Open ports are a gateway to your systems. Find the right tools to check which ports are secure, and which ports attackers can exploit.

Top online port scanners and how they work [2024]

James Harrison

In this guide we explain what port scanning is, who uses it and why, and detail some of the most popular online port scanner tools to help you detect open ports and identify the services running on them.

What are ports?

Just like people, computers need a common way to communicate with each other. Today most computers do this through TCP/IP, a set of standardized rules that let them talk to each other on a network like the internet.

Every connection on a TCP/IP network is identified by a combination of source and destination IP addresses and ‘ports’, which together identify the sender and receiver of every message. Think of the port as a room number in an office or apartment building, and the IP address as the street address. This enables communication as if you were sending a letter from one apartment to another, just done electronically (and much faster).

What are open ports?

To enable this communication between computers, ports need to be “open”, which in our apartment analogy means there needs to be someone there to receive the message. In the computer world, when an application or service wants to accept communication, it “opens” a port, which then allows another computer to connect to it.

When the internet was first invented, open ports were common; there was even a port for providing a fingerprint of other ports, which could reveal a lot about the system being investigated!

This isn’t so common today: operating systems are much more tightly locked down by default during installation, and additional ports are opened only as necessary.

However, without ports computers can’t talk to each other, so for the internet to work, they need to be there. Making sure you don’t have ports open that you don’t need is a fundamental part of staying cyber secure, because it reduces the attack surface an attacker can send their exploits to. In our apartment analogy, it’s like not being able to send a booby-trap to an apartment with nobody inside.

What is port scanning?

Put simply, port scanning identifies any ports that are open on a network. Hackers use port scanning to discover where potential vulnerabilities lie before launching an attack. It’s important to note that open ports are not vulnerabilities in themselves; they are fundamentally how the internet works. But each open port is a gateway to your systems, so it’s important to understand how many gateways attackers might be looking at, and whether each one is secure, or supposed to be there at all. For example, an open port could lead to a back-end admin system that is insecurely configured and opens the door to attackers.

For that reason, it’s important to assess your own network regularly, particularly your internet-facing systems, for open ports and services. By knowing what you have exposed, and limiting your attack surface by removing any unused services, you reduce your exposure to a future attack. This is especially true for services which have no vulnerabilities today, but may be affected by one of the nearly 2,000 vulnerabilities which are discovered every day.
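To make concrete what a scan of your own host actually reports, here is an added example (not from the article or from any tool it names): a minimal TCP connect probe in Python that labels a port open, closed or filtered and grabs the banner an open service volunteers. The listener it scans is a constructed stand-in started on localhost, so the whole thing runs offline.

```python
import socket
import threading

def probe_port(host, port, timeout=1.0):
    """TCP connect check for one port. 'open': a service completed the handshake;
    'closed': the host refused (RST); 'filtered': nothing answered before the
    timeout, the usual sign of a firewall silently dropping the SYN."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""
        except socket.timeout:
            return "filtered", b""
        except OSError:                    # e.g. network unreachable: no verdict
            return "unreachable", b""
        try:                               # SSH, SMTP, FTP etc. greet first; the
            banner = s.recv(64)            # banner is how scanners name the service
        except (socket.timeout, OSError):
            banner = b""
        return "open", banner

def scan(host, ports, timeout=1.0):
    return {p: probe_port(host, p, timeout) for p in ports}   # {port: (state, banner)}

def start_fake_service(banner=b"SSH-2.0-ExampleSSH_1.0\r\n"):
    """Constructed stand-in for a real listener: accept one connection, send a
    banner, hang up. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # port 0: the OS picks a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], t

def demo():
    # Scan one open port (the fake service) and one closed port on localhost.
    open_port, t = start_fake_service()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]  # released on exit, so connect is refused
    result = scan("127.0.0.1", [open_port, closed_port])
    t.join(2)
    return result
```

Against a remote host the "filtered" verdict is the one to watch: it means a firewall is in the way, which is the state you want for anything that is not meant to be reachable from the internet.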

What do port scanner tools do?  

There are many port scanning tools that can scan a target IP address (or range of IP addresses) and report back on any ports that are open. Easy to use and readily available, the key information they look for includes:

As a result, port scanning is one of the most popular tactics bad actors use when looking for a vulnerable server, according to the SANS Institute. A port scan provides valuable information about a target environment, including the computers that are online, the applications that are running on them, and potentially details about the system in question and any defenses it may have such as firewalls.

This information can be useful when planning an attack. For example, knowing that an organization is running a particular web or DNS server can allow the attacker to identify potentially exploitable vulnerabilities in that software.  

But just as port scans are key tools for attackers, the results of network and port scanning give you and your security team important indications of your network’s security level, helping you keep your networks and systems safe from attacks. Let’s look at the best port scanners to help you stay ahead of the attackers.

Top online port scanners

Censys

Best for: anyone; it’s an easy-to-use search engine for users who want to check open ports on their targets quickly by searching manually.

Originally built as an academic research project, Censys is a popular tool for its clean, intuitive UI and UX. It's easy for non-technical users to find open ports on their own targets by searching the target IP address. It’s very useful for asset discovery when looking for targets that belong to an organisation based on SSL certificate hostnames or content and other types of service response, continually scanning the entire public IPv4 address space on over 3,500 ports.

Nmap  

Best for: security analysts, engineers and pentesters comfortable with command line tools. Best option for checking if ports are exposed in real time by running your own scans.

Nmap is a dedicated port scanning tool and one of the most popular free tools for network discovery. Run locally on Windows, Mac or Linux, it’s a favourite of system admins as it helps audit the security of local and remote networks. It’s powerful and configurable; however, its command-line (text-based) interface can take time to learn for newcomers. Nmap also includes an extensible scripting engine with community-contributed scripts that check for vulnerabilities, but it is more limited than a dedicated vulnerability scanner.

runZero

Best for: users looking for a commercial solution that monitors open ports, discovers targets and identifies what they are, with a blend of easy-to-use features including asset discovery.

runZero provides asset inventory and network visibility for security teams to discover their managed and unmanaged devices, on-premises and cloud assets, IT and OT infrastructure, endpoints at work and at home. You can augment the inventory with integrations for MDMs, EDRs, cloud service providers, and virtual environments. Big pros of the platform include its flexibility – you can deploy it on any platform or hardware.  

Shodan

Best for: pentesters, security researchers, and threat intelligence analysts.

Shodan was the original, and remains the de facto, choice for finding open ports and services on the internet among pentesters and security researchers. It has a relatively easy-to-use UI and grabs screenshots from systems so you can quickly find exposed RDP services, cameras and IoT devices.

It's important to note that Nmap is a dedicated port scanning tool, while the rest are port scanning search engines or services. Both Censys and Shodan are search engine products which use port scanners under the hood; they're not typically used to run your own scans. To gather this information, these services run port scans on a regular and continuous basis to keep their results up to date.

Our approach to port scanning

While these port scanners are useful for seeing open ports and services on your network, they’re limited when it comes to helping you keep a continuous eye out for changes, or for new ports and services being exposed. If a hacker finds an exploit for a vulnerability, they don't need to scan the whole internet to find vulnerable systems; they can run one query and have a list of targets to hammer.

These port scanners have their uses, especially as part of a broader penetration test, but they also create a database of open ports and services that a hacker can search for open services matching their requirements. This is why a vulnerability scanner like Intruder is important.
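The change detection described above, as an added example that is not part of the original article or of Nmap: it parses two Nmap grepable-output (nmap -oG) scans of the same hosts, a baseline and a later one, and reports ports that have become exposed or have disappeared in between. Both scan outputs are constructed samples using documentation addresses.

```python
import re

# Constructed sample Nmap grepable output (-oG); each port field is written as
# port/state/protocol/owner/service/rpc info/version/.
BASELINE = """\
# Nmap scan initiated (constructed sample, baseline)
Host: 203.0.113.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 3306/closed/tcp//mysql///
"""

TODAY = """\
# Nmap scan initiated (constructed sample, today)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 3306/open/tcp//mysql///
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")   # port, state, proto, service

def parse_open_ports(grepable):
    """Return {host: {(port, proto): service}} for ports Nmap reported open."""
    hosts = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue
        ports = hosts.setdefault(m.group(1), {})
        port_field = line.split("Ports:", 1)[1]
        for port, state, proto, service in PORT_RE.findall(port_field):
            if state == "open":
                ports[(int(port), proto)] = service
    return hosts

def newly_exposed(baseline, current):
    """Ports open now that were not open in the baseline: the change a
    continuous monitor should alert on. Returns (host, port, proto, service)."""
    before, now = parse_open_ports(baseline), parse_open_ports(current)
    findings = []
    for host, ports in now.items():
        for (port, proto), service in ports.items():
            if (port, proto) not in before.get(host, {}):
                findings.append((host, port, proto, service))
    return sorted(findings)

def no_longer_open(baseline, current):
    """Reverse diff: (host, port, proto) open in the baseline but not now."""
    before, now = parse_open_ports(baseline), parse_open_ports(current)
    return sorted((h, p, pr) for h, ports in before.items()
                  for (p, pr) in ports if (p, pr) not in now.get(h, {}))
```

A host that appears for the first time (203.0.113.12 in the sample) shows up as newly exposed ports too, which is how unmanaged assets tend to surface in this kind of diff.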

Intruder identifies open ports and services, as well as 140K+ known vulnerabilities. It uncovers what’s exposed to the internet so you can restrict anything that doesn’t need to be there and reduce your attack surface. With daily scanning, Intruder gives you a fighting chance to identify vulnerabilities before an open port scanner and an opportunist attacker.  

Intruder’s intuitive UI makes it easy to search for open ports and services, with adaptive filters to identify the technologies an attacker could access. It also provides screenshots for web services so you can see what’s hosted on any HTTP(S) services on your network.

Why not put Intruder through its paces today with a free 14-day trial?

| Release date | Level of ideal | Comments |
| --- | --- | --- |
| Before CVE details are published | 🥳 | Limited public information is available about the vulnerability. Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit. Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%. |
| Day of CVE publish | 😊 | Vulnerability information is publicly accessible. Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they previously had to hunt for themselves, speeding up potential exploit creation. Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%. |
| First week since CVE publish | 😐 | Vulnerability information has been publicly available for up to 1 week. The likelihood that exploitation in the wild is happening is steadily increasing. Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%. |
| Between 1 week and 1 month since CVE publish | 🥺 | Vulnerability information has been publicly available for up to 1 month, and some very clever people have had time to craft an exploit. We’re starting to lose some of the benefit of rapid, automated vulnerability detection. Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%. |
| After 1 month since CVE publish | 😨 | Information has been publicly available for more than 31 days. Any detection released a month after the details are publicly available is decreasing in value for me. Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%. |

With this information in mind, I wanted to check what the delay is for both Tenable and Greenbone to release a detection for their scanners. The following section will focus on vulnerabilities which:

These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.

We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.

In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public: Tenable have released checks for 247 CVEs and OpenVAS for 144 CVEs before publication, and since 2010 Tenable have released remote checks for 147 critical CVEs and OpenVAS for 79 critical CVEs on the same day as the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.

Figure 10: Absolute numbers of critical CVEs with a remote check release date from the date a CVE is published

While raw numbers are useful, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of theirs on or before that day.

Figure 11: Percentage chance of delay for critical vulnerabilities

So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.

I thought I’d go a step further and try to identify any trend in each organisation’s release delay: are they getting better year on year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted it. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to checks released no more than 180 days before a CVE was published and no more than 31 days after. These seem to me like reasonable limits, as anything more than 6 months before the CVE details are released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.
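The bucketing used in the table above and the bounded per-year mean described here, carried through on a constructed data set as an added example (not the article’s own analysis code); the bucket edges (days 1 to 7, 8 to 31, over 31) are my reading of the table’s wording, and real CVE ids are deliberately left out.

```python
from datetime import date
from statistics import mean

# Constructed sample: (CVE publish date, remote-check release date). Real CVE ids
# are omitted on purpose; the delay in days is all the analysis needs.
SAMPLE = [
    (date(2019, 3, 1), date(2019, 2, 20)),   # check out 9 days before publish
    (date(2019, 6, 10), date(2019, 6, 10)),  # same day as publish (day 0)
    (date(2019, 9, 5), date(2019, 9, 9)),    # within the first week
    (date(2020, 1, 15), date(2020, 2, 5)),   # between 1 week and 1 month
    (date(2020, 4, 1), date(2020, 6, 1)),    # more than a month later
    (date(2020, 8, 1), date(2019, 8, 1)),    # a year early: outlier for the mean
]

def delay_days(published, released):
    """Negative when the check was available before the CVE was published."""
    return (released - published).days

def bucket(delay):
    """Bucket edges are my reading of the table: 'up to 1 week' is days 1-7,
    'between 1 week and 1 month' is days 8-31, 'after 1 month' is > 31 days."""
    if delay < 0:
        return "before CVE publish"
    if delay == 0:
        return "day of CVE publish"
    if delay <= 7:
        return "first week"
    if delay <= 31:
        return "1 week to 1 month"
    return "after 1 month"

def bucket_shares(rows):
    """Percentage of checks landing in each bucket, like the table's figures."""
    counts = {}
    for published, released in rows:
        b = bucket(delay_days(published, released))
        counts[b] = counts.get(b, 0) + 1
    return {b: round(100 * n / len(rows), 2) for b, n in counts.items()}

def mean_delay_by_year(rows, earliest=-180, latest=31):
    """Mean delay per CVE year, keeping only checks released between 180 days
    before and 31 days after publication so outliers do not swamp the mean."""
    per_year = {}
    for published, released in rows:
        d = delay_days(published, released)
        if earliest <= d <= latest:
            per_year.setdefault(published.year, []).append(d)
    return {y: round(mean(ds), 1) for y, ds in sorted(per_year.items())}
```

On the sample, the one-year-early outlier is dropped from the 2020 mean but still counts as "before CVE publish" in the bucket shares, which is exactly the difference between the two views the article presents.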

What can we take away from Figure 12?

Figure 12: Release delay year-on-year (lower is better)

With the larger number of checks, and still releasing a greater percentage of their remote checks for critical vulnerabilities on or before day 0, Tenable could win this category. However, with OpenVAS having the shorter delay in 2019 and 2020, and the trend lines being so close, I am going to declare this one a tie.

The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.
