Ports can offer hackers a way into your computer or any network device. A port isn’t an actual physical connector; it is a logical addressing system. Sometimes a port number is used in conjunction with IP address to identify a computer, but mostly ports are reserved for services. A service is a well known program that supports other programs.
The port itself is not the weakness. The service that uses the port is what gives hackers a way in. The surest way to keep your network safe is to close ports that are not in use. That shuts down the dangers of a rogue malicious process from gaining access to user information by masquerading as a service.
It is common practice for hackers to scan ports, checking each of the port numbers used by services to see which ones accept connections. You can test for port vulnerability yourself by using a port checker.
A solution to port vulnerability is to protect them with your firewall. If a port is blocked by a firewall, outsiders can’t get access to it, so many useful port checkers are online tools. If a port checker or port scanner on a website isn’t able to see the ports on your computer, then the firewall is protecting them well.
Popular Free Port Scanners
Port Detective was a very popular free port checker. However, if you have searched for it, you will have discovered that the website that supports the product is no longer available.
If you are looking for an alternative to Port Detective, you will find some very good utilities in our list of the top ten port checkers.
Here is a list of ten free port checkers that you can try. Some of these are programs need to be downloaded and installed, whereas others can be accessed from any operating system through a browser because they are online services.
- Solarwinds Free Port Scanner (FREE DOWNLOAD)
- Paessler PRTG (FREE TRIAL)
- Open Port Scanner
- IP Fingerprints network port checker
- Free Port Scanner 3.5
- Port Checker 1.0
- What is my IP Port Scanner
- Spiceworks IP Scanner
The list below shows the operating system that each program can run on and which port checkers are online and so are not operating system dependent.
Here is our list of the best free port checkers:
|Port Checker||Linux||Windows||Mac OS||Online|
|Solarwinds Free Port Scanner (FREE DOWNLOAD)||No||Yes||No||No|
|Paessler PRTG (FREE TRIAL)||No||Yes||No||No|
|Open Port Scanner||No||No||No||Yes|
|IP Fingerprints Network Port Checker||No||No||No||Yes|
|Free Port Scanner 3.5||No||Yes||No||No|
|Port Checker 1.0||No||Yes||No||No|
|What is my IP Port Scanner||No||No||No||Yes|
|Spiceworks IP Scanner||Yes||Yes||Yes||Yes|
Solarwinds is a leader in the network software industry and this free tool from the company is a great find. The Port Scanner is aimed at businesses of all sizes. It can be run through a graphic interface or from the command line. However, the Solarwinds Free Port Scanner is only available for Windows.
When the application opens it will scan your network to detect all its IP address scope and you will see that range in the IP scanning range field. You can launch a scan on all of the devices on your network, or change the range setting to get a scan for just a section of the network or just one device. The search setting for port numbers is also given a default value. This default limits the search to well-known ports, but you can override this setting and enter your own range of port numbers. You can also enter a list of non-consecutive port numbers.
Advanced settings for a search enable you to focus on just TCP or UDP activity or get both of these protocols checked. You can also add in a Ping check and DNS resolution to a search. The scan can also have an OS identification result included.
Results from a scan will list all of the possible addresses within the scope. This will end up with a very long list, so you can specify to show only results for active hosts. This shorted list shows the number of open, closed, and filtered ports on each active device. A filtered port is one that is blocked by a firewall and cannot be examined by the scanner.
Clicking on a device record gets a port detail panel to open. This will list all of the ports in the scan range — most of them will be closed. You can shorten this very long list by filtering results to only show the ports that are open. Results can be exported to CSV, XML, or Excel format.
MORE INFORMATION ON THE OFFICIAL SOLARWINDS SITE:
Paessler PRTG is an infrastructure monitor that covers network devices, network links, servers, and applications. The PRTG system is implemented by sensors. A sensor detects a specific attribute of system performance, or covers a particular hardware attribute.
The monitor includes two types of port sensors that will keep an eye on port activity for you. These are the Port sensor and the Port Range sensor.
