Top online port scanners
In this article we'll explain what open ports are, why you need to check if they're secure, and list some of the most popular online port scanner tools to help you see what's open and identify the services running on them.
What are ports?
Just like people, computers need a common way to communicate with each other. Today most computers do this through TCP/IP, a set of standardized rules that let them talk to each other on a network like the internet.
Every connection on a TCP/IP network is identified by a source and destination IP address together with a source and destination ‘port’; between them these identify the sender and receiver of every message. Think of the port as a room number in an office or apartment building, and the IP address as the street address. This enables communication much as if you were sending a letter from one apartment to another, just done electronically (and much faster).
What are open ports?
To enable this communication between computers, ports need to be “open”, which in our apartment analogy means there needs to be someone there to receive the message. In the computer world, when an application or service wants to accept connections, it “opens” (listens on) a port, which then allows another computer to connect to it.
When the internet was first invented, open ports were common; there was even a port for providing a fingerprint of other ports, which could reveal a lot about the system being investigated.
This is less common today, as operating systems are more tightly locked down by default during installation, and further ports are usually only opened as they are needed.
However, without ports computers can’t talk to each other, so for the internet to work, they need to be there. Making sure that you don’t have open ports when you don’t need them to be is a fundamental part of staying cyber secure by reducing the attack surface where an attacker can send their exploits. In our apartment analogy, it’s like not being able to send a booby-trap to an apartment with nobody inside.
What is port scanning?
Put simply, port scanning automatically identifies any ports that are open on a network. Hackers use port scanning to discover where potential vulnerabilities lie before launching the next phase of their attack.
It’s important to note that open ports are not vulnerabilities in themselves; they are fundamentally how the internet works. But each open port is a gateway to your systems, so it’s important to understand how many gateways attackers might be looking at, and whether each one is secure, or supposed to be there at all. For example, an open port could lead to a back-end admin system that is insecurely configured and opens the door to attackers.
For that reason, it’s important to assess your own network regularly – particularly your internet-facing systems – for open ports and services. By knowing what you have exposed, and limiting your attack surface by removing any unused services, you reduce your exposure to a future attack. This is especially true for services which have no known vulnerabilities today, but could be affected by one of the over 50 new vulnerabilities discovered every day.
What are port scanner tools?
There are many port scanning tools that can scan a target IP address (or range of IP addresses) and report back on any ports that are open. Easy to use and readily available, the key information they look for includes:
- Whether ports are open, closed or filtered
- Whether there’s a firewall
- If the firewall settings are secure
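As an added example (not code from the article or from any of the tools listed below), here is a minimal TCP connect scan in Python that classifies ports into the three states just listed, open, closed or filtered, and demonstrates it against a throwaway listener on your own machine's loopback interface; the host, port list and timeout are assumptions you would set for your own systems.

```python
import socket
from typing import Dict, List

# Added example for this article, not code from any tool listed on the page:
# a minimal TCP "connect" scan that labels each port open / closed / filtered,
# demonstrated against a throwaway listener on the loopback interface.

def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Open: the TCP handshake completes, so a service is listening.
    Closed: the host answers with RST (connection refused).
    Filtered: nothing comes back before the timeout, which is what a
    firewall that silently drops packets looks like from outside."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            # host/network unreachable: no RST reached us, so report filtered
            return "filtered"

def scan(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port in turn and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}

def start_listener() -> socket.socket:
    """Bind a throwaway listener on loopback (port 0 lets the OS pick a free
    port) so the scan has an open port to find; close it when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv

def free_port() -> int:
    """Pick a loopback port nothing listens on; it should scan as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]

if __name__ == "__main__":
    listener = start_listener()
    targets = [listener.getsockname()[1], free_port()]
    for port, state in scan("127.0.0.1", targets, timeout=0.5).items():
        print(f"127.0.0.1:{port} {state}")
    listener.close()
```

Nmap's -sT option performs the same TCP connect scan; its default -sS SYN scan needs raw-socket privileges.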
Top online port scanners
Let’s look at some of the most widely used online port scanning tools. Some, like Nmap and Advanced Port Scanner, are dedicated port scanners, while others include port scanning as part of a broader, 360° vulnerability management solution.
1. Nmap
Nmap is one of the most popular free tools for port scanning and network discovery. Run locally on Windows, Mac, or Linux, it helps IT admins and developers audit the security of their local and remote networks. Nmap is highly powerful and very configurable; however, its command line (text-based) interface can take time to learn for newbies. Nmap also includes an extensible “scripting engine” with community-contributed scripts that check for vulnerabilities, but it is more limited than most dedicated vulnerability scanners.
Best for: system administrators, network engineers and developers
2. Intruder
Intruder is an online vulnerability scanner that finds cyber security weaknesses in your digital infrastructure, identifying open ports and services, as well as 11,000+ known vulnerabilities. It uncovers what’s exposed to the internet so you can restrict anything that doesn’t need to be there and reduce your attack surface. A simple UI makes it easy to search for open ports and services, with adaptive filters to identify technologies that an attacker can access. It also provides handy screenshots for web services so you can see directly what is hosted on any HTTP(S) services on your network.
Best for: SMEs, start-ups, SaaS businesses and developers
Price: Free 14-day trial, price on website
3. Netcat
Netcat is a networking utility which reads and writes data across network connections using the TCP/IP protocol. It’s designed to be a reliable ‘back-end’ tool that can be used directly or easily driven by other programs and scripts. At the same time, it’s a feature-rich network debugging and exploration tool.
Best for: system administrators and general users
4. Angry IP
Angry IP is a free, open-source network scanner offering a suite of network monitoring tools. It doesn’t need to be installed, runs on Windows, Mac and Linux, and can be extended with Java plugins. It has a command-line interface, and results can be exported in any file format.
Best for: Network administrators in banks and government agencies
5. Advanced Port Scanner
Advanced Port Scanner is another free network scanner that helps you to quickly find open ports on network computers and retrieve versions of programs running on the detected ports. The program has a user-friendly interface and rich functionality but only supports Windows.
Best for: Enterprise-level system or network admins
6. SolarWinds
SolarWinds provides a free port scanner as part of its Engineer Toolset or Network Topology Mapper. It automates network device mapping in your IT infrastructure, including network devices, servers, virtualization hosts and port usage, and will show any network changes.
Best for: security teams and MSPs
Price: Free 30-day trial. Engineer Toolset starts at £1,203.
While free port scanners are useful to help you see ports and services on your network, they’re limited when it comes to helping you keep a continuous eye on changes, or new ports and services that are exposed.
For maximum visibility, commercial attack surface management tools like Intruder provide invaluable scheduled daily or weekly scanning, highlighting changes and scanning for over 11,000 vulnerabilities, and integrating with your existing tools and tech stack. With cybercrime showing no signs of slowing down, you can try it for free today.
- Raw CVE Coverage
- Risk Rating Coverage
- Remote Check Types
- Check Publication Lead Time
- Local/Authenticated vs Remote Check Prioritisation
- Software Vendor & Package Coverage
- Headline Vulnerabilities of 2021 Coverage
- Analysis Decisions
Each window below pairs the attacker’s position at that stage with the share of each vendor’s checks released in that window:
- Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit. Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
- Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they previously had to hunt for themselves, speeding up potential exploit creation. Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
- The likelihood that exploitation in the wild is happening is steadily increasing. Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
- We’re starting to lose some of the benefit of rapid, automated vulnerability detection. Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
- Any detection released a month after the details are publicly available is of decreasing value for me. Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.
With this information in mind, I wanted to check what the delay is for both Tenable and Greenbone to release a detection for their scanners. The following section focuses on vulnerabilities which:
- Have a CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after the CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public; Tenable have released checks for 247 CVEs, and OpenVAS have released checks for 144 CVEs. Since 2010, Tenable have also released remote checks for 147 critical CVEs and OpenVAS for 79 critical CVEs on the same day as the vulnerability details were published. The number of checks then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are good, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after the CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.
So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.
I thought I’d go a step further and see if I could identify any trend in each organisation’s release delay: are they getting better year-on-year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted it. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to checks released between 180 days before and 31 days after the CVE was published. These seem to me like reasonable limits, as anything greater than 6 months prior to the CVE details being released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.
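As an added example that is not part of the article’s own analysis, the following Python applies the methodology described above (the CVSSv2 10 / network-exploitable / no-user-interaction filter, the share of checks out on or before day 0 and within a month, and the mean delay with the 180-days-before / 31-days-after limits) to a constructed set of records; the record fields and the placeholder CVE ids are assumptions, not a real vulnerability feed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import fmean
from typing import Dict, List, Optional

# Added example, not the article's own analysis code: it applies the methodology
# described above to constructed records with placeholder CVE ids. The field
# names are assumptions, not a real vulnerability-feed format.

@dataclass
class Vuln:
    cve: str
    published: date           # day the CVE details were made public
    cvss_v2: float
    access_vector: str        # "NETWORK", "ADJACENT" or "LOCAL"
    user_interaction: bool
    checks: Dict[str, date]   # vendor name -> date its check was released

def is_critical_remote(v: Vuln) -> bool:
    """The article's filter: CVSSv2 10, network-exploitable, no user interaction."""
    return v.cvss_v2 == 10.0 and v.access_vector == "NETWORK" and not v.user_interaction

def check_delays(vulns: List[Vuln], vendor: str) -> List[int]:
    """Days from CVE publication to the vendor's check (negative = check came first)."""
    return [(v.checks[vendor] - v.published).days
            for v in vulns if is_critical_remote(v) and vendor in v.checks]

def share_within(delays: List[int], max_days: int) -> float:
    """Share of checks out no later than max_days after publication (0 = day 0)."""
    return sum(d <= max_days for d in delays) / len(delays) if delays else 0.0

def mean_delay(delays: List[int], lo: int = -180, hi: int = 31) -> Optional[float]:
    """Mean delay with the article's outlier limits: 180 days before / 31 days after."""
    kept = [d for d in delays if lo <= d <= hi]
    return fmean(kept) if kept else None

# Constructed sample: four qualifying CVEs plus one (CVSSv2 9.3) the filter drops.
SAMPLE = [
    Vuln("CVE-EXAMPLE-1", date(2020, 3, 1), 10.0, "NETWORK", False,
         {"tenable": date(2020, 2, 27), "greenbone": date(2020, 3, 1)}),
    Vuln("CVE-EXAMPLE-2", date(2020, 4, 10), 10.0, "NETWORK", False,
         {"tenable": date(2020, 4, 10), "greenbone": date(2020, 4, 12)}),
    Vuln("CVE-EXAMPLE-3", date(2020, 6, 1), 10.0, "NETWORK", False,
         {"tenable": date(2020, 6, 11)}),
    Vuln("CVE-EXAMPLE-4", date(2019, 9, 15), 10.0, "NETWORK", False,
         {"tenable": date(2019, 10, 30), "greenbone": date(2020, 4, 2)}),
    Vuln("CVE-EXAMPLE-5", date(2020, 1, 20), 9.3, "NETWORK", False,
         {"tenable": date(2020, 1, 20), "greenbone": date(2020, 1, 20)}),
]
```

On this sample Tenable has delays of -3, 0, 10 and 45 days (50% on or before day 0, 75% within a month, mean 2.33 days after clipping), while Greenbone's 200-day outlier is excluded from its mean but still counts against its within-a-month share.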
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both, the trendline over the 11-year period is very close, with Tenable marginally beating Greenbone.
- We have yet to have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and still releasing a greater percentage of their remote checks for critical vulnerabilities early, Tenable could win this category. However, with the delay times for 2019 and 2020 going to OpenVAS, and the trendlines being so close, I am going to declare this one a tie.
The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.