This chapter covers active scanning and enumeration techniques essential for the PT0-002 exam, focusing on how to discover live hosts, open ports, and running services on a target network. Active scanning is a core component of the Reconnaissance and Enumeration domain (Objective 2.2), and approximately 15-20% of exam questions address scanning, enumeration, or related tools. Mastering these techniques is critical for identifying attack surfaces and planning subsequent exploitation phases.
Imagine you're a reconnaissance specialist hired to map out a large apartment complex before a security assessment. You have two approaches: passive and active. Passive means you stand outside, watching who comes and goes, noting delivery trucks, and listening to conversations near the entrance. You gather useful data but never interact directly. Active scanning is like walking through the complex, knocking on every door, and asking, 'Who lives here? What kind of lock do you have? Is anyone home?' Some doors are answered with a friendly 'Hello, I'm in apartment 3B, and I have a deadbolt.' Others slam shut. Some doors are completely unresponsive, indicating the apartment might be vacant or the occupant is away. You also try the main office to get a directory of residents. But here's the risk: if there's a security guard, they might notice you knocking on every door and escort you out, or the police might be called. In network terms, you're sending packets to every possible IP and port, listening for responses, and using that information to build a map of live hosts and services. The 'knock' is a TCP SYN packet; the 'friendly hello' is a SYN-ACK; the 'door slam' is an RST. Unresponsive doors are filtered ports or dead IPs. The guard is an intrusion detection system (IDS) that may detect your scan and trigger an alarm. Active scanning gives you a much more detailed picture than passive observation, but it's noisy and can be detected or blocked.
Overview of Active Scanning
Active scanning involves sending crafted packets to target systems and analyzing their responses to determine live hosts, open ports, and running services. Unlike passive reconnaissance, which relies on eavesdropping, active scanning interacts directly with targets, generating network traffic that can be detected by intrusion detection systems (IDS) or firewalls. The PT0-002 exam expects you to understand the mechanics of common scanning tools (Nmap, Masscan, unicornscan), the differences between scan types (TCP SYN, TCP connect, UDