Recon series #4: Port scanning – uncovering attack vectors by revealing open ports and hidden services

April 25, 2025

Port scanning techniques for finding hidden services

Ever wondered if you’ve overlooked an open port that is hiding a service vulnerable to exploitation?

Port scanning is an invaluable reconnaissance technique for ethical hackers because every undiscovered service is a potential gateway to critical vulnerabilities!

In this article, you will learn passive and active port scanning techniques for revealing open ports and hidden services on a target’s infrastructure.

We’ll explain the advantages of various scanning methods, recommend the most effective port scanning tools, and provide practical examples based on real Bug Bounty targets. Understanding these techniques will empower you to make informed decisions that enhance your recon strategy.

Outline

What is port scanning?
Passive port scanning
Gathering service information from public databases
Finding exposed ports with Shodan
Active port scanning
TCP SYN and CONNECT scanning
UDP scanning and its challenges
Identifying exposed services with banner grabbing
Fingerprinting services and OS detection
Evading firewalls and IDS
Optimising scanning speed and accuracy
Discovering and probing web services
Conclusion
References

What is port scanning?

Port scanning is a technique for identifying open ports – virtual endpoints that are configured to accept incoming network traffic – on a target system.

Identifying open ports helps you to determine which services are running and therefore to map the attack surface – a crucial first step before uncovering potential weak points.

Port scanning is typically performed against a specific domain or IP address, or a defined range of IPs. Bug Bounty Programs that permit port scanning should detail clearly what you are allowed to scan. It’s essential to verify what is permitted before launching any scans to stay compliant with program rules.

Port scanning is often permitted on self-hosted infrastructure (meaning the company owns the IP ranges), but rarely allowed on third-party services such as cloud-hosted apps, SaaS platforms or where scopes include web applications but not IPs or network infrastructure.

Once you’ve mapped your target’s active services, you can search for vulnerabilities arising from outdated software, misconfigurations, weak authentication mechanisms and so on.

Passive port scanning

Port scans need not directly interact with the target to produce useful results. Passive port scanning gathers valuable intel on your target without alerting its defensive mechanisms, which eliminates the risk of detection. This is achieved by drawing on public sources that have already scanned the internet.

Gathering service information from public databases

By querying platforms like Shodan, Censys, or SecurityTrails you can access historical records of open ports and associated services across various domains and IP ranges. You can identify:

Services that were once publicly accessible
Hosts that are inadvertently exposing ports
And forgotten assets that are no longer monitored

This information allows you to understand the historical context of a target’s exposure, often revealing legacy systems that might be otherwise overlooked.

Finding exposed ports with Shodan

A simple Shodan query can reveal open ports on a target domain:

shodan search "hostname:example.com"

Quickly highlighting which ports are publicly accessible, this query enables you to focus your efforts on potentially vulnerable entry points.

Active port scanning

After gathering a high-level view with passive methods, it’s time to delve deeper. Active port scanning interacts directly with the target’s network, revealing live services and open ports that might not appear in public records.

These techniques involve sending crafted packets (such as SYN, ACK or UDP probes) to the target host and analysing their responses. Tools such as Nmap, Masscan or Naabu can scan IPs or domains to uncover:

Services that are live but not publicly indexed
Ports that are selectively open to specific IP ranges
Temporary or forgotten services still running internally

Active scanning is more precise and comprehensive than passive scanning, but introduces risk because it can trigger firewall alerts or intrusion detection systems (IDS).

Effective countermeasures include reducing scan speeds to evade rate-based detection, and employing evasion techniques like fragmentation and decoy scans. If you’re probing a Bug Bounty target, you should also ensure that you are explicitly authorised to conduct the scans you intend to run.

TCP SYN and CONNECT scanning

TCP SYN scanning (using -sS in Nmap) is a popular active port-scanning method in part because of its stealthy nature: it sends a SYN packet and awaits a SYN-ACK response without establishing a full connection.

Example:

nmap -sS -p 22,80,443 192.168.1.1

A TCP CONNECT scan (-sT), which does establish a full connection, is a viable alternative when firewalls block SYN packets. This method provides a more definitive answer on port status when stealth is not your primary concern.

Example:

nmap -sT -p 22,80,443 192.168.1.1

UDP scanning

UDP scanning is useful for services running over UDP (such as DNS or SNMP) and for bypassing TCP-based defenses. Since UDP is connectionless, it’s also harder to detect than TCP scans that require handshakes.

However, the absence of a handshake mechanism means UDP scans sometimes generate ambiguous responses from closed ports and might be ignored by open ports. Moreover, many UDP services only respond to probes customised to their target, making them harder to detect with generic scans – so hunters need relevant expertise.

Example:

nmap -sU -p 53,161,500 192.168.1.1

Because UDP traffic is often rate-limited or dropped by firewalls, it’s crucial to apply rate limiting and enable retries to improve reliability and accuracy.

Identifying exposed services with banner grabbing

Once open ports are identified, banner grabbing is used to extract details about the services running. This technique provides insight into the software version, configuration and potential vulnerabilities that could be exploited.

Banner grabbing involves connecting to a service and reading the initial data it sends back – often a welcome message or banner. Knowing why this matters allows you to quickly assess if a service is using outdated or misconfigured software.

Example using Netcat:

echo -e "\n" | nc -v 192.168.1.1 22

This command prompts the target to reveal its banner, potentially disclosing critical information such as the software name and version.

