Port scan vs Ping sweep, why Ping is better than Port scan

First of all, let us explain what a port scan and a ping sweep are; we have lifted the explanation from Linux Journal: A port scan is a method used by intruders to discover the services running on a target machine. The intruder can then plan an attack on any vulnerable service that she finds. For example, if the intruder finds that port 143 (the IMAP port) is open, she may proceed to find out what version of IMAP is running on the target machine. If the version is vulnerable, she may be able to gain superuser access to the machine using an “exploit” (a program that exploits a security hole).

A port scan is actually very simple to perform. All we have to do is to connect to a series of ports on the machine and find out which ports respond and which don’t. A simple port scanner can be written in under 15 minutes by a good programmer in a language such as Java or Perl. However, this kind of port scan is easily detectable by the operating system of the target machine. Listing 1 shows the traces produced by such a port scan in a log file (usually /var/log/messages) on a Linux box. Notice that a series of connections to various services occurred in a short span of three seconds. Since it’s so easily detectable, most intruders will not run this kind of port scan against a machine these days.

A ping sweep is another kind of network probe. In a ping sweep, the intruder sends a set of ICMP ECHO packets to a network of machines (usually specified as a range of IP addresses) and sees which ones respond. The whole point of this is to determine which machines are alive and which aren’t. It’s a bit like knocking on your neighbors’ doors at 3 a.m. to see who’s asleep and who’s not (okay, don’t try that). Once the intruder knows which machines are alive, he can focus on which machines to attack and work from there. Note that there are legitimate reasons for performing ping sweeps on a network—a network administrator may be trying to find out which machines are alive on a network for diagnostic reasons.

Cracker's viewpoint: Port scanning triggers an IDS (intrusion detection system). The better approach is a ping sweep: ping a range of IP addresses at different times, for instance using an IP-to-location lookup to find where the addresses are and which time zone they use. Pinging the list of IP addresses at different times identifies which IPs are always online; the main aim is to identify the company's servers, which are supposed to be online 24 hours a day. An IP address that is always alive is a server, and an IP address that is up only at certain times is probably a workstation, which is not our target.

Note: Sometimes key servers will appear inactive when you ping their IP. This is a way network administrators make amateur hackers think the system is down when in reality it is up and running: they disable ICMP, which in turn reduces their own ability to troubleshoot.
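Both probes described above leave a footprint a defender can count: a port scan shows up as one source touching many different services within a few seconds, and a ping sweep as one source sending ICMP echo requests to many different hosts. The following script is an added example written for this post, not code from Linux Journal or the original article. It parses two constructed log formats (tcp_wrappers-style "connect from" records such as Listing 1 describes, and netfilter-style kernel lines for ICMP type 8), then flags any source that exceeds a distinct-target threshold inside a time window. The sample lines, host names and thresholds are assumptions made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/messages-style lines (not the page's Listing 1).
# 203.0.113.9 touches six services in two seconds, then pings six hosts in two
# seconds; 198.51.100.4 is a single admin connection and two diagnostic pings.
SAMPLE_LOG = """\
Mar  3 03:00:01 srv in.ftpd[2011]: connect from 203.0.113.9
Mar  3 03:00:01 srv in.telnetd[2012]: connect from 203.0.113.9
Mar  3 03:00:02 srv sshd[2013]: connect from 203.0.113.9
Mar  3 03:00:02 srv imapd[2014]: connect from 203.0.113.9
Mar  3 03:00:03 srv in.pop3d[2015]: connect from 203.0.113.9
Mar  3 03:00:03 srv in.fingerd[2016]: connect from 203.0.113.9
Mar  3 03:05:10 srv sshd[2020]: connect from 198.51.100.4
Mar  3 03:10:00 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=ICMP TYPE=8
Mar  3 03:10:00 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.2 PROTO=ICMP TYPE=8
Mar  3 03:10:01 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.3 PROTO=ICMP TYPE=8
Mar  3 03:10:01 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.4 PROTO=ICMP TYPE=8
Mar  3 03:10:02 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.5 PROTO=ICMP TYPE=8
Mar  3 03:10:02 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.6 PROTO=ICMP TYPE=8
Mar  3 03:12:00 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.1 PROTO=ICMP TYPE=8
Mar  3 03:12:30 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.2 PROTO=ICMP TYPE=8
"""

# Assumed thresholds: tune to the network; a wider window catches slower probes
# at the cost of more false positives from legitimate administrative traffic.
PORT_SCAN_WINDOW_S = 10      # seconds
PORT_SCAN_MIN_SERVICES = 5   # distinct services hit by one source
PING_SWEEP_WINDOW_S = 60     # seconds
PING_SWEEP_MIN_HOSTS = 5     # distinct hosts pinged by one source

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
CONNECT_RE = re.compile(TS + r" \S+ (?P<svc>[\w.-]+)\[\d+\]: connect from (?P<src>[\d.]+)")
ICMP_RE = re.compile(TS + r" \S+ kernel: .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=ICMP TYPE=8")


def parse_ts(ts):
    # Syslog timestamps carry no year; only differences between them are used.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_log(text):
    """Split log text into (time, src, service) and (time, src, dst) events."""
    connects, echoes = [], []
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            connects.append((parse_ts(m["ts"]), m["src"], m["svc"]))
            continue
        m = ICMP_RE.match(line)
        if m:
            echoes.append((parse_ts(m["ts"]), m["src"], m["dst"]))
    return connects, echoes


def find_bursts(events, window_seconds, threshold):
    """Return {src: n} for sources that reached n >= threshold distinct
    targets inside any window_seconds-long interval starting at one of their
    own events."""
    by_src = defaultdict(list)
    for t, src, target in events:
        by_src[src].append((t, target))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        best = 0
        for i, (t0, _) in enumerate(items):
            in_window = {tgt for t, tgt in items[i:]
                         if (t - t0).total_seconds() <= window_seconds}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[src] = best
    return flagged


def analyse(text):
    """Run both detectors and report offending sources with their peak counts."""
    connects, echoes = parse_log(text)
    return {
        "port_scan": find_bursts(connects, PORT_SCAN_WINDOW_S, PORT_SCAN_MIN_SERVICES),
        "ping_sweep": find_bursts(echoes, PING_SWEEP_WINDOW_S, PING_SWEEP_MIN_HOSTS),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for src, n in hits.items():
            print(f"{kind}: {src} reached {n} distinct targets")
```

Two points follow from the way this is built. The ICMP detector counts echo requests as they arrive at the gateway, so a host that has ICMP disabled (as in the note above) is still recorded as a sweep target even though it never answers. And a sweep spread out over hours, as the cracker's viewpoint suggests, falls outside a 60-second window; catching it means correlating over a longer period, which is exactly the tuning trade-off the thresholds expose.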
