Port scanning is a network reconnaissance technique that sends probe packets to a range of TCP and UDP ports on one or more target hosts to determine which ports are open, closed, or filtered. The output reveals the services exposed by each host and is the starting point for deeper enumeration during a penetration test.
TCP scan techniques
TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK) on each port. It is reliable and works without raw socket privileges, but it is noisy and logged by the target service.
SYN scan (half-open) sends a SYN, waits for the response, and never completes the handshake. Open ports return SYN-ACK; closed ports return RST. Faster and less likely to appear in service logs, though network-level monitoring still sees it.
FIN, NULL, and Xmas scans send unusual flag combinations to probe TCP/IP stack behaviour. They are useful against some older operating systems but rarely add value on modern targets.
UDP scanning
UDP is connectionless, which makes scanning slower and less reliable. Closed UDP ports return ICMP unreachable; open ports either return a service response or stay silent. Distinguishing “open” from “filtered” often requires repeated probes and timing analysis. Most scanners run UDP only against a small set of common ports for this reason.
Service version detection
After identifying open ports, modern scanners connect to each one and attempt to identify the service and version through banners and protocol-specific probes. This is what allows a scanner to report not just “port 22 open” but “OpenSSH 8.4p1 Debian”, which can be matched directly against known vulnerabilities.
Common tools
Nmap is the standard. Masscan trades coverage for speed, scanning the entire IPv4 internet at multi-million-packets-per-second rates. Unicornscan and ZMap occupy similar niches. For internal engagements with limited time, Nmap with reasonable timing and service detection (-T4 -sV --top-ports 1000) covers most ground.
Use in penetration testing
Port scanning is part of the earliest reconnaissance phase. The output drives every subsequent decision: which services to investigate, which exploits might be relevant, and where to spend manual effort. It is also the most easily detected activity in an engagement, so testers either accept the noise (most cases) or run slowly and selectively (when stealth is part of the scenario).
Defences
Segment the network so that only intended services are reachable, and apply default-deny firewall rules. Filter egress as well as ingress so that a compromised host cannot scan outwards undetected. Monitor the network and alert on broad scanning behaviour. Reducing the exposed attack surface is more valuable than trying to hide existing services from a scanner.
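The monitoring point above, as an added example that is not part of the original page: a small detector that reads iptables-style firewall log lines (the line format, the 2024 year and the thresholds are assumptions) and flags a source whose SYNs fan out across many ports of one host (vertical scan) or the same port across many hosts (horizontal scan) inside a time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# iptables LOG-style line (assumed format, not from the page).
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)(?P<flags>.*)$")

# Constructed sample: 10.0.0.5 sweeps 12 ports on one host (vertical scan),
# 10.0.0.9 probes port 445 on 9 hosts (horizontal scan), 10.0.0.7 is normal.
SAMPLE_LOG = "\n".join(
    [f"Jan 10 09:00:{i:02d} fw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.1.20 PROTO=TCP DPT={p} SYN"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    + [f"Jan 10 09:01:{i:02d} fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.1.{30 + i} PROTO=TCP DPT=445 SYN"
       for i in range(9)]
    + ["Jan 10 09:02:00 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.1.20 PROTO=TCP DPT=443 SYN",
       "Jan 10 09:02:05 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.1.20 PROTO=TCP DPT=443 ACK"])

def parse_syns(log_text):
    """Yield (timestamp, src, dst, dport) for TCP SYN lines only; packets with
    other flags belong to established flows. Syslog has no year; 2024 assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "SYN" in m["flags"]:
            ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dpt"])

def detect_scans(log_text, port_threshold=10, host_threshold=5, window_s=60):
    """Return {src: labels}: 'vertical' if one host sees >= port_threshold
    distinct ports, 'horizontal' if one port is tried on >= host_threshold
    hosts, counted over any window_s-second span of that source's SYNs."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_syns(log_text):
        by_src[src].append((ts, dst, dport))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        labels = set()
        for i, (t0, _, _) in enumerate(events):
            win = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, dst, dport in win:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            if max(len(s) for s in ports_per_host.values()) >= port_threshold:
                labels.add("vertical")
            if max(len(s) for s in hosts_per_port.values()) >= host_threshold:
                labels.add("horizontal")
        if labels:
            findings[src] = labels
    return findings
```

Only SYN packets are counted, so a busy but legitimate client that keeps reconnecting to one service is not flagged, while a slow scan longer than the window is missed by design and needs a longer window or a lower threshold.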
Related terms
See also: Nmap, ping sweep, ARP scan, and intrusion detection system (IDS).