect all of the open ports in your ecosystem so that you can then assess the level of criticality of each exposure.
In this post, we discuss the 5 best free open port scanners you can start using today to check for open ports in your ecosystem.
Click here to skip ahead to the list of free open port scanners.
What is Open Port Scanning?
Port scanning is the process of analyzing the security of all ports in a network. It involves identifying open ports and also sending data packets to select ports on a host to identify any vulnerabilities in received data.
Such network reconnaissance should be completed regularly to identify and remediate vulnerabilities before they're discovered by cyberattackers.
Port scanners are also used by cybercriminals to garnish vulnerability intelligence about a potential victim before launching a cyberattack.
Because many of these tools are freely accessible, you must assume that cybercriminals are using them to study your open ports. So they cannot be the only security controls protecting your network.
This is why free open port scanners should only be used by network administrators to determine the level of network visibility available to potential cyber attackers. For maximum security, all free port scanners should be supported with additional security solutions.
TCP Port scanners can also help penetration testers determine which specific ports are accepting data so that they can be protected from compromise.
Should Ports Be Open or Closed?
When a port is open, data packets are permitted to flow in and out of your local network through that port. When a port is closed, all the traffic specific to that port is blocked, preventing it from entering the local network.
The status of a port (open or closed) can usually be controlled through a network firewall.
It might seem prudent, therefore, to close all network ports to prevent exploitation. But that would also prevent any devices essential to meeting business objectives from being networked.
For example, in order to facilitate the connection of remote computers to a business network, port 3389 needs to be open and forwarding to each remote device. Without this port in operation, the remote workforce model that's so essential in the world today would not be possible.
Also, emails are sent through the SMTP ports (ports 25, 465, and 587), so they need to be in operation.
Open ports aren't inherently dangerous. Security risks are introduced by the external services that communicate through them. So if a device or vendor linked to a network port has a poor security posture, that open port becomes dangerous and should be closed or filtered.
When the security of connected services can be trusted, their corresponding ports can remain open.
List of Common Network Port Numbers
Every port in a network transports a specific type of network traffic. Each of these ports is assigned a specific number so that they can be easily differentiated.
There are two types of network ports:
- TCP - Transmission Control Protocol
- UDP - User Diagram Protocol
What's the difference between UDP and TCP?
The TCP uses a handshake protocol. TCP also checks each data packet for errors. UDP doesn't include verification, error checking, nor any handshakes. Because of the extra processes, TCP is a slower protocol than UDP.
Port numbers range from 0 - 65,535 forming a total of 65,536 ports. These ports are either TCP, UDP, or a combination of both. Because of this large range, port numbers are ranked by relevance to shorten the list of network options.
Ports 0-1023 are primarily designed for internet connections.
Ports 1024-49151 are 'registered ports' which are designated for exclusive use by registered software corporations and applications.
Ports 49152-65,536 are private ports that can be used by anyone.
For more detailed descriptions of the most common network port numbers, refer to this post.
How Does Open Port Scanning Work?
Port scanners send either a TCP or UDP data packet to a targeted port to request a status report.
There are three possible response options:
- Open - The target responds with a packet indicating it is 'listening.' This means the port is open and actively accepting connections.
- Closed - The target responds with a message indicating that it's in use and unavailable.
- Filtered - The target does not respond. This usually means that the data request packet was filtered out or blocked by a firewall. For maximum security, closed ports should be blocked with a firewall.
There are 5 types of port scanning techniques.
Ping Scan
This is the simplest type of port scan. This type of scan sends a blast of Internet Control Messaging Protocol (ICMP) requests to multiple web servers.
An ICMP reply indicates that data packets can be sent to a targeted IP address without any errors, demonstrating that the target is 'alive.'
A ping scan is usually the first step before an official port scan because it indicates whether a computer is present on the other end.
To prevent external threats from discovering your assets through ping scans, ICMP should be disabled to external traffic through either a firewall or router settings.
ICMP should be left open to internal traffic so that it could still be used for network troubleshooting.
TCP half open scan
This is one of the most common types of port scanning techniques (sometimes referred to as a SYN scan).
A typical TCP transaction is accomplished with a three-step handshake:
- A connection request is made by sending a SYN packet
- The target responds with an ACK packet
- An ACK packet confirms the response has been received.
A TCP half open port scan doesn't send an ACK packet confirmation, and so doesn't complete the final stage of this handshake.
Without closing the loop, only a SYN-ACK data packet response is possible. This response indicates the presence of an open port.
No response is indicative of a filtered port.
Because this type of port scan does not complete a TCP handshake, it's very difficult to detect and rapidly scalable.
Users need a high level of access privilege to run TCP half open scans.
TCP connect scan
A TCP connect port scan, goes a step further than the TCP half open scan and actually completes the TCP connection.
TCP connect scans require lower user privileges to run, making it more accessible to potential threat actors.
