Lesson 4 of 8

Scanning and Enumeration


From Reconnaissance to Scanning

Once you have a map of the target's assets, scanning confirms which hosts are alive, which ports are open, and which services run behind them. If reconnaissance answers "what exists?", scanning answers "what is active and accessible?". This phase transforms a theoretical inventory into a concrete attack surface.

Scanning is inherently active: you send packets to the target's systems and observe their responses. That is why it is detectable and must always be performed within the authorized scope and respecting the agreed testing windows. An aggressive scan can overload fragile services, so adjusting intensity to the environment is part of professionalism.

The dominant tool for this phase is Nmap, a flexible and powerful network scanner that is practically an industry standard. Mastering it is essential for any pentester.

Host Discovery

Before scanning ports it is wise to know which hosts are alive within a range. Host discovery avoids wasting time probing nonexistent addresses. Nmap offers the -sn flag (ping scan) that identifies active hosts without scanning ports, using combinations of ICMP, ARP, and TCP/UDP probes depending on the network context.

On local networks, ARP discovery is very reliable because it operates at the link layer. On remote networks, where a firewall may block ICMP, it is best to use probes to common ports to infer whether a host responds. Understanding how the target filters traffic helps you correctly interpret which hosts are truly alive versus simply filtered.

The result of this stage is a refined list of live targets on which to focus detailed port scanning, saving time and reducing unnecessary noise.

Port Scanning with Nmap

Port scanning identifies which services listen on a host. The TCP SYN scan (-sS), also called a "half-open scan", is the default and most efficient method: it sends a SYN, observes the response, and does not complete the handshake, which makes it fast and relatively discreet. The TCP connect scan (-sT) completes the connection and is used when you do not have root privileges.

For UDP services, the UDP scan (-sU) is slower and less precise due to the nature of the protocol, but it is important because many critical services — DNS, SNMP, DHCP — run over UDP and are often overlooked. A scan that ignores UDP leaves significant blind spots in the attack surface.

Nmap lets you control the port range (-p), the speed via timing templates (-T0 to -T5), and the level of detail. Starting with a quick scan of the most common ports and then going deeper into the interesting findings is an efficient strategy that respects the client's systems.

Service and Version Detection

Knowing that a port is open is just the beginning; what is valuable is knowing what runs there and in what version. The -sV flag enables version detection: Nmap interrogates the service, analyzes its responses, and compares them against a database of signatures to identify the exact product and version.

This information is gold for the following phases. Knowing that a server runs, for example, a specific version of OpenSSH or a web server lets you look for known vulnerabilities associated with that exact version. The -O flag adds operating system detection via TCP/IP stack fingerprinting, completing the host profile.

The combination -sV -O, or the aggressive mode -A that additionally adds default scripts and traceroute, offers a rich view of each target. That said, the deeper the scan, the noisier and slower it is, so calibrate its depth to the context.

Banner grabbing consists of capturing the identification information that many services announce upon connection. A banner can reveal the software name, its version, and even configuration details. Simple tools like netcat let you connect to a port and read the banner manually, while Nmap automates it with its version detection.

For example, connecting to an SMTP mail server usually returns a banner with the MTA's software and version. A web server responds with HTTP headers that may include the Server field. These details, although seemingly minor, steer the vulnerability search toward concrete versions and specific configurations.

It is worth clarifying that some administrators obfuscate or spoof banners as a defensive measure, so you should not blindly trust them. Corroborate the information with multiple techniques before drawing conclusions.
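As an added illustration of the manual banner grabbing described above (not code from the original lesson), the snippet below reads whatever a service volunteers on connect and splits an SMTP greeting into its parts. It spins up a throwaway listener on 127.0.0.1 that replies with a constructed Postfix-style banner so it runs offline; the "claimed" software is recorded as such, since the banner is whatever the operator chose to announce.

```python
import socket
import threading

# Constructed stand-in for a real SMTP greeting; no external host is contacted.
FAKE_SMTP_BANNER = b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"


def serve_banner_once(banner: bytes) -> int:
    """Start a throwaway local listener that sends `banner` on connect.
    Returns the bound port. Exists only so the example runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def _run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=_run, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read what the service sends unprompted, return it as text.
    Services that wait for the client to speak first (e.g. HTTP) yield "";
    an empty or refused result is itself a finding, not an error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(1024)
    except (socket.timeout, ConnectionRefusedError, OSError):
        return ""
    return data.decode("utf-8", errors="replace").strip()


def parse_smtp_banner(banner: str) -> dict:
    """Split an SMTP greeting into reply code, hostname and free text.
    The free text is only what the server *claims* to be; corroborate it
    with version detection or other probes before relying on it."""
    parts = banner.split(" ", 2)
    if len(parts) < 2 or not parts[0].isdigit():
        return {"code": None, "host": None, "claimed": banner}
    return {"code": int(parts[0]), "host": parts[1],
            "claimed": parts[2] if len(parts) == 3 else ""}
```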

Deep Enumeration with Scripts

Nmap includes the Nmap Scripting Engine (NSE), a library of hundreds of scripts that automate advanced enumeration: enumerating SMB shares, listing users, detecting weak configurations, querying DNS records, or identifying known vulnerabilities. The default category (--script default, or simply -sC) runs a safe set of generally useful scripts.

Deep enumeration extracts detail from each discovered service: a server's users, a web service's directories, database versions, or a configuration's policies. The more information you gather in a structured way, the stronger the vulnerability analysis phase that follows.

Document each finding by associating it with its host and service. An orderly and complete enumeration is the foundation on which a successful pentest is built, and it avoids having to repeat scans later.
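To show what "documenting each finding by host and service" looks like in practice, here is an added example (not from the lesson) that parses Nmap's XML output (-oX) into one record per host, protocol and port, and flags entries that still need corroboration: services Nmap only guessed from its port table rather than probed, services with no version, and UDP ports that are merely open|filtered. The XML is a constructed, trimmed sample, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed Nmap -oX output (not a real scan result).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.0.0.0/29">
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="80"><state state="open"/>
    <service name="http" method="table" conf="3"/></port>
   <port protocol="udp" portid="161"><state state="open|filtered"/>
    <service name="snmp" method="table" conf="3"/></port>
  </ports></host>
 <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """One finding per (host, proto, port) on live hosts.
    'corroborate' is True when Nmap only guessed the service from its port
    table (method="table"), gave no version, or the port is merely
    open|filtered: those entries need a second technique before reporting."""
    findings = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # host discovery marked it down; nothing to record
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if not state.startswith("open"):
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            version = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
            findings.append({
                "host": addr, "proto": port.get("protocol"),
                "port": int(port.get("portid")), "state": state,
                "service": attrs.get("name", ""), "version": version,
                "corroborate": attrs.get("method") != "probed" or not version or state != "open",
            })
    return findings


def by_host(findings):
    """Group findings as 'proto/port service version' lines per host."""
    grouped = {}
    for f in findings:
        line = f"{f['proto']}/{f['port']} {f['service']} {f['version']}".rstrip()
        grouped.setdefault(f["host"], []).append(line)
    return grouped
```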