Network Scanning — Port Scanning and Nmap for Beginners

What Is Network Scanning and Why Does It Matter?

Network scanning is the active process of probing target systems to discover open ports, running services, and operating system details. As defined in NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment), scanning is a core component of security assessment methodology and is tested on CompTIA PenTest+ (PT0-002) and CompTIA Security+ (SY0-701).

Network scanning is the second phase of the ethical hacking methodology — the phase where you take the assets discovered during footprinting and actively probe them to find open ports, running services, operating system details, and potential vulnerabilities. It turns a list of IP addresses into a detailed map of what is actually running and where.

If footprinting is like looking at a building from the outside and reading its public records, network scanning is like walking through every hallway, checking which doors are open, and noting what is behind each one. You are directly interacting with the target, which means you need explicit written permission before running any scan.

Understanding network scanning is essential for multiple reasons:

• Penetration testing relies on scanning to identify what services and ports to target. You cannot exploit what you have not discovered.
• SOC analysts review scan results and IDS alerts triggered by scanning activity — both authorised internal scans and suspicious external probes.
• Certification exams including CompTIA Security+, CEH, and CompTIA PenTest+ all cover scanning concepts, Nmap syntax, and scan type differences.
• Vulnerability management begins with scanning. You must know what is running before you can assess whether it is vulnerable.

This page covers port scanning fundamentals, Nmap commands, scan types, and how to interpret results — all explained for beginners with no prior networking experience beyond the basics covered in Networking Basics.

Running my first Nmap scan in a home lab was one of the most satisfying moments in my cybersecurity learning journey. I had set up a vulnerable virtual machine, pointed Nmap at it, and watched as it revealed open ports, service names, and version numbers. Suddenly, the target was not just an IP address — it was an SSH server running OpenSSH 7.2, a web server running Apache 2.4.18, and an FTP service accepting anonymous logins. Each open port was a potential story, and I wanted to investigate all of them. That feeling of discovery is what makes hands-on security work so engaging.

Ethical and legal warning: Only scan systems you own or have explicit written authorisation to test. Unauthorised port scanning can violate the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and the Criminal Code Act 1995 (Australia). In your home lab, you can scan freely. On any other network, you need permission first.

Quick Answer

Network scanning discovers open ports, running services, and operating system details on target systems. The primary tool is Nmap, which offers SYN stealth scans (fast, requires root), TCP connect scans (no root needed), and service version detection. Always have written authorisation before scanning, save results with -oA, and start with the top 1,000 ports before expanding to a full 65,535-port scan.

What Do Real-World Scanning Attacks Look Like?

According to the Verizon 2024 DBIR, scanning and reconnaissance were precursors to over 90% of successful network intrusions, making scanning detection a critical SOC capability. Network scanning is used every day in both offensive and defensive security operations.

Scenario	What scanning reveals	Why it matters
Penetration test	Open ports, service versions, OS types across the target’s network	Identifies the attack surface for the next phase of testing
Vulnerability management	All services running across an organisation’s infrastructure	Feeds into vulnerability scanners to check for known weaknesses
Incident response	Unexpected open ports or services on a compromised system	Reveals backdoors, unauthorised services, or lateral movement
Compliance audit	Whether only authorised services are running on production systems	Validates hardening standards and security baselines
Home lab practice	Services running on your intentionally vulnerable VMs	Builds hands-on skills with scanning tools in a safe environment

The key takeaway is that scanning is not just for attackers. Defensive teams use the same tools to audit, monitor, and secure their own environments.

How Does Network Scanning Work?

NIST SP 800-115 defines network scanning as the use of automated tools to send crafted packets to target hosts and analyse their responses to determine port states, service versions, and OS characteristics. The Nmap Reference Guide (nmap.org) documents the protocol-level mechanics behind each scan type.

Key Definition

Port scanning is the process of sending probe packets to a range of port numbers on a target host and classifying each port as open (a service is accepting connections), closed (reachable but no service is listening), or filtered (a firewall or packet filter is blocking the probe). The IANA port registry defines 65,535 possible TCP and UDP ports per host.

To understand network scanning, you need to understand three things: ports, the TCP handshake, and how different scan types manipulate these to discover information.

Ports and Services

Every networked service listens on a port number. Ports range from 0 to 65,535. When Nmap finds an open port, it tells you that a service is accepting connections on that port.

