Port Scanning Techniques

Port Scanning is a process of identifying listening ports on a networked system. It reveals a wealth of information about the target including running services, operating system, presence of a firewall.

Introduction

Just as with other reconnaissance techniques, port scanning must be both efficient and reliable in order to be useful. Several techniques were developed to deal with firewalls, intrusion detection systems and other filtering devices while still being able to complete the scan in a timely manner. Today’s arsenal of port scanning techniques has moved far beyond the classic TCP Connect Scan to include a number of stealth and more efficient scans like SYN, ACK, and others that are described below.

TCP Port Scanning

TCP port scanning targets services utilizing Transmission Control Protocol (TCP). Such services include Web Servers, SSH, FTP, and others that require reliable communication.

TCP Connect Scan

TCP Connect Scan is the original form of port scanning which attempts to establish a complete connection with a range of ports. A connection is established to the target port with a complete three-way handshake exchange (SYN -> SYN/ACK -> ACK). A successful connection indicates an open port.

The exchange that happens when attempting to establish a TCP connection is described in RFC 793 as follows:

The synchronization requires each side to send it’s own…