Overview
Port scanning is a crucial step in the information gathering phase and one of the primary methods for obtaining service information from a target host. It relies on the transport-layer behaviour of the TCP/IP protocol stack. Common active port scanning can be broadly divided into TCP scanning and UDP scanning.
UDP Port Scanning Principle
Unlike TCP, UDP is a connectionless, stateless protocol, so the information obtained during scanning is relatively limited.
- When a client sends data to a closed UDP port on the server, the server usually returns an ICMP Port Unreachable packet.
- From this it follows: if this ICMP packet is received, the port can be determined to be closed.
- If no response is received, the port may be open, or the packet may have been dropped by a firewall.
👉 Therefore, the characteristics of UDP scanning are:
- The conclusion that a port is closed is reliable;
- The conclusion that a port is open is uncertain (it may be open or blocked).
This is why UDP scanning is often slow and inaccurate.
TCP Port Scanning Principle
Since TCP is a connection-oriented, stateful protocol with multiple flags, there are more ways to scan it. Several common methods (using Nmap as an example):
| Scanning Method | Principle | Typical Application | Nmap Parameter |
|---|---|---|---|
| Full Connect Scan | Complete the full TCP three-way handshake | Most stable results, but easily logged | -sT |
| SYN Scan (Half-open Scan) | Send only SYN; reply with RST immediately after receiving SYN/ACK so the handshake is never completed | Fast, relatively stealthy, commonly used | -sS |
| FIN Scan | Send only a FIN-flagged packet; a closed port returns RST | Suitable for Unix-like systems | -sF |
| Xmas Scan | Set the FIN, URG and PUSH flags simultaneously; a closed port returns RST | Bypasses some firewalls | -sX |
| TCP Null Scan | No flags set, closed port returns RST | Similar to FIN scan | -sN |
| ACK Scan | Send ACK packet, closed port returns RST | Detect firewall filtering rules, not port status | -sA |
| UDP Scan | Send UDP packet, closed port usually returns ICMP Port Unreachable | UDP service discovery | -sU |
TCP Packet Format (Key Flags)
Below is the structure of the TCP Header, focusing on the 6 control bits (Flags):
```
 0 1 2 3 4 5 6 7 8 9 A B C D E F
+-------------------------------+
|          Source Port          |
+-------------------------------+
|       Destination Port        |
+-------------------------------+
|        Sequence Number        |
+-------------------------------+
|     Acknowledgment Number     |
+-------+-----------+-+-+-+-+-+-+
| Data  | Reserved  |U|A|P|R|S|F|
|Offset |           |R|C|S|S|Y|I|
+-------+-----------+-+-+-+-+-+-+
|          Window Size          |
+-------------------------------+
|           Checksum            |
+-------------------------------+
|        Urgent Pointer         |
+-------------------------------+
|    Options    |    Padding    |
+-------------------------------+
|             Data              |
+-------------------------------+
```
Flag Explanation:
- URG: Urgent Pointer field significant
- ACK: Acknowledgment field significant
- PSH: Push Function
- RST: Reset the connection
- SYN: Synchronize sequence numbers
- FIN: No more data from sender
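As an added, defender-side example (not code from the original page): a small Python parser for the 20-byte TCP header shown above that extracts the six control flags and labels an unsolicited inbound segment (one that matches no existing connection) with the scan type from the table, which is the kind of rule an IDS applies. The sample segments are constructed inline; the function names are my own.

```python
import struct

# Bit positions of the six control flags in the TCP header (low 6 bits of the
# Data Offset / Reserved / Flags 16-bit word), as in the diagram above.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
FLAG_NAMES = (("URG", URG), ("ACK", ACK), ("PSH", PSH),
              ("RST", RST), ("SYN", SYN), ("FIN", FIN))

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (network byte order)."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": off_flags & 0x3F,             # URG ACK PSH RST SYN FIN
        "window": win, "checksum": csum, "urgent": urg,
    }

def flag_names(flags: int) -> str:
    """Render a flag bitmask as e.g. 'ACK|SYN' (empty string for a Null probe)."""
    return "|".join(name for name, bit in FLAG_NAMES if flags & bit)

def classify_probe(flags: int) -> str:
    """Label the flag combination of an unsolicited inbound segment with the
    scan type from the table above, or 'normal' if it matches none of them."""
    if flags == 0:
        return "null-scan"
    if flags == FIN:
        return "fin-scan"
    if flags == FIN | PSH | URG:
        return "xmas-scan"
    if flags == SYN:
        return "syn-probe"   # -sS and -sT both begin with a bare SYN
    if flags == ACK:
        return "ack-scan"    # probes filtering rules, not port state
    return "normal"

def build_tcp_header(dport: int, flags: int, sport: int = 40000) -> bytes:
    """Constructed sample segment (checksum left zero) used to exercise the parser."""
    off_flags = (5 << 12) | flags  # data offset 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0)

def classify_segment(raw: bytes) -> str:
    """Parse a raw header and classify it in one step."""
    return classify_probe(parse_tcp_header(raw)["flags"])
```

A bare SYN cannot be split into -sS versus -sT at the packet level; the difference only shows in whether the client answers the SYN/ACK with RST or ACK.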
Idle Scan
The attacker does not communicate directly with the target host, but "borrows" the IPID increment behaviour of a third-party Zombie Host to scan. Therefore, the attacker's IP will not appear in the target host's logs; only the IP of the "Zombie Host" will be recorded. However, this method depends on finding a zombie host with an older, predictable IPID implementation.
Decision shown in the original sequence diagram, where x and y are the zombie's IPID values observed before and after the probe: y == x + 2 means the target port is open; y == x means the target port is closed; if the zombie's IPID increment is irregular, the zombie is unusable.
Nmap Usage:
nmap -sI <zombie_host> <target_host>
Example:
nmap -sI 192.168.1.100 192.168.1.200
- 192.168.1.100 → Zombie Host, must have a predictable IPID.
- 192.168.1.200 → Target Host.
Defense and Detection
- Minimize Service Exposure: open only the ports the business requires; this is the simplest and most effective measure.
- Use Firewall/ACL: restrict access from untrusted sources.
- IDS/IPS Detection: identify scanning behaviour from its traffic characteristics.
- Honeypot Technology: lure scanners into revealing their intentions.
Summary
Port scanning is both a reconnaissance tool for attackers and a key concern for defenders. Understanding the principles of the different scanning methods helps security researchers develop their attack-and-defence thinking, and helps them quickly locate risk points in day-to-day work.