Port	Common service	What it does
21	FTP	File transfer
22	SSH	Secure remote access
25	SMTP	Email sending
53	DNS	Domain name resolution
80	HTTP	Web traffic (unencrypted)
443	HTTPS	Web traffic (encrypted)
445	SMB	Windows file sharing
3306	MySQL	Database
3389	RDP	Remote desktop
8080	HTTP-Alt	Alternative web server

Ports 0-1023 are “well-known ports” assigned to standard services. Ports 1024-49151 are “registered ports” used by applications. Ports 49152-65535 are “dynamic/private ports” used for temporary connections. Understanding common port-to-service mappings is foundational knowledge for security work.

The TCP Three-Way Handshake

TCP connections use a three-step process to establish a reliable connection. Understanding this handshake is essential because different scan types complete, partially complete, or skip it entirely.

1. SYN — The client sends a SYN (synchronise) packet to the server: “I want to connect.”
2. SYN-ACK — The server responds with SYN-ACK (synchronise-acknowledge): “I received your request, and I am ready.”
3. ACK — The client sends an ACK (acknowledge): “Connection established.”

If the port is closed, the server sends back a RST (reset) packet instead of SYN-ACK. If the port is filtered by a firewall, there may be no response at all.

Three Types of Network Scanning

Network scanning is a broad category that includes several distinct activities:

• Port scanning discovers which ports are open, closed, or filtered on a target host. This is the most common type and what most people mean when they say “network scanning.”
• Host discovery (also called network scanning or ping sweeps) identifies which hosts on a network are alive and responding.
• Vulnerability scanning goes beyond port discovery to check running services against databases of known vulnerabilities. This is covered in detail on the vulnerability analysis page.

Step-by-Step: Network Scanning Methodology

DocHowTo

Goal: Systematically discover all live hosts, open ports, running services, and operating system details on a target network. Time: 15–60 minutes per subnet depending on scan depth and network size. Prerequisites: Written authorisation, Nmap installed, target IP range defined.

A structured approach to network scanning ensures you are thorough without wasting time.

1. Confirm authorisation. Verify your scope document includes the IP ranges and systems you plan to scan. Confirm any time-of-day restrictions or scan rate limits.

2. Host discovery. Before scanning individual ports, identify which hosts on the network are alive. A ping sweep across the target range gives you a list of responding systems, so you do not waste time scanning inactive IP addresses.

3. Port scanning. Scan discovered hosts for open ports. Start with the most common ports (top 1000) and expand if needed. Choose your scan type based on the situation — SYN stealth scan for speed, TCP connect scan when you do not have root privileges.

4. Service detection. Once you know which ports are open, identify what services are running and their versions. Nmap’s service detection probes open ports with specially crafted requests to determine the actual software and version behind each port.

5. OS detection. Nmap can analyse response characteristics (TTL values, TCP window sizes, option ordering) to fingerprint the target’s operating system. This helps prioritise which exploits or misconfigurations to investigate.

6. Output and analysis. Save scan results in a structured format. Review the output to identify interesting services, outdated software versions, and potential entry points. Feed these results into the vulnerability analysis phase.

Network Scanning Methodology

Visual Explanation

Network Scanning Methodology

From host discovery to actionable intelligence — each step builds on the last

Pause

Confirm Scope

Authorisation

Verify IP ranges

Check time restrictions

Confirm rules of engagement

Host Discovery

Find live hosts

Ping sweep

ARP scan (local)

TCP/UDP probes

Port Scanning

Find open ports

SYN stealth scan

Top 1000 ports

Full port scan if needed

Service Detection

Identify software

Version probing

Banner grabbing

Script scanning

Output & Analysis

Document results

Save to XML/grepable

Identify high-value targets

Feed into vuln analysis

Idle

Scan Types: TCP Connect vs SYN Stealth

The two most important scan types for beginners are TCP connect scans and SYN stealth scans. Understanding their differences is essential for both practical work and certification exams.

TCP Connect Scan vs SYN Stealth Scan

TCP Connect Scan (-sT)

• Completes full handshake — SYN → SYN-ACK → ACK — full TCP connection established
• No root/admin required — Uses standard OS socket calls — any user can run it
• More easily detected — Full connections are logged by most firewalls and services
• Slightly slower — Completing and tearing down connections adds overhead

VS

SYN Stealth Scan (-sS)

• Half-open handshake — SYN → SYN-ACK → RST — never completes the connection
• Requires root/admin — Crafts raw packets — needs elevated privileges
• Harder to detect — Half-open connections may not be logged by older systems
• Faster — Skipping the full handshake speeds up scanning significantly

Verdict: SYN stealth scan is the default and most common. Use TCP connect when you lack root privileges or need guaranteed connection logging.