The Port sensor is allocated to a given port number on a device. It will try to connect to that port and then report back on whether the port is open or closed and how long it took for the connection request to be served. This sensor only monitors TCP ports. You can choose whether or not to operate the sensor with Transport Layer Security. Including TLS will give you a more accurate report on the experience of secure connections when accessing that port.
As the name suggests, the Port Range sensor interacts with a given range of port numbers. This also deals only with TCP connections and doesn’t check on UDP operations to the ports on your devices. The port numbers that you want to check don’t have to be contiguous because you can choose to submit a list of port numbers instead of a range. The actions of this sensor are very similar to the Port sensor. It will access each port number in sequence and report on whether that port is open or closed and how long it took the device to accept a connection at that port. This sensor doesn’t give you the option of connecting with TLS.
Paessler PRTG is priced on the number of sensors that you want to monitor. The system is free for up to 100 sensors. If you use the Port sensor, you will need to create a new sensor instance for each IP address/port combination. So, you will use up your sensor allocation very quickly because each instance counts as a separate sensor for pricing purposes. You can get a 30-day free trial with unlimited sensors to assess the software. Paessler PRTG installs on Windows, or you can access it online as a cloud-based service.
Nmap is a free network testing and security auditing tool. Zenmap is a user-friendly interface for Nmap. You can check on a lot of different factors about your computer and other computers connected to the same network with Nmap, not just ports and services.
It can be installed on Windows, Linux, BSD Unix, and Mac OS.
The layout of the interface is not very sophisticated, but the system does its job well and offers you a range of tests to try. The utility will scan all of the ports on all of the computers connected to your network, or on your router. The follow up tests are only performed on the open ports that Nmap discovers.
The standard test uses ping and a preliminary system check before scanning for open ports. However, there is a Ping-less alternative. You can perform a complete scan, scan all TCP ports, or scan all UDP ports. An intense scan uses a SYN Stealth methodology. These types of scans don’t get logged as connection attempts because the port never completes a connection sequence. An intense scan can take a long time — more than an hour and a half for one device.
Zenmap gives you a lot of different information types to investigate and it works for a single router or computer, so it isn’t just for network administrators.
The Port Scanner page of the Port Checkers website gives you an online test of the ports on your computer. Not all of the ports are checked. The service will examine 36 of the well-known ports to see whether they are accessible from the internet and whether a service is running on each of them. A shorter scan will check just 13 of those ports.
The services that the port scanner checks include FTP data and control channel (ports 20 and 21) and also TFTP and SFTP ports. Ports for networking protocols SNMP, DHCP, and DNS are all checked as are communication and security services such as HTTPS, HTTP, SMTP, POP3, POP3 SSL, IMAP SSL, SSH and Telnet.
The results of the scan are shown in a table on the web page. In many instances, it is necessary to keep these essential ports open. However, in other cases, you will be able to close them down with your firewall. Examples of services that you might not use are the SMTP, POP3, and IMAP protocol. These are email protocols and only apply if you run an email agent on your computer. If you only use webmail, you don’t need to run these services.
There is no charge for using the Port Checkers Port Scanner.
The Open Port Scanner is available at the Web Tool Hub website. This free online port checker lets you choose which ports to scan. You need to enter your IP address and then list the ports that you want checked. Each run of the scanner can only cope with 10 ports at a time.
The results of the scan are shown in a table with the status of each port and its regular service listed alongside. Although it can be laborious typing in the port number, you can enter ranges, for example “21-29.” Results come back very quickly and you can export them to a CSV file.
Getting a full report on all of your computer’s ports would take a very long time, however, because the IANA port allocation list goes up to number 65,535.
The Web Tools Hub includes a long list of useful tools for online activities. These include an IP location checker, a backlinks checker, a WHOIS lookup facility, and a Ping test.
The IP Fingerprints website is another source for useful online tools and these include a Network Port Checker and Scanner. In this free online tool, you enter an IP address and a range of ports to check. This would be a lot more useful for getting through all of the ports on your computer because there is no limit on the number of ports you can scan in one go. However, the website text warns a port number range that exceeds 500 will take a very long time, and a large range will start a search that may never end. So, you will still need to run your full scan in segments.
