Port Scan Attacks: 4 Unbelievable Incident Response Challenges

Port Scan Attacks

Have you heard about Port Scan Attacks and their role in network intrusions?

They are one of the primary methods hackers use to identify vulnerabilities.

Without understanding these attacks, organizations risk having their systems exploited.

That’s why discovering evidence of port scanning activity is crucial for effective incident response.

In this blog post, we’ll look at a real-world example, using a PCAP file from the LetsDefend website to answer 4 important questions about uncovering signs of port scans.

Curious about the tools and methods used to respond to these four incident response challenges?

Check out our related guide: “Malicious Traffic: 9 Unbelievable Web Analysis Challenges.”

Join us as we explore step-by-step how to detect and analyze port scan activity using tools like Wireshark and Brim.

What Is A Port Scan Attack

Let me break down port scan attacks in a way that makes sense. Picture your computer like a house; the ports are all the doors and windows. Now imagine someone walking around, checking which doors and windows are unlocked—that’s basically what a port scan is.

Here’s the deal: Port scanning isn’t always a bad thing. Sometimes, it’s like double-checking your house to ensure everything’s secure. But when someone else does it without your permission? That’s when it starts to feel suspicious and not okay.

How Does a Port Scan Work?

Let’s simplify this for clarity. When a port scan attack occurs, the attacker sends tiny “probes” or “pings” to various ports on your computer. These pings determine whether a port is open, closed, or filtered.

Here’s something to remember: Open ports are like saying, “You, come on in,” closed ports are more like, “No, not today,” and filtered ones are saying, “I’m not even going to respond to you.”

I was testing my network once and mistakenly left a wide-open port. Yes, that was such a beginner’s mistake! After that incident, I made it a habit to check every port and every setting twice to ensure nothing like that ever happens again.

Types of Port Scanning Techniques

There are a few common ways these scans happen. The TCP Connect Scan is like fully opening a door to see what’s inside. On the other hand, the SYN Scan is less apparent—it sends a quick signal to check if a port is open but doesn’t wait for a complete response.

The UDP Scan looks at ports that use the User Datagram Protocol. It’s a slower and trickier process, but it still gets the job done.

Then, there are some scans with strange names like FIN, XMAS, and Null. They’re like prank calls—they can be confusing and tricky.

Here’s a tip: Learn about these scan types to spot them if they’re used on your network. They might be sneaky, but they’re not impossible to block.

Why Are Port Scan Attacks Dangerous?

Here’s the deal: port scan attacks are like someone sneaking around your house to see which doors are unlocked. They’re not breaking in yet but planning their next move. If an attacker spots an open port, they could figure out a way to use it to their advantage.

I remember feeling super annoyed when I noticed an unauthorized scan on my network. I thought, “Hey, what’s going on here? That’s my network!” But I quickly realized the best move was to stay calm and fix the problem instead of freaking out.

Here’s a simple tip: treat every open port like a potential risk. If you’re not using it, close it. Trust me, spending a few minutes now can save you a lot of trouble later.

Legitimate Uses of Port Scanning

Now, not all port scanning is terrible. Sometimes, you do it to make sure your “house” is locked up tight. Security pros and network admins use it for precisely this reason.

Once, I spent hours running scans to find out why a service wasn’t working. It turned out that a port was blocked. Scans are a handy tool when you’re responsible for keeping everything working correctly.

Pro tip: If you’re scanning your stuff, it’s all good. Just don’t go poking around in someone else’s network.

How to Protect Against Port Scan Attacks

Here’s where it gets practical. To stop port scan attacks, you must lock down your system. Use firewalls to block unauthorized scans and close any ports you’re not using.

I figured this out the hard way. I once thought my firewall was correctly configured, but accidentally left a huge gap. Ever since then, I always go back and double-check every setting.

Also, ensure your software is current. Outdated programs may have vulnerabilities that attackers exploit. Don’t provide them an opportunity, okay?

Port Scan Attacks Challenge

What is the IP address scanning the environment?

When I use Wireshark, I start by capturing packets on my network. 

Then, I filter for SYN packets using tcp.flags.syn == 1 && tcp.flags.ack == 0 to find connection attempts. I am looking for an IP, like 10.42.42.253, that is sending these packets to many destinations.

To focus on specific ports, I use filters like tcp.port == 80 (websites) or tcp.port == 389 (directories). Sometimes, I combine filters like tcp.flags.syn == 1 && (tcp.port == 80 || tcp.port == 389). I check for patterns, such as repeated scans from the same IP, and save the filtered packets for later if needed.

A port scan is like checking which doors are open on a computer. One method is the TCP-Connect scan, where the scanning host completes the full three-way handshake.

Another is the TCP-SYN scan, which starts the handshake but stops halfway to avoid detection—though modern tools can still catch it. 

There’s also the ICMP sweep, where a computer sends a message to see who replies. By analyzing traffic, we can figure out which computer is scanning.

What is the IP address found as a result of the scan?

To be honest, I wasn’t entirely sure what the question was asking since there were three other IPs (10.42.42.25, .50, and .56). 

I guessed it was looking for a successful connection from the scanning IP. 

Digging into the logs, I found successful TCP connections on ports 135 (RPC) and 139 (NetBIOS) for 10.42.42.50.

To investigate further, I used the filter tcp.flags.ack==1 && tcp.flags.syn==0 to isolate packets with the ACK flag set.

After analyzing, 10.42.42.50 was the only IP to receive an ACK packet from the scanning IP 10.42.42.253, so I concluded this was the correct answer.

What is the MAC address of the Apple system it finds?

To find this in Wireshark, I started by capturing network packets and applying the filter nbss to isolate NetBIOS Session Service packets. 

These packets were sent to the LAN’s broadcast address, making them easy to spot. I found the device’s NetBIOS name in the NetBIOS Session Service section by examining the packet details. 

Then, in the Ethernet II protocol section, I located the source labeled as “Apple_92:6e:dc.” 

Finally, I matched this source with the MAC address next to the NetBIOS name to confirm the answer.

What is the IP address of the detected Windows system?

To solve this using Wireshark, I started by capturing packets and identifying four IPs: 10.42.42.25, .50, .56, and .253. 

I applied a filter like ip.src == 10.42.42.253 to focus on traffic from the scanning IP. IP .25 was identified as the Apple device through its MAC address and NetBIOS name, and .253 as the scanner by its repeated SYN packets. 

Next, I applied the filter tcp.flags.ack==1 && ip.src==10.42.42.253 to locate successful TCP connections. 

This revealed that .50 was the only device to complete a TCP-Connect handshake, leading me to identify it as the detected Windows system.
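As an added example that is not part of the original post, here is the detection logic behind the four questions above written out in Python over constructed packet records: the SYN-only filter becomes a per-source count of distinct host:port targets, the flag sets from the scan-types section classify bare probes (SYN, FIN, XMAS, NULL), and a three-state tracker finds the host that actually completed a TCP-Connect handshake with the scanner. The IPs mirror the post but the traffic itself is made up, and the (src, dst, service_port, flags) record shape is an assumption of this example, not a Wireshark export format.

```python
from collections import defaultdict

# Constructed sample traffic (not the post's PCAP). Each record is
# (src, dst, service_port, flags): service_port is the scanned port on the
# target side, flags use Wireshark letters S=SYN A=ACK F=FIN P=PSH U=URG R=RST.
PACKETS = [
    ("10.42.42.253", "10.42.42.25", 80, "S"),
    ("10.42.42.253", "10.42.42.25", 389, "S"),
    ("10.42.42.253", "10.42.42.50", 135, "S"),
    ("10.42.42.50", "10.42.42.253", 135, "SA"),
    ("10.42.42.253", "10.42.42.50", 135, "A"),
    ("10.42.42.253", "10.42.42.50", 139, "S"),
    ("10.42.42.50", "10.42.42.253", 139, "SA"),
    ("10.42.42.253", "10.42.42.50", 139, "A"),
    ("10.42.42.253", "10.42.42.56", 22, "S"),
    ("10.42.42.56", "10.42.42.253", 22, "R"),     # closed port answers RST
    ("10.42.42.253", "10.42.42.56", 23, "FPU"),   # XMAS probe
    ("10.42.42.253", "10.42.42.56", 25, ""),      # NULL probe
    ("10.42.42.25", "10.42.42.56", 445, "S"),     # one ordinary client connect
]

PROBES = {frozenset("S"): "SYN", frozenset(): "NULL",
          frozenset("FPU"): "XMAS", frozenset("F"): "FIN"}

def probe_type(flags):
    """Name the scan type a bare probe belongs to, or None for normal traffic."""
    return PROBES.get(frozenset(flags))

def find_scanners(packets, threshold=5):
    """Sources that probed at least `threshold` distinct host:port pairs.
    For SYN probes this is the post's tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    targets = defaultdict(set)
    for src, dst, port, flags in packets:
        if probe_type(flags):
            targets[src].add((dst, port))
    return sorted(s for s, t in targets.items() if len(t) >= threshold)

def completed_handshakes(packets, scanner):
    """(host, port) pairs where scanner sent SYN, host replied SYN/ACK and the
    scanner ACKed: a full TCP-Connect, i.e. the open ports the scanner found."""
    stage, done = {}, set()
    for src, dst, port, flags in packets:
        f = set(flags)
        if src == scanner and f == {"S"}:
            stage[(dst, port)] = 1
        elif dst == scanner and f == {"S", "A"} and stage.get((src, port)) == 1:
            stage[(src, port)] = 2
        elif src == scanner and f == {"A"} and stage.get((dst, port)) == 2:
            done.add((dst, port))
    return sorted(done)
```

On the sample, the scanner is the one source with many distinct targets, and only 10.42.42.50 (ports 135 and 139) reaches the third handshake stage, matching the reasoning in the challenge answers.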

FAQs on Port Scan Attacks and Effective Incident Response

What is port scan and DoS protection?

Port scan and DoS protection refers to security measures that detect and block unauthorized port scans and prevent denial-of-service attacks from overwhelming systems.

What is the purpose of a port scanner?

A port scanner is a tool used to identify open, closed, or filtered ports on a network, helping attackers or security teams assess network vulnerabilities.

Is port scanning an active or passive attack?

Port scanning is considered an active attack because it involves sending packets to network ports to gather information, which can trigger alerts.

What does it mean when a port scan is blocked?

When a port scan is blocked, it indicates that a firewall or intrusion detection system has detected and prevented the scan, safeguarding the network.

Can firewalls block port scanning?

Yes, firewalls can block port scanning by filtering traffic, using intrusion detection systems, and enforcing strict access controls.

Why is port scanning attractive to attackers?

Port scanning helps attackers find vulnerable ports and services, making it easier to exploit weaknesses and gain unauthorized access.

How many types of port scanning are there?

There are several types of port scanning, including TCP connect scan, SYN scan, UDP scan, FIN scan, XMAS scan, and NULL scan, each serving different purposes.

What is the difference between port scan and port sweep?

A port scan targets multiple ports on a single host, while a port sweep scans the same port across multiple hosts to identify devices running a specific service.

Conclusion

Port Scan Attacks can seem tricky, but with the right tools and tips, you can find and stop them before they cause harm.

By learning how to analyze traffic and recognize scan patterns, you can keep your network safe and secure.

Don’t wait to take action—start using these tips to protect your system today.

Empower yourself with these simple strategies and make your network stronger right away.

I remember the first time I found a port scan on my network—it was frustrating, but taking quick action fixed everything.

Check out: “SOC Fundamentals: Mastering Tools, Roles, and Practices.”