Use case

Most penetration testers use SYN scans by default. SOC analysts should recognise both scan types in their IDS alerts.

Other Scan Types Worth Knowing

• UDP scan (-sU): Scans for open UDP ports. UDP is connectionless, so scanning is slower and less reliable. Services like DNS (53), SNMP (161), and DHCP (67/68) run on UDP.
• ACK scan (-sA): Does not find open ports but maps firewall rules. Helps determine whether ports are filtered or unfiltered.
• FIN/Xmas/Null scans: Send unusual flag combinations to bypass simple packet filters. These are less reliable on modern systems but still appear on certification exams.
• Idle scan (-sI): A truly stealthy scan that uses a third-party “zombie” host so no traffic comes from your IP. Advanced technique covered in CEH.

What Does Network Scanning Look Like in Practice?

The Nmap Reference Guide (nmap.org/book/man.html) documents over 100 command-line options. The commands below cover the core techniques tested on CompTIA PenTest+ and used daily by penetration testers and vulnerability management teams.

These are the Nmap commands you will use most often. Practise them in your home lab against intentionally vulnerable machines like Metasploitable, DVWA, or HackTheBox targets.

Host Discovery

# Ping sweep — find live hosts on a subnet
nmap -sn 192.168.1.0/24

# ARP scan — more reliable on local networks (requires root)
nmap -sn -PR 192.168.1.0/24

# Discover hosts without ping (useful when ICMP is blocked)
nmap -Pn 192.168.1.0/24

Port Scanning

# SYN stealth scan — default, fast, requires root
sudo nmap -sS 192.168.1.100

# TCP connect scan — no root required
nmap -sT 192.168.1.100

# Scan specific ports
nmap -p 22,80,443,3389 192.168.1.100

# Scan a range of ports
nmap -p 1-1000 192.168.1.100

# Scan ALL 65535 ports (slow but thorough)
nmap -p- 192.168.1.100

# UDP scan (slower — UDP is connectionless)
sudo nmap -sU --top-ports 20 192.168.1.100

Service and OS Detection

# Service version detection
nmap -sV 192.168.1.100

# OS detection (requires root)
sudo nmap -O 192.168.1.100

# Aggressive scan — OS detection + version detection + scripts + traceroute
sudo nmap -A 192.168.1.100

# Combine version detection with specific ports
nmap -sV -p 22,80,443 192.168.1.100

Output Formats

# Save output in all three formats at once
nmap -sV -oA scan_results 192.168.1.100
# Creates: scan_results.nmap (normal), scan_results.xml (XML), scan_results.gnmap (grepable)

# Normal output to file
nmap -sV -oN output.txt 192.168.1.100

# XML output (useful for importing into other tools)
nmap -sV -oX output.xml 192.168.1.100

# Grepable output (easy to parse with grep/awk)
nmap -sV -oG output.gnmap 192.168.1.100

Reading Nmap Output

A typical Nmap result looks like this:

PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
80/tcp   open     http        Apache httpd 2.4.18 ((Ubuntu))
443/tcp  closed   https
445/tcp  filtered microsoft-ds
3306/tcp open     mysql       MySQL 5.7.28

Each line tells you:

• Port/protocol: Which port and whether it is TCP or UDP
• State: open (accepting connections), closed (reachable but no service), or filtered (firewall is blocking)
• Service: What Nmap thinks is running on that port
• Version: The specific software and version number (when -sV is used)

An open port running an outdated service version (like MySQL 5.7 when the current version is 8.x) is a finding worth investigating further.

What Are the Limitations of Network Scanning?

NIST SP 800-115 cautions that scanning results are a point-in-time snapshot and can be affected by firewalls, IDS evasion, rate limiting, and protocol-specific constraints. No single scan technique provides a complete picture of the target environment.

Network scanning is powerful but not infallible. Understanding its limitations prevents false confidence.

Factor	Limitation	How to handle it
Firewalls and IDS	Modern firewalls drop scan packets silently; IDS systems alert on scanning patterns	Slow your scan rate, use authorised IP ranges, expect “filtered” results
Rate limiting	Aggressive scanning can crash fragile services or trigger lockouts	Use timing templates (-T2 or -T3) on production systems; never -T5
UDP scanning	UDP is connectionless — scans are slow and results are unreliable	Scan only common UDP ports unless you have reason to go deeper
Evasion techniques	Port knocking, non-standard ports, and service obfuscation hide services	Full port scans (-p-) catch non-standard ports; version detection catches obfuscated services
IPv6	Scanning IPv6 address space is impractical due to the enormous range	Target specific IPv6 addresses from DNS or other reconnaissance
False positives	Honeypots and deception technologies present fake services intentionally	Cross-reference findings and verify manually before reporting

A common beginner mistake is running aggressive scans (-T5 -A) against production systems without understanding the impact. Fast, aggressive scans can overwhelm network devices, trigger denial-of-service conditions on fragile services, and generate massive numbers of IDS alerts that waste the security team’s time. Start slow, be deliberate, and increase intensity only when appropriate.