Nmap can also perform banner grabbing with its version detection feature using the -sV flag. This not only confirms the service’s identity but also provides additional details like SSL support or custom configurations.

Example:

nmap -sV 192.168.1.1

This output shows how Nmap identifies exact versions of services – a crucial prerequisite for pinpointing vulnerabilities in outdated or misconfigured software:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))

For more detailed detection, you can increase the intensity with:

nmap -sV --version-intensity 9 192.168.1.1

Or perform an all-inclusive scan with:

nmap -sV --version-all 192.168.1.1

You can also target specific ports:

nmap -sV -p 22,80,443 192.168.1.1

For OS detection, Nmap’s -O flag attempts to identify the operating system based on TCP/IP stack behaviour. Knowing the OS can help tailor further exploitation or remediation strategies.

nmap -O 192.168.1.1

Evading Firewalls and IDS

⚠️ Bug hunters beware: Always ensure you have proper authorisation and that your actions comply with a Bug Bounty Program’s rules.

Port scanning can trigger security defences, so employing stealthy scanning techniques is often necessary to avoid detection.

An IDS (intrusion detection system) monitors network traffic to detect suspicious activity, including port scans. Knowing how an IDS might flag your actions as potentially malicious can usefully inform your recon strategy to mitigate these risks.

Evasion techniques include:

Using decoys (-D): Sends fake scan traffic from spoofed IPs along with your real scan, making it harder for detection systems to pinpoint your activity. For example:

nmap -sS -D RND:10 -p 80,443 target.com

This method obscures the true source of your scan, reducing the chance of being blocked.

Slowing down scans (--scan-delay): Introduces a delay between probes to prevent triggering threshold-based IDS rules. For example:

nmap -sS --scan-delay 1s target.com

A slower pace mimics regular traffic, lowering the risk of detection.

Fragment packets (-f): Splits TCP packets into smaller fragments, which can bypass simple IDS/IPS that do not reassemble packets properly. For example:

nmap -sS -f target.com

Fragmenting packets can confuse basic detection mechanisms, though it may not work against more advanced systems.

Optimising scanning speed and accuracy

While traditional tools like Nmap might prove too slow for large-scale reconnaissance, there’s generally a trade-off between scan speed and thoroughness. Striking the right balance is therefore key to ensuring you do not miss any open ports.

Use Masscan for ultra-fast port scanning

Masscan, the fastest internet port scanner, sends asynchronous TCP packets, which allows you to scan massive IP ranges quickly – a boon for initial recon. Consider the following example:

masscan -p1-65535 --rate=10000 target.com

In the above example, -p1-65535 scans all TCP ports, while --rate=10000 sets scan speed to 10,000 packets per second. This high rate facilitates a rapid assessment, though you may need to recalibrate based on bandwidth and target limitations.

Inevitably, this rapid speed means scans are less thorough. Therefore it’s wise to supplement Masscan probes with Nmap scans in order to gain deeper insights.

Use Naabu for fast port scanning

Naabu is a lightweight port scanner ideal for identifying live hosts quickly. Its simplicity makes it perfect for initial reconnaissance, and it integrates well with other tools for further analysis.

naabu -host target.com

Combine results with httpx for efficient web service discovery

The command below first identifies open ports and then confirms which of them are hosting live web services – ensuring you focus on genuine targets:

naabu -host target.com | httpx -silent

Discovering and probing web services

Once open ports are identified, it’s important to check which ones – especially common web ports like 80, 443, 8080 or 8443 – are serving HTTP or HTTPS content. Not all open ports provide web content, so this step can sharpen your focus.

This is where tools like httpx come into play. Httpx is a rapid HTTP probing tool that accepts a list of hosts or IPs (with optional ports) and checks for active web services. These capabilities mean you can quickly filter out inactive endpoints and concentrate on viable targets.

This command automates the process of identifying live web services from a list of open ports:

cat open-ports.txt | httpx -o web-services.txt

This command elicits more detailed results, including page titles, status codes and technology detection:

cat open-ports.txt | httpx -title -status-code -tech-detect -o detailed-web.txt

Triggering more enriched output in this way provides a snapshot of the web service environment, helping you determine potential vulnerabilities more quickly.

Before probing ports, you can also perform subdomain enumeration to reveal additional potential entry points. Amass is an excellent tool for achieving this purpose.

Combine it with httpx to quickly check which subdomains host live web services:

amass enum -d target.com -o subs.txt
cat subs.txt | httpx -silent -o alive.txt

This process enhances your reconnaissance by identifying and verifying additional targets.

Conclusion: harness port scans to reveal what other hunters might miss

Port scanning is a critical element of Bug Bounty reconnaissance.

By finding not just open ports but also uncovering the hidden services behind them, these techniques lay the groundwork for deeper exploitation by maximising the visible attack surface – thereby increasing your likelihood of discovering vulnerabilities.

From this guide you’ve learned how to mix passive methods (using tools like Shodan and Censys) with active techniques (using Nmap, Masscan and Naabu) to comprehensively map services exposed on your target.

Combined with subdomain enumeration, these techniques deepen your understanding of the target’s infrastructure and help you identify targets that others might overlook.

In the end, effective reconnaissance is about more than just scanning – it’s also about understanding the rationale and use cases for every recon tool and technique.

Happy hunting! 👾