Why do hackers scan for open ports?

  • So, whenever you hear of the mean little hackers who hack websites you hear of "port scanning". I understand what it is (looking for all open ports / services on a remote machine), however that begs the question:

    Why would an attacker want to know what ports are open?

    The only reason I see for this is looking for services that may or may not have the default username and password OR a vulnerability or something.

    But seeing as the odds for this are quite low, why do hackers perform port scans? Is it purely for the reason above?

    Rattling door knobs to see what's there (identify services through fingerprinting) and if a lock has been applied (has it been secured) or if the lock is busted (is the service vulnerable). Why? It's easily scriptable, takes little effort.

    Because closed ports are kinda hard to work with...

  • Philipp

    Philipp Correct answer

    5 years ago
    • To run an exploit, an attacker needs a vulnerability.
    • To find a vulnerability, the attacker needs to fingerprint all services which run on the machine (find out which protocol they use, which programs implement them and preferably the versions of those programs).
    • To fingerprint a service, the attacker needs to know that there is one running on a publicly accessible port.
    • To find out which publicly accessible ports run services, the attacker needs to run a port scan.

    As you see, a port scan is the first reconnaissance step an attacker performs before attacking a system.

    The first reconnaissance step is the passive information gathering , port scanning or port grabbing are active information gathering and they came after the passive stage.., just saying

    @Sarastro that does not have to be true at all - one never *needs* to perform passive recon - it can be useful, but is not a required step

    @Schroeder following your logic .. active information gathering isn't the first step eider .., agree with you , the first move its up to the player ..., "The quieter you become, the more you can hear"

    @Sarastro that's also true - there is no required "first step", which makes your initial comment moot. So, I'm completely confused as to what you are trying to say.

    @Schroeder In the first comment I really meant what I said about the passive information , in the second one, I just applied your logic in a socratic way to show the initial point , the port scan is not the first step in the penTest procedure as the answer says, as a matter of fact, i don't think it is right to start the road scanning port

    @Sarastro How do you imagine it possible to passively learn something about a remote system without sending any packets to it?

    @Sarastro Indeed. That would only be possible if you had insider intel on the system, but since script kiddies running Nmap on random hosts don't usually know about your system, active information gathering is their first step.

    @A.Darwin first of all my first comment was trying to say as i agree with Schroeder there is no official first step , its up to the player .., the passive information gathering was an example to show this point, and i recognize there are other many way to do the first move. My argument is with The statement in the answer "As you see, a port scan is the first reconnaissance step an attacker performs before attacking a system."

    @Sarastro I tried to point this out in my answer, but for *some* attackers/pen-testers port scan is the first step right after looking up IP addresses. Their logic is that port scans on the internet happen so unbelievably often that a port scan is low enough noise to *almost* be treated as a passive recon. Obviously there are plenty of situations where this is not true, and attackers will pick a different first step, but many hackers do indeed claim "a port scan from the internet is my first step," so there is some validity in the claim.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM