Port scanning is the process of probing a target system to determine which network ports are open, closed, or protected by firewalls. Each open port represents a running service, and every service becomes a potential pathway for exploitation. Port scanning is one of the most important active reconnaissance techniques because it exposes exactly what surface the attacker sees.
This chapter includes full theory and fully detailed practical workflows for using Nmap, masscan, netcat, and manual probing techniques. Every concept is reinforced with real commands and examples.
Purpose of Port Scanning
Port scanning reveals:
- What servers are actually running
- Which services are exposed externally
- Version details for vulnerable services
- Firewall filtering behavior
- Misconfigurations such as open databases
- Unknown assets like test servers or forgotten services
Without port scanning, you cannot know which services can be exploited.
Port scanning is the starting point for:
- SSH brute force
- FTP enumeration
- Database exploitation
- HTTP endpoint discovery
- Vulnerability scanning
- Banner grabbing
- Service fingerprinting
Everything depends on your ability to map ports correctly.
How Port Scanning Works
Port scanning works by sending packets to target ports and analyzing responses.
Responses reveal the port state:
- Open → service actively listening
- Closed → host responds but no service available
- Filtered → firewall blocks traffic
- Unfiltered → host reachable, but port state unknown
- Open|Filtered → could not determine; usually UDP
Active recon begins by identifying all open ports, then fingerprinting each service.
Practical Port Scanning: Full Hands-On Guide
Below are practical steps you will actually execute on a pentest.
Step 1: Identify the Target Host
Perform a ping check:
ping -c 4 target.com
If ICMP is blocked, use DNS resolution to verify the host exists:
dig +short target.com
Resolve IP:
host target.com
Store it:
export IP=1.2.3.4
Now scanning begins.
Nmap: The Practical Core Tool
Nmap is the industry-standard port scanner. It supports fast scans, deep scans, version detection, OS detection, script scanning, and timing control.
Step 2: Perform a Fast Scan (Top 100 Ports)
nmap -F $IP
This gives a quick overview of common services.
Step 3: Full TCP Scan (All 65,535 Ports)
This is the real enumeration:
nmap -p- -sS -T4 $IP -oN full_tcp.txt
Explanation:
- -p- → scan all ports
- -sS → SYN scan (stealth, fast, reliable)
- -T4 → speed preset
- -oN → save output
This scan reveals all open TCP ports.
Step 4: Detailed Scan of Found Open Ports
Assume your full scan revealed:
22
80
3306
8080
Scan them with service detection:
nmap -sV -sC -p22,80,3306,8080 $IP -oN service_scan.txt
This enables:
- -sV → version detection
- -sC → default NSE scripts
Sample output interpretation:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu
80/tcp open http Apache 2.4.29
3306/tcp open mysql MySQL 5.7.33
8080/tcp open http Jetty 9.4.z-SNAPSHOT
Each version number becomes a vulnerability research target.
UDP Scanning (Often Ignored But Critical)
UDP scanning reveals services like:
- DNS (53)
- NTP (123)
- SNMP (161)
- TFTP (69)
- Syslog (514)
Run this:
nmap -sU --top-ports 50 $IP -oN udp_scan.txt
If port 161 is open, you test SNMP later.
If port 53 is open, you inspect DNS.
Practical Timing Control (To Avoid Detection)
Slow, stealthy scan:
nmap -sS -T1 -p- $IP
Aggressive scan (noisy but fast):
nmap -sS -T5 -p- $IP
Use speed depending on RoE (Rules of Engagement).
Step 5: Banner Grabbing
Banner grabbing reveals service versions manually.
Using Netcat
nc -nv $IP 22
Example banner:
SSH-2.0-OpenSSH_7.2p2 Ubuntu
Using Telnet
telnet $IP 80
Type:
HEAD / HTTP/1.1
Host: target.com
Output example:
Server: Apache/2.4.29 (Ubuntu)
Using OpenSSL for HTTPS
openssl s_client -connect $IP:443
Look for:
- certificate CN
- SAN entries
- internal names
- email addresses
- cloud provider references
Step 6: Masscan for Ultra-Fast Full Range Scanning
Masscan scans the entire TCP range in seconds.
masscan $IP -p1-65535 --rate=5000 -oG masscan.txt
Import discovered ports into Nmap:
# pull every port masscan marked open from the grepable output, dedupe, and join with commas
ports=$(grep -oE '[0-9]+/open' masscan.txt | cut -d/ -f1 | sort -nu | paste -sd, -)
nmap -sV -sC -p"$ports" $IP -oN deep_scan.txt
Masscan finds ports fast; Nmap fingerprints them deeply.
Step 7: HTTP/HTTPS Validation for Web Ports
Check whether a port is running a web service:
curl -I http://$IP:8080
Output example:
HTTP/1.1 200 OK
Server: Jetty(9.4.z-SNAPSHOT)
If no response, check HTTPS:
curl -I https://$IP:8443 -k
Now you know which ports host web servers for later directory brute forcing.
Step 8: Reconstructing the Attack Surface
After scanning, construct a structured attack surface map.
Example:
22/tcp SSH → Bruteforce? Version vuln?
80/tcp Apache → Web attack surface
443/tcp Nginx → HTTPS + reverse proxies
3306/tcp MySQL → Misconfigured database access
8080/tcp Jetty → Java-based admin panels
Every service becomes a potential vulnerability.
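Turning the service-scan output from Step 4 into the structured surface map of Step 8 is easier with a small parser. The following is an added example, not from the original text: it parses Nmap normal (-oN) output into records, groups them by state (so open|filtered UDP results are reviewed separately), and compares open ports against a hypothetical exposure baseline; the sample scan text and the baseline are constructed.

```python
"""Parse Nmap normal (-oN) output into port records and check exposure against a baseline."""
import re
from dataclasses import dataclass

# Constructed sample in Nmap -oN format (modelled on the text's service scan, not a real result).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for target.example (192.0.2.10)
Not shown: 994 closed tcp ports (reset)
PORT     STATE         SERVICE   VERSION
22/tcp   open          ssh       OpenSSH 7.2p2 Ubuntu
80/tcp   open          http      Apache httpd 2.4.29
3306/tcp open          mysql     MySQL 5.7.33
8080/tcp open          http      Jetty 9.4.z-SNAPSHOT
9100/tcp filtered      jetdirect
161/udp  open|filtered snmp
"""

# Ports the owner intends to expose (hypothetical baseline); any other open port is a finding.
EXPECTED_EXPOSURE = {(22, "tcp"), (80, "tcp")}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")  # port/proto state service [version]

@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str      # open, closed, filtered, unfiltered, open|filtered, ...
    service: str
    version: str    # empty when -sV could not identify the service

def parse_nmap_normal(text: str) -> list[PortRecord]:
    """Return one record per port line; report headers and 'Not shown' lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service, (version or "").strip()))
    return records

def by_state(records: list[PortRecord]) -> dict[str, list[PortRecord]]:
    """Group by Nmap state so open|filtered (UDP ambiguity) is reviewed separately from open."""
    grouped: dict[str, list[PortRecord]] = {}
    for r in records:
        grouped.setdefault(r.state, []).append(r)
    return grouped

def unexpected_exposure(records: list[PortRecord], expected=EXPECTED_EXPOSURE) -> list[PortRecord]:
    """Open ports the baseline does not sanction, e.g. a database listening externally."""
    return [r for r in records if r.state == "open" and (r.port, r.proto) not in expected]
```

On the sample above, the baseline check reports 3306/tcp and 8080/tcp, the two services an owner is least likely to have meant to expose.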
Step 9: Understanding Firewall Behavior Through Scans
Firewall behavior reveals security posture.
Pattern: All ports filtered
Means external firewall or cloud security group.
Pattern: Random filtered/open ports
Means host firewall with inconsistent rules.
Pattern: Proxy ports open on 80/443
Means load balancer in front (e.g., Cloudflare).
Pattern: Rate-limited responses
Indicates an IDS/IPS is throttling the scan.
Port scan patterns tell you how the network is protected and where misconfigurations exist.
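The same scan patterns look different from the defender's side. As an added example that is not from the original text, the detector below flags sources that touch many distinct destination ports within a sliding time window in firewall drop logs; the log lines are constructed in netfilter LOG style, and the year, window and threshold are assumptions. The timing presets discussed earlier decide which window catches a scan: a -T4/-T5 scan trips a one-minute window, while a -T1 scan only shows up in a much longer window with a higher threshold.

```python
"""Flag port-scan behaviour in netfilter-style firewall logs: one source, many distinct ports, short window."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed lines in the style of the netfilter LOG target; not from a real system.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23 SYN
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25 SYN
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443 SYN
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443 SYN
Jan 10 12:05:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=443 SYN
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*\bSRC=(\S+) .*\bDPT=(\d+)")

def parse_events(log: str, year: int = 2024) -> list[tuple[datetime, str, int]]:
    """Return (timestamp, src, dpt) sorted by time; syslog stamps carry no year, so one is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return sorted(events)

def scan_sources(events, window_s: int = 60, min_ports: int = 5) -> dict[str, int]:
    """Sources whose distinct destination-port count inside any window_s-second sliding
    window reaches min_ports, mapped to that peak count.  Short window + low threshold
    catches fast scans; a long window (hours) with a higher threshold catches slow ones."""
    per_src = defaultdict(list)
    for ts, src, dpt in events:
        per_src[src].append((ts, dpt))
    flagged = {}
    for src, hits in per_src.items():
        window, peak = deque(), 0
        for ts, dpt in hits:                      # hits are already time-ordered
            window.append((ts, dpt))
            while (ts - window[0][0]).total_seconds() > window_s:
                window.popleft()                  # drop probes older than the window
            peak = max(peak, len({d for _, d in window}))
        if peak >= min_ports:
            flagged[src] = peak
    return flagged
```

Run against a real log, the source touching a single port twice over five minutes (ordinary client behaviour) is never flagged, while the source hitting six ports in two seconds is.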
Step 10: Use NSE Scripts for Deeper Analysis
Nmap scripts reveal vulnerabilities and misconfigurations.
SMB Enumeration Example
nmap --script smb-os-discovery -p445 $IP
SSL/TLS Vulnerability Scan
nmap --script ssl-enum-ciphers -p443 $IP
MySQL Enumeration
nmap --script=mysql-info -p3306 $IP
Every script exposes additional intel.
Step 11: Manual Port-Specific Probing
Probe FTP Port (21)
nc $IP 21
Look for:
- anonymous login
- server version
Probe Redis (6379)
nc $IP 6379
INFO
If it responds, it’s exposed.
Probe MySQL (3306)
mysql -h $IP -u root
Many servers allow root login without password.
Step 12: Full Practical Workflow Summary
- Identify host
  host target.com
  ping -c 4 target.com
- Full TCP scan
  nmap -p- -sS $IP -oN all_ports.txt
- Service enumeration
  nmap -sV -sC -p<open ports> $IP -oN service_scan.txt
- UDP scan
  nmap -sU --top-ports 50 $IP
- Banner grabbing
  nc -nv $IP <port>
- Masscan for fast coverage
  masscan $IP -p1-65535 --rate=5000
- Analyze web services
  curl -I http://$IP:8080
- NSE script scanning
  nmap --script vuln -p<ports> $IP
By the end, you have the full attack surface mapped.
Intel Dump
- Port scanning exposes open, closed, and filtered ports.
- Practical workflow begins with fast scans, then full scans, then service detection.
- Nmap performs SYN scans, version detection, and NSE scripting.
- Masscan accelerates large port scanning.
- Banner grabbing manually retrieves service information.
- UDP scans reveal DNS, SNMP, NTP, and other UDP services.
- Detailed interpretation of results identifies misconfigured and vulnerable services.
- Port scanning shapes the entire attack path for exploitation.