Port Scanning and Discovery Techniques

2 min read Infrastructure & DevOps Security

Port Scanning and Discovery Techniques

Port scanning identifies open ports and running services, serving both legitimate administrative purposes and malicious reconnaissance. Understanding scanning techniques helps administrators audit their own systems while recognizing potential attack patterns. Various scanning methods provide different levels of stealth and information gathering.

Nmap remains the most powerful port scanning tool, supporting numerous scan types and service detection capabilities. Basic TCP connect scans establish full connections:

# Basic port scan
nmap -sT 192.168.1.100

# Comprehensive scan with service detection
nmap -sV -sC -O -p- 192.168.1.100

# Stealth SYN scan (requires root)
sudo nmap -sS -T4 192.168.1.0/24

# UDP scan for commonly exploited services
sudo nmap -sU -p 53,67,68,69,123,161,500,514,520,1900 192.168.1.100

Windows administrators can use built-in tools for basic port discovery:

# Test specific port connectivity
Test-NetConnection -ComputerName server.domain.com -Port 443

# Scan range of ports
1..1024 | ForEach-Object {
    $result = Test-NetConnection -ComputerName 192.168.1.100 -Port $_ -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        Write-Host "Port $_ is open"
    }
}

# Use PortQry for detailed analysis
.\PortQry.exe -n 192.168.1.100 -p tcp -e 135

Advanced scanning techniques reveal additional information about target systems. OS fingerprinting identifies operating system types based on TCP/IP stack implementations. Service version detection probes open ports to determine running applications and versions. Script scanning automates vulnerability checks against discovered services:

# Advanced Nmap scripting
nmap --script vuln 192.168.1.100
nmap --script smb-enum-shares,smb-enum-users 192.168.1.100
nmap --script http-enum 192.168.1.100

Internal scanning differs from external scanning due to network topology and security controls. Establish regular internal scanning schedules to identify unauthorized services, verify firewall rules, and detect configuration drift. Document baseline port configurations for comparison during security audits.