Port Scanning Cheat Sheet for Pentesters

by x32x01
In penetration testing, port scanning is the routine that tells you which network services are reachable on a target. Open ports map directly to running services (web servers, SSH, DNS, databases, etc.).

Those services are the entry points an attacker probes for programming errors, misconfigurations, and implementation flaws that can lead to compromise. Port scanning is the first step in discovering those attack vectors, but it must be done carefully, ethically, and within scope.

TCP vs UDP - the basics ⚙️

Two transport protocols matter for port scanning:
  • TCP (Transmission Control Protocol) - connection-oriented and reliable; most common services (HTTP, SSH, SMTP) use TCP. A TCP probe gets a definite answer: SYN/ACK means open, RST means closed, and silence usually means a firewall dropped the packet (filtered).
  • UDP (User Datagram Protocol) - connectionless, no handshake; used for DNS, SNMP, NTP, VoIP, etc. UDP scans are slower and more ambiguous: open services often ignore a probe they don't understand, closed ports answer with an ICMP port-unreachable message, and most hosts rate-limit those ICMP replies, so a silent port can only be reported as open|filtered.
Both protocols can expose vulnerable services - check both where applicable, and send service-specific payloads (Nmap's -sV does this for UDP too) to turn open|filtered results into definite ones.
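The difference between the two protocols is easiest to see in a scanner that does both. The block below is an added example written for this page, not code from Nmap or from the original post: a connect() scan that yields the three TCP verdicts (open, closed, filtered) and grabs the banner on open ports, a UDP probe that yields the weaker UDP verdicts (open, closed, open|filtered), and two constructed loopback services (a fake SSH banner and a UDP responder) so it runs offline. The banner string and probe payloads are made up.

```python
import socket
import threading

OPEN, CLOSED, FILTERED, OPEN_FILTERED = "open", "closed", "filtered", "open|filtered"


def tcp_connect_scan(host, ports, timeout=0.5, grab_banner=True):
    """Classify TCP ports the way a full-connect scan (nmap -sT) does.

    handshake completes      -> open     (a service accepted the connection)
    RST, i.e. ECONNREFUSED   -> closed   (host reachable, nothing listening)
    no answer before timeout -> filtered (a firewall most likely dropped the SYN)
    On open ports, read whatever the service volunteers first: SSH, SMTP and FTP
    all send a banner before the client says anything.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except ConnectionRefusedError:
                results[port] = (CLOSED, b"")
                continue
            except OSError:  # includes socket.timeout
                results[port] = (FILTERED, b"")
                continue
            banner = b""
            if grab_banner:
                try:
                    banner = s.recv(256)
                except OSError:
                    pass
            results[port] = (OPEN, banner.strip())
    return results


def udp_probe(host, port, payload=b"\x00", timeout=1.0):
    """Probe one UDP port. With no handshake the verdicts are weaker than TCP's:

    any datagram back                    -> open
    ICMP port unreachable (ECONNREFUSED) -> closed
    silence                              -> open|filtered (service ignored the
                                            payload, or a firewall dropped it)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # pins the peer so the kernel reports ICMP errors to us
        try:
            s.send(payload)
            data = s.recv(4096)
        except ConnectionRefusedError:
            return CLOSED, b""
        except socket.timeout:
            return OPEN_FILTERED, b""
        return OPEN, data


def _tcp_service(banner):
    """Constructed loopback listener that greets each client with a banner (like sshd)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def _udp_service(reply):
    """Constructed loopback responder that answers any datagram (like a DNS or SNMP service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                _, peer = srv.recvfrom(4096)
                srv.sendto(reply, peer)
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Scan one loopback port with a banner-sending service, one known to be closed,
    and one UDP responder; return the verdicts keyed by case."""
    tcp_srv = _tcp_service(b"SSH-2.0-OpenSSH_9.6\r\n")  # made-up banner
    udp_srv = _udp_service(b"\x00\x01")
    with socket.socket() as tmp:  # bind, then release: a port nothing listens on
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
    open_port = tcp_srv.getsockname()[1]
    try:
        tcp = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
        udp = udp_probe("127.0.0.1", udp_srv.getsockname()[1])
    finally:
        tcp_srv.close()
        udp_srv.close()
    return {"open": tcp[open_port], "closed": tcp[closed_port], "udp": udp}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The UDP "closed" verdict depends on the kernel surfacing the ICMP port-unreachable as ECONNREFUSED on the connected socket, which Linux does; a filtered UDP port and an open-but-silent one are indistinguishable without a payload the service actually answers.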



Port scanning workflow (ethical steps) 🧭

  1. Get authorization - always have clear, written permission before scanning any system. Unauthorized scanning can be illegal and disruptive.
  2. Scope & rules of engagement - define IP ranges, testing windows, and what to avoid (production databases, medical devices, etc.).
  3. Host discovery - find live hosts before scanning ports (ping sweep, ARP scan on LAN).
  4. Port enumeration - scan for open TCP/UDP ports.
  5. Service detection - identify services and versions (HTTP server, SSH version).
  6. Vulnerability mapping - correlate services to known vulnerabilities (only after permissions allow deeper checks).
  7. Report & remediate - document findings, risk levels, and remediation steps.
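Steps 1 to 5 above as a gated pipeline, added here as an example (not from the original post): a scope check that refuses to build or launch anything against an address outside the agreed ranges, an excluded host, or the agreed testing window, followed by the Nmap stages of the workflow as argv lists. The allowed ranges, the excluded host and the 22:00-06:00 window are constructed rules of engagement; the nmap options used (-sn, -sS, -sV, -p-, -oG, -oX) are real ones.

```python
import ipaddress
import subprocess
from datetime import datetime, time

# Constructed rules of engagement (hypothetical ranges, host and hours).
ROE = {
    "allowed": [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.1.0/24")],
    "excluded": [ipaddress.ip_address("10.0.0.20")],  # e.g. the production database
    "window": (time(22, 0), time(6, 0)),               # local time; this one crosses midnight
}


def in_scope(target, roe=ROE):
    """A target is in scope only if it sits inside an allowed range and is not excluded."""
    ip = ipaddress.ip_address(target)
    if ip in roe["excluded"]:
        return False
    return any(ip in net for net in roe["allowed"])


def in_window(now, roe=ROE):
    """True when `now` (a datetime) falls inside the testing window, wrapping past midnight if needed."""
    start, end = roe["window"]
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def authorize(target, when):
    """Return (ok, reason); `when` is an ISO timestamp such as '2024-01-01T23:30'."""
    now = datetime.fromisoformat(when)
    if not in_scope(target):
        return False, f"{target} is outside the authorized ranges"
    if not in_window(now):
        return False, f"{now:%H:%M} is outside the agreed testing window"
    return True, "authorized"


def scan_plan(target, open_ports=None):
    """Workflow steps 3-5 as argv lists (no shell quoting issues). -sS and -sV need raw
    sockets, hence sudo. Service detection is only queued once enumeration gave a port list."""
    tag = target.replace("/", "_")  # CIDR targets would otherwise produce a path separator
    stages = [
        ["nmap", "-sn", "-oG", f"{tag}-hosts.gnmap", target],               # 3. host discovery
        ["sudo", "nmap", "-sS", "-p-", "-oX", f"{tag}-ports.xml", target],  # 4. port enumeration
    ]
    if open_ports:
        ports = ",".join(str(p) for p in sorted(open_ports))
        stages.append(["sudo", "nmap", "-sV", "-p", ports, "-oX", f"{tag}-services.xml", target])  # 5.
    return stages


def run_stage(argv, target, when, dry_run=True):
    """Launch one stage only after the scope and window checks pass; dry runs just return the command."""
    ok, reason = authorize(target, when)
    if not ok:
        raise PermissionError(reason)
    if dry_run:
        return " ".join(argv)
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for stage in scan_plan("10.0.0.5", open_ports=[80, 22]):
        print(run_stage(stage, "10.0.0.5", "2024-01-01T23:30"))
```

Keeping the gate in code rather than in a checklist means a typo in a target address fails loudly before any packet leaves, and the dry-run output is what goes into the engagement log.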



Quick, safe Nmap commands (examples) 🛠️

Use these only on targets you are authorized to test. Nmap is powerful - treat it with respect.
  • Host discovery (no port scan):
Code:
nmap -sn 192.168.1.0/24

  • Top 1000 most common ports (Nmap's default set) + service detection (the SYN scan -sS needs root):
Code:
sudo nmap -sS -sV --top-ports 1000 10.0.0.5

  • Full TCP port scan (slower):
Code:
nmap -p- -T4 10.0.0.5

  • UDP scan for common services (requires root, slow):
Code:
sudo nmap -sU -p 53,123,161 10.0.0.5

  • OS detection + scripts + traceroute (aggressive):
Code:
sudo nmap -A -T4 target.example.com

  • Save output in multiple formats (-oA basename writes all three at once; keep the XML for tooling):
Code:
nmap -oN out.txt -oX out.xml -oG out.gnmap target

Tip: Timing templates run from -T0 to -T5 and -T3 is the default. Use -T2 or lower when you need to stay quiet or protect fragile hosts, -T4 on robust LAN targets; -T5 is noisy and can drop results on slow links.



Web-based port scanners & quick checks 🌐

For quick, non-invasive checks (public-facing only), these online scanners can be handy:
  1. Ping.eu - https://ping.eu/port-chk/
  2. ViewDNS.info - https://viewdns.info/portscan/
  3. HackerTarget - https://hackertarget.com/tcp-port-scan/
  4. IPFingerprints - https://www.ipfingerprints.com/portscan.php
  5. YouGetSignal - https://www.yougetsignal.com/tools/open-ports/
Use these only for systems you own or where public scanning is allowed.



Interpreting results - what to look for 🔍

  • Open ports - a service accepted the connection; grab the banner and version (-sV) and record it.
  • Closed ports - the host answered (TCP RST or ICMP port unreachable) but nothing is listening; not a finding by itself, but it proves the host is up and that port is not firewalled.
  • Filtered ports - no answer, usually a firewall dropping the probe; try another scan type (e.g. -sA to map firewall rules) or a different network path.
  • Unexpected services - e.g. SMB (445) or RDP (3389) on a public IP; raise a red flag for exposure.
  • Version strings - outdated versions often map to known CVEs; prioritize for remediation.
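What this checklist looks like when tooling consumes the scan: an added example, not code from the original post or from the Nmap project, that parses -oX output (the structured format; use it rather than the text forms when you automate) and applies the points above. The XML is a constructed sample shaped like Nmap's; 203.0.113.10 is a documentation address standing in for an internet-facing host, and the RFC 1918 list and the "internal-only" port table are this example's own assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of what `nmap -sS -sU -sV -oX out.xml` emits (two hosts).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX out.xml 203.0.113.10 10.0.0.5" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="203.0.113.10" addrtype="ipv4"/>
<ports><extraports state="filtered" count="995"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="closed" reason="reset"/><service name="ms-wbt-server"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports><extraports state="closed" count="999"/>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""

# Assumed policy: services that should never face the internet, and what counts as internal.
INTERNAL_ONLY = {139: "NetBIOS", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP",
                 5432: "PostgreSQL", 6379: "Redis"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    host: str
    proto: str
    port: int
    state: str
    service: str = ""
    version: str = ""
    flags: list = field(default_factory=list)


def parse_nmap_xml(xml_text):
    """Return one Finding per reported port, plus the per-host counts nmap folded into <extraports>."""
    root = ET.fromstring(xml_text)
    findings, extra = [], {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for ep in host.iter("extraports"):
            extra[(addr, ep.get("state"))] = int(ep.get("count"))
        for p in host.iter("port"):
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            findings.append(Finding(addr, p.get("protocol"), int(p.get("portid")),
                                    p.find("state").get("state"), name, version))
    return findings, extra


def triage(findings):
    """Attach review flags: open ports need banner/version review, an internal-only service
    on a non-RFC1918 address is an exposure, and open|filtered UDP ports need a re-probe."""
    for f in findings:
        ip = ipaddress.ip_address(f.host)
        internal = any(ip in net for net in RFC1918)
        if f.state == "open":
            f.flags.append("review-version" if f.version else "no-version")
            if f.port in INTERNAL_ONLY and not internal:
                f.flags.append(f"{INTERNAL_ONLY[f.port]} exposed on public IP")
        elif f.state == "open|filtered":
            f.flags.append("reprobe-udp")
    return findings


def exposed(findings):
    """The findings to escalate first."""
    return [f for f in findings if any("exposed" in fl for fl in f.flags)]


if __name__ == "__main__":
    found, extra = parse_nmap_xml(SAMPLE_XML)
    for f in triage(found):
        print(f"{f.host}:{f.port}/{f.proto} {f.state} {f.service} {f.version} {f.flags}")
    print("folded ports:", extra)
```

The same SMB port is open on both hosts, but only the one on the non-RFC1918 address is escalated; the 10.0.0.5 instance is recorded as a plain open port. The <extraports> count is worth keeping too: 995 filtered ports on the public host is the signature of a firewall with a short allow-list, which shapes what a follow-up -sA scan should target.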



Common pitfalls & false positives ⚠️

  • ICMP blocked - host discovery fails when ping is blocked; on a LAN Nmap falls back to ARP, on remote targets use TCP/UDP discovery probes (-PS, -PA, -PU) or -Pn to skip discovery entirely (every address is then treated as up, so the scan takes longer).
  • Rate-limiting - IDS/IPS or web application firewalls may throttle scans or trigger alarms.
  • Shared infrastructure - cloud or shared hosting may show services that belong to other tenants; verify ownership.
  • Timing choices - too fast a scan can disrupt services; too slow may miss timing-dependent responses.



Defensive actions after scanning ✅

If you find risky services, suggest these mitigations:
  • Close or restrict unused ports with firewall rules.
  • Apply vendor patches and update software.
  • Use network segmentation - keep critical services off public networks.
  • Enforce strong authentication (keys, MFA) for exposed management services (SSH, RDP).
  • Deploy intrusion detection/prevention and rate-limiting.



Legal & ethical reminders 🧾

Port scanning can be considered intrusive. Always:
  • Obtain written authorization (scope, IP ranges, time windows).
  • Respect privacy and service availability - avoid destructive tests unless explicitly allowed.
  • Escalate discoveries responsibly: report critical findings to owners and coordinate remediation.



Tools to add to your toolkit 🧰

  • Nmap - deep, scriptable scanning (NSE scripts).
  • Masscan - internet-scale, ultra-fast port discovery (follow-up with Nmap).
  • ZMap - single-port, internet-scale scanning (research use).
  • Netcat (nc) - quick banner grabs.
  • Online scanners (listed above) - quick public checks.

Final notes - scanning with purpose 🎯

Port scanning is an essential, first-line reconnaissance technique in a pentest. Done ethically, it reveals the attack surface so defenders can fix weak spots. Keep your scans legal, keep them documented, and always recommend actionable remediation.