Despite this warning, I ran a search on ports 21 through 500. The results came back in less than a minute. Unfortunately, the system only reported on one of the four open ports that Nmap spotted. However, that may be because IP Fingerprints operates from the internet and Nmap works on the computer, behind the firewall.
This scanner claims to be able to see around firewalls. The Normal scan will check which ports are visible from the outside world and which are covered by the firewall. Advanced port scan options give you the choice of launching a connect() command test or a SYN Stealth test. SYN and connect() methods are particularly interesting because these are the avenues that hackers like to use in order to detect for services. The website claims that these can get around a firewall. The SYN method is a favorite strategy for DDoS attacks.
Other useful tools on the IP Fingerprints site include a geolocation tool and a WHOIS facility.
You need to download a program to run Free Port Scanner 3.5. It is available from Major Geeks and it runs on Windows. The creators of this program, Nsasoft, make no mention of the utility on their own website, so the only place you can get it is through third-party software download sites. The file that you download is an installer and it will also create an icon for the tool on your Desktop.
This utility allows you to scan ranges of ports, so you can get through the full list of port numbers in one run if you have time on your hands. The interface detects your IP address when it launches and a selected list of ports to look at is also provided by default. The scan takes a long time to perform if you request a wide range of port numbers. It is also very slow if you want to test the ports on another device, such as your wifi router. So, if you ever wanted to scan all of the ports on your router, you would probably have to leave the program running all day. If you connect to the internet through a wifi router, then you must enter your network IP address to scan your computer. You can scan the ports on your router by giving Free Port Scanner the public IP address that identifies you on the internet.
You can elect to show closed ports as well as open ones. There is no documentation with the tool and so there is no way of knowing which test method the utility uses. Free Port Scanner 3.5 only tests TCP ports.
The Port Checker 1.0 program can be downloaded from Softpedia. You need to be careful about downloading free utilities because they can sometimes be used as a front for a Trojan. Softpedia checks all of the code of the programs that it puts on its site, so you can have confidence that you are not downloading a virus.
This free tool runs on Windows. There is no installer file for this tool: you just download a zip file with the executable in it. Extract the program and double click on the file to run it. The program is very small and it can even be stored on and run from a USB stick.
The interface is very basic and easy to use. Just enter an IP address and select a port number from a drop-down list. A drawback is that you can’t scan for any port you like, just those in the list, and it isn’t possible to enter ranges of port numbers. If you have a wifi router, enter your network IP address to check ports on your computer and your internet IP address to get a report on a router port.
What is my IP? is a very popular web service for discovering your IP address. The website has a number of other tools, including a port scanner.
This free online port checker has a number of useful features. First of all, it is fast: results for multiple port numbers come back within seconds. You can enter ranges of port numbers and create custom lists, although those two features are only available to the site’s paying members.
What is My IP has come up with a very nice free utility that gives you the opportunity to check a single IP address, but it has a unique option that no one else in the market seems to have thought of. It offers scans on themes of ports and services. This is called a “package.” For example, you can choose the Games package and then the test will include ports used by the major online gaming platforms. Other package options include Basic, which checks ports for things like email and FTP; Web, which includes HTTP, HTTPS and FTP (again); and Malicious, which looks at ports known to have been used by malware and hackers.
TCPView is available as a free program to download onto Windows. This port scanner takes a different perspective from all the other programs in this list. Rather than looking at the ports and then checking whether a service is active on each, this system looks at all of the processes running on the computer, lists those associated with ports, and lists the port number. This approach gets you a lot more details than the external scan. For example, the other scanners didn’t notice ports above the “well-known” range even through some of the scanners claimed to be checking all ports.
TCPView includes processes listening at ports and the display is refreshed every second. You can slow down this snapshot rate and lengthen the interval to 2 seconds or 5 seconds. When new processes are encountered, they go into the list in a green-colored record. Processes that end stay in the list briefly with a red-colored record. Processes with changed statuses are colored yellow.
