Thoughts on ports

By Mark Gibbs
Network World, 11/06/00

In Dr. Intranet last week, the good doctor answered a question about checking for open TCP/IP ports. At Gearhead HQ, we thought it was a good opportunity to expound on some theory and tools related to ports.

To start, for a refresher on ports check out Gearhead's "Toward a better understanding of sockets,". We noted that, "By giving each service process running on a machine a 'port' - a numeric value used to identify the process - a client application can distinguish between, say, a file transfer service and a Web service."

While there are de facto standards for which port numbers are assigned to which services, the majority of servers allow you to select the port number to be used. There are many reasons for doing this, the chief of which is to run multiple servers on the same machine.

For example, on a Windows NT server you might be running Microsoft's Internet Information Server (IIS) and the FTGate mail server from Floosietek (www.floosietek.com - also reviewed in Gearhead's "The quest for the perfect mail server,". IIS will, by default, run on Port 80 so the Web interface for FTGate must run on a different port.

Dr. Intranet mentioned a favorite tool of his for testing whether ports are enabled - Netcat. Netcat is a telnet program originally written for Unix and now ported to Windows 9X/NT that has lots of options and capabilities. While Netcat works great, Gearhead would suggest that if you want to efficiently test whether ports are enabled on a remote machine, you need to use a tool built specifically for the task called a port scanner.

One of the most highly rated port scanners is an open source utility called Nmap (www.insecure.org/.nmap/), but as with most serious network diagnostic tools, there's no Windows implementation - you'll have to run Linux, Free/Net/OpenBSD or Solaris.

Nmap is powerful, and allows you to perform address and port scans in dozens of ways with many options.

Nmap can even identify the operating system in use on a remote machine by analyzing the way the machine responds to TCP/IP requests. This is a technique called "stack fingerprinting," and you can find out more than you wanted to know at www.insecure.org/nmap/nmap-fingerprinting-article.html.

A less powerful but easier-to-use Windows 9X/NT tool that Gearhead has found useful is WS_Ping ProPack from Ipswitch (www.ipswitch.com/Products/WS_Ping/). Not only does WS_Ping perform port scans, it also performs forward and reverse Domain Name System lookups; grabs raw HTML pages; handles SNMP; and performs traceroute, Lightweight Directory Access Protocol, Network Time Protocol, Whois and Finger queries. WS_Ping can also interrogate Windows networking and test connection throughput.

Before you go scanning other people's networks, beware. Most system administrators consider scanning ports to be an overtly hostile act that may presage a hack attempt. The response could be anything from reporting you to your ISP to mounting a counteroffensive such as a SYN flood attack.

Perhaps we'll open a port next week. . . . Send data to gearhead@.gibbs.com.