Blue Team Perspective

How defenders detect network scanning: Intrusion detection systems (IDS) flag port scans by detecting rapid connection attempts across multiple ports from a single source. SOC analysts see these as alerts in the SIEM. See Log Analysis for how firewall logs reveal scanning activity.

What Interview Questions Should You Expect About Network Scanning?

CompTIA PenTest+ (PT0-002) and CEH v13 exam objectives both require candidates to explain scan types, interpret Nmap output, and describe the relationship between scanning and vulnerability assessment. Interviewers for SOC analyst and penetration testing roles consistently test these skills.

Network scanning questions are standard in security interviews because scanning is a fundamental skill that bridges offensive and defensive roles.

Q1: What is the difference between a SYN scan and a TCP connect scan?

Strong answer: “A SYN scan sends a SYN packet and waits for a SYN-ACK, then sends a RST instead of completing the handshake. It is faster and less likely to be logged because the connection is never fully established. It requires root privileges to craft raw packets. A TCP connect scan completes the full three-way handshake using the operating system’s standard socket functions. It does not require root but is more easily detected because full connections are logged.”

Q2: You see Nmap report a port as ‘filtered.’ What does that mean?

Strong answer: “Filtered means Nmap could not determine if the port is open or closed because a firewall, packet filter, or other network device is blocking the probe. No response was received, or an ICMP unreachable message was returned. It does not mean the port is closed — it means something is preventing Nmap from reaching it.”

Q3: How would you scan a network without triggering IDS alerts?

Strong answer: “I would slow the scan rate using Nmap’s timing templates like -T2, scan fewer ports at a time, randomise the port order, and spread the scan over a longer time window. For authorised internal scans, I would coordinate with the security team so they can whitelist my source IP or tune their alert rules. Truly silent scanning is difficult against modern IDS, but reducing speed and volume significantly reduces detection.”

Q4: What is the significance of finding an open port running an outdated service version?

Strong answer: “An outdated service version may have known vulnerabilities with published CVEs and public exploits. For example, finding Apache 2.4.18 when the current version is 2.4.58 suggests the system has not been patched recently, which means it may be vulnerable to multiple known exploits. This finding would be documented and fed into the vulnerability analysis phase for further investigation.”

How Is Network Scanning Used in Real Security Operations?

The ASD Essential Eight recommends regular vulnerability scanning as part of patching and hardening, and NIST SP 800-115 classifies scanning as a foundational activity in any security assessment programme. In production environments, scanning connects to broader asset management, vulnerability management, and compliance workflows.

Network scanning is not an isolated activity. In production environments, it connects to broader security processes.

Day-One SOC Scenarios

As a new SOC analyst, you will interact with scanning in several ways:

• Internal vulnerability scans. Your organisation likely runs scheduled Nmap or vulnerability scanner sweeps. You may be responsible for reviewing results, identifying new services, and escalating findings.
• Suspicious external scanning. IDS alerts for port scan activity from external IP addresses are common. You triage these alerts to determine if the scanning is targeted reconnaissance or automated internet-wide scanning (tools like Shodan and Censys scan the entire internet continuously).
• Asset discovery. When new systems appear on the network, scanning helps identify what they are running. Shadow IT — systems deployed without security team awareness — is a real and common problem.

Australian Context

The ASD Essential Eight recommends regular vulnerability scanning as part of patching and hardening processes. Australian government agencies and critical infrastructure operators are expected to maintain current asset inventories and regularly scan their environments for unauthorised services and missing patches.

The ACSC’s Information Security Manual (ISM) includes controls for network scanning as part of ongoing security assessment. For career changers targeting Australian government or managed security service roles, familiarity with Nmap and its integration into vulnerability management workflows is expected knowledge.

When scanning in Australian environments, be aware that the Privacy Act 1988 and sector-specific regulations (such as the SOCI Act for critical infrastructure) may impose additional requirements on how scan data is handled, stored, and reported.

Summary and Key Takeaways

Network scanning transforms the reconnaissance data from footprinting into a detailed, actionable map of the target’s attack surface.

