
About Port Scanning.

Fixxx (Moderator) - Joined 31.10.19 - Messages 1,560 - Reaction score 5,249 - Points 113

Port scanning is a method to determine which services are running on a target device and through which points they are accessible. Essentially, it checks which ports are open, closed or filtered, and what applications or protocols lie behind them. For an information security specialist, this is a basic reconnaissance tool: before attacking, one must understand where potential entry points are. Ports are logical connection points on a device. They can be TCP or UDP. TCP ports provide reliable connections: with delivery confirmation and packet order control. UDP is lighter and faster but without guarantees; it's often used in voice and video services. Ports are also categorized by ranges:
  • From 0 to 1023 - known (well-known), reserved for standard services, e.g., 80 for HTTP, 443 for HTTPS.
  • From 1024 to 49151 - registered, used by third-party applications.
  • From 49152 to 65535 - dynamic, assigned by the operating system as needed.
In penetration testing and security auditing, port scanning is one of the first steps. It helps identify the attack surface, find vulnerable or forgotten services and ensure that the infrastructure is open only where necessary. It's also a useful way to verify that everything is functioning as intended and that nothing extraneous is exposed.


Main Types of Scanning

Port scanning is not just a simple "ping" of addresses. It's a nuanced craft where the choice of method can mean the difference between accurate results and false data, between silence and alarm in IDS logs. The main methods include:
  • TCP Connect: Establishes a full connection with the port (three-way handshake). This method is reliable but noisy: scans are easily detected by monitoring tools. It's used when there is no low-level access to the network.
  • SYN Scan: Only a SYN packet is sent without completing the connection. It's fast, efficient and less noticeable to IDS. One of the most popular options in Nmap (-sS).
  • UDP Scan: UDP packets are sent and an ICMP error is expected in response. If there is no response, the port may be open or filtered. This method is imprecise but necessary for finding non-standard UDP services.
  • FIN Scan: Uses the FIN flag without starting a session. Closed ports respond with RST, while open ones remain silent. Some firewalls allow such packets, considering them invalid.
  • XMAS Scan: Simultaneously activates the FIN, URG and PUSH flags. The behavior of ports is similar to that in FIN scanning. It's used to bypass weak IDS or non-standard TCP stacks.
  • NULL Scan: A packet without any TCP flags. Closed ports return RST, while open ones remain silent. This method can work where other types of scans are blocked, but it's not always stable.
There are tools for all of this and the king among them is Nmap. It's the Swiss Army knife of scanning: nmap -sS for SYN, -sU for UDP, -sF, -sX, -sN for FIN, XMAS, NULL. You can combine, adjust timings, disguise as regular traffic and run scripts. Other tools include Masscan - for lightning-fast TCP scanning (millions of IPs in minutes), Zmap - for very broad network research, and Unicornscan - with a focus on asynchronicity and traffic control. But for targeted reconnaissance, Nmap remains the favorite.
The ability to work with scanning is not about "pressing a button and waiting", but about choosing the approach based on the task and context.
You often need to be quick and direct, while other times, slow and stealthy. The key is to understand how the network will react to your actions!


Purpose of Port Scanning

Port scanning is the starting point for almost any network reconnaissance. It's used not only by hackers but also by security specialists when they want to get an honest picture of what is actually working in the network, rather than what is documented. Typical scenarios include:
  • Reconnaissance Before Penetration Testing: Before attempting to breach a system, it's essential to understand where entry points exist. Port scanning reveals which services are accessible from the outside, what operating systems and applications are behind them and which may be vulnerable: the more you know in advance, the less noise there will be later.
  • Identifying Shadow IT Resources: Over time, any infrastructure accumulates "ghosts" - servers forgotten by administrators, test environments, open databases without authorization. These may not be documented but are still accessible from the outside. Scanning helps bring them to light before someone with less friendly intentions does.
  • Security Auditing and Vulnerability Remediation: Open ports are potential entry points. Regular audits allow for the identification of what is "extra" listening in the network, what is not being filtered and what was opened "temporarily" and forgotten. At this stage, vulnerability analysis tools come into play, but it all starts with a simple list: IP addresses and port numbers.


How Protective Mechanisms Affect Scanning Results

Port scanning may seem straightforward in theory: send a packet → receive a response → draw a conclusion. However, in real infrastructures, there is a whole ensemble of protective mechanisms between you and the target host and they can alter reality. Modern firewalls do not limit themselves to filtering by IP and port. Mechanisms like Stateful Inspection track the state of connections: if a request appears suspicious or "illogical", for example, lacking the start of a TCP session, the system simply ignores it. App-ID can recognize an application not by its port but by its behavior and block access, even if the port is open. Threat Prevention goes even further - it can place itself between you and the server, modifying or dropping packets based on security policies. As a result, a scanner may present a picture that is far from reality. Sometimes it shows a too "clean" view, while other times it appears suspiciously "deaf".
  • It's nearly impossible to build a reliable picture based solely on a scanner's report. One might try to filter out problematic hosts where, for example, there are too many open ports.
  • Typically, firewalls use the following mechanisms to detect scanning: Port Scan Detection, limits on the number of TCP SYN packets from a single source, detection of new connections with non-standard TCP flags (XMAS, NULL, FIN), honeypot hosts and ports, comparison of SRC IP with threat intelligence lists, use of p0f and Layer 7 packet analysis.
  • If scanning is detected, protective systems begin to counteract and "confuse" the scanner. For example, they may send false RST (reset connection) responses to all SYN requests, false ICMP Port Unreachable messages for UDP, create the illusion of an open port (responding with ACK to all SYN), delay connection establishment, modify service banners, lure the scanner into traps (honeypots) and use tarpit techniques (simulating an open port but preventing data transmission).
The techniques mentioned above complicate scanning and render reports useless. Therefore, potential countermeasures from IPS should be considered in advance. If you are scanning from the internet, you can conduct a quick scan of hosts and subnets, intentionally provoking protective systems to react, identifying where IPS is active and how it responds. After that, you can scan protected nodes in a special manner from different IPs. It's also worth noting that target hosts may not have dynamic protection and advanced countermeasures against attacks, but they can easily detect scanning methods like SYN, XMAS, NULL, FIN and ACK. Therefore, various scanning techniques should be applied depending on the situation. The main thing to remember is that a single scan is just a fragment of the picture. To understand what is truly happening in the network, one must observe behavior over time and consider the context.


Bypassing Detection Systems: Hidden Services and Anti-Detection

When IDS and IPS are operational in a network, scanning becomes an art of disguise. Obvious SYN packets will immediately light up logs and aggressive nmap -A scans will be like fireworks in the night. However, hidden services have not disappeared; they are just harder to find now. This means one must act carefully and with an awareness of the defenses in place. A good practice is to start with passive methods: DNS queries, route analysis and searching for records in public databases. Sometimes, this is enough to determine which hosts are worth targeting. The less traffic generated, the lower the chances of falling into a trap. Detecting hidden services in the presence of IDS/IPS requires a balance between stealth and effectiveness. Attackers often combine passive and active techniques. Passive methods can include gathering information from open sources: if it's not an internal network, tools like Shodan or similar services, as well as various sniffer attacks, can be useful. Active scanning methods may include:
  • Disguising as Legitimate Traffic: For instance, mimicking HTTP or HTTPS requests by altering TLS ClientHello, browser User-Agent strings and handshakes.
  • Slow Scans: For example, sending 1 request every 5 seconds or scanning one port per minute - many IDS will not react to this.
  • Using Various Scanning Techniques: For example, SYN+ACK scanning may be less noticeable than SYN scanning.
  • TTL/Fragmentation Evasion: Breaking packets into non-standard segments or altering TTL to bypass inspection.
  • Rotating Source IP Addresses: This reduces the correlation of requests.
To detect the activity of attackers using these methods, it's recommended to optimize the sensitivity of protection systems and create specialized rules that account for the described evasion techniques. Instead of broadly scanning all ports, it's better to choose priority targets, work in stages and combine methods. Finding one port discreetly is far more valuable than discovering hundreds of filtered ports that lead to an IP ban. After each stage - analysis. If the system starts to go silent and responses become unstable, it's possible that you have been detected. Change your approach and check the logs. This is where the balance lies: the more discreetly you operate, the further you can go.


Legality of Scanning

Port scanning is akin to picking a lock with a skeleton key: it's not a crime in itself, but the context determines its legality. In the hands of an administrator, it's a useful tool; in the hands of a malicious actor, it becomes an element of an attack. The boundary between research and intrusion is very thin and it can be crossed accidentally. If you are scanning your own systems, with internal approval or working within the framework of an official test, such as a penetration test under contract, everything is fine. This is part of safe practice: you check what is accessible from the outside, look for forgotten services and assess the attack surface. Scanning someone else's resources without consent (even without attempting exploitation) can be perceived as an attempt at unauthorized access. In some jurisdictions, such as the USA or the EU, this formally violates the law, especially if the detected traffic is logged by a monitoring system and triggers a response. In Russia, the same applies: scanning third-party systems without permission can be interpreted as creating interference or preparing for an attack.


Conclusion

Port scanning is not merely a way to "probe" a network; it's a comprehensive tool for reconnaissance and auditing. It helps identify open services, vulnerable nodes and shadow infrastructure, but it yields useful results only in skilled hands. It's essential to remember that the scanner's conclusions are not absolute truths but starting points. The results depend on context, security settings and network behavior. They must not only be collected but also correctly interpreted, especially in environments with filtering, NAT, IPv6 and advanced IPS. In 2025, the best approach is to combine techniques: passive reconnaissance, targeted scanning, behavior analysis and correlation with logs. Scanning is a powerful tool, but it must be handled like a surgical scalpel: precisely, carefully and strictly according to instructions.
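The post lists the signals firewalls use to spot scanning (non-standard TCP flags such as XMAS, NULL and FIN; too many SYNs from one source) and the slow-scan trick of one probe every few minutes that per-minute limits miss. The following detector, an added example that is not part of the original post and not any vendor's logic, runs those three rules over constructed firewall log lines: the log format, the IP addresses, the clock values and the thresholds (10 distinct ports per minute, 20 distinct ports per hour) are all assumptions made for the illustration.

```python
"""Port-scan detection over constructed firewall log lines (added example).
Log format, addresses and thresholds are assumptions, not from the original post."""
from collections import defaultdict, namedtuple

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}
# Flag combinations of the packet that opens a connection, named as in the post
PROBE_TYPES = {0: "NULL", FIN | PSH | URG: "XMAS", FIN: "FIN", SYN: "SYN",
               SYN | ACK: "SYN-ACK", ACK: "ACK"}
Probe = namedtuple("Probe", "ts src dst dport flags")  # ts in seconds (constructed clock)


def parse_line(line):
    """Parse one constructed log line, e.g.
    '200.0 198.51.100.7 -> 10.0.0.5:22 flags=S'  ('-' means no flags set)."""
    ts, src, _arrow, target, flagfield = line.split()
    dst, dport = target.rsplit(":", 1)
    flags = 0
    for ch in flagfield.split("=", 1)[1]:
        if ch != "-":
            flags |= FLAG_LETTERS[ch]
    return Probe(float(ts), src, dst, int(dport), flags)


def classify_probe(flags):
    """Name the probe type from the flags of the packet that opens a connection."""
    return PROBE_TYPES.get(flags, "OTHER")


def _max_distinct_ports(plist, window):
    """Sliding window over time-sorted probes from one source: the largest number
    of distinct (dst, dport) pairs it touched within `window` seconds."""
    counts = defaultdict(int)
    best = left = 0
    for p in plist:
        counts[(p.dst, p.dport)] += 1
        while p.ts - plist[left].ts > window:      # drop probes that fell out of the window
            key = (plist[left].dst, plist[left].dport)
            counts[key] -= 1
            if counts[key] == 0:
                del counts[key]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scans(probes, fast_window=60.0, fast_threshold=10,
                 slow_window=3600.0, slow_threshold=20):
    """Return {src: [reason, ...]} for sources whose behaviour looks like a scan.
    Thresholds are assumptions; tune them to the network's normal fan-out."""
    by_src = defaultdict(list)
    for p in sorted(probes, key=lambda p: p.ts):
        by_src[p.src].append(p)
    alerts = defaultdict(list)
    for src, plist in by_src.items():
        # Rule 1: flag combinations no legitimate client uses to open a connection
        odd = {classify_probe(p.flags) for p in plist} & {"NULL", "XMAS", "FIN"}
        if odd:
            alerts[src].append("non-standard TCP flags: " + ", ".join(sorted(odd)))
        # Rule 2: many distinct ports in a short window (a fast sweep)
        fast = _max_distinct_ports(plist, fast_window)
        if fast >= fast_threshold:
            alerts[src].append(f"fast sweep: {fast} distinct ports within {fast_window:.0f}s")
            continue
        # Rule 3: low rate per minute, but many distinct ports over an hour (a slow scan)
        slow = _max_distinct_ports(plist, slow_window)
        if slow >= slow_threshold:
            alerts[src].append(f"slow scan: {slow} distinct ports within {slow_window:.0f}s")
    return dict(alerts)


def build_sample_log():
    """Constructed log: a normal client, a fast SYN sweep, a slow scan and XMAS probes."""
    lines = []
    for i in range(6):                        # ordinary browsing: only ports 80 and 443
        lines.append(f"{100 + i * 7}.0 192.0.2.10 -> 10.0.0.5:{443 if i % 2 else 80} flags=S")
    sweep = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389]
    for i, port in enumerate(sweep):          # 15 ports in 15 seconds
        lines.append(f"{200 + i}.0 198.51.100.7 -> 10.0.0.5:{port} flags=S")
    for i in range(25):                       # one port every 120 s: under any per-minute limit
        lines.append(f"{1000 + i * 120}.0 203.0.113.9 -> 10.0.0.5:{8000 + i} flags=S")
    for i, port in enumerate([22, 80, 443]):  # FIN+PSH+URG on a brand-new connection
        lines.append(f"{5000 + i}.0 203.0.113.44 -> 10.0.0.5:{port} flags=FPU")
    return lines


if __name__ == "__main__":
    for src, reasons in detect_scans([parse_line(l) for l in build_sample_log()]).items():
        print(src, "->", "; ".join(reasons))
```

The slow-scan rule is the one worth noting: the 203.0.113.9 source never exceeds one probe per minute, so a SYN-rate limit alone stays quiet, yet counting distinct ports over an hour still exposes it. In a real deployment the per-source lists would be kept in a bounded, time-expiring store rather than built from a full log in memory, and the thresholds would be set from a baseline of the environment's legitimate fan-out so that monitoring systems and load balancers do not trip them.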
 

Madman330 (Carding Novice) - Joined 16.02.25 - Messages 5 - Reaction score 1 - Points 3
I think this post is what I've been looking to do and where I need to shift my focus and knowledge. Can I PM you with questions?
 