Network Scanning Techniques Explained

Neha Bhagat

Neha Bhagat

Mar 21, 2026Cyber Security
Network Scanning Techniques Explained

Categories

Security SoftwareHackerOneTryHackMeDatabase SecurityBlockchain SecurityHospital SecurityCyber Security TrendsIT CertificationsSQLiCareer Roadmap

Table of Contents

Introduction

An attacker needs to break into a corporate network of 5,000 computers.
He does not randomly type IP addresses and hope something responds.
He systematically scans the entire network in minutes to create a precise map of every live host, open port, and running service.

But here's the problem:

👉 Without this reconnaissance map built through network scanning, the attacker is completely blind. And so is the defender who never scans their own infrastructure.

Network scanning is the foundational second phase of any professional penetration test or security audit. It bridges the gap between passive intelligence gathering (OSINT) and active exploitation. A truly comprehensive network scan does not just tell you which IP addresses are alive; it reveals an incredibly detailed portrait of the target infrastructure: operating systems in use, specific software versions running on each port, firewall rules, and network topology.

Security professionals use identical network scanning techniques for two entirely opposite but complementary purposes:

  • Offensive (Red Team): Map the attack surface to identify vulnerable services to exploit.
  • Defensive (Blue Team): Proactively scan their own infrastructure to find exposed services before an attacker does.

In this comprehensive guide, you'll learn:

  • The foundational concepts that make network scanning work at the protocol level
  • The primary categories of scanning: host discovery, port scanning, service detection
  • Advanced scanning types: SYN, UDP, NULL, FIN, and XMAS scans
  • How to interpret scan results and prioritize findings
  • The pivotal role of Nmap and how to use it effectively
  • Firewall evasion scanning techniques used by professionals

By the end of this article, you will understand how professional network scanning works, why specific techniques are chosen in different scenarios, and how to apply them appropriately and legally.

Why Network Scanning is the Foundation

Before any vulnerability can be exploited, it must first be discovered. This is the core function of network scanning. A service running a critically exploitable vulnerability on a hidden or non-standard port provides zero risk to an attacker who does not know that port is open.

Conversely, a security team that has never scanned their own network thoroughly is managing an unknown attack surface. They may have legacy servers running for decades on forgotten IP addresses, development environments with default credentials accidentally exposed to the internet, or misconfigured firewalls allowing traffic to sensitive services.

Regular, comprehensive network scanning of your own infrastructure is one of the single most important proactive security practices any organization can implement.

Phase 1: Host Discovery (Finding Live Systems)

Before scanning individual ports, you must determine which IP addresses on the target network have live hosts responding. Scanning 65,535 ports against 254 IP addresses when only 20 of them have active computers is an enormous waste of time.

Ping Sweep (ICMP Echo Request)

The simplest form of host discovery sends an ICMP "Echo Request" (a ping) to each IP address in a range and listens for an "Echo Reply" response. If a host responds, it is alive.

Nmap command:

nmap -sn 192.168.1.0/24

The -sn flag instructs Nmap to skip port scanning entirely and only perform host discovery.

Limitation: Many firewalls and host-based firewalls are configured to block ICMP echo requests, making ping sweeps unreliable against hardened targets.

TCP SYN Ping and TCP ACK Ping

When ICMP is blocked, Nmap can use TCP packets. It sends a SYN (or ACK) packet to a common port (like 80 or 443). If the host responds—even with a RST (reset) packet—it confirms the host is alive.

nmap -sn -PS80,443 192.168.1.0/24    # TCP SYN ping on ports 80 and 443
nmap -sn -PA80,443 192.168.1.0/24    # TCP ACK ping

UDP Ping

Sends a UDP packet to specific ports. An ICMP "port unreachable" response confirms the host is alive.

Phase 2: Port Scanning (Mapping Open Doors)

Once you have a list of live hosts, you perform port scanning to determine which TCP and UDP ports are in which state on each host. The state of a port is the most fundamental piece of information in network scanning.

