Network Scanning Techniques

Go back to Tutorial

Network Scanning Types

TCP scanning – The simplest port scanners use the operating system’s network functions and are generally the next option to go to when SYN is not a feasible option (described next). Nmap calls this mode connect scan, named after the Unix connect() system call. If a port is open, the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection to avoid performing a Denial-of-service attack. Otherwise an error code is returned. This scan mode has the advantage that the user does not require special privileges. However, using the OS network functions prevents low-level control, so this scan type is less common. This method is “noisy”, particularly if it is a “portsweep”: the services can log the sender IP address and Intrusion detection systems can raise an alarm.

SYN scanning – SYN scan is another form of TCP scanning. Rather than use the operating system’s network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as “half-open scanning”, because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed. If the port is closed but unfiltered, the target will instantly respond with a RST packet.

The use of raw networking has several advantages, giving the scanner full control of the packets sent and the timeout for responses, and allowing detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection. However, the RST during the handshake can cause problems for some network stacks, in particular simple devices like printers. There are no conclusive arguments either way.

UDP scanning – UDP scanning is also possible, although there are technical challenges. UDP is a connectionless protocol so there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by a firewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by ICMP rate limiting.

An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response, if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application specific probe packet is available. Some tools (e.g., nmap) generally have probes for less than 20 UDP services, while some commercial tools (e.g., nessus) have as many as 70. In some cases, a service may be listening on the port, but configured not to respond to the particular probe packet.

ACK scanning – ACK scanning is one of the more unusual scan types, as it does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered. This is especially good when attempting to probe for the existence of a firewall and its rulesets. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall might not.

Window scanning

Rarely used because of its outdated nature, window scanning is fairly untrustworthy in determining whether a port is opened or closed. It generates the same packet as an ACK scan, but checks whether the window field of the packet has been modified. When the packet reaches its destination, a design flaw attempts to create a window size for the packet if the port is open, flagging the window field of the packet with 1’s before it returns to the sender. Using this scanning technique with systems that no longer support this implementation returns 0’s for the window field, labeling open ports as closed.

FIN scanning – Since SYN scans are not surreptitious enough, firewalls are, in general, scanning for and blocking packets in the form of SYN packets. FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP, and is in some ways an inescapable downfall.

Other scan types

Some more unusual scan types exist. These have various limitations and are not widely used. Nmap supports most of these.

  • Protocol scan – determines what IP level protocols (TCP, UDP, GRE, etc.) are enabled.
  • Proxy scan – a proxy (SOCKS or HTTP) is used to perform the scan. The target will see the proxy’s IP address as the source. This can also be done using some FTP servers.
  • Idle scan – Another method of scanning without revealing one’s IP address, taking advantage of the predictable IP ID flaw.
  • CatSCAN – Checks ports for erroneous packets.
  • ICMP scan – determines if a host responds to ICMP requests, such as echo (ping), netmask, etc.

Port Scanning

The act of systematically scanning a computer’s ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer. Types of port scans

  • vanilla: the scanner attempts to connect to all 65,535 ports
  • strobe: a more focused scan looking only for known services to exploit
  • fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall
  • UDP: the scanner looks for open UDP ports
  • sweep: the scanner connects to the same port on more than one machine
  • FTP bounce: the scanner goes through an FTP serverin order to disguise the source of the scan
  • stealth scan: the scanner blocks the scanned computer from recording the port scan activities.

Port scanning in and of itself is not a crime. There is no way to stop someone from port scanning your computer while you are on the Internet because accessing an Internet server opens a port, which opens a door to your computer. There are, however, software products that can stop a port scanner from doing any damage to your system.

A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it.

A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service,. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine.

To portsweep is to scan multiple hosts for a specific listening port. The latter is typically used to search for a specific service, for example, an SQL-based computer worm may portsweep looking for hosts listening on TCP port 1433.

Some port scanners scan only the most common port numbers, or ports most commonly associated with vulnerable services, on a given host. The result of a scan on a port is usually generalized into one of three categories:

  • Open or Accepted: The host sent a reply indicating that a service is listening on the port.
  • Closed or Denied or Not Listening: The host sent a reply indicating that connections will be denied to the port.
  • Filtered, Dropped or Blocked: There was no reply from the host.

Open ports present two vulnerabilities of which administrators must be wary:

  • Security and stability concerns associated with the program responsible for delivering the service – Open ports.
  • Security and stability concerns associated with the operating system that is running on the host – Open or Closed ports.

Filtered ports do not tend to present vulnerabilities.

