FlagHack logoFlag{Hack} Coming Soon

Port Scanning

Port scanning is a technique used to identify open ports and services available on a target machine. It plays a crucial role in both cybersecurity defense and offense. Security professionals use port scanning to assess network security, while attackers use it to find vulnerabilities to exploit.

Each device connected to a network uses ports to communicate with other systems. These ports can be open, closed, or filtered. By scanning for open ports, one can determine which services are running and possibly identify the operating system and software versions in use. This information helps administrators secure their networks—and helps attackers craft exploits.

Variants

Different scanning techniques are used depending on the goals of the scan and the level of stealth desired:

  • TCP Connect Scan: Establishes a full TCP three-way handshake with each port. This is the most reliable but also the most detectable method.
  • SYN Scan (Half-open Scan): Sends SYN packets to ports without completing the handshake. If a SYN-ACK is received, the port is open. This method is faster and stealthier.
  • UDP Scan: Sends UDP packets to target ports. Responses (or lack thereof) help determine if the port is open or closed. These scans are slower and more difficult to analyze.
  • FIN, Xmas, and Null Scans: Use unconventional TCP flag combinations to bypass firewalls and intrusion detection systems. They rely on RFC-compliant behavior of TCP stacks.
  • Idle Scan: Uses a third-party "zombie" machine to perform the scan indirectly, making it extremely stealthy and hard to trace.

Impact

Although port scanning by itself does not cause damage, it is often the first step in a cyber attack. It allows attackers to identify potential targets and select appropriate attack methods. For organizations, unauthorized scanning can signal an impending intrusion and must be monitored closely. On the other hand, regular internal scans help strengthen cybersecurity posture.

Discoverability

The detectability of a port scan depends on the technique used. Full connection scans (like TCP Connect) are easily logged and flagged by firewalls and intrusion detection systems. Stealth scans (like SYN or Idle scans) are more difficult to detect, especially when spread over time or when using multiple source IPs. However, modern security tools are increasingly effective at identifying scanning behavior patterns.

Types

Based on Protocol

  • TCP Scanning: Focuses on TCP ports, which are more likely to run critical services like HTTP, SSH, or FTP. Tools like Nmap offer detailed TCP scan options.
  • UDP Scanning: Targets UDP ports, which are used for services like DNS, SNMP, and DHCP. These scans are harder to perform accurately due to lack of response from open ports.

Based on Intent

  • Aggressive Scanning: High-speed, all-port scans to gather maximum information quickly. Useful in red teaming and penetration tests, but highly detectable.
  • Stealth Scanning: Designed to evade detection by security tools. Often used by attackers in early reconnaissance phases.

Common Tools

  • Nmap: The most widely used port scanner. Supports a wide range of scan types and scripting capabilities.
  • Masscan: Known for high-speed scanning across large networks. Can scan the entire internet in minutes.
  • Unicornscan: Offers advanced TCP and UDP scanning capabilities, useful for detailed fingerprinting.