What is Port Scanning?
Port scanning is a method of determining which ports on a network host are open and what services are running. It is a fundamental reconnaissance technique used by both security professionals (for auditing) and attackers (for finding targets).
Scan Types
TCP Connect Scan
Completes the full TCP three-way handshake (SYN → SYN-ACK → ACK). Reliable but easily logged by intrusion detection systems.
SYN Scan (Half-Open)
Sends a SYN packet and waits for SYN-ACK. Does not complete the handshake — faster and stealthier than a full connect scan.
UDP Scan
Sends UDP packets to target ports. Slower and less reliable due to the connectionless nature of UDP. Used to discover services like DNS, SNMP, and DHCP.
FIN / XMAS / NULL Scans
Send packets with unusual TCP flag combinations to bypass simple firewalls and packet filters.
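The flag patterns described above are also what a defender watches for. As an added example (not code from the original page or any scanner project), the script below classifies constructed per-connection records by the scan type they resemble and raises an alert for any source that probes many distinct ports with the same pattern. The IP addresses and records are constructed samples; flag letters follow tcpdump's convention (S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST).

```python
"""Classify TCP probes by flag pattern and flag sources that sweep many ports.

Each record is a constructed (src_ip, dst_port, client_flags, handshake_done)
tuple summarising what one client sent to one port and whether the three-way
handshake completed. Addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict

FLOWS = [
    # 198.51.100.7: SYN to many ports, RST after the SYN-ACK, never ACKs -> half-open scan
    *[("198.51.100.7", p, "SR", False) for p in (22, 80, 443, 3306, 8080, 8443)],
    # 203.0.113.9: segments carrying no flags at all -> NULL scan
    *[("203.0.113.9", p, "", False) for p in (21, 22, 23, 25, 80)],
    # 192.0.2.44: ordinary client completing handshakes to two services
    ("192.0.2.44", 80, "SA", True),
    ("192.0.2.44", 443, "SA", True),
]


def classify_probe(client_flags, handshake_done):
    """Map one client's flag usage against a port to a scan type from the text."""
    flags = set(client_flags)
    if not flags:
        return "null"                      # no flags set at all
    if flags == {"F", "P", "U"}:
        return "xmas"                      # FIN+PSH+URG "lit up" segment
    if flags == {"F"}:
        return "fin"                       # lone FIN to a port with no connection
    if "S" in flags and handshake_done:
        return "connect"                   # full handshake, shows up in connection logs
    if "S" in flags and "A" not in flags:
        return "syn_half_open"             # SYN sent, handshake never completed
    return "other"


def detect_scanners(flows, min_ports=5):
    """Return [(src, scan_type, distinct_ports)] for every source that probes
    at least min_ports distinct ports with the same recognised pattern."""
    ports = defaultdict(set)               # (src, scan_type) -> ports touched
    for src, dport, client_flags, done in flows:
        ports[(src, classify_probe(client_flags, done))].add(dport)
    return sorted(
        (src, kind, len(seen))
        for (src, kind), seen in ports.items()
        if kind != "other" and len(seen) >= min_ports
    )


if __name__ == "__main__":
    for src, kind, n in detect_scanners(FLOWS):
        print(f"{src}: {kind} scan pattern across {n} ports")
```

A normal client (192.0.2.44 here) touching two services stays below the threshold, while both scanning sources are reported with the pattern they used.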
Common Tools
| Tool | Speed | Language | Key Feature |
|---|---|---|---|
| Nmap | Moderate | C | Most feature-rich, scripting engine |
| Masscan | Very fast | C | Internet-scale scanning |
| ZMap | Very fast | C | Single-port high-speed scanning |
| RustScan | Fast | Rust | Modern, pipes to Nmap |
Legal Considerations
Port scanning legality varies by jurisdiction:
- Authorized testing — always legal with written permission
- Unauthorized scanning — may violate computer misuse laws
- Internet-wide scanning — legal in most places for research, but may trigger ISP abuse reports
Always ensure you have proper authorization before scanning.
Passive Alternative
Instead of active scanning, use Zondex to passively discover open ports and services without sending any traffic to the target. This avoids legal concerns and detection.
- Search `port:22 country:US` to find SSH servers in the US
- Search `service:http` to find all web servers