This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Port Scanning

Port scanning is the process of probing the TCP or UDP ports of a remote machine to discover which services are listening on the target, and therefore what potential attack vectors may exist.

The simplest TCP port scanning technique, usually called CONNECT scanning, relies on the TCP three-way handshake. The scanning host sends a TCP SYN packet to the target on the destination port. If the port is open, the target responds with a SYN-ACK and the client completes the handshake with an ACK; if the port is closed, the target answers with a RST and the connection is refused. If the handshake completes successfully, the port is considered open. Because the scanner uses the operating system's ordinary connect() call, no special privileges are needed, but a full connection is established on every open port and the service behind it will usually log it.

We can demonstrate this with Netcat. It is not really a scanning tool, but it is simple, and its -z option connects without sending any data and reports only whether the port accepted the connection. We will use it against scanme.nmap.org, a host the Nmap project provides for exactly this kind of test scanning.

With Netcat

TCP

nc -vvz scanme.nmap.org 20-30 # -vv for verbose output, -z to only check whether the port accepts a connection; the flags can also be written separately as -vv -z
scanme.nmap.org [45.33.32.156] 30 (?) : Connection refused
scanme.nmap.org [45.33.32.156] 29 (?) : Connection refused
scanme.nmap.org [45.33.32.156] 28 (?) : Connection refused
scanme.nmap.org [45.33.32.156] 27 (?) : Connection refused
scanme.nmap.org [45.33.32.156] 26 (?) : Connection refused
scanme.nmap.org [45.33.32.156] 25 (smtp) : Connection refused
scanme.nmap.org [45.33.32.156] 24 (?) : Connection refused
scanme.nmap.org [45.33.32.156] 23 (telnet) : Connection refused
scanme.nmap.org [45.33.32.156] 22 (ssh) open
scanme.nmap.org [45.33.32.156] 21 (ftp) : Connection refused
scanme.nmap.org [45.33.32.156] 20 (ftp-data) : Connection refused
 sent 0, rcvd 0

The default is to connect using TCP. The service names shown in parentheses are not learned from the target: Netcat looks the port number up in the local services file (/etc/services), so "(ssh)" only says what usually runs on that port, not what is actually listening there.

UDP

nc -vvzu scanme.nmap.org 120-123 # -u to scan UDP
scanme.nmap.org [45.33.32.156] 123 (ntp) open
scanme.nmap.org [45.33.32.156] 122 (?) : Connection refused
scanme.nmap.org [45.33.32.156] 121 (?) : Connection refused
scanme.nmap.org [45.33.32.156] 120 (?) open
 sent 0, rcvd 0

UDP is connectionless, so there is no handshake to confirm anything. Netcat reports a UDP port as refused when the target answers its datagram with an ICMP port unreachable message, and as open when no such message arrives. That makes "open" unreliable: a firewall that silently drops the probe, or the target rate limiting its ICMP errors (Linux sends about one per second by default), look exactly like an open port. Port 120 above is an example; the Nmap UDP scan further down reports it as closed.

With NMAP

Nmap is one of the most popular, versatile, and robust port scanners available. It has been actively developed for over two decades and offers numerous features beyond port scanning. Some of the Nmap example scans in this section are run with sudo, because several scan types need raw sockets, which in turn require root privileges. Raw sockets let Nmap craft and read TCP and UDP packets directly instead of going through the kernel's connect(). By default an Nmap TCP scan covers the 1000 most commonly used ports on the target, as a SYN scan when running as root and as a connect scan otherwise.

TCP

  • Default

nmap scanme.nmap.org
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 13:51 +03
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.22s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 993 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
2000/tcp  open  cisco-sccp
5060/tcp  open  sip
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds
  • Specified Ports

nmap -p- scanme.nmap.org # All 65535 ports (-p- is shorthand for 1-65535)
nmap -p22,53,80 scanme.nmap.org google.com # Comma separated ports; several targets can be listed
nmap -p22-80 scanme.nmap.org # Scans the whole range from 22 up to 80 (output shown below)
nmap -p 1-65535 scanme.nmap.org  # All ports, explicit range from 1 to 65535
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 13:59 +03
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.21s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 56 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
  • SYN Scan

    • SYN scanning, also called half-open scanning, sends a SYN packet to each target port without completing the TCP handshake. If the port is open the target answers with SYN-ACK, which is all the scanner needs to know; it then sends a RST instead of the final ACK, so no full connection is ever established and the service itself never sees a client. If the port is closed the target answers with RST, and if nothing comes back the port is reported as filtered. Crafting raw SYN packets requires root privileges, so Nmap needs sudo for this scan; it is the scan type Nmap uses by default when run as root.

sudo nmap -sS scanme.nmap.org
  • TCP Connect Scan

    • As discussed at the beginning of the section, this scan completes the three-way handshake using the operating system's connect() call, so it needs no special privileges and is what Nmap falls back to when run without root. The trade-off is that every open port sees a completed connection, which is more likely to appear in the service's logs than a half-open SYN.

nmap -sT scanme.nmap.org
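What the SYN scan exchanges on the wire, as an added Python example that is neither Nmap's code nor part of the original page: it builds the SYN probe byte for byte with a valid TCP checksum, classifies a SYN-ACK as open, a RST as closed and silence as filtered, and builds the RST that the scanner sends in place of the final ACK. Sending these would need a raw socket and root, so the target's replies are constructed in simulate_exchange(); the addresses 10.0.0.5 and 10.0.0.9, the ports and the sequence numbers are made up for the illustration.

```python
import socket
import struct

# TCP flag bits (the flags byte of the header)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data offset, flags, window, checksum, urgent


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=1024):
    """Build a 20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment):
    """With a correct checksum the sum over pseudo-header + segment folds to zero."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_segment(segment):
    """Decode the fixed part of a TCP header into a dict."""
    sport, dport, seq, ack, _off, flags, window, csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "checksum": csum}


def build_syn_probe(src_ip, dst_ip, sport, dport, isn):
    """What the scanner sends: a bare SYN carrying our initial sequence number."""
    return build_segment(src_ip, dst_ip, sport, dport, isn, 0, SYN)


def classify_reply(sport, dport, isn, reply):
    """Port state from the reply to our SYN; reply=None means nothing came back."""
    if reply is None:
        return "filtered"          # no SYN-ACK and no RST: probe or answer was dropped
    seg = parse_segment(reply)
    if seg["sport"] != dport or seg["dport"] != sport:
        return "unrelated"         # not addressed to our probe's ports
    if seg["flags"] & RST:
        return "closed"            # target refused: nothing listening
    if seg["flags"] & SYN and seg["flags"] & ACK and seg["ack"] == isn + 1:
        return "open"              # target acknowledged exactly our SYN
    return "unexpected"


def build_teardown(src_ip, dst_ip, sport, dport, isn):
    """Instead of the final ACK, a SYN scanner answers an open port with RST so the
    half-open connection is discarded and the service never sees a completed connect."""
    return build_segment(src_ip, dst_ip, sport, dport, isn + 1, 0, RST)


def simulate_exchange():
    """Constructed exchange (not a capture): scanner 10.0.0.5 probes target 10.0.0.9."""
    scanner, target, sport, isn = "10.0.0.5", "10.0.0.9", 40000, 0x11223344
    replies = {
        # open port: target answers SYN-ACK acknowledging isn + 1
        22: build_segment(target, scanner, 22, sport, 0x5A5A5A5A, isn + 1, SYN | ACK),
        # closed port: target answers RST (ACK bit set, seq 0, ack isn + 1, per RFC 793)
        25: build_segment(target, scanner, 25, sport, 0, isn + 1, RST | ACK),
        # filtered port: nothing ever comes back
        135: None,
    }
    return {port: classify_reply(sport, port, isn, reply) for port, reply in replies.items()}


if __name__ == "__main__":
    for port, state in simulate_exchange().items():
        print(f"{port}/tcp {state}")
```

The classification mirrors the three states Nmap reports for -sS; the ack-number check on the SYN-ACK is what ties a reply to our own probe rather than to unrelated traffic on the same ports.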

UDP

  • Default

nmap -sU -p 120-123 scanme.nmap.org
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 14:09 +03
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.21s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f

PORT    STATE  SERVICE
120/udp closed cfdptkt
121/udp closed erpc
122/udp closed smakynet
123/udp open   ntp

Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds
  • With TCP

    • TCP and UDP scans can be combined in a single run, and ports can still be specified: in -p, prefix UDP ports with U: and TCP ports with T:, for example -p U:53,123,T:22,80 (a port list without any prefix is applied to every protocol being scanned). In the UDP output above a port is reported closed only because the target answered with an ICMP port unreachable; when nothing comes back at all Nmap reports open|filtered, and adding -sV helps by sending protocol-specific probes that a real service will answer. Like -sS, -sU needs raw sockets, so it runs with sudo.

sudo nmap -sU -sS scanme.nmap.org
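How a UDP scanner decides between closed and open|filtered, as an added Python example that is not taken from the page or from Nmap: each probe is one datagram on a connected UDP socket, so the kernel reports the target's ICMP port unreachable back as ECONNREFUSED, a reply means open, and silence can only be reported as open|filtered. It runs offline against a constructed echo service and an unbound port on 127.0.0.1; the service, payload and function names are the example's own.

```python
import contextlib
import socket
import threading


def udp_probe(host, port, payload=b"", timeout=1.0):
    """Send one datagram and interpret the outcome the way a UDP scanner does.

    Returns "open" (the service replied with data), "closed" (the target sent an
    ICMP port unreachable) or "open|filtered" (silence: either the service does not
    answer this payload, or a firewall dropped the probe or the ICMP error).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # connect() on a UDP socket sends nothing; it only fixes the peer, which is
        # what makes the kernel deliver the ICMP unreachable for it as ECONNREFUSED.
        sock.connect((host, port))
        sock.send(payload)  # an empty datagram is enough to trigger the ICMP error
        sock.recv(4096)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        sock.close()


@contextlib.contextmanager
def udp_echo_service():
    """Constructed UDP service on 127.0.0.1 that echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)  # lets the worker notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(4096)
            except socket.timeout:
                continue
            except OSError:
                return  # socket closed underneath us
            srv.sendto(b"echo:" + data, peer)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield srv.getsockname()[1]
    finally:
        stop.set()
        worker.join()
        srv.close()


def closed_udp_port():
    """Constructed target: a 127.0.0.1 UDP port with nothing bound to it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def udp_demo():
    """Probe one echoing and one closed loopback port; returns their two states."""
    with udp_echo_service() as open_port:
        return (udp_probe("127.0.0.1", open_port, b"ping"),
                udp_probe("127.0.0.1", closed_udp_port()))


if __name__ == "__main__":
    for port_kind, state in zip(("echo service", "unbound port"), udp_demo()):
        print(f"{port_kind}: {state}")
```

The echo service answers any payload; a real service such as NTP only answers a well-formed request, which is why probing with an empty datagram often yields open|filtered and why Nmap's -sV probes improve UDP results.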

Common Nmap Options

Option / Switch   Function
-sS               TCP SYN scan (half-open; needs raw sockets, so run with sudo; Nmap's default as root)
-sT               TCP connect scan (full handshake; Nmap's default without root)
-sU               UDP scan (needs raw sockets)
-sC               Run the default NSE scripts
-sV               Service version detection
-O                OS detection (needs raw sockets)
-A                Aggressive scan: enables OS detection (-O), version detection (-sV), default scripts (-sC) and traceroute (--traceroute)


With PowerShell

  • Using Test-NetConnection

Test-NetConnection -Port 22 scanme.nmap.org
ComputerName     : scanme.nmap.org
RemoteAddress    : 45.33.32.156
RemotePort       : 22
InterfaceAlias   : Wi-Fi
SourceAddress    : 192.168.5.54
TcpTestSucceeded : True
  • Using Net.Sockets.TcpClient

    • This method is slow, so limit it to the ports you are actually interested in. It works because TcpClient.Connect() throws an exception when the connection is refused or times out; 2>$null discards those errors, so only ports that accept a connection print a line.

# Scan specific ports
22,23,53,80  | % { echo  ((New-Object Net.Sockets.TcpClient).Connect("scanme.nmap.org", $_)) "TCP port $_ is open"} 2>$null
# Scan range of ports
22..80  | % { echo  ((New-Object Net.Sockets.TcpClient).Connect("scanme.nmap.org", $_)) "TCP port $_ is open"} 2>$null
TCP port 22 is open
TCP port 53 is open
TCP port 80 is open
