• TCP Scanning
  • UDP Scanning
  • Learning Kali Linux





    Port Scanning | 101


    standard for port scanning is nmap, so we’ll start by using that and then look at other
    tools for high-speed scanning, used for scanning really large networks in a
    time-efficient manner.
    TCP Scanning
    TCP is a connection-oriented protocol. Because it is connection oriented, which
    means the two ends of the conversation keep track of what is happening, the
    communication can be considered to be guaranteed. It’s only guaranteed, though, under the
    control of the two endpoints. If something were to happen in the middle of the
    network between those two systems, the communication isn’t guaranteed to get there,
    but you are guaranteed to know when the transmission fails. Also, if an endpoint
    doesn’t receive a transmission, the sending party will know that.
    Because TCP is connection-oriented, it uses a three-way handshake to establish that
    connection. TCP port scans generally take advantage of that handshake to determine
    whether ports are open. If a SYN message, the start of the three-way handshake, gets
    sent to a server and the port is open, the server will respond with a SYN/ACK
    message. If the port is not open, the server will respond by sending a RST (reset) message
    indicating that the sending system should stand down and not send any more
    messages. This clearly tells the sending system that the port is not available.
    The challenge with any port scanning, and potentially TCP most of all, is firewalls or
    other port-blocking mechanisms. When a message is sent, firewalls or access control
    lists can prevent the message from getting through. This can leave the sending host in
    an uncertain state. Having no response doesn’t indicate that the port is open or
    closed, because there may simply be no response at all if the firewall or access control
    list just drops the inbound message.
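
The three outcomes described above (SYN/ACK, RST, or silence) can be read back out of traffic records. The following is an added example, not code from the book: it classifies each initial SYN by the reply it received and lists clients that touched several ports on one server. The log notation, addresses and the `min_ports` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture): "src:port > dst:port FLAGS",
# where S = SYN, A = ACK, R = RST. This notation is an assumption of the example.
SAMPLE = """\
10.0.0.5:40001 > 10.0.0.9:22 S
10.0.0.9:22 > 10.0.0.5:40001 SA
10.0.0.5:40001 > 10.0.0.9:22 A
10.0.0.5:40002 > 10.0.0.9:23 S
10.0.0.9:23 > 10.0.0.5:40002 R
10.0.0.5:40003 > 10.0.0.9:80 S
10.0.0.9:80 > 10.0.0.5:40003 SA
10.0.0.5:40004 > 10.0.0.9:445 S
"""

def parse(line):
    """Split one summary line into (src_ip, src_port, dst_ip, dst_port, flags)."""
    src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), set(flags)

def classify(lines):
    """Map (client, server, port) to open / closed / no-response per initial SYN."""
    probes = {}  # (client, client_port, server, port) -> state
    for line in lines:
        if not line.strip():
            continue
        sip, sport, dip, dport, flags = parse(line)
        if flags == {"S"}:
            # Start of the handshake; until a reply is seen the state is unknown.
            probes.setdefault((sip, sport, dip, dport), "no-response")
            continue
        key = (dip, dport, sip, sport)  # a reply reverses the 4-tuple
        if probes.get(key) == "no-response":
            if flags == {"S", "A"}:
                probes[key] = "open"      # SYN/ACK: port is listening
            elif "R" in flags:
                probes[key] = "closed"    # RST: port is not available
    return {(c, s, p): state for (c, _, s, p), state in probes.items()}

def port_sweepers(states, min_ports=3):
    """Clients that sent SYNs to at least min_ports ports on one server."""
    seen = defaultdict(set)
    for client, server, port in states:
        seen[(client, server)].add(port)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

if __name__ == "__main__":
    states = classify(SAMPLE.splitlines())
    print(states, port_sweepers(states))
```

A `no-response` entry is the uncertain state the text describes: the SYN may have been dropped by a firewall or access control list, so the record alone does not say whether the port is open or closed.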
    Another aspect to port scanning with TCP is that the protocol specifies header flags
    aside from the SYN and ACK flags. This opens the door to sending other types of
    messages to remote systems to see how they respond. Systems will respond in
    different ways, based on the different flags that are configured.
    UDP Scanning
    UDP is a simple protocol. There are no connections and no guarantee of delivery or
    notification. Therefore, UDP scanning can be more challenging. This may seem
    counterintuitive, considering UDP is simple.
    With TCP, the protocol defines interactions. A client is expected to send a message
    with the SYN flag set in the TCP header. When it’s received on an open port, the
    server responds with a SYN and an ACK. The client responds with an ACK. This
    guarantees that both parties in the communication know that the other end is there.