The display also shows the number of packets and the quantity of bytes of data sent and received on each port. Despite its name, TCPView also covers UDP ports.
The Spiceworks IP Scanner has two elements. The dashboard for the tool is online, but you need to install a small monitoring program onto your computer to get it working.
The agent on your computer sends gathered data to the cloud server. All communications between the agent and the server are encrypted and you need to sign up and create a user account in order to log in and see your scan results.
The installed program will run on Ubuntu and Debian Linux and also on Windows and Mac OS. The free network tool gives you plenty of information about all of the computers in your network, or just your computer if you don’t have a network. All of Spiceworks’ tools are free of charge, but they are ad-supported.
Once you have installed the program and created your account, you log into the dashboard through a browser. The system cannot be accessed through a Safari browser. The IP scanner will search your network and discover all of the devices connected to it. For each device, it will report the MAC address, see the IP address, the hostname, the manufacturer, the operating system, and a list of open ports.
If you don’t have a network, you may prefer to use the Spiceworks Port Scanner and Tester. This is a free online tool and it can be accessed from any operating system without having to install software. The Port Scanner checks the status of a number of the ports on the computer for which you enter the IP address.
Online or installed?
As you can see from our list of recommended port scanners, half of them do not need to be installed on your computer because they are available on websites. This is a good strategy because the position of the scanner outside of your system gives you a proper view of what hackers and the outside world can see about your network, be it a home network or a business service.
Switching to a computer-based port scanner can help as well because it shows you the many processes listening on computer ports. As you can see from the examples of checker output shown above, the remote checks find fewer services on ports than the computer-based scanners can detect. This shows that your firewall is working to mask the security weaknesses of services running on your computer. So, it is probably better to use one of each of these types of systems — both online and installed.
More about ports
If you are new to networking technology, a little background on ports should help you out. Ports are addresses, and a large number of them have specific purposes that seasoned networking specialists can recall off the top of their heads.
The allocation of port numbers to specific services is a global standard operated by the Internet Assigned Numbers Authority, which is also known as IANA. This organization is also responsible for distributing IP addresses and preventing duplication. You can get a look at the IANA register of port numbers at their website.
The very long list of port numbers is divided into three sections. The first 1024 ports (numbers 0 to 1023) are called the “well-known ports” because the long running services that everybody uses, such as HTTP and IMAP, all have their port numbers within this range. Not all of the numbers in this section are in use. A service used by many different applications, such as FTP or the domain name service (DNS), will be in the well-known range of ports numbers.
The next range of port number goes from 1024 to 49151. These are the registered ports. Proprietary applications will be allocated a port number in the registered range. For example, the Steam online game platform is assigned port number 1725.
All of the port numbers from 49152 up to 65535 are available for any programmer to use. These are called “private” or “ephemeral” ports. Often, a service will listen on a well-known port, but then switch to a private port by agreement with the connecting client. This enables the daemon listening at that well-known port to be available for other connections while the first transaction is ongoing.
So, even though a particular service operates on one specific port, it can also arrange to run on another port high up in the ephemeral port number range.
The exchange of data over a network can either follow a connection-based system, called TCP (the Transmission Control Protocol) or a connectionless model, called UDP (the User Datagram Protocol). Most scans use the TCP system because UDP has no connection control and so expects no acknowledgements or error messages back. Those responses from the server make port scanning possible.
Open and closed and blocked and unblocked ports
An “open” port is not the same as an “unblocked” port, and a “closed” port is not the same as a “blocked” port. An open port simply has a process associated with it. These processes are part of a service. They are called “daemons” and they run continuously in a very small loop checking to see if a packet addressed to a specific port has arrived at the computer. This is why it is important that port numbers are universally known. The well-known ports mean that anyone writing their own version of a particular service, such as an FTP program, just has to check for packets arriving for that service’s port number.
The program will only break out of the loop and continue down the lines of code when a message arrives with the right port number. So, if a port is open, that means that there is a daemon checking for that port number over and over again. To close a port, you just stop that process. A “closed port” just means that there is no repetitive program looping around waiting for that port number to appear in a packet.