The Three Port States

  • Open: A service is actively listening and accepting connections on this port. This is the most significant finding.
  • Closed: No service is listening on this port, but the host is reachable. The port responds to probes but rejects connections.
  • Filtered: A firewall, filter, or other network obstacle is blocking the scan probes. Nmap cannot conclusively determine whether the port is open or closed.

The Key Port Scanning Techniques

Understanding the mechanics behind each scanning type is what distinguishes a genuine security professional from someone who simply runs tools blindly.

1. TCP Connect Scan (-sT)

This is the most basic and reliable TCP scan. Nmap completes the full three-way TCP handshake (SYN → SYN-ACK → ACK) with each target port. If the handshake completes, the port is open. If a RST is received, the port is closed.

Advantages: Highly reliable. Works even without root/administrator privileges. Disadvantages: Extremely noisy and easily logged. Every completed connection is recorded in the target's application logs.

nmap -sT 192.168.1.10

2. TCP SYN Scan (Stealth Scan) (-sS)

The TCP SYN scan (also called the "half-open" or "stealth" scan) is the most popular and default Nmap scan type. Instead of completing the three-way handshake, Nmap sends a SYN packet, waits for the SYN-ACK response (confirming port open), then immediately sends a RST packet to abort the connection before it fully establishes.

Advantages: Faster than a full Connect scan. More difficult to detect because no full connection is logged by applications—only the firewall logs the incomplete connection attempt. Disadvantages: Requires root/administrator privileges to craft raw packets.

sudo nmap -sS 192.168.1.10

3. UDP Scan (-sU)

TCP scanning finds TCP services. But DNS (port 53), SNMP (port 161), and many other critical services run over UDP. UDP scanning is significantly slower than TCP because UDP is a connectionless protocol—there is no three-way handshake to confirm a port is open.

Nmap sends a UDP packet to each port. If a UDP response comes back, the port is open. If an ICMP "port unreachable" comes back, the port is closed. If nothing comes back, the port is marked as open/filtered (a firewall may be blocking it).

sudo nmap -sU -p 53,161,123 192.168.1.10

4. NULL, FIN, and XMAS Scans

These are specialized TCP scanning techniques that use unusual flag combinations to probe ports. They are designed to bypass some stateless firewall rule sets and evade less-sophisticated Intrusion Detection Systems (IDS).

  • NULL Scan (-sN): Sends a TCP packet with no flags set.
  • FIN Scan (-sF): Sends a TCP packet with only the FIN flag set.
  • XMAS Scan (-sX): Sends a TCP packet with FIN, URG, and PSH flags set ("lighting it up like a Christmas tree").

According to the RFC specification, a closed port should respond to these illegal flag combinations with a RST. An open port should simply ignore the packet (no response, marked as open/filtered). These scans work against UNIX/Linux systems but are generally unreliable against modern Windows targets.

sudo nmap -sX 192.168.1.10   # XMAS scan

Phase 3: Service and Version Detection

Finding that Port 80 is open is only the beginning. The most valuable information comes from identifying exactly what service is running on that port and, more specifically, which version of that software.

The simplest form of service detection—many services announce themselves (their software name and version) in a "banner" text string they send immediately when a connection is established.

nc -nv 192.168.1.10 80      # Netcat grab from port 80
GET / HTTP/1.1              # Manually request a web page to trigger a full response

Nmap Service Version Detection (-sV)

Nmap's -sV flag automates banner grabbing and uses an extensive internal database of over 6,000 service signatures to accurately identify the service and version. This is the information directly used to search for known exploits.

nmap -sV 192.168.1.10

Operating System Detection (-O)

Nmap analyzes subtle variations in how different operating systems respond to network probes (TCP window sizes, response TTL values, IP flags) to make educated guesses about the target's operating system and version.

sudo nmap -O 192.168.1.10

Phase 4: Firewall Evasion Techniques

Against hardened targets with sophisticated firewalls and IDS, standard scans are immediately detected and blocked. Professional penetration testers use evasion techniques to increase scan stealth.

