Key Points
In this guide we explain what port scanning is, who uses it and why, and detail some of the most popular online port scanner tools to help you detect open ports and identify the services running on them.
What are ports?
Just like people, computers need a common way to communicate with each other. Today most computers do this through TCP/IP, a set of standardized rules that let them talk to each other on a network like the internet.
Any connection made on a TCP/IP network has a combination of source and destination ‘port’, and an IP address, that together identify the sender and receiver of every message. Think of the port as a room number in an office or apartment building, and the IP address as the street address. This enables communication as if you were sending a letter from one apartment to another, just done electronically (and much faster).
What are open ports?
To enable this communication between computers, ports need to be “open”, which in our apartment analogy means there needs to be someone there to receive the message. In the computer world, when an application or service wants to be communicated to, it “opens” a port, which then allows another computer to connect to it.
When the internet was first invented, open ports were common; there was even a port for providing a fingerprint of other ports, which could reveal a lot about the system being investigated!
This isn’t so common today, as operating systems are much more tightly locked down by default during installation, and usually only non-essential ports are opened as necessary.
However, without ports computers can’t talk to each other, so for the internet to work, they need to be there. Making sure that you don’t have open ports when you don’t need them to be is a fundamental part of staying cyber secure by reducing the attack surface where an attacker can send their exploits. In our apartment analogy, it’s like not being able to send a booby-trap to an apartment with nobody inside.
What is port scanning?
Put simply, port scanning identifies any ports that are open on a network. Hackers use port scanning to discover where potential vulnerabilities lie before launching an attack, but it’s important to note that open ports are not vulnerabilities in themselves, they are fundamentally how the internet works, but each open port is a gateway to your systems, so it’s important to understand how many gateways attackers might be looking at – and whether each one is secure, or supposed to be there at all. For example, these could lead to back-end admin systems that are insecurely configured and open the door to attackers.
For that reason, it’s important to assess your own network regularly – particularly your internet facing systems – for open ports and services. By knowing what you have exposed, and limiting your attack surface by removing any unused services, you reduce your exposure to a future attack. This is especially true for services which have no vulnerabilities today, but may be included in one of the nearly 2,000 vulnerabilities which are discovered every day.
What do port scanner tools do?
There are many port scanning tools that can scan a target IP address (or range of IP addresses) and report back on any ports that are open. Easy to use and readily available, the key information they look for includes:
- Whether ports are open, closed or filtered
- Whether there’s a firewall
- If the firewall settings are secure
As a result, port scanning is one of the most popular tactics bad actors use when looking for a vulnerable server, according to the SANS Institute. A port scan provides valuable information about a target environment, including the computers that are online, the applications that are running on them, and potentially details about the system in question and any defenses it may have such as firewalls.
This information can be useful when planning an attack. For example, knowing that an organization is running a particular web or DNS server can allow the attacker to identify potentially exploitable vulnerabilities in that software.
But just as port scans can be used as key tools for attackers, the results of network and port scanning can provide important indications of network security levels for you and your security team to keep your networks and systems safe from attacks. Let’s look at the best port scanners to help you stay ahead of the attackers.
Top online port scanners
Censys
Best for: anyone as it’s an easy-to-use search engine for users looking to check open ports quickly on their targets by manually using a search engine.
Originally built as an academic research project, Censys is a popular tool for its clean, intuitive UI and UX. It's easy for non-technical users to find open ports on their own targets by searching the target IP address. It’s very useful for asset discovery when looking for targets that belong to an organisation based on SSL certificate hostnames or content and other types of service response, continually scanning the entire public IPv4 address space on over 3,500 ports.
Nmap
Best for: security analysts, engineers and pentesters comfortable with command line tools. Best option for checking if ports are exposed in real time by running your own scans.
Nmap is a dedicated port scanning tool and one of the most popular free tools for network discovery. Run locally on Windows, Mac, or Linux, it’s a favourite of system admins as it helps audit the security of local and remote networks. It’s powerful and configurable; however, its command line (text-based) interface can take time to learn for newbies. Nmap also combines an extensible scripting engine that scans for community-contributed vulnerabilities, but is more limited than dedicated vulnerability scanners.
RunZero
Best for: users looking for a commercial solution to monitor open ports and discover targets and what they are with a blend of easy-to-use features including asset discovery
runZero provides asset inventory and network visibility for security teams to discover their managed and unmanaged devices, on-premises and cloud assets, IT and OT infrastructure, endpoints at work and at home. You can augment the inventory with integrations for MDMs, EDRs, cloud service providers, and virtual environments. Big pros of the platform include its flexibility – you can deploy it on any platform or hardware.
Shodan
Best for: pentesters, security researchers, and threat intelligence analysts.
Shodan was the original and de-facto choice for finding open ports and services on the internet for pentesters and security researchers. It has a relatively easy-to-use UI, and grabs screenshots from systems so you can quickly find exposed RDP/cameras/IoT devices.
It's important to note that Nmap is a dedicated port scanning tool, while the rest are port scanning search engines or services. Both Censys and Shodan are search engine products which use port scanners under the hood. They're not typically used to run your own scans. But to gather this information these services run port scans on a regular and continuous basis to keep results up to date.
Our approach to port scanning
While these port scanners are useful to see open ports and services on your network, they’re limited when it comes to helping you keep a continuous eye out for changes, or new ports and services being exposed. If a hacker finds an exploit for a vulnerability, they don't need to scan the whole internet to find vulnerable systems; they can run one query and have a list of targets to hammer.
These port scanners have their uses, especially when used as part of a broader penetration test, but they create a database of open ports/services that a hacker can use to search for open services that match their requirements. This shows the importance of a vulnerability scanner like Intruder.
Intruder identifies open ports and services, as well as 140K+ known vulnerabilities. It uncovers what’s exposed to the internet so you can restrict anything that doesn’t need to be there and reduce your attack surface. With daily scanning, Intruder gives you a fighting chance to identify vulnerabilities before an open port scanner and an opportunist attacker.
Intruder’s intuitive UI makes it easy to search for open ports and services, with adaptive filters to identify the technologies an attacker could access. It also provides screenshots for web services so you can see what’s hosted on any HTTP(S) services on your network.
Why not put Intruder through its paces today with a free 14-day trial?
