Posted July 21

🔍 Understanding Port Scanning Techniques

Port scanning is one of the most widely used reconnaissance techniques in ethical hacking and cybersecurity. It is used to identify open ports and services on a target system, giving attackers or security professionals insight into potential vulnerabilities.

When a computer or server is connected to the internet or a local network, it runs various services (web servers, email servers, file transfer tools and so on). Each service typically listens for requests on a specific port: for example, HTTP on port 80, HTTPS on port 443, FTP on port 21.

🧠 Why Port Scanning Matters

- Attackers use port scanning to find weak points in a system that may be exploitable.
- Security professionals use it to audit their networks and close unnecessary or dangerous ports.
- A port scan gives visibility into what is exposed, and potentially vulnerable, on a system.

🧪 Types of Port Scanning Techniques

Different scanning methods reveal different levels of information and vary in how stealthy or aggressive they are.

1. Vanilla Scan (Full Connect Scan)
This is the most basic scan: the scanner attempts to establish a full TCP connection (three-way handshake) with every port. It is easy to detect because it completes the handshake and therefore shows up in logs.
Tools: Nmap (-sT)
Use case: Beginners, simple scans, or when stealth is not a concern.

2. Strobe Scan
A strobe scan is a targeted scan that checks only a specific set of ports rather than all 65,535. This makes it faster and slightly less noisy.
Use case: Quick checks on known vulnerable services (e.g., SSH, RDP, HTTP).

3. Stealth Scan (Half-Open Scan / SYN Scan)
This method sends a SYN packet to initiate a connection but does not complete the handshake. If the port is open, the system responds with a SYN-ACK, and the scanner sends a RST to tear down the connection before it is fully established. It is harder to detect in logs than a full connect scan.
Tools: Nmap (-sS)
Use case: Penetration tests where stealth is important.

4. FTP Bounce Scan
Uses a vulnerable FTP server to bounce scans to another system. The attacker can hide their real IP address by using the FTP server as a middleman. Rare today, because modern FTP servers have closed this loophole.
Use case: Bypassing firewalls or IDS that block direct scanning.

5. Fragmented Packets Scan
Breaks the TCP header into smaller packet fragments, making it harder for firewalls or intrusion detection systems to inspect. This obfuscates scan traffic and can bypass basic packet filters.
Use case: Advanced stealth scanning or evading firewalls.

6. Sweep Scan (ICMP or TCP Sweep)
Scans the same port across multiple IP addresses in a network to identify active hosts running a particular service. Helps attackers map a network.
Use case: Scanning large subnets to find specific services (e.g., who runs port 3306 for MySQL?).

7. UDP Scan
Targets UDP-based services such as DNS (53), SNMP (161) or NTP (123). Since UDP is connectionless, it is harder to determine whether the port is open; the scanner typically sends a UDP packet and waits for an ICMP "port unreachable" response.
Tools: Nmap (-sU)
Use case: Finding services that do not use TCP.

⚠️ Ethical Consideration

Port scanning should only be performed on systems you own or have permission to test. Unauthorized scanning is illegal in many jurisdictions and can be considered a cybercrime.

🔧 Popular Tools for Port Scanning

- Nmap (most widely used)
- Masscan (ultra-fast)
- Zenmap (GUI for Nmap)
- Unicornscan
- Netcat (nc)

Port scanning is a critical step in both offensive and defensive security. By understanding the different scanning methods, cybersecurity professionals can better detect, prevent and respond to network threats. Whether you are a penetration tester or a network defender, mastering these techniques is essential for identifying and securing system vulnerabilities.
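The post notes that a full connect scan completes the handshake while a half-open SYN scan never does. As an added example (not part of the original post), the following Python classifies traffic sources from that difference: it works on a constructed sample of (source IP, destination port, TCP flags) records as the scanned host would see them; the IP addresses, port ranges and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of packets *sent by* the remote side, as recorded on the
# scanned host: (src_ip, dst_port, flags). "S"=SYN, "A"=ACK, "R"=RST, "F"=FIN.
def build_sample():
    pkts = []
    # 10.0.0.5 (constructed): half-open scan. SYN, then RST after the SYN-ACK.
    for port in range(1, 21):
        pkts += [("10.0.0.5", port, "S"), ("10.0.0.5", port, "R")]
    # 10.0.0.7 (constructed): full connect scan. SYN, ACK completes handshake, FIN.
    for port in range(21, 41):
        pkts += [("10.0.0.7", port, "S"), ("10.0.0.7", port, "A"),
                 ("10.0.0.7", port, "F")]
    # 10.0.0.9 (constructed): ordinary client that only ever talks to HTTPS.
    pkts += [("10.0.0.9", 443, "S"), ("10.0.0.9", 443, "A"), ("10.0.0.9", 443, "A")]
    return pkts

def summarize(packets):
    """Per source: (ports that received a SYN, subset where no ACK ever followed)."""
    seen = defaultdict(lambda: {"syn": set(), "ack": set()})
    for src, port, flags in packets:
        if "S" in flags:
            seen[src]["syn"].add(port)
        elif "A" in flags:          # third step of the handshake from the remote side
            seen[src]["ack"].add(port)
    return {src: (s["syn"], s["syn"] - s["ack"]) for src, s in seen.items()}

def classify(packets, min_ports=10, half_open_ratio=0.8):
    """Label each source: 'normal' if it touched few ports, otherwise
    'syn-scan' when most probes were never completed, else 'connect-scan'."""
    labels = {}
    for src, (probed, half_open) in summarize(packets).items():
        if len(probed) < min_ports:
            labels[src] = "normal"
        elif len(half_open) / len(probed) >= half_open_ratio:
            labels[src] = "syn-scan"
        else:
            labels[src] = "connect-scan"
    return labels

if __name__ == "__main__":
    for src, label in sorted(classify(build_sample()).items()):
        print(f"{src:<10} {label}")
```

The same logic applies to real flow logs once they are reduced to the same three fields; the thresholds should be tuned to the normal port spread of the hosts being monitored.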