Foundations of Network Scanning – Tools and Basics

In the world of cybersecurity, network scanning forms the backbone of reconnaissance, vulnerability assessments, and penetration testing. It enables professionals to map out systems, detect live hosts, uncover open ports, identify running services, and ultimately find weaknesses that could be exploited by malicious actors. Understanding the tools, techniques, and strategies behind network scanning is critical for anyone involved in ethical hacking, security auditing, or network administration.

This article lays the groundwork by exploring what network scanning is, why it matters, and how to use some of the most powerful tools available today, including Nmap, Zenmap, Angry IP Scanner, and Hping3.

What is Network Scanning?

Network scanning is the process of discovering active devices on a network and probing them for information such as open ports, running services, operating systems, and potential vulnerabilities. It is often the first step in both legitimate security assessments and malicious attacks.

The key objectives of scanning include:

  • Identifying live hosts on a network

  • Detecting open or filtered ports

  • Discovering services and their versions

  • Determining the operating systems of remote hosts

  • Mapping out the network topology

Network scanning helps organizations understand their own infrastructure and provides attackers with a blueprint for possible exploitation if left unprotected.

Ethical and Legal Considerations

Before diving into scanning, it’s important to understand the ethical and legal boundaries. Unauthorized scanning of networks is illegal in many jurisdictions and can lead to criminal charges, fines, or civil lawsuits. Ethical hackers and penetration testers must always have explicit written permission before performing any kind of scan on a network.

Professional engagements typically involve scopes defined in contracts that specify IP ranges, methods, and times when scanning is permitted. Always operate within these boundaries to stay on the right side of the law and professional ethics.

Types of Network Scans

Network scans come in various forms depending on what information you seek and how stealthily you want to collect it. The most common scanning types include:

Ping Sweep (ICMP Echo Scan)

Used to identify live hosts by sending ICMP Echo Request packets (ping) and waiting for Echo Reply responses. Many hosts and perimeter firewalls drop ICMP, so a missing reply does not prove a host is down; Nmap's host-discovery mode (-sn), when run as root, therefore also sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request alongside the echo request.

TCP Connect Scan

The most basic type of scan (Nmap -sT). It performs a full TCP handshake (SYN, SYN-ACK, ACK) with each port to determine whether it is open. Because it uses the operating system's ordinary connect() call it needs no special privileges, but every completed connection is visible to the service on the other end and usually ends up in its logs.

SYN Scan (Stealth Scan)

Often referred to as half-open scanning (Nmap -sS), it sends a SYN packet and analyzes the response. If a SYN-ACK is received the port is open; a RST means closed; no answer means filtered. Instead of completing the handshake, the scanner answers the SYN-ACK with a RST, so the service never sees a connection and does not log one. The SYN itself is still plainly visible to any firewall or IDS in the path, so the “stealth” applies only at the application layer. Raw sockets are required, which means running as root.

UDP Scan

Checks for open UDP ports by sending packets and interpreting responses or the lack thereof. A UDP reply means open; an ICMP port-unreachable message means closed; silence is reported as open|filtered, because an open UDP service that does not understand an empty probe simply says nothing. Since most hosts rate-limit ICMP unreachable messages (Linux sends roughly one per second), this type of scan is far slower and less conclusive than its TCP counterparts.

ACK Scan

Used not to find open ports, but to map firewall rules. An ACK probe that draws a RST shows the port is unfiltered (reachable, state unknown); no reply, or an ICMP unreachable from an intermediate device, means it is filtered. Because both open and closed ports answer an unexpected ACK with a RST, this scan never reports a port as open.

Each of these scan types has its place in the toolkit of a security professional, and often they are used in combination to build a comprehensive picture of a target network.
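As an added illustration (not code from the original article), here is the TCP connect scan described above in a few dozen lines of Python. It uses the operating system's connect() call exactly as Nmap's -sT does and classifies each port from how that call succeeds or fails. The demo() target is constructed locally on 127.0.0.1, one listening socket and one port known to be free, so the script runs offline and touches no third-party host.

```python
import socket


def connect_scan(host, ports, timeout=1.0):
    """Full three-way-handshake scan, the technique behind Nmap's -sT.

    Returns {port: "open" | "closed" | "filtered"}:
      connect() succeeds        -> SYN, SYN-ACK, ACK all happened: open
      ECONNREFUSED (a RST)      -> host reachable, nothing listening: closed
      timeout / unreachable     -> probe or reply dropped on the way: filtered
    No raw sockets are needed, but every "open" result is a real connection the
    service saw and may have logged.
    """
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:          # must come before the generic OSError
            results[port] = "closed"
        except OSError:                         # socket.timeout and host-unreachable errors
            results[port] = "filtered"
        finally:
            sock.close()                        # tear down the connection we just made
    return results


def demo():
    """Constructed target on loopback: one listening port and one port known to be free."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))             # port 0: the kernel picks a free port
    listener.listen(5)                          # the backlog completes handshakes for us
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                               # nothing listens here now, so connect() gets a RST

    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port in (open_port, closed_port):
        print(f"{port}/tcp {results[port]}")
```

The "filtered" branch is the one you will see against a real firewall: the SYN is dropped, no RST ever comes back, and the only signal is the timeout, which is why connect and SYN scans against filtered ranges are slow.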

Overview of Scanning Tools

A variety of tools are available for performing scans, each with its own strengths and specialties. Below is an overview of four widely used tools.

Nmap

Nmap (Network Mapper) is one of the most powerful and versatile network scanning tools available. It supports a wide range of scan types and has built-in scripting capabilities for service detection, vulnerability scanning, and OS fingerprinting.

Key features include:

  • TCP and UDP scanning

  • Service version detection

  • OS fingerprinting

  • Scriptable interactions via NSE (Nmap Scripting Engine)

Nmap is best used by intermediate to advanced users comfortable with the command line.

Zenmap

Zenmap is the official graphical user interface (GUI) for Nmap. It provides a visual and user-friendly way to launch scans, view results, and explore network topologies.

It is ideal for beginners or those who prefer a visual representation of data over text-based output. While it relies entirely on Nmap in the background, it simplifies tasks through pre-configured scan profiles and graphical displays.

Angry IP Scanner

Angry IP Scanner is a lightweight, cross-platform network scanner focused on speed and simplicity. It quickly scans IP address ranges and displays host availability, response time, and basic port information.

This tool is favored by network administrators and help desk personnel for quick checks. However, it lacks the depth and flexibility of Nmap or Hping3 and is limited to ping sweeps and basic port checks.

Hping3

Hping3 is a packet crafting tool that goes beyond typical scanning. It allows users to create custom TCP/IP packets, making it invaluable for firewall testing, network diagnostics, and evasion techniques.

Features include:

  • TCP/UDP/ICMP packet generation

  • Traceroute mode

  • TCP flag control (SYN, FIN, ACK, etc.)

  • Firewall and intrusion detection testing

Due to its complexity, Hping3 is more suitable for experienced users who understand low-level networking.

Installing the Tools

Installation varies depending on your operating system. Below is a general overview for Linux systems:

  • Nmap: Most Linux distributions include Nmap in their repositories:

    sudo apt install nmap

  • Zenmap: Older Zenmap releases depend on Python 2 and GTK 2, which newer distributions no longer ship, so it is often missing from repositories; recent Nmap releases include a Python 3 port, and packages are available from nmap.org

  • Angry IP Scanner: Download the appropriate package from its official release page (cross-platform support)

  • Hping3: Also found in standard repositories:

    sudo apt install hping3

On Windows and macOS, binaries or installation packages can be obtained from the respective websites or app stores. Ensure proper permissions and system compatibility before installing.

Basic Commands and Outputs

Let’s explore some basic commands and their outputs using real-world examples.

Nmap – TCP SYN Scan

Command:

sudo nmap -sS 192.168.1.1

This runs a SYN scan against Nmap's default list of the 1,000 most common TCP ports. The scan needs raw-socket privileges: Nmap refuses -sS for an unprivileged user (when no scan type is given it picks SYN as root and falls back to a connect scan otherwise). The output may look like:

PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https

This tells you which ports are open. The SERVICE column is only Nmap's lookup of the port number in its nmap-services table, not an observation of what is actually listening; add -sV to probe each open port and identify the real service and version.

Zenmap – GUI Scan Example

Launch Zenmap, select a scan profile such as “Intense Scan” (which runs nmap -T4 -A -v: timing template 4 plus OS detection, version detection, default NSE scripts and traceroute), enter your target IP or range, and click “Scan.” The output will appear in multiple tabs, including:

  • Ports and services

  • Topology map

  • Host details

  • Scanning logs

No command-line input is needed here, making it ideal for beginners.

Angry IP Scanner – Quick Sweep

Open Angry IP Scanner, set the IP range (e.g., 192.168.1.1 to 192.168.1.254), and click “Start.”

The scanner returns a list of live hosts with:

  • IP address

  • Ping time

  • Hostname

  • Open port info (optional based on settings)

This is perfect for quick discovery of active devices on a LAN.

Hping3 – SYN Packet to Specific Port

Command:

sudo hping3 -S 192.168.1.1 -p 80 -c 1

This sends a single SYN packet to port 80 (-c 1 stops after one packet; without it hping3 keeps sending until interrupted). A typical response might be:

len=46 ip=192.168.1.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.5 ms

A SYN-ACK (flags=SA) means the port is open. A RST-ACK (flags=RA) means the host is reachable but nothing is listening, i.e. the port is closed. No reply at all means the probe or its answer was dropped on the way, which is how a filtering firewall shows up; hping3 then reports 1 packets transmitted, 0 packets received.

Choosing the Right Tool

Choosing the right tool depends on your objectives, skill level, and time constraints. Here are some general recommendations:

  • Use Angry IP Scanner for quick detection of live hosts on a local network.

  • Use Nmap for comprehensive port scanning, OS detection, and service identification.

  • Use Zenmap if you prefer GUI-based scanning or are new to Nmap.

  • Use Hping3 for advanced firewall testing or when custom packet crafting is required.

Often, professionals use a combination of tools to cross-validate results and expand coverage. For example, Angry IP Scanner for initial discovery, followed by Nmap for deeper analysis, and Hping3 to probe for firewall behavior.

Limitations and Best Practices

While these tools are powerful, they have limitations. Firewalls, intrusion prevention systems (IPS), and rate-limiting can skew results. Here are a few best practices:

  • Use multiple scan types (e.g., SYN, UDP, ACK) for more comprehensive detection.

  • Space out scans to avoid detection or rate-limiting.

  • Record all outputs for future reference.

  • Avoid scanning public IPs unless explicitly authorized.

  • Learn how your organization logs scans and responds to unusual traffic.

Proper documentation and ethical boundaries are key to successful and responsible network scanning.


Advanced Scanning Techniques – Evasion, Speed, and Custom Probes

After mastering the fundamentals of network scanning, it’s time to take things further by exploring advanced techniques and tools. These approaches allow cybersecurity professionals to evade detection, scan large networks at lightning speed, and customize packets to test firewalls or simulate specific attacks. In high-security environments, basic scans often trigger alerts or get blocked, which is why stealth, speed, and precision are essential.

This article focuses on advanced scanning methods using powerful tools like Nmap, Hping3, Masscan, Netcat, and Unicornscan. You’ll learn how to evade detection, scan efficiently, and understand what each advanced technique reveals about your target environment.

Why Go Beyond Basic Scans?

Basic scans, such as SYN or TCP connect scans, are sufficient in many environments. However, enterprise-level networks often deploy:

  • Firewalls that block or filter scanning attempts

  • Intrusion Detection Systems (IDS) that log or alert unusual activity

  • Rate-limiters that slow or stop large scan bursts

  • Honeypots that attract and monitor attackers

To bypass these defenses, attackers and penetration testers use alternate flags, fragmented packets, randomized timing, and packet crafting to remain undetected and successful in their reconnaissance.

Advanced scanning techniques help uncover services or vulnerabilities that basic scans may miss or fail to reach due to active defenses.

Advanced Nmap Scan Types

Nmap supports several advanced scan types that manipulate TCP flags or timing to gain deeper insight or evade detection.

TCP Null Scan

Command:

sudo nmap -sN 192.168.1.1

Description: Sends a packet with no flags set. Per RFC 793, a closed port answers with a reset (RST) and an open port ignores the segment, so silence is reported as open|filtered and a RST as closed. Because no SYN is ever sent, the probe can slip through stateless packet filters that only block connection attempts. The technique depends on the target following the RFC: Windows and several network devices send a RST for every such probe, which makes every port look closed.

TCP FIN Scan

Command:

sudo nmap -sF 192.168.1.1

Description: Sends packets with only the FIN flag set. Open ports should not respond (reported as open|filtered); closed ports send a reset. Like the NULL scan it can pass simple stateless filters, and it has the same blind spot on systems that reset every unexpected segment.

XMAS Scan

Command:

sudo nmap -sX 192.168.1.1

Description: Sends packets with the FIN, URG and PSH flags set, lighting the packet up like a “Christmas tree.” It is interpreted exactly like the NULL and FIN scans (RST means closed, no answer means open|filtered) and can bypass the same class of stateless filters, but it is also one of the most recognisable signatures an IDS can match on.

Idle Scan

Command:

sudo nmap -Pn -sI zombie_ip 192.168.1.1

Description: Bounces the scan off a third-party “zombie” host: Nmap spoofs SYN probes from the zombie's address and infers each port's state from how the zombie's IP ID counter advances. The target only ever sees traffic from the zombie; the only packets your machine sends go to the zombie itself. -Pn matters here, because without it Nmap would first ping the target from your real address. The zombie must be truly idle and use a predictable, global IP ID sequence, which is rare on modern operating systems.

Fragmentation and Decoy Scans

Command:

sudo nmap -f 192.168.1.1

Description: Splits the TCP header of each probe across several tiny IP fragments (eight data bytes per fragment; -ff gives sixteen) to get past inspection engines that do not reassemble fragments before matching. Most current firewalls and IDSs do reassemble, so treat this as a test of an inspection device rather than a reliable bypass.

Command:

sudo nmap -D RND:10 192.168.1.1

Description: Launches decoy scans from ten random source addresses, with your real address placed somewhere among them, so the target sees eleven apparent sources. The decoys do not hide you from a defender who correlates the sources, and an upstream ISP or firewall that drops spoofed packets will quietly strip them.

These scans are especially useful in penetration testing scenarios where stealth and evasion are key.

Speed vs. Stealth – Masscan and Timing Options

Sometimes the priority isn't stealth but raw speed. Masscan, which transmits asynchronously from its own user-space TCP/IP stack, can scan the whole IPv4 address space in minutes given a link that can carry millions of packets per second.

Using Masscan for High-Speed Scanning

Command:

sudo masscan 192.168.1.0/24 -p1-1024

This scans the first 1024 TCP ports on an entire subnet. Masscan needs raw-socket privileges and, by default, sends only 100 packets per second, so raise --rate for real speed. Output is limited to open ports only: because it never completes a handshake or probes the service, everything it reports is “open” in the SYN-ACK sense and nothing more.

Masscan uses its own network stack, so you may need to configure interface, rate limits, and source IP:

sudo masscan 192.168.1.0/24 -p80 --rate=10000 -e eth0 --router-mac aa:bb:cc:dd:ee:ff

Key considerations:

  • No service detection (unlike Nmap)

  • Results can be piped to Nmap for deeper inspection

  • Can overwhelm networks if not throttled

Masscan is perfect for quickly discovering targets before passing them to slower, more detailed tools.

Nmap Timing Templates

Nmap provides built-in timing templates from T0 (slowest, most stealthy) to T5 (fastest, more detectable). Example:

nmap -T4 -sS 192.168.1.1

Higher timing values increase scan speed but risk detection or dropping packets in unstable networks. Use T0-T2 for IDS evasion; T3-T5 for speed.

Packet Crafting with Hping3

Hping3 is a command-line tool used to craft custom TCP/IP packets. It is not a scanner in the traditional sense but is often used for:

  • Sending specific flags to test firewall rules

  • Checking host responsiveness beyond ICMP

  • Measuring packet round-trip times

  • Performing advanced reconnaissance

Basic SYN Scan with Hping3

Command:

sudo hping3 -S 192.168.1.1 -p 80 -c 1

Sends one SYN packet to port 80. A SYN-ACK (flags=SA) means the port is open; a RST-ACK (flags=RA) means the port is closed; no reply means something between you and the host dropped the probe, i.e. the port is filtered.

Firewall Evasion with Custom Flags

Command:

sudo hping3 -F -P -U 192.168.1.1 -p 80 -c 1

Sends a packet with FIN, PUSH, and URG flags set, the same combination as an Xmas scan, to see how the firewall handles abnormal packets. Read it the way Nmap reads -sX: a RST back means the probe reached a closed port, silence means either an open port or a filter that dropped the packet. (-c 1 sends a single probe; hping3 otherwise keeps transmitting until interrupted.)

Traceroute Mode

Command:

sudo hping3 --traceroute -S -p 80 192.168.1.1

Performs a traceroute with TCP SYN packets rather than the usual ICMP or UDP probes. Intermediate routers still answer with ICMP time-exceeded messages, but the probes themselves look like ordinary connection attempts to port 80, so they pass filters that block ping.

Hping3 requires a solid understanding of TCP/IP but provides unmatched flexibility in firewall testing.

Using Netcat for Manual Testing

Netcat (nc) is a simple yet powerful utility for manual port testing, banner grabbing, and setting up listeners or reverse shells. While not a scanner, it’s often used in recon workflows.

Checking if a Port is Open

Command:

nc -v 192.168.1.1 22

This connects to port 22 on the target. If open, it completes the connection and prints whatever the service sends first; SSH, for example, announces its version string immediately. Add -z to test whether a port accepts a connection without sending any data (nc -zv 192.168.1.1 22), which is also how netcat doubles as a crude connect scanner over a port range. Note that the traditional, OpenBSD and GNU netcat variants differ in the flags they accept.

Banner Grabbing

Command:

nc -v 192.168.1.1 80

After connecting, type a minimal HTTP request and finish it with an empty line (press Enter twice). The blank line is what tells the server the headers are complete; without it the server simply waits and you see nothing:

GET / HTTP/1.1
Host: 192.168.1.1
(empty line)

This often reveals server type and version, which can be useful for identifying vulnerabilities.
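The same banner grab without Netcat, as an added Python example (not code from the article): it writes the request bytes by hand, including the empty line that terminates the headers, and reads back the status line and headers. The target is a constructed local stub server on 127.0.0.1 whose Server header value is an assumed string, not a real host.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_http_banner(host, port, timeout=3.0):
    """Hand-written HTTP request; returns (status_line, {header-name: value}).

    The request must end with an empty line (the final "\\r\\n\\r\\n"): that blank line is
    what tells the server the headers are finished. Leave it out and the server just waits.
    """
    request = (
        f"GET / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw:          # read until the header block is complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed target: a server that leaks an assumed version in its Server header."""
    server_version = "Apache/2.4.41"   # assumed banner for the demo, not a real host
    sys_version = ""                   # stop BaseHTTPRequestHandler appending Python/x.y

    def do_GET(self):
        body = b"<html>ok</html>"
        self.send_response(200)        # also emits the Server and Date headers
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo quiet
        pass


def demo():
    """Start the stub on a free loopback port, grab its banner, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return grab_http_banner("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    status, headers = demo()
    print(status)
    print("Server:", headers.get("server", "<none>"))
```

Connection: close is there so a server that would otherwise keep the HTTP/1.1 connection alive ends the response promptly; the read loop stops at the end of the header block either way, which is all a banner grab needs.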

Setting Up a Listener

Command:

nc -lvp 4444

Listens on TCP port 4444 and prints connection details as they arrive; useful for catching reverse shells or testing whether inbound connections reach a host through the firewall. Some netcat builds reject -p together with -l and want nc -lv 4444 instead.

Asynchronous Scanning with Unicornscan

Unicornscan is a network scanner designed for large-scale scanning with asynchronous communication. It performs exceptionally well on networks with many hosts or high latency.

Command:

sudo unicornscan -Iv 192.168.1.0/24:80

Scans port 80 across the subnet; -I prints results immediately as they arrive and -v adds verbosity. Sending and receiving run asynchronously in separate processes, so the scanner never waits on a per-probe timeout. While not as detailed as Nmap, it's useful for mass discovery.

Pros:

  • Faster than Nmap on large networks

  • Asynchronous scanning reduces wait time

  • Can output to database or text formats

Cons:

  • Less maintained

  • Lower community support

  • Limited service/version detection

Combining Tools for Maximum Effectiveness

Experienced professionals rarely rely on one tool. Combining tools yields richer data and helps avoid blind spots.

Example Workflow:

  1. Discovery: Use Masscan or Angry IP Scanner to find live hosts and open ports.

  2. Enumeration: Use Nmap to identify services, versions, and OS information.

  3. Firewall Testing: Use Hping3 to craft custom packets and test defenses.

  4. Manual Checks: Use Netcat for banner grabbing or open communication testing.

  5. Large Network Scanning: Use Unicornscan for subnet-wide probes.

This layered approach allows for accuracy, speed, and stealth, depending on what’s needed at each stage.

Output Parsing and Automation

Handling scan results efficiently is essential when working with large networks. Nmap and Masscan support multiple output formats:

Nmap Output Options:

  • Normal: -oN output.txt

  • Grepable: -oG output.gnmap

  • XML: -oX output.xml

  • All: -oA output_prefix

You can then parse or import results into reporting tools, SIEM platforms, or scripts.

Parsing with Grep or AWK:

Example:

grep '/open/' output.gnmap | awk '{host=$2; for (i=5; i<=NF; i++) if ($i ~ /\/open\//) { sub(/,$/, "", $i); print host, $i }}'

Each grepable host line reads Host: 192.168.1.1 (router), then a tab, then Ports: followed by a comma-separated list of port/state/protocol/owner/service/rpcinfo/version/ entries. Field 2 is therefore the address, field 3 the bracketed hostname and field 4 the literal Ports:, so the per-port entries start at field 5; the loop keeps only entries whose state is open and strips the trailing comma. Version strings produced by -sV contain spaces and get split across fields by awk, so for anything beyond a quick look parse the XML output instead.

This extracts open ports and their hosts from a grepable Nmap output.
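The awk one-liner is fine for a glance but fragile, so here is a small Python parser for the grepable format, added as an example that is not part of the original article. It splits on the entry separators rather than on whitespace, keeps the service and version text intact, and records hosts that are up even when no port is listed. The sample scan text is constructed, not captured from a real host.

```python
import re

# Constructed sample of Nmap's grepable (-oG) output; fields in a host line are tab-separated.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated Mon Jan  8 10:00:00 2024 as: nmap -sS -sV -oG output.gnmap 192.168.1.0/24",
    "Host: 192.168.1.1 (router.lan)\tStatus: Up",
    "Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)",
    "Host: 192.168.1.5 ()\tStatus: Up",
    "Host: 192.168.1.5 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.7.42/\tIgnored State: closed (999)",
    "# Nmap done at Mon Jan  8 10:02:13 2024 -- 256 IP addresses (2 hosts up) scanned in 133.21 seconds",
])

# Port entries are "port/state/protocol/owner/service/rpcinfo/version/" separated by ", ".
# Splitting on ", " alone would break a version string containing a comma, so only split
# where the next entry (digits followed by a slash) begins.
_ENTRY_SEP = re.compile(r",\s+(?=\d+/)")


def parse_gnmap(text):
    """Return {ip: {(port, proto): {"state", "service", "version"}}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                           # comment and summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, {})               # keeps hosts that are up but show no ports
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in _ENTRY_SEP.split(field[len("Ports:"):].strip()):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue                   # malformed entry, skip rather than crash
                port, state, proto = int(parts[0]), parts[1], parts[2]
                hosts[ip][(port, proto)] = {
                    "state": state,
                    "service": parts[4],
                    "version": parts[6],
                }
    return hosts


def open_ports(hosts):
    """Flatten to a sorted list of (ip, port, proto) for ports whose state is exactly 'open'."""
    return sorted(
        (ip, port, proto)
        for ip, ports in hosts.items()
        for (port, proto), info in ports.items()
        if info["state"] == "open"
    )


if __name__ == "__main__":
    for ip, port, proto in open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip} {port}/{proto}")
```

The exact-match on "open" in open_ports() is deliberate: UDP and NULL/FIN/Xmas results come back as open|filtered, and silently treating those as open is how false positives get into a report.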

Automating Scan Chains

You can write simple scripts to combine tools. For example, scan with Masscan and pass the results to Nmap for deeper inspection:

sudo masscan 192.168.1.0/24 -p22 --rate=1000 -oL masscan.txt
awk '/^open/ {print $4}' masscan.txt | sort -u | while read ip; do nmap -sV -Pn -p22 "$ip"; done

Masscan's list format (-oL) writes one record per finding as state, protocol, port, address and timestamp, e.g. open tcp 22 192.168.1.5 1700000000, between #masscan and # end comment lines, so the address is the fourth field. sort -u collapses duplicate hits, and -Pn skips Nmap's host discovery since Masscan has already shown the host is up.

This type of automation speeds up workflow and reduces human error.
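A Python version of the same Masscan-to-Nmap chain, added here as an example rather than taken from the article: it parses the -oL list format and groups every open port per host, so each host gets a single Nmap invocation instead of one per port. The sample Masscan output and addresses are constructed; the script only builds the command lines and leaves running them to the caller.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the list format masscan writes with -oL:
# one record per line as "state protocol port address timestamp".
SAMPLE_MASSCAN_LIST = """#masscan
open tcp 22 192.168.1.9 1700000000
open tcp 22 192.168.1.5 1700000001
open tcp 80 192.168.1.5 1700000001
open tcp 8080 192.168.1.9 1700000002
# end
"""


def parse_masscan_list(text):
    """Return {ip: sorted list of open TCP ports} from masscan -oL output."""
    found = defaultdict(set)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                                   # header/footer comments
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open" or parts[1] != "tcp":
            continue                                   # ignore banner records and non-TCP hits
        found[parts[3]].add(int(parts[2]))
    return {ip: sorted(ports) for ip, ports in found.items()}


def build_nmap_commands(hosts, extra_args=("-sV", "-Pn")):
    """One Nmap command per host, restricted to the ports masscan already found open.

    -Pn skips host discovery: masscan has already shown the host answers, and a host
    that drops ICMP would otherwise be written off as down. Ports are merged per host so
    version detection runs once per machine rather than once per port.
    """
    commands = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        port_list = ",".join(str(p) for p in hosts[ip])
        commands.append(f"nmap {' '.join(extra_args)} -p{port_list} {ip}")
    return commands


if __name__ == "__main__":
    # Pipe this into a shell, or hand each entry to subprocess.run, once you are
    # authorised to touch the hosts concerned.
    for cmd in build_nmap_commands(parse_masscan_list(SAMPLE_MASSCAN_LIST)):
        print(cmd)
```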

Advanced scanning techniques allow you to operate in stealth, save time, and extract more precise data from target networks. Whether you’re bypassing firewalls with packet manipulation, using high-speed scans to find live services quickly, or crafting tailored reconnaissance strategies, understanding these tools elevates your capabilities significantly.

Key takeaways include:

  • Advanced scan types like FIN, NULL, and XMAS can bypass basic defenses

  • Tools like Masscan and Unicornscan provide unmatched speed

  • Hping3 offers deep control for firewall testing

  • Netcat supports manual interaction for validation

  • Combining tools leads to more reliable and complete assessments

Real-World Use Cases – Reconnaissance, Pentesting, and Defense

Network scanning is more than a technical task—it’s a strategic process that drives security assessments, penetration tests, and defense planning. After learning about basic and advanced scanning techniques, the next step is understanding how to apply them in real-world scenarios. This involves using the right tools at the right phase of an engagement, making sense of the output, and responding effectively to what the scans reveal.

This article explores how network scanning fits into professional penetration testing workflows, red teaming exercises, and even blue team defensive strategies. You’ll see how scanning techniques directly support asset discovery, vulnerability exploitation, firewall evasion, and even post-exploitation activities.

The Role of Scanning in Cybersecurity Operations

In both offensive and defensive cybersecurity, network scanning plays a critical role. Below are the most common contexts in which it is applied:

  • Reconnaissance in penetration testing

  • Attack surface mapping for red teams

  • Asset discovery and risk prioritization

  • Validation of patching and hardening measures

  • Monitoring exposed services for the blue team

Each of these contexts requires specific approaches, tools, and techniques depending on the objectives and the environment.

Phases of a Penetration Test Involving Scanning

Professional penetration testing engagements follow a structured process. Network scanning is a key component in the early phases, though it supports later activities as well.

Information Gathering

In this phase, the tester identifies target systems, subnets, and services. Tools like Nmap, Masscan, and Angry IP Scanner are used to detect hosts, ports, and services.

Typical actions:

  • Ping sweep with Angry IP Scanner

  • TCP SYN scans with Nmap

  • High-speed port discovery with Masscan

Enumeration and Service Discovery

Once live hosts and open ports are known, the next step is identifying what’s running behind those ports. Nmap with version detection or Netcat for banner grabbing is used here.

Typical actions:

  • Nmap -sV for service versioning

  • Banner grabbing with Netcat

  • Scripted enumeration using Nmap Scripting Engine (NSE)

Vulnerability Identification

Now that services are known, they can be matched with known vulnerabilities. Scanning isn’t just about identifying services but also confirming the attack surface.

Typical actions:

  • NSE scripts for vulnerability checks

  • Targeting known weak services (e.g., SMBv1, outdated FTP servers)

Exploitation and Post-Exploitation Support

Even during exploitation, scanning plays a role. For example, lateral movement within an internal network often begins with another scan to identify new targets.

Typical actions:

  • Slow, targeted probes rather than subnet-wide sweeps: single hping3 packets, or Nmap with -T1 and --scan-delay, keep traffic from a compromised host below the rate thresholds that IDS rules key on

  • Unicornscan or Masscan only where speed outweighs noise, since their asynchronous bursts are among the easiest things an internal IDS will flag

Red Team Use: Staying Stealthy and Smart

Red teams simulate real-world threat actors. They aim not just to find vulnerabilities but to operate without detection. Scanning in red team ops must be surgical and stealthy.

Stealth Scanning Tactics

Red teams use techniques such as:

  • Idle scanning to hide the source of scans

  • Decoy scanning to confuse defenders

  • Fragmented packet scanning to evade detection

A typical red team reconnaissance command might look like:

nmap -sS -T2 -D 10.0.0.5,10.0.0.6,ME,10.0.0.7 -f 192.168.1.100

This command sends fragmented SYN probes with your real address (ME) placed third among three decoy addresses, so the target's logs show four apparent sources, and the -T2 template keeps the probe rate low. The decoy hosts should be up: if one is down, nothing resets the half-open connections its spoofed probes create and you can end up SYN-flooding the target. A defender who correlates the four sources still finds you; decoys raise the cost of attribution rather than removing it.

Timing and Throttling

Instead of scanning an entire subnet at once, red teams might scan only a few IPs at a time with long delays:

nmap -sS -T1 --scan-delay 5s 192.168.1.1-10

The -T1 template already waits 15 seconds between probes; --scan-delay 5s overrides that to one probe every five seconds. Across ten hosts and Nmap's default 1,000 ports that is roughly 14 hours, which is the price of staying under the per-source rate thresholds of many intrusion detection and prevention systems; narrow the port list with -p to keep it practical.

Passive Recon When Scanning is Not an Option

Sometimes active scanning is too risky. In such cases, passive or very low-noise recon techniques are used:

  • DNS zone transfer requests (AXFR), a single query to the target's authoritative server rather than a sweep; note that this is still an active request, usually refused and sometimes logged

  • WHOIS lookups, which query public registries rather than the target

  • Traffic sniffing (if internal access is available)

  • NetFlow or packet capture analysis

Scanning leaves footprints. Red teams always weigh the benefits of information gathering against the risk of being detected.

Blue Team Use: Defense and Monitoring

While scanning is mostly associated with attackers and penetration testers, defenders also use it for visibility and hardening.

Internal Network Visibility

Security teams routinely scan their own networks to:

  • Identify rogue or unauthorized devices

  • Detect exposed ports that shouldn’t be open

  • Monitor services for compliance and patch status

Nmap and Nessus are often used together in corporate environments to combine asset discovery with vulnerability scanning.

Change Monitoring

Automated scans can be scheduled daily or weekly to detect changes in the environment (Nmap ships with ndiff, which reports the differences between two XML scan results). For example:

  • A port that was previously closed is now open

  • A new device is connected to the network

  • An old service reappears after being retired

These signs can indicate misconfiguration or an intruder.

Testing Security Controls

Firewalls and IDS/IPS systems are only as good as their configuration. Tools like Hping3 are used to validate whether they actually block or allow certain types of traffic.

For example:

sudo hping3 -S 10.0.0.1 -p 22 -c 1

The reply distinguishes three cases: flags=SA means the firewall passed the probe and something is listening, flags=RA means the probe reached the host but nothing listens on 22, and no reply at all means the firewall silently dropped it (an ICMP unreachable instead of silence means it rejected the packet explicitly).

Honeypots and Deception

Blue teams also deploy honeypots—fake systems that appear vulnerable to attract attackers. These often trigger when scanning is detected.

Common honeypot triggers include:

  • SYN scans

  • XMAS scans

  • Banner grabbing

  • High port scanning

Detecting such scans helps defenders trace and block early-stage attacks before exploitation occurs.

Real-World Scenarios

Scenario 1: Web Application Penetration Test

Objective: Identify vulnerable services and web apps on a subnet

Approach:

  • Angry IP Scanner to find live hosts

  • Nmap -p80,443,8080,8443 -sV to check web services on the usual and alternate ports

  • Netcat to grab server banners

  • Nmap NSE script http-enum to list web directories

Outcome: Tester finds an outdated CMS on port 8080 with a known vulnerability, confirmed by version scanning.

Scenario 2: Internal Network Compromise

Objective: After gaining access to an internal network via phishing, expand access

Approach:

  • Nmap -sn -T2 10.0.0.0/24 for slow host discovery, then -sS -T1 against a handful of interesting hosts (a full -sS -T1 sweep of a /24 at 15 seconds per probe would take weeks)

  • Hping3 to confirm filtered ports are actually dropping packets silently

  • Netcat to test for open admin ports

Outcome: The attacker maps out the internal subnet, identifies a legacy Windows server running SMBv1, and uses a known exploit to gain system access.

Scenario 3: Blue Team Periodic Scanning

Objective: Ensure there are no exposed services violating internal policy

Approach:

  • Daily Nmap -sS -p1-1000 scan with logging

  • Output compared to baseline configuration

  • Alerts triggered if a new open port appears

Outcome: An unauthorized database service appears on a developer’s machine. Investigation reveals testing was done without approval, and the issue is resolved.
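The change-monitoring loop from the Change Monitoring section and from Scenario 3, as an added Python example that is not part of the original article. It assumes each scan has already been reduced to a mapping of host address to the set of open TCP ports (whatever parser produced it), compares a stored baseline against the latest run, and emits findings for new hosts, vanished hosts, opened or closed ports and any open port outside an assumed policy allow-list. Both scan snapshots and the allow-list are constructed sample data.

```python
import ipaddress

# Constructed sample snapshots: host -> set of open TCP ports.
BASELINE = {
    "10.0.0.10": {22, 443},
    "10.0.0.11": {22},
    "10.0.0.12": {80},
}
LATEST = {
    "10.0.0.10": {22, 443, 5432},   # a database listener that was not there yesterday
    "10.0.0.11": set(),             # SSH no longer answering
    "10.0.0.42": {3389},            # a host the baseline has never seen
}
# Assumed internal policy: only these ports may be exposed on the scanned segment.
POLICY_ALLOWED_PORTS = {22, 80, 443}


def diff_scans(baseline, latest, allowed=POLICY_ALLOWED_PORTS):
    """Compare two scan snapshots and return a list of (host, finding, detail) tuples.

    Findings:
      new-host          host absent from the baseline (detail: its open ports)
      host-missing      host present in the baseline but not in the latest scan
      port-opened       port open now that was not open in the baseline
      port-closed       port that was open in the baseline and is no longer
      policy-violation  any open port outside the allow-list, new or not
    """
    findings = []
    for host in sorted(set(baseline) | set(latest), key=ipaddress.ip_address):
        before = baseline.get(host)
        now = latest.get(host)
        if before is None:
            findings.append((host, "new-host", sorted(now)))
        elif now is None:
            findings.append((host, "host-missing", sorted(before)))
        else:
            for port in sorted(now - before):
                findings.append((host, "port-opened", port))
            for port in sorted(before - now):
                findings.append((host, "port-closed", port))
        for port in sorted((now or set()) - allowed):
            findings.append((host, "policy-violation", port))
    return findings


def alerts(findings, severe=("new-host", "port-opened", "policy-violation")):
    """Keep only the findings that warrant a ticket rather than a log line."""
    return [f for f in findings if f[1] in severe]


if __name__ == "__main__":
    for host, kind, detail in diff_scans(BASELINE, LATEST):
        print(f"{host:<12} {kind:<17} {detail}")
```

A host that disappears is reported but not alerted on by default: with -sn discovery a machine that starts dropping ICMP looks identical to one that was switched off, so that finding needs a second scan before anyone is paged.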

Making Sense of Scan Output

Understanding what scan output is telling you is just as important as running the scan. Some key interpretations include:

  • Open: Something is listening and accepted the probe

  • Closed: The host answered (a RST for TCP, an ICMP port unreachable for UDP), so the port is reachable but no service is listening

  • Filtered: No answer came back, or an ICMP unreachable arrived from an intermediate device, so a firewall or filter is blocking the probe and the scan cannot tell whether anything listens

  • Unfiltered: Reported only by the ACK scan; the port is reachable, but that scan type cannot tell open from closed

  • Open|filtered: Reported by UDP, NULL, FIN and Xmas scans, where silence is the expected answer from an open port and so cannot be told apart from a dropped probe

Also consider:

  • Service versions may reveal vulnerabilities

  • OS detection might guide your choice of exploits

  • Traceroute and TTL values can help map network layouts

Using these details correctly can make the difference between a successful test and an incomplete one.

Best Practices for Real-World Scanning

  • Always get written authorization for any scanning

  • Start broad, then go deep (e.g., Masscan followed by Nmap)

  • Throttle scans on production networks

  • Keep logs and document findings

  • Use multiple tools for validation

  • Automate repetitive tasks

  • Use output formats that can be parsed easily

A skilled tester uses the right tool for each situation and understands both the technical and strategic implications of their scanning.

Summary

Network scanning is an essential capability in modern cybersecurity, supporting offensive and defensive operations alike. In real-world environments, scanning is not about running a single tool—it’s about building a layered understanding of networks through thoughtful, legal, and tactical reconnaissance.

Red teams use stealth and evasion to map networks without being seen. Blue teams use scanning for defense, compliance, and anomaly detection. In all cases, combining tools like Nmap, Hping3, Netcat, and Masscan leads to better visibility, smarter decision-making, and stronger security outcomes.

Whether discovering hidden assets, validating firewall configurations, or identifying vulnerable services, network scanning bridges the gap between visibility and action in cybersecurity operations.