Port Scanning - Network Reconnaissance Techniques
About 2 min read
Port scanning is a reconnaissance activity that investigates the open or closed state of each port on a host on a network. Attackers use port scanning to identify running services and software with vulnerabilities, using them as a foothold for intrusion. On the other hand, security administrators also perform port scanning to verify the safety of their own organization's network. As of 2025, services that scan the entire internet, such as Shodan and Censys, have made information about exposed ports searchable by anyone, further increasing the risk of unintended port exposure.
Real-World Use Cases
"During a routine port scan, we discovered that a Redis server (port 6379) a developer had spun up for testing was exposed to the outside without authentication. It was caused by a misconfigured security group, and we immediately restricted access."
Types of Scanning Techniques
A TCP SYN scan (half-open scan) is the most common technique for checking a port's state without completing the connection. A TCP Connect scan establishes a full connection, so it is easier to detect, but it requires no special privileges. A UDP scan investigates UDP services such as DNS (53) and SNMP (161). Nmap is the most widely used port scanning tool, capable of identifying even the OS type and service versions.port scanning books on Amazon can help you learn the technical details.
Practical Usage Scenarios
In the early stages of penetration testing, a port scan of the target network is always performed. For example, if a web server exposes ports 22 (SSH), 3306 (MySQL), and 8080 (admin panel) to the outside in addition to 80/443, each becomes an attack target. Security administrators should perform port scans regularly to check whether any unintended ports are open. In cloud environments, cases where unnecessary ports are exposed due to misconfigured security groups occur frequently.
Countermeasures
Use a firewall to open only the necessary ports, and stop unnecessary services. Configuring IDS/IPS to detect and automatically block port scans is also effective. Protect SSH and admin panels with strong random passwords, and changing the default port (such as moving SSH from 22 to another port) is also a measure against casual scans. Based on the principles of zero trust security, strengthen authentication not only at the network perimeter but also at each service level.firewall configuration guides (Amazon) are also helpful references.
Was this article helpful?