Port Scanning Techniques

Peter Kacherginsky
14 min readDec 22, 2008

Port Scanning is a process of identifying listening ports on a networked system. It reveals a wealth of information about the target including running services, operating system, presence of a firewall.


Just as with other reconnaissance techniques, port scanning must be both efficient and reliable in order to be useful. Several techniques were developed to deal with firewalls, intrusion detection systems and other filtering devices while still being able to complete the scan in a timely manner. Today’s arsenal of port scanning techniques has moved far beyond the classic TCP Connect Scan to include a number of stealth and more efficient scans like SYN, ACK, and others that are described below.

TCP Port Scanning

TCP port scanning targets services utilizing Transmission Control Protocol (TCP). Such services include Web Servers, SSH, FTP, and others that require reliable communication.

TCP Connect Scan

TCP Connect Scan is the original form of port scanning which attempts to establish a complete connection with a range of ports. A connection is established to the target port with a complete three-way handshake exchange (SYN -> SYN/ACK -> ACK). A successful connection indicates an open port.

The exchange that happens when attempting to establish a TCP connection is described in RFC 793 as follows:

The synchronization requires each side to send it’s own initial sequence number and to receive a confirmation of it in acknowledgment from the other side. Each side must also receive the other side’s initial sequence number and send a confirming acknowledgment.

1) A → B SYN my sequence number is X 2) A ← B ACK your sequence number is X 3) A ← B SYN my sequence number is Y 4) A → B ACK your sequence number is Y

Because steps 2 and 3 can be combined in a single message this is called the three way (or three message) handshake.

If a port is closed, the host will respond with a RST (Reset) packet indicating a closed port. The behavior for closed ports is described in RFC 793 as follows:

1. If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means.

Peter Kacherginsky

Blockchain Security, Malware Analysis, Incident Response, Pentesting, BlockThreat.net