Fragmentation (-f)

Splits Nmap's TCP packets into smaller fragments, making it harder for packet inspection systems to reassemble and analyze the probe.

sudo nmap -f 192.168.1.10

Decoy Scanning (-D)

Instructs Nmap to send scan packets from multiple fake "decoy" IP addresses simultaneously alongside the real source IP. This makes it significantly harder for the target's IDS to isolate which source is the real attacker.

sudo nmap -D RND:10 192.168.1.10   # Use 10 randomly generated decoy IPs

Timing Templates (-T)

Nmap uses timing templates from 0 (Paranoid) to 5 (Insane) to control the scan speed. Faster scans are more likely to trigger IDS alerts. Slower scans are harder to detect.

nmap -T1 192.168.1.10   # Sneaky timing — very slow, much less detectable
nmap -T4 192.168.1.10   # Aggressive timing — fast, standard default for CTFs

Interpreting and Using Scan Results

A complete Nmap scan output provides a roadmap for the exploitation phase. Here is how to interpret the results intelligently:

  1. Prioritize critical ports: Focus first on ports running high-risk services historically targeted by major exploits (SMB on 445, RDP on 3389, unencrypted HTTP on 80 with sensitive forms).
  2. Look for outdated software versions: Use the software name and version from -sV output to search the NVD (National Vulnerability Database at nvd.nist.gov) and Exploit-DB for known CVEs.
  3. Note filtered ports: Filtered ports may still be reachable from a different network segment after getting initial access.
  4. Compare against expected baseline: For defensive scanning, any port or service that was NOT previously documented in your asset inventory requires immediate investigation.

Short Summary

Network scanning is the methodical process of discovering live hosts, mapping open ports, and fingerprinting services across an IP network. It begins with host discovery (ping sweeps, TCP pings), moves to port scanning using techniques ranging from basic TCP Connect scans to stealthy SYN scans and specialized NULL/FIN/XMAS scans, and culminates with service version detection to identify the exact software running behind each open port. Advanced evasion techniques (fragmentation, decoys, slow timing) allow penetration testers to probe hardened targets. For both offensive and defensive security, regular network scanning is the foundational prerequisite to understanding and securing a network's attack surface.

Conclusion

Network scanning is not a glamorous skill in the way that executing a complex exploit chain might seem to an outsider. However, it is the quiet, methodical competence that every successful penetration tester and security engineer has permanently internalized.

The attacker who can perfectly map a target network quickly, accurately, and with minimal detection noise has a decisive strategic advantage over any automated vulnerability scanner. The defender who runs regular network scans of their own infrastructure will discover the forgotten management interface or the misconfigured server firewall long before a criminal does.

Master the concepts of network scanning—specifically Nmap in its full depth—before progressing to any other offensive or defensive security technique. It is the foundation upon which all subsequent security work is built.

Explore Tags

Network ScanningPort ScanningNmap TutorialEthical HackingNetwork Reconnaissance

Related Articles

View All
Aircrack NG WiFi Hacking Guide: Breaking WPA2 Security
Cyber Security

Aircrack NG WiFi Hacking Guide: Breaking WPA2 Security

Explore the mechanics of wireless exploitation with this Aircrack NG WiFi hacking guide. Learn how ethical hackers intercept handshakes and crack WPA2 networks.

Artifact Geeks
Artifact Geeks
Read More
Cyber Security Trends in 2026: Preparing for the Future of Digital Threats
Cyber Security

Cyber Security Trends in 2026: Preparing for the Future of Digital Threats

Discover the most critical security developments. This cyber security trends guide covers AI-driven attacks, quantum-resistant cryptography, and the rise of autonomous defense.

Harshit Chhipa
Harshit Chhipa
Read More
Password Cracking Techniques Explained
Cyber Security

Password Cracking Techniques Explained

Learn how password cracking techniques work, from dictionary attacks to brute force and rainbow tables. Understand the methods hackers use—and how to defend against them.

Artifact Geeks
Artifact Geeks
Read More