Port Scanning Techniques

Port scanning is a fundamental process in network enumeration and vulnerability assessment. By probing a target system for open ports, you can uncover entry points that may be exploited by attackers or require further investigation. Port scanning helps you map the attack surface of a network, revealing which services are exposed and potentially vulnerable.

There are several scanning methods you can use to identify open ports, each with its own strengths and detection risks. The full connect scan, also known as a TCP connect scan, completes the entire TCP handshake with the target port. This approach is reliable but easily detected by intrusion detection systems (IDS). In contrast, stealth scanning, such as the SYN scan, sends only the initial SYN packet and analyzes the response without completing the handshake, making it harder to detect. UDP scans target User Datagram Protocol ports, which do not use handshake mechanisms and are often overlooked by administrators, but can reveal services that might otherwise go unnoticed.

# UDP scan example using Nmap
# This command scans all UDP ports on the target 192.168.1.1

nmap -sU 192.168.1.1

The -sU option in Nmap instructs the tool to perform a UDP scan. Unlike TCP scans, UDP scans probe for open UDP ports, which are commonly used for services like DNS, SNMP, and DHCP. Because UDP is connectionless, these ports can be more challenging to detect and are sometimes neglected in routine assessments, making UDP scanning a crucial part of comprehensive network enumeration.