A “blocked port” may be open or may be closed. The block is performed by a firewall. If there is a daemon running and waiting for a particular port number, it will be waiting forever if the firewall refuses to allow through packets addressed to that particular port number. In that example, the port is open, but blocked. To unblock that port, you would have to adjust your firewall rules to allow through traffic addressed with that port number.
If the process that waits for a message with a specific port number is on a computer behind a router, you may have to instruct the router to direct the traffic for that port. This process is called “port forwarding.”
Types of port scans
Basic port checkers
A standard port scan sends out a connect() command to every port number in turn. This command only works with TCP ports. If an acknowledgment to a request to connect to one port number receives a reply, the scanner registers that the port is open, meaning there is a daemon listening.
If a hacker wants to try to get into your computer, there is no point sending his intrusion attempts to a port number that does not get a response from a daemon. It would just be a waste of time.
Hackers might favor particular port numbers. Some viruses have a specific port written into them, and antivirus companies have learned them. In those cases, firewall software gets updated and the success of the virus comes to an end. The hacker will then try to find a different port and rewrite the virus. Then the virus will probably earn a different name from the antivirus community.
Remember that with many services, the initial connection takes place on a well-known port and then gets transferred to an ephemeral port number. As viruses are automatic processes, each will have its favored ephemeral port. So, if you discover that one of the private ports is open, this could be an indication that your computer is already infected.
When a scan just focuses on a range of port numbers rather than all 65536, that search is called a “strobe.” Making regular scans of all ports can raise an alarm, so limiting the scan to a small number of ports can keep the scan under the radar. Each connection request gets logged, so a sudden burst of connection requests shows that something untoward is going on. Networks that run intrusion prevention systems will automatically lock out all activity from a particular IP address if port scanning is detected.
A stealth method that some hackers use to avoid getting blocked out is to perform the scan very slowly over a number of days. Stealth scans tend to be strobes because limiting the number of connection requests to just the ports that the hacker knows is a good bet that cuts down the time that a slow scan can take.
An incomplete connection request or connection requests spread over several packets are other stealth methods.
The connection process consists of three messages. The client sends a SYN message and the server sends back a SYN-ACK. The client replies to the SYN-ACK with an ACK. This three-phase process is very useful to hackers and a SYN flood is commonly used as a denial-of-service attack. This is because the server will wait for a short period of time for an ACK to come back. That short wait period, combined with a large number of SYNs, can create enough of a delay that genuine requests time out before being served.
A SYN flood would register an alarm on a computer. However, just one SYN on each port doesn’t even get logged. This is because most systems only log successful, but subsequently inactive connection request that are made up of the SYN/SYN-ACK/ACK process carried out by the TCP connect() command.
So, the SYN scan sends out a SYN message. If it receives back a SYN-ACK, it knows that port is open. If no SYN-ACK comes back, it knows that port is closed. In both instances, it never sends back an ACK message.
Fragmented packet scan
Some intrusion detection systems and firewalls can be duped by fragmented packet scans. This is because many of those systems operate on the transport layer, looking for “signatures”, or patterns of behavior in incoming packets. Working at the transport level means that the detection rules of a firewall or IDS would not recognize a fragmented request.
However, the split request is united by TCP when preparing messages to pass to the application. So the parts of the request get through because they don’t look to the firewall like a connection request. However, by the time the request reaches the daemon, it is a fully recognizable connection request.
Some firewalls on the market will examine the packets in their reconstituted form. In those instances, this packet fragmentation technique is trounced. However, buffering and ordering of packets by the firewall is rare because those actions slow down the network.
A NULL scan is a way to test for UDP ports. In fact, it is just about the only way to check UDP ports because the whole purpose of UDP is that there are never any responses sent back by the protocol. However, sending an empty UDP “datagram” may or may not get an error response from the listening process. It is much more likely to provoke a message from another protocol if that port is closed. This is the ICMP protocol, which has the capacity to send back a “port unreachable” message.
