
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2718

Port Scan vs netstat -- Advantages & Disadvantages?

I need to identify and document the open ports on a Win2k server, but I am a server lightweight. Assuming a server has NOT been compromised, when deciding whether to do a full port scan or just a netstat -a -n, what are the relative merits of each? When & why would their results be different?

Thank you in advance,

2 Solutions
Regarding their merits, a port scan will let you see what open ports an external service/user/hacker can see given existing firewalls and running services on the scanned computer.  Netstat will let you see existing TCP connection as well as ports on which the computer is listening, among other things (http://technet.microsoft.com/en-us/library/bb490947.aspx).

The results between the two can differ due to firewall placement (on the host or somewhere between the scanner and scanned computer).  For example, your personal workstation may be listening on port 3389 for Remote Desktop connections on your LAN, but a perimeter firewall may have this port closed, with the result being that a port scan originating from outside your network will not show 3389 as open while netstat on your machine will show 3389 as open.
Rich Rumble (Security Samurai) commented:
As explained above, a netstat is local, and a port scan is typically used against a remote host, but can be used against oneself. A port scan can go further, telling what version of a webserver, mail server, even what OS (see finger) is running. Nmap can do OS detection, looking at the responses and predicting the OS based on those "finger prints" aka responses.

Also, as hinted to above, netstat will tell you what port the machine you're on listens on for connections, but a firewall can do PAT or port forwarding, so if you changed the default port 80 for your webserver to listen on port 123, the firewall can still listen for port 80 and change the packets to go to your server on port 123, so a scanner will never know the difference technically. Essentially netstat is local and passive, a port scan is typically against a remote host and active.
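A small way to reconcile the two views when documenting a server, as an added example that is not part of the original thread: it parses `netstat -a -n` output (a constructed sample, including the port-80-to-123 forward described in the answer above) and reports which listening ports a perimeter firewall hides and which scan-visible ports exist only because of a forward. The external scan result and the forwarding map are assumed inputs, not captured from a real host.

```python
import re

# Constructed sample of `netstat -a -n` output on a Windows host (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:123            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.20:1045      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Constructed result of an external TCP scan of the same host through a perimeter
# firewall: 80 is answered by the firewall's forward to 123; 135/445/3389 are filtered.
EXTERNAL_SCAN_OPEN = {80}

# Proto, local addr:port, foreign addr, optional state (UDP lines have no state).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_listening_tcp(netstat_text):
    """Return the set of TCP ports in LISTENING state from netstat -a -n output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "TCP" and m.group(5) == "LISTENING":
            ports.add(int(m.group(3)))
    return ports


def compare_views(listening, scan_open, port_forwards=None):
    """Explain why the local (netstat) and external (scan) views differ.
    port_forwards maps an externally exposed port to the host port the firewall
    rewrites it to (PAT), e.g. {80: 123}; this map is an assumed input."""
    port_forwards = port_forwards or {}
    forwarded = {ext: inside for ext, inside in port_forwards.items()
                 if ext in scan_open and inside in listening}
    return {
        "visible_and_listening": listening & scan_open,
        "listening_but_filtered": listening - scan_open - set(forwarded.values()),
        "visible_via_forward": forwarded,
        "visible_unexplained": scan_open - listening - set(forwarded),
    }


if __name__ == "__main__":
    for key, val in compare_views(parse_listening_tcp(NETSTAT_SAMPLE),
                                  EXTERNAL_SCAN_OPEN, {80: 123}).items():
        print(f"{key}: {sorted(val)}")
```

Anything that lands in `visible_unexplained` is a port the scanner reaches that neither the host nor the known forwards account for, which is the first thing to chase when the two inventories disagree.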
parkerea (Author) commented:
Thank you. I had a general idea that was the fact, but the IT folks have been promoting port scans, and for our uses (documenting the server, not its environment such as the firewall) netstat is more appropriate.

Thanks again,