But because this scanning technique actually completes TCP connections, they are easily detected by Intrusion Detection Systems (IDS). Intelligent cybercriminals are likely to, therefore, avoid this reconnaissance technique.
UDP
UDP scans are used to identify active services.
For example, you can confirm if a DNS server is hosted on a computer by sending a DNS request packet to port 53 (which is a UDP port). A DNS reply confirms the presence of a DNS server.
XMAS scan
XMAS port scanning methods are used by cybercriminals because they are rarely included in network activity logs and less noticeable by firewalls.
After a TCP 3-way handshake is complete, the client sends a FIN packet to indicate that no more data is available for transfer.
An XMAS scan sends data packets with the FIN flags turned on. No response indicated the pressence of an open port.
An RST response indicated the presence of a closed port.
How Do Cybercriminals Use Port Scanning to Prepare Cyberattacks?
Port scanning is one of the most popular tools used by cyber attackers in reconnaissance campaigns.
Cybercriminals use port scanning to assess the state of security of a prospective victim prior to launching a cyberattack.
The key information they look for includes:
- Whether a firewall is in use.
- If firewall settings are secure.
- If there are any security vulnerabilities in the target network.
- The degree of difficulty required to exploit each vulnerability.
- Whether ports are opened, closed, or filtered.
Port scanning responses reveal whether specific sectors of your network are cooperating with a hacker's prompts. This information can then be used to determine the level of cybersecurity of the targeted region.
Unfortunately, it's not so easy to detect when you're being maliciously targeted with a port scanner. Advanced cybercriminals can use TCP protocol techniques to mask their activity with fake decoy traffic.
5 Free Open Port Checking Tools
Below is a list of the 5 free open port scanning tool. Each listed option is supported with an embedded Youtube tutorial to help you understand how to use the software.
1. Nmap
Nmap (short for Network Mapper) is one of the most popular free open-source port scanning tools available. It offers many different port scanning techniques including TCP half-open scans.
Key features:
- Multiple port scanning techniques.
- Identifies all open ports on targeted servers.
- Operating system detection.
- Discovers network services
- Scans remote ports
- TCP SYN Scanning
- UDP and TCP port scanning.
- Can scan comprehensive networks housing tens of thousands of network devices.
- Supports Mac, Linus, Windows Solaris, OpenBSD, Free BSD, and more.
Download Nmap
Nmap can be downloaded for free by clicking here.
Nmap tutorial
To learn how to scan for open ports with Nmap, refer to the following video tutorial
2. Wireshark
Wireshark is a free network sniffing tool that's used to detect malicious activity in network traffic. This tool can also be used to detect open ports.
Key features:
- Reveals request and reply streams in each port.
- Malicious network discovery.
- Troubleshoots high bandwidth usage.
- Offers multiple data packet filters.
- Allows users to follow and monitor data streams of interest.
Download Wireshark
Wireshark can be downloaded for free by clicking here.
Wireshark tutorial
To learn how to use Wireshark to scan for open ports, refer to the following video tutorial:
3. Angry IP Scanner
Angry IP scanner is a free network scanner offering a suite of network monitoring tools.
Key features:
- Does not need to be installed.
- Resolves hostnames.
- Includes a command-line interface.
- Compatible with Windows, Mac, and Linux.
- Exports scan results in CSV, TXT, XML, and IP-Port list file formats.
Download Angry IP Scanner
Angry IP Scanner can be downloaded for free by clicking here.
Angry IP scanner tutorial
To learn how to use Angry IP scanner to identify open ports, refer to the following video tutorial:
4. NetCat
NetCat is a free port scanning tool that uses the TCP/IP protocol across different connections.
Key features:
- IP address usage detection.
- Port scanning option.
- Tunneling modes for both UDP and TCP.
Download NetCat
NetCat can be downloaded for free by clicking here.
NetCat tutorial
To learn how to use NetCat to identify open ports, refer to the following video tutorial:
5. Advanced IP Scanner
Advanced IP scanner is a windows solution that can analyze IP addresses and ports.
Key features:
- Checks resource availability.
- Ideal for analyzing LAN.
- Auto-detects Mac addresses.
- Can export scan results as CSV files.
- Provides access to resources shared between discovered devices through HTTP, HTTPS, FTP or even shared folders.
- Runs as a portable edition.
Download Advanced IP Scanner
Advanced IP Scanner can be downloaded for free by clicking here.
Advanced IP Scanner tutorial
To learn how to use Advanced IP Scanner to identify open ports, refer to the following video tutorial:
How UpGuard Helps Scan for Open Ports
Though port scanners are capable of discovering security risks, it's a legacy security control. For the most reliable exposure detection, an attack surface management solution like UpGuard should be implemented.
UpGuard continuously scans both the internal and external threat landscape to discover and remediate vulnerabilities before they're exploited by cybercriminals. UpGuard can also detect and shut down data leaks linked to vendors to mitigate the chances of third-party data breaches.