The same technique can be used to test TCP ports with an empty TCP “segment.” So, any NULL message that doesn’t get a “port unreachable” response indicates that the port is open. However, network monitoring software and system administrators have got wise to this trick and most network systems now limit ICMP “port unreachable” messages to a certain number per day, or just send one out every nth response. So the lack of a response doesn’t always mean that a port is open, and this method of scanning has become unreliable.
A TCP segment contains a shorthand section of bits that are set to 1 to indicate certain conditions of the connection requests. In a TCP NULL scan, all of those bits are set to zero, which tells the server nothing. In an XMAS scan, all of those bits are sent to 1, which is gobbledygook because some bits are mutually exclusive.
The XMAS scan should provoke an error message from an open port and silence from a closed port. However, this type of scan doesn’t always produce correct results because an error message may have been sent but got lost on the way. Also, different operating systems have different policies in response to the XMAS scan, so such packets don’t always send back error messages even if the port is open.
A FIN scan is similar to the NULL scan and the XMAS scan because it is designed to be intentionally wrong and provoke an error message. A FIN TCP message closes a connection, so if it is sent to a port on which no connection exists, it is clearly an error.
A peculiarity of this message type is that it is dealt by the operating system and not by the daemon on the port. The convention is that if a FIN message is sent to an open port to which there is no connection, the daemon ignores it, and sends no response. However, if a FIN message is sent to a closed port, the operating system will send back a RST message. No response to a FIN means that the port is open and an RST means that the port is closed.
This is another malformed request technique that provokes an RST response from the operating system on behalf of closed ports and silence from open ports. You will recall that the ACK message is the last stage in the SYN/SYN-ACK/ACK process of establishing a connection under TCP rules. So, an ACK arriving before a SYN is just nonsense and an open port will ignore it.
Port scanning issues
You will come across a few other settings in port checkers that are additional features rather than scanning techniques. These include Ping, Traceroute, RPC checks, operating system fingerprinting, and DNS resolution checks.
These are nice features and they indicate that the producers of that port checker are trying to create a network traffic analyzer rather than just a straightforward port scanner.
Port mapping, port forwarding, port triggering
Port mapping is a function of routers that practice network address translation (NAT). NAT enables several computers on a network to use the same public IP address on the internet. The network gateway identifies each computer on the network by a port number, which it tacks onto the end of the IP addresses on outgoing messages. When a response comes in to that port number, the gateway knows which computer the message is meant for.
Port mapping is a form of NAT, which is called port address translation (PAT). This enables computers on the network to send out requests with a port number on the end of the source address. The gateway than replaces that port number with a substitute that represents the network address of the originating computer and the port number on the original request. Port mapping is also called port forwarding.
Port triggering enables a computer on a network to allocate an extra port number on the NAT gateway to itself. An example of this is the port triggering needed for the Internet Relay Chat (IRC). When a computer on the network contacts a remote host for an IRC session it has to send the request to a specific port number, the host will connect back on a different port number (113) for verification. So when the original request goes out, the sender notifies its gateway that it wants to receive traffic coming in on port 113. When the gateway gets a message to that port number it forwards it on to the network computer, preserving the 113 port number in the header. This access is only active for a short period.
Port checker options
Sometimes, it takes a thief to catch a thief, so thinking like a hacker and employing “white hat” hacking techniques will help you keep your computer and your network secure. Try out a free port checker to get an idea of services that could provide entry points for hackers. Remember to try both an installed program and an online service to get a complete overview of your port activities.
Comparitech networking guides
- Best network intrusion detection tools
- 8 best packet sniffers and network analyzers for 2018
- Best free bandwidth monitoring software and tools to analyze network traffic usage
- Top 10 LAN monitoring tools for 2018
- The definitive guide to DHCP
- The definitive guide to SNMP
- The ultimate guide to mobile device management (MDM) in 2018
- The ultimate guide to BYOD in 2018
- Top 10 server management & monitoring tools for 2018
- The best free NetFlow analyzers and collectors for Windows
- 6 of the best free network vulnerability scanners and how to use them
Other information on network monitoring