Basic Port Scanning Techniques
There is a wide range of port scanning techniques to choose from as a cybersecurity professional. EC-Council's C|PENT certification course teaches many of these techniques, focusing on the latest approaches. Four of the most common techniques you will encounter are ping scans, vanilla scans, SYN scans, and XMAS scans.
Ping scans are one of the most basic port scanning techniques. In a ping scan, the scanner sends several Internet Control Message Protocol (ICMP) requests to different servers in an attempt to elicit a response. The goal is to see whether the scanner can deliver a packet to an IP address without issue. If a response is received, it indicates the absence of a firewall or other type of network protection (Avast Business, 2021).
SYN scans, or half-open scans, determine whether a port is open and accepting connections. The scanner does this by initiating a TCP connection to the target port with a SYN (request to connect) message. It learns the status of the port when the target answers with an acknowledgment (SYN-ACK). Because the scanner takes no further action and never completes the TCP connection, the target system does not log the interaction (Palo Alto Networks, 2012).
Vanilla scans, or full-connect scans, work much like SYN scans but at a larger scale. The scanner sends SYN messages to all 65,536 ports in a network to elicit SYN-ACK responses from as many as possible. When it receives an acknowledgment, it replies with a final ACK to complete the TCP handshake and connect to the port. While these scans are highly accurate and comprehensive, they are also easily detected, since target networks log full-connect interactions (Palo Alto Networks, 2012).
XMAS scans are another covert scanning technique that rarely appears in monitoring logs, because they take advantage of FIN packets: the packets a server or client normally sends to terminate a TCP connection. An XMAS scan sends the server packets that set all the necessary TCP flags, such as SYN and ACK, together with the FIN flag, so that the connection is terminated at the same moment it is requested. Usually this elicits no response, which indicates that the target port is open. If the scanner instead receives an RST (connection reset) rather than the SYN-ACK that would begin the TCP handshake, the port is closed (Avast Business, 2021).
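The point of the SYN-scan and XMAS-scan descriptions above, from a defender's side, is that application and connection logs miss these probes while a packet-level sensor does not: a SYN that is never followed by the client's ACK, or a segment whose flag combination no real TCP stack produces, is visible on the wire. The following Python is an added example written for this article, not code from the article, EC-Council, or either cited vendor. It assumes a constructed, simplified log format ("ts src dport flags", one line per segment arriving at the monitored host, with tcpdump-style flag letters and "-" for no flags); the sample lines and the threshold of five half-open ports are constructed for illustration, and the detector distinguishes a completed (full-connect) handshake, a burst of half-open SYNs, and FIN/PSH/URG or empty-flag probes.

```python
"""Flag-based scan detection over constructed ingress packet summaries."""
from collections import defaultdict

# Constructed sample (not a real capture): one line per TCP segment that
# arrived at the monitored host, as "ts src dport flags".  Flag letters follow
# tcpdump (S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST); "-" means no flags set.
SAMPLE_LOG = """\
1 10.0.0.5 22 S
2 10.0.0.5 22 A
3 10.0.0.5 22 PA
4 10.0.0.9 21 S
4 10.0.0.9 22 S
4 10.0.0.9 23 S
4 10.0.0.9 25 S
4 10.0.0.9 80 S
4 10.0.0.9 443 S
6 10.0.0.7 80 FPU
6 10.0.0.7 443 FPU
6 10.0.0.7 8080 FPU
7 10.0.0.7 22 -
"""

# FIN+PSH+URG with nothing else is the classic "all lights on" probe.
XMAS_FLAGS = frozenset("FPU")


def parse_line(line):
    """Split one constructed log line into (ts, src, dport, flag set)."""
    ts, src, dport, flags = line.split()
    flag_set = frozenset() if flags == "-" else frozenset(flags)
    return int(ts), src, int(dport), flag_set


def classify_flags(flags):
    """Label a flag set the way a scan detector would."""
    if flags == XMAS_FLAGS:
        return "xmas"   # never emitted by a legitimate TCP stack
    if not flags:
        return "null"   # a segment with no flags at all is equally abnormal
    if flags == {"S"}:
        return "syn"    # first step of a handshake, legitimate or half-open
    return "other"


def analyze(log_text, half_open_threshold=5):
    """Return {src: finding} for sources whose traffic matches a scan pattern.

    A SYN to a port is "pending" until the same source sends a bare ACK to that
    port (third step of the handshake).  Sources that leave many ports pending
    look like half-open scanners; sources sending XMAS/NULL probes are flagged
    on the first such segment, since the flag combination alone is the signal.
    """
    pending = defaultdict(set)    # src -> dports with SYN but no completing ACK
    completed = defaultdict(set)  # src -> dports where the handshake finished
    malformed = defaultdict(set)  # src -> dports hit with XMAS or NULL probes

    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dport, flags = parse_line(line)
        kind = classify_flags(flags)
        if kind == "syn":
            pending[src].add(dport)
        elif kind in ("xmas", "null"):
            malformed[src].add(dport)
        elif "A" in flags and "S" not in flags and dport in pending[src]:
            # Client ACK after our SYN-ACK: this was a real (full-connect) session.
            pending[src].discard(dport)
            completed[src].add(dport)

    findings = {}
    for src, ports in pending.items():
        if len(ports) >= half_open_threshold:
            findings[src] = {"technique": "syn_half_open", "ports": sorted(ports)}
    for src, ports in malformed.items():
        findings[src] = {"technique": "xmas_or_null", "ports": sorted(ports)}
    return findings


if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding["technique"], finding["ports"])
```

On the sample, 10.0.0.5 completes its handshake to port 22 and is not reported, 10.0.0.9 leaves six ports half-open and is reported as a SYN scan even though no connection was ever established for an application log to record, and 10.0.0.7 is reported from its first FIN/PSH/URG segment. In a real deployment the pending set would need a timeout so that ordinary retransmissions and abandoned connections age out rather than accumulate.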