5. Getting started: Analyzing the security scan results : Detailed scan results: Analyzing open TCP ports
Detailed scan results: Analyzing open TCP ports
Open ports represent active services and applications that can be exploited by malicious users to gain access to a computer. It is very important to leave only the ports that you know are necessary for the central/core functions of your network services. All other ports should be closed.
Screenshot 41 - Open TCP ports node
During vulnerability scanning GFI LANguard N.S.S. 8 will enumerate all TCP ports found open on a target computer. The list of ports is then accessible through the scan results by clicking on the Open TCP Ports sub-node.
Important considerations
By default GFI LANguard N.S.S. is configured to use the 'Full Scan’. Via the use of this scanning profile, not all of the 65535 TCP and UDP ports are checked as this may take a long time to complete per target computer. When using the 'Default Scanning Profile', GFI LANguard N.S.S. performs checks on the ports most commonly exploited by hackers, Trojans, viruses, spyware and malware. Use the ' Full TCP & UDP Port Scan' scanning profile to run a full open port check on all targets.
For more information on how to run security audits using different scanning profiles refer to the ‘Scanning profiles in action’ section in the ‘Scanning Profiles’ chapter in this manual.
For more information on how to customize a scanning profile refer to the ‘Creating a new scanning profile’ section in the ‘Scanning Profiles’ chapter in this manual.
Service fingerprinting
Further to detecting if the port is open or not, GFI LANguard N.S.S. uses service fingerprint technology to analyze the service(s) that are running behind the detected open port(s). Through service fingerprinting you can ensure that no hijack operation has taken place on that port. For example, you can verify that behind port 21 of a particular target computer there is an FTP server running and not an HTTP server.
Dangerous port reporting
Screenshot 42 - Scan Results: Dangerous ports are marked in RED
When a commonly exploited port is found open, GFI LANguard N.S.S. will mark it in red. Care is to be taken, as even if a port shows up in red, it does not mean that it is 100% a backdoor program. Nowadays with the array of software being released it is becoming more common that a valid program uses the same ports as some known Trojans.