CAPEC-300 Detail
Port Scanning
Abstraction: Standard
Domains: Communications, Software
Typical Severity: Low
Parents: 169
Children: 287 301 302 303 304 305 306 307 308
Threats: T60 T65 T80 T258 T273 T288 T291 T302 T334 T392 T407
Tools: 4
An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network.
Although common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports: it also gives the adversary information concerning the firewall configuration. Depending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four port statuses that this type of attack aims to identify: open, closed, filtered, and unfiltered. For strategic purposes it is useful for an adversary to distinguish between an open port that is protected by a filter and a closed port that is not protected by a filter. Making these fine-grained distinctions requires certain scan types. Collecting this type of information tells the adversary which ports can be attacked directly, which must be attacked with filter evasion techniques such as fragmentation or source port scans, and which ports are unprotected (i.e., not firewalled) but aren't hosting a network service. An adversary often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host.
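The description above notes that obtrusive scans stand out through packet volume and system logging. The following added example (not part of the CAPEC entry) shows the defender's side of that observation: a small detector that reads connection-log lines and flags a source that touches many distinct ports on one host within a short window. The log format, the field names, the thresholds and the sample lines are all assumptions constructed for illustration; a real deployment would adapt the parser to its firewall's format. The drop ratio is reported alongside the port count because a legitimate client mostly reaches open ports, whereas a scan also hits closed and filtered ones.

```python
"""Sliding-window port-scan detector over constructed connection-log lines.

Added example, not code from the CAPEC entry. Log format, thresholds and
sample data are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    port: int
    proto: str
    verdict: str  # "accept" or "drop" in this assumed format


# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto> <verdict>".
# 10.0.0.5 probes eight ports in three seconds; 10.0.0.7 is an ordinary client.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 192.0.2.10 22 tcp accept
2024-01-01T10:00:00 10.0.0.5 192.0.2.10 23 tcp drop
2024-01-01T10:00:01 10.0.0.5 192.0.2.10 25 tcp drop
2024-01-01T10:00:01 10.0.0.5 192.0.2.10 80 tcp accept
2024-01-01T10:00:02 10.0.0.5 192.0.2.10 110 tcp drop
2024-01-01T10:00:02 10.0.0.5 192.0.2.10 443 tcp accept
2024-01-01T10:00:03 10.0.0.5 192.0.2.10 3306 tcp drop
2024-01-01T10:00:03 10.0.0.5 192.0.2.10 8080 tcp drop
2024-01-01T10:00:10 10.0.0.7 192.0.2.10 443 tcp accept
2024-01-01T10:05:00 10.0.0.7 192.0.2.10 443 tcp accept
2024-01-01T10:06:00 10.0.0.7 192.0.2.10 80 tcp accept
"""


def parse_log(text: str) -> List[Event]:
    """Parse the assumed whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, verdict = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(port), proto, verdict))
    return events


def detect_scans(events: List[Event],
                 window: timedelta = timedelta(seconds=60),
                 min_ports: int = 5) -> List[Dict]:
    """Flag (src, dst) pairs where one source hits >= min_ports distinct ports
    within any window of the given length. A time window rather than a raw
    packet count keeps the detector sensitive to bursts while still counting
    slower, spread-out probing that stays inside the window."""
    by_pair: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in events:
        by_pair[(e.src, e.dst)].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the oldest event fits in the window.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            ports = {e.port for e in win}
            if len(ports) >= min_ports and (best is None or len(ports) > best["distinct_ports"]):
                best = {
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(ports),
                    "probes": len(win),
                    "dropped": sum(1 for e in win if e.verdict != "accept"),
                    "first": win[0].ts.isoformat(),
                    "last": win[-1].ts.isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"possible port scan: {alert['src']} -> {alert['dst']}: "
              f"{alert['distinct_ports']} distinct ports, "
              f"{alert['dropped']}/{alert['probes']} probes dropped "
              f"between {alert['first']} and {alert['last']}")
```

On the sample data the detector reports a single alert for 10.0.0.5 (eight distinct ports, five of eight probes dropped) and nothing for 10.0.0.7. Raising `min_ports` or shortening `window` trades sensitivity to slow scans for fewer false positives on busy clients; the page's remark that stealthy scans are harder to detect is exactly this trade-off.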
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-300 | capec | https://capec.mitre.org/data/definitions/300.html | |
| CWE-200 | cwe | http://cwe.mitre.org/data/definitions/200.html | |
| T1046 | ATTACK | https://attack.mitre.org/wiki/Technique/T1046 | Network Service Scanning |
| REF-33 | reference_from_CAPEC | | Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill |
| REF-128 | reference_from_CAPEC | http://www.faqs.org/rfcs/rfc793.html | Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute, University of Southern California, RFC793 - Transmission Control Protocol, 1981-09, Defense Advanced Research Projects Agency (DARPA) |
| REF-158 | reference_from_CAPEC | http://www.faqs.org/rfcs/rfc768.html | J. Postel, RFC768 - User Datagram Protocol, 1980-08-28 |
| REF-34 | reference_from_CAPEC | | Gordon "Fyodor" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd "Zero Day" Edition), 2008, Insecure.com LLC, ISBN: 978-0-9799587-1-7 |
| REF-130 | reference_from_CAPEC | http://phrack.org/issues/51/11.html | Gordon "Fyodor" Lyon, The Art of Port Scanning (Volume 7, Issue 51), Phrack Magazine, 1997 |
- The adversary requires logical access to the target's network in order to carry out this type of attack.
- The adversary requires a network mapping/scanning tool, or must conduct socket programming on the command line. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
| Authorization | Access Control | Confidentiality |
|---|---|---|
| Bypass Protection Mechanism | Bypass Protection Mechanism | Other |
| Hide Activities | Hide Activities | Bypass Protection Mechanism |
| | | Hide Activities |