Listening ports

We have previously discussed at length how TCP and UDP ports relate to different provided services. If a server is providing services over the network, it is necessary for a port to be left permanently available for inbound connections. This state is called listening. When a client wishes to establish a session, it generates a pseudo-random port on the client end and connects to the listening port. It is, therefore, not possible to entirely shut down all ports on a device if it is also to be functional.

An unauthorized active listening port is a good indicator of an intrusion, or of poor network design and administration. If the service behind an unauthorized listening port is exploited, a malicious entity could gain access to the system from outside the network.

On the server itself, the netstat command can be used to review which connections are established. To check on those that are listening as well, the -a option can be used, which displays both established and listening ports.

The following screenshot shows an extract from netstat on a server that is providing DNS and HTTP services. Notice that port 53 (DNS) is in the listening state, whereas port 80 (HTTP) has a number of established connections. If each of these connections were to be ended, the port would re-enter the listening state:

Output from the netstat -an command on a server
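A small script, added here as an example and not taken from the original text, that does the review described above programmatically: it parses netstat -an output into listening ports and established sessions, then compares the listeners against an approved baseline of the services the server is meant to provide. The netstat extract and the baseline are constructed for the example.

```python
# Added example (not from the original text): review netstat -an output and flag
# listeners that are not in an approved baseline. Sample output is constructed.
from collections import defaultdict

# Constructed `netstat -an` extract (Linux format): DNS listening, HTTP with two
# established sessions, and an unexpected listener on tcp/8888.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:40021      ESTABLISHED
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# Services the server is meant to expose (assumed baseline for this example).
APPROVED = {("tcp", 53), ("udp", 53), ("tcp", 80)}


def parse_netstat(text):
    """Return (listening, established): a set of (proto, port) pairs in the
    listening state, and a dict mapping (proto, port) -> established sessions."""
    listening = set()
    established = defaultdict(int)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header line or a socket type we do not track
        proto = fields[0].rstrip("6")
        port = int(fields[3].rsplit(":", 1)[1])  # local port after the last ':'
        state = fields[5] if len(fields) > 5 else None
        if proto == "udp" or state == "LISTEN":
            listening.add((proto, port))  # UDP sockets have no state column
        elif state == "ESTABLISHED":
            established[(proto, port)] += 1
    return listening, dict(established)


def unauthorized_listeners(text, approved=APPROVED):
    """Listening (proto, port) pairs that are not part of the approved baseline."""
    listening, _ = parse_netstat(text)
    return sorted(listening - approved)


if __name__ == "__main__":
    listening, established = parse_netstat(SAMPLE_NETSTAT)
    for proto, port in sorted(listening):
        print(f"{proto}/{port}: listening, {established.get((proto, port), 0)} established")
    print("unauthorized listeners:", unauthorized_listeners(SAMPLE_NETSTAT))
```

Run against live output (for example `netstat -an` piped into the script) once the baseline reflects the server's normal profile, and re-baseline whenever a new service is added.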

On Cisco IOS devices, netstat does not work; the equivalent command is show control-plane host open-ports.

A port could be put into a listening state from the inside (via an internal network or physical access), literally opening a doorway into the server. Alternatively, an external actor may scan the ports to see which are open, which might lead to a service that they can compromise.

Common port scanning tools include Nmap, which can be used from the command line. Nmap can operate in a number of ways. The simplest scan technique is to attempt a connection (nmap -sT). This gives a lot of information, but does mean that the target logs the session. Imagine ringing random phone numbers, and asking for the name of whoever picks up the phone. If the call is picked up, you know that the number is live, and if they answer the question, you know who is by that phone.

A TCP SYN scan (nmap -sS) does not establish a connection. It resets the connection halfway through the three-way handshake, using the reply as an indication of the port status. For this type of scan, imagine ringing the random phone numbers again, but only allowing each one to ring once. If the call rings, the number is live; if a message says the number is unregistered, the number is not live; if the number gives an engaged tone or goes to voicemail, the person is either on the phone or the phone may be switched off. Without revealing yourself, you have done some reconnaissance of the target.

It is often useful for a network administrator to scan the network themselves, both from the inside and from the outside, to have a good handle on the profile of the server during normal conditions. This should be repeated as and when new services are added.
