
Port & Service Discovery

December 10, 2025 8 min read

Port Scanning Basics

Information gathering doesn’t stop at public data. At some point, an attacker must interact with the target network directly. Port and service discovery is usually the first active step — carefully knocking on doors to see which ones respond.

This phase answers a simple but critical question:

What is actually exposed and listening on the network?

What Port Scanning Really Is

Port scanning means checking which network ports are open on a host to discover running services.

Each open port is:

  • A service
  • A protocol
  • A potential attack surface

This activity is active reconnaissance:

  • It generates traffic
  • It can be logged
  • It is illegal in most jurisdictions without explicit, written permission from the owner of the systems

🛑 Only perform these techniques inside labs or authorized scopes.

Understanding Port Scanning at the Protocol Level (Netcat)

Before using automated scanners, it’s important to understand what’s happening on the wire.

TCP Port Discovery

TCP uses a three-way handshake: SYN → SYN-ACK → ACK

  • Target replies SYN-ACK and the handshake completes → port is open
  • Target replies with RST → port is closed (the host is alive, nothing is listening)
  • No reply at all → the SYN was dropped somewhere in the path, which is what scanners later report as filtered

Using Netcat, we can observe this behavior manually:

nc -nvz -w1 192.168.50.10 1-1000

Netcat is not a purpose-built scanner: it completes a full connect() to every port, so each probe is a real connection that the listening service sees and can log. That is exactly why it is a good teaching tool; it shows:

  • How services respond
  • Why scans are detectable
  • What "open" and "closed" really mean

UDP Port Discovery

UDP has no handshake, so there is nothing to complete.

  • Closed port → the target sends back ICMP "Port Unreachable" (type 3, code 3)
  • The application answers the probe → port is open
  • No response → open or filtered: a service that ignores an empty datagram looks exactly like a firewall that dropped it

nc -nvzu -w1 192.168.50.10 1-200

Netcat reports every port that did not produce an ICMP error as "open", which is why its UDP results always need a second look.

This explains why UDP scanning is:

  • Slow
  • Inaccurate
  • Firewall-sensitive

Understanding this now prevents confusion later when tools return ambiguous results.
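The three TCP outcomes and three UDP outcomes above, as an added example that is not part of the original post: a minimal connect-style prober that maps what comes back on the wire to the same state names Netcat and Nmap use. The targets in `local_demo()` are constructed on loopback (a listening TCP socket, a TCP socket that is bound but never listens, a silent UDP socket and an echoing one) so the behaviour can be observed without touching any network; the 1 s timeout is an assumption that mirrors the `-w1` in the Netcat commands.

```python
import socket
import threading

# Added example (not from the original post): a minimal connect-style prober
# that maps what comes back on the wire to the states Netcat and Nmap report.
# The loopback targets in local_demo() are constructed for illustration; the
# 1 s default timeout mirrors the `-w1` used in the Netcat commands.


def tcp_port_state(host: str, port: int, timeout: float = 1.0) -> str:
    """Full TCP connect probe. Returns 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))            # SYN -> SYN-ACK -> ACK completed
        return "open"
    except ConnectionRefusedError:          # target answered with RST
        return "closed"
    except (socket.timeout, TimeoutError):  # silence: something dropped the SYN
        return "filtered"
    finally:
        s.close()


def udp_port_state(host: str, port: int, payload: bytes = b"\x00",
                   timeout: float = 1.0) -> str:
    """UDP probe. 'open' only if the service answers; 'closed' if the kernel
    relays an ICMP port-unreachable; otherwise 'open|filtered', because
    silence from UDP proves nothing either way."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))            # connected UDP socket surfaces ICMP errors
        s.send(payload)
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:          # ICMP type 3 code 3 came back
        return "closed"
    except (socket.timeout, TimeoutError):
        return "open|filtered"
    finally:
        s.close()


def scan(host: str, ports, proto: str = "tcp") -> dict:
    """Probe each port in turn and return {port: state}."""
    probe = tcp_port_state if proto == "tcp" else udp_port_state
    return {p: probe(host, p) for p in ports}


def local_demo() -> dict:
    """Constructed targets on loopback: a listening TCP socket (open), a TCP
    socket that is bound but never listens (the kernel answers RST -> closed),
    a UDP socket that never replies (open|filtered) and one that echoes (open)."""
    host = "127.0.0.1"
    tcp_open = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_open.bind((host, 0))
    tcp_open.listen(5)
    tcp_closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_closed.bind((host, 0))              # bound, not listening: SYN gets RST
    udp_silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_silent.bind((host, 0))
    udp_echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_echo.bind((host, 0))

    def echo_once():
        data, peer = udp_echo.recvfrom(1024)
        udp_echo.sendto(data, peer)

    threading.Thread(target=echo_once, daemon=True).start()
    try:
        return {
            "tcp_listening": tcp_port_state(host, tcp_open.getsockname()[1]),
            "tcp_bound_not_listening": tcp_port_state(host, tcp_closed.getsockname()[1]),
            "udp_silent": udp_port_state(host, udp_silent.getsockname()[1]),
            "udp_echo": udp_port_state(host, udp_echo.getsockname()[1]),
        }
    finally:
        for s in (tcp_open, tcp_closed, udp_silent, udp_echo):
            s.close()


if __name__ == "__main__":
    for target, state in local_demo().items():
        print(f"{target:24s} {state}")
```

The UDP branch is the one to study: the silent socket and a firewall that drops the datagram produce the identical result, which is the whole reason Nmap has an `open|filtered` state. Running `scan("127.0.0.1", range(1, 1025), "udp")` also shows why UDP sweeps are slow: every unanswered port costs the full timeout.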

Port Scanning with Nmap

Nmap is the industry-standard tool for network reconnaissance. We use Nmap only to answer discovery questions, not to exploit.

At this stage, Nmap helps us:

  • Identify live hosts
  • Discover exposed ports
  • Identify running services
  • Build a network attack map

Host Discovery: Finding What’s Alive

Before scanning ports, attackers determine which hosts actually exist.

sudo nmap -sn 192.168.1.0/24

Run as root, this performs:

  • ARP requests only, when the targets sit on the local Ethernet segment (the most reliable liveness signal there)
  • ICMP echo and ICMP timestamp requests
  • TCP SYN to port 443 and TCP ACK to port 80, liveness checks that survive hosts filtering ICMP

Result: a clean list of reachable systems, so no time is wasted port-scanning addresses that are not in use.

Basic Port Discovery (Top Ports)

The first scan should always be small and controlled.

sudo nmap -sS 10.10.10.10

What this does:

  • Scans the 1000 most common TCP ports
  • Uses a TCP SYN ("half-open") scan: Nmap sends the SYN and, on SYN-ACK, answers with RST instead of finishing the handshake, so the listening service never sees a connection (raw packets are why it needs sudo)
  • Minimizes traffic and application-level noise, although firewalls and IDS still see every SYN

This is the default recon scan in most real-world engagements.

Understanding Port States (Recon Perspective)

During information gathering, port states guide next decisions, not exploitation.

Key states to recognize:

  • open → a service accepted the probe (SYN-ACK, or a UDP reply)
  • closed → the host answered with RST or ICMP port unreachable: host is alive, nothing is listening there
  • filtered → no answer, or an ICMP "administratively prohibited": a firewall or packet filter dropped the probe
  • open|filtered → Nmap cannot tell, because silence is the only evidence; typical of UDP and of FIN/NULL/Xmas scans, not of a plain SYN scan

These states reveal:

  • Firewall posture
  • Network segmentation
  • Monitoring maturity

Service Identification (Light Touch)

Once ports are found, basic service identification helps build context.

nmap -sV 10.10.10.10

This reveals:

  • Service names (HTTP, SSH, SMTP)
  • Software versions (when possible)

Two caveats: -sV has to complete the connection and send protocol-specific probes to collect banners, so it is noticeably louder than -sS and lands in the application's own logs; and without sudo Nmap falls back to a full connect scan (-sT) for the port discovery step as well. At this stage, version data is used for mapping, not attacking.
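The "network attack map" this phase builds, as an added example that is not part of the original post: a parser for Nmap's grepable output (`-oG`) that turns host, port-state and service/version fields into a host → open-ports map, a service → hosts index, and a per-host firewall posture derived from the "Ignored State" field. `SAMPLE_GREPABLE` is constructed to resemble `nmap -sS -sV -oG - 10.10.10.0/24`; the addresses, hostnames and versions in it are invented for illustration.

```python
import re
from collections import defaultdict

# Added example (not from the original post): parse Nmap's grepable output
# (-oG) into the host -> ports map and service -> hosts index that recon is
# meant to produce. SAMPLE_GREPABLE is constructed to resemble the output of
# `nmap -sS -sV -oG - 10.10.10.0/24`; addresses, hostnames and versions are
# invented for illustration.

SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - 10.10.10.0/24
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.10.10.11 (dc01.lab.local)\tStatus: Up
Host: 10.10.10.11 (dc01.lab.local)\tPorts: 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (997)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# The seven slash-separated fields of one port entry in -oG output.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_grepable(text: str) -> dict:
    """Return {ip: {"hostname": str, "ignored_state": str|None, "ports": [...]}}.
    Assumes version strings contain no ', ' (Nmap's port-entry separator)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, hostname = re.match(r"(\S+) \((.*)\)", fields["Host"]).groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ignored_state": None, "ports": []})
        if "Ignored State" in fields:
            # e.g. "closed (997)": the state Nmap collapsed for all unlisted ports
            entry["ignored_state"] = fields["Ignored State"].split(" ")[0]
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue
            rec = dict(zip(PORT_FIELDS, item.strip().split("/", 6)))
            rec["port"] = int(rec["port"])
            rec["version"] = rec.get("version", "").rstrip("/")
            entry["ports"].append(rec)
    return hosts


def open_ports(hosts: dict) -> dict:
    """{ip: [port, ...]} restricted to ports in state 'open'."""
    return {ip: sorted(p["port"] for p in h["ports"] if p["state"] == "open")
            for ip, h in hosts.items()}


def service_index(hosts: dict) -> dict:
    """{service: [(ip, port, version), ...]} over open ports, so a question
    like 'where is SMB exposed?' becomes a lookup instead of another scan."""
    idx = defaultdict(list)
    for ip, h in hosts.items():
        for p in h["ports"]:
            if p["state"] == "open":
                idx[p["service"]].append((ip, p["port"], p["version"]))
    return dict(idx)


def posture(hosts: dict) -> dict:
    """{ip: ignored_state}. 'closed' means the unlisted ports answered with
    RST (nothing filtering in the path); 'filtered' means the probes were
    dropped, i.e. a firewall sits between you and the host."""
    return {ip: h["ignored_state"] for ip, h in hosts.items()}


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_GREPABLE)
    for ip, ports in open_ports(hosts).items():
        name = hosts[ip]["hostname"] or "-"
        print(f"{ip:15s} {name:18s} open={ports} unlisted={posture(hosts)[ip]}")
    for svc, where in sorted(service_index(hosts).items()):
        print(f"{svc:15s} {where}")
```

The posture field is the cheap win here: a host whose 997 unlisted ports came back "closed" is reachable with no filter in front of it, while one whose unlisted ports are "filtered" has a firewall shaping what you see, and that difference decides whether the next step is a wider port range or a different vantage point.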

Why Full Port Scans Come Later

A full scan (-p-) touches all 65,535 TCP ports.

That means:

  • More traffic
  • More logs
  • Higher detection risk
  • Much longer run time, especially against hosts that drop rather than reject probes

Run it once the top-ports results have shown which hosts are worth the cost.

Port Scanning from Windows

When you’re on a real engagement and only have a standard Windows workstation (no internet, no Nmap, no third-party tools), you can still perform solid port scanning using nothing but built-in PowerShell.

Quick single-port check

Test-NetConnection -Port 445 192.168.50.10

If TcpTestSucceeded : True → the port is open. Perfect for fast checks of common services (445, 3389, 5985, etc.). Note that Test-NetConnection sends an ICMP echo first: a host that blocks ping reports PingSucceeded : False, but the TCP test still runs, and it is the result that matters here.

Scan the first 1024 ports silently

This loop completes a full TCP connect on every port and prints only the ones that accept. It needs nothing beyond a normal user account, but it is not stealthy: every completed handshake reaches the listening service and shows up in that service's logs, and a burst of 1024 connection attempts from one workstation is easy to spot in firewall or EDR telemetry. The synchronous Connect() also waits around 20 seconds on every filtered port, so bound the timeout per port:

1..1024 | ForEach-Object {
    $conn = New-Object Net.Sockets.TcpClient
    try {
        # ConnectAsync + Wait bounds the per-port wait (300 ms here);
        # a synchronous Connect() can hang ~20 s on every filtered port
        $task = $conn.ConnectAsync("192.168.50.10", $_)
        if ($task.Wait(300) -and $conn.Connected) {
            Write-Host "Port $_ is OPEN"
        }
    }
    catch {}                      # refused or unreachable ports throw; stay silent
    finally { $conn.Close() }
}

In red team ops you’ll often land on a regular Windows host first. Being able to map the internal network with just PowerShell (no downloads, no privileges needed beyond a normal user) is a core “living off the land” skill. Once you know what’s open, you can decide your next move — credential dumping, lateral movement tools, or deeper enumeration — all without ever dropping a binary.

Reconnaissance Mindset: Scan With Intent

Good attackers don’t scan everything. They scan what matters.

Information gathering is about:

  • Reducing unknowns
  • Building attack paths
  • Choosing the right targets

Every scan should answer a question — not create noise.