• Port scanning discovers open doors. Each open port represents a service that could be a potential entry point for attackers or a legitimate service that needs hardening.
• SYN stealth scans are the default and most common scan type. They are fast, relatively quiet, and require root privileges.
• TCP connect scans complete the full handshake and work without root, but are more easily detected and logged.
• Service detection (-sV) is essential. Knowing that port 80 is open is useful; knowing it is running Apache 2.4.18 is actionable.
• Always save output in structured formats (-oA). Scan results are documentation that feeds into vulnerability analysis and final reports.
• Scanning requires authorisation. No exceptions. Even in a learning context, only scan systems you own or have explicit permission to test.
• Scanning feeds into vulnerability analysis. The services and versions you discover become the targets for the next phase.

Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

Related

• Footprinting and Reconnaissance for the phase that comes before scanning
• Vulnerability Analysis for assessing the weaknesses scanning reveals
• Nmap for a deep dive into the primary scanning tool
• Networking Basics for the TCP/IP fundamentals that scanning relies on

Frequently Asked Questions

What is network scanning in cybersecurity?

Network scanning is the process of sending probes to target systems to discover live hosts, open ports, running services, and operating system details. It is the second phase of the ethical hacking methodology and uses tools like Nmap to map an organisation's attack surface.

What is the difference between a port scan and a vulnerability scan?

A port scan discovers which ports are open and what services are running. A vulnerability scan goes further by checking those services against databases of known vulnerabilities to identify specific security weaknesses. Port scanning is a prerequisite for vulnerability scanning.

What does it mean when Nmap says a port is filtered?

Filtered means a firewall or packet filter is preventing Nmap from determining whether the port is open or closed. The probe was either dropped silently or received an ICMP unreachable response. Filtered does not mean closed — it means the port's true state is hidden.

Do I need root or admin privileges to run Nmap?

SYN stealth scans and OS detection require root or administrator privileges because they craft raw network packets. TCP connect scans work without elevated privileges because they use the operating system's standard socket API. On Linux, use sudo with Nmap for full functionality.

What are the most common ports to scan?

The most commonly scanned ports include 22 (SSH), 80 (HTTP), 443 (HTTPS), 21 (FTP), 25 (SMTP), 53 (DNS), 445 (SMB), 3306 (MySQL), and 3389 (RDP). Nmap's default scan checks the top 1000 most common ports, which covers the vast majority of services.

How fast should I scan a network?

Use Nmap's timing templates: T1 or T2 for stealth, T3 for normal balanced scanning, and T4 for faster scans on reliable networks. Never use T5 on production systems as it can overwhelm fragile services and network devices. When in doubt, go slower.

Can network scanning crash systems?

Yes. Aggressive scanning can overwhelm fragile services, cause denial-of-service conditions on older devices, and trigger security lockouts. This is why authorisation, scope limits, and appropriate scan rates are critical. Always start with conservative timing and increase only when you understand the target environment.

What is banner grabbing?

Banner grabbing is the process of connecting to an open port and reading the service banner — the text the service sends when a connection is made. Banners often reveal the software name, version, and sometimes the operating system. Nmap's service detection feature automates banner grabbing across all open ports.

How do I practise network scanning safely?

Set up a home lab with virtual machines. Intentionally vulnerable systems like Metasploitable 2, DVWA, and VulnHub machines are designed for scanning practice. You can also use platforms like TryHackMe and Hack The Box which provide legal targets for scanning exercises.

Is port scanning illegal?

The legality of port scanning varies by jurisdiction and context. Scanning systems you own is legal everywhere. Scanning systems without authorisation may violate computer crime laws in many countries. In professional security work, always have a signed authorisation document before scanning any systems you do not own.

Related sections

Footprinting and Reconnaissance

The first phase of ethical hacking — gather intelligence about the target before you start scanning.

Explore Vulnerability Analysis

The next step after scanning — assess the security weaknesses in the services and versions you discovered.

Explore Nmap

Deep dive into Nmap — the most important tool in your scanning toolkit with advanced techniques and scripts.

Explore

More resources

Nmap Official Documentation

The definitive reference for Nmap — scan types, options, NSE scripts, and usage examples from the creators.

Visit SANS Nmap Cheat Sheet

Quick-reference card with common Nmap commands, scan types, and output options for everyday use.

Visit IANA Port Number Registry

The official list of port number assignments maintained by IANA — the authoritative source for port-to-service mappings.

Visit

---

Technical content verified in March 2026 against Nmap 7.94, CompTIA Security+ SY0-701 exam objectives, CEH v12 syllabus, and NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment).