Scanning
Introduction to Scanning
SCANNING THEORY
🔍 What is Scanning?
Scanning is the process of identifying active systems, open ports, running services, and available network resources on a target machine or network. It is one of the earliest stages of a penetration test or security assessment.
During scanning, a security tester determines:
- Which hosts are online
- Which ports are open
- Which services are running
- Which operating system is being used
- Which protocols are accessible
Scanning helps security professionals understand the attack surface of a target system.
🎯 Why is Scanning Important?
Scanning helps in:
- Identifying exposed services
- Detecting insecure configurations
- Understanding network architecture
- Finding unnecessary open ports
- Discovering outdated services
- Mapping enterprise infrastructure
Attackers use scanning to locate entry points, while defenders use it to identify weaknesses before attackers do.
🧩 Types of Scanning
1) Port Scanning
Port scanning identifies open, closed, and filtered ports on a target machine.
Examples:
- Port 22 → SSH
- Port 80 → HTTP
- Port 443 → HTTPS
2) Network Scanning
Identifies active hosts and devices connected to a network.
3) Service Scanning
Detects services running behind open ports.
Examples:
- Apache Web Server
- Samba SMB Service
- OpenSSH
4) Vulnerability Scanning
Identifies known weaknesses in systems or applications.
🚦 Port States
During scanning, ports may appear in different states:
| State | Meaning |
| Open | Service is accepting connections |
| Closed | Port is reachable but unused |
| Filtered | Firewall or filtering prevents access |
Understanding port states is critical during reconnaissance.
🔄 TCP and UDP Scanning
TCP Scanning
TCP scanning is more reliable and commonly used. Most enterprise services use TCP.
Examples:
- HTTP
- HTTPS
- SSH
- FTP
UDP Scanning
UDP scanning is slower and less reliable but important for identifying services such as:
- DNS
- SNMP
- NTP
⚖ Active vs Passive Scanning
Active Scanning
The scanner directly interacts with the target system.
Examples:
- Nmap scans
- Banner grabbing
Passive Scanning
Information is gathered without directly communicating with the target.
Examples:
- Packet capture analysis
- OSINT
🖥 OS Fingerprinting
OS fingerprinting attempts to identify the operating system running on a target.
Common operating systems detected during scanning:
- Linux
- Windows
- Unix
- BSD
🏷 Banner Grabbing
Banner grabbing is the process of collecting information exposed by a service.
Examples:
- Apache version
- SSH version
- SMTP banner
This information helps security testers understand service versions and configurations.
🧠 Importance of Reconnaissance
Reconnaissance is the foundation of penetration testing.
Without proper scanning and information gathering:
- Vulnerabilities may be missed
- Attack paths remain unknown
- Systems cannot be mapped properly
Good reconnaissance increases assessment accuracy.
Does scanning help identify open ports?
Which protocol is commonly used by HTTPS?
What port state indicates firewall filtering?
Is UDP scanning generally slower than TCP scanning?
Which scanning type identifies active devices on a network?
True or False: Banner grabbing reveals service information.
Which port state accepts connections?
A tester wants to identify the operating system of a server. Which technique should be used?
True or False: Passive scanning directly communicates with the target system.
Which scanning category focuses on detecting services behind ports?
An administrator wants to identify exposed services in an organization. Which process should be performed first?
Which protocol is commonly associated with DNS queries?
True or False: Closed ports are unreachable.
What is the first major phase of reconnaissance?
A security analyst wants to discover listening services on a host. Which activity should be performed?
SCANNING PRACTICAL
PRACTICAL SCANNING
🔍 What is Practical Scanning?
Practical scanning involves using specialized tools to discover hosts, open ports, running services, and operating systems on a network.
The most commonly used scanning tool is Nmap.
🛰 Nmap Overview
Nmap is a powerful open-source network scanning tool widely used by:
- Penetration testers
- System administrators
- SOC analysts
- Network engineers
Nmap can:
- Identify open ports
- Detect services
- Identify operating systems
- Perform banner grabbing
- Run NSE scripts
⚡ Common Scanning Techniques
📡 Basic Host Discovery
Ping Sweep
Used to identify whether a host is online.
ping <IP> 🔎 Basic Nmap Scan
Scans common ports on a target system.
nmap <IP> 🕵 SYN Scan
Performs a stealthier TCP scan by sending SYN packets without completing the full TCP handshake.
nmap -sS <IP> 🧩 Service Version Detection
Detects running services and their versions on open ports.
nmap -sV <IP> 🚀 Aggressive Scan
Aggressive scanning performs multiple detection techniques together.
- Service detection
- OS detection
- Traceroute
- NSE scanning
nmap -A <IP> 📶 UDP Scan
Used to identify UDP services such as DNS, SNMP, and NTP.
nmap -sU <IP> 🧱 Full Port Scan
Scans all TCP ports on the target machine.
nmap -p- <IP> 💾 Saving Scan Results
Nmap scan results can be exported and stored for analysis.
nmap -oN result.txt <IP> ⏱ Timing Templates
Timing templates control scan speed and performance.
nmap -T4 <IP> nmap -T5 <IP> Higher timing values increase scanning speed.
🏷 Banner Grabbing with Netcat
Netcat can manually connect to services and capture banners.
nc <IP> 25 📞 Using Telnet
Telnet can interact directly with TCP services for testing and enumeration.
telnet <IP> 110 🛠 Practical Scanning Workflow
- Identify active hosts
- Perform port scans
- Detect services
- Identify operating systems
- Save scan results
- Analyze findings
Following a structured workflow improves scanning efficiency and reduces missed information.
Which tool is most commonly used for network scanning?
Which Nmap option performs service detection ?
True or False: The -A option enables aggressive scanning.
A tester wants to scan all TCP ports on a server. Which option should be used?
Which command is used for UDP scanning ?
Which tool can manually connect to a TCP service for banner grabbing ?
True or False: Telnet can interact with remote services.
Which Nmap scan type is considered stealthier ?
Which option is used to save Nmap scan results ?
A security analyst wants to identify the operating system of a target. Which command is commonly used ?
Which protocol does ping primarily use ?
True or False: Timing templates control scan speed.
Which command identifies service versions running on a host ?
A penetration tester wants faster scans during an internal assessment.
Which timing option is commonly used?
Which utility is commonly used for banner grabbing over SMTP ?