Ping Sweep

A machine is active on the network, should be found before attack. It is accomplished by a ping sweep. Although ping is found on every system running TCP/IP, but is restricted by many organizations.

Ping is used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer and back. The name comes from active sonar terminology which sends a pulse of sound and listens for the echo to detect objects underwater.

Options and output vary widely depending on implementation (see man ping for the system you are using). They frequently include changing the size of the payload, count of tests, and limiting the number of hops (TTL). Many systems provide a companion utility, ping6, for testing using Internet Protocol version 6 (IPv6). The results of the test usually include a statistical summary of the response packets received, including the minimum, maximum, and the mean round-trip times, and standard deviation of the mean.

Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP echo reply. It measures the time from transmission to reception (round-trip time) and reports any packet loss. If the target device is unreachable, a request time out is returned. Ping is a useful tool to identify active machines and to measure the speed at which packets are moved from one host to another or to get details like the TTL.


Ping does have a couple of drawbacks: First, only one system at a time is pinged and second, not all networks allow ping. To ping a large amount of hosts, a ping sweep is usually performed. Programs that perform ping sweeps typically sweep through a range of devices to determine which ones are active. Some of the programs that will perform ping sweeps include Angry IP Scanner, Pinger, WS_Ping_ProPack. Network scan tools, Super Scan and Nmap.

Ping sweep is a method that can establish a range of IP addresses which map to live hosts.

The classic tool used for ping sweeps is fping, which traditionally was accompanied by gping to generate the list of hosts for large subnets, although more recent version of fping include that functionality. Well-known tools with ping sweep capability include nmap for Unix systems, and the Pinger software from Rhino9 for Windows NT.

OS Fingerprinting

OS fingerprinting is the process of determining the operating system used by a host on a network.

Types of OS fingerprinting are

  • Active fingerprinting – Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding replies.
  • Passive fingerprinting – Passive fingerprinting is the process of analysing packets from a host on a network. In this case, fingerprinter acts as a sniffer and doesn’t put any traffic on a network.

Fingerprinting techniques – Almost all fingerprinting techniques are based on detecting difference in packets generated by different operating systems. Common techniques are based on analysing:

  • IP TTL values
  • IP ID values
  • TCP Window size
  • TCP Options (generally, in TCP SYN and SYN+ACK packets)
  • DHCP requests
  • ICMP requests
  • HTTP packets (generally, User-Agent field).
  • Running services
  • Open port patterns

The IP TTL value Different OSes set the TTL to unique values on outbound packets. The TCP Window Size OS vendors use different values for the initial window size. The IP DF Option Not all OS vendors handle fragmentation in the same way. The IP Type of Service (TOS) Option TOS is a three-bit field that controls the priority of specific packets. Again, not all vendors implement this option in the same way. Other items that can be examined include IP Identification Number (IPID), IP options, TCP options, and even ICMP. Many passive fingerprinters are getting confused when analysing packets from a NAT device.

Tools used for active fingerprinters is Nmap and for passive fingerprinters are NetworkMiner, p0f and Satori

Active fingerprinting is more powerful than passive fingerprint scanning because the hacker doesn’t have to wait for random packets, but, active fingerprinting is not as stealthy as passive fingerprinting. Active fingerprinting has a much higher potential for being discovered or noticed. Some methods used in active fingerprinting are

  • The FIN probe A FIN packet is sent to an open port, and the response is recorded. Although RFC 793 states that the required behavior is not to respond, many OSes such as Windows will respond with a RESET.
  • Bogus flag probe As you might remember from Table 3.7, there are only six valid flags in the 1 byte TCP header. A bogus flag probe sets one of the used flags along with the SYN flag in an initial packet. Linux will respond by setting the same flag in the subsequent packet.
  • Initial Sequence Number (ISN) sampling This fingerprinting technique works by looking for patterns in the ISN number. Although some systems use truly random numbers, others, such as Windows, increment the number by a small fixed amount.
  • IPID sampling Many systems increment a systemwide IPID value for each packet they send. Others, such as older versions of Windows, do not put the IPID in network byte order, so they increment the number by 256 for each packet.
  • TCP initial window This fingerprint technique works by tracking the window size in packets returned from the target device. Many OSes use exact sizes that can be matched against a database to uniquely identify the OS.
  • ACK value Again, vendors differ in the ways they have implemented the TCP/IP stack. Some OSes send back the previous value +1, whereas others send back more random values.
  • Type of service This fingerprinting type tweaks ICMP port unreachable messages and examines the value in the type of service (TOS) field. Whereas some use 0, others return different values.

Go back to Tutorial

Get industry recognized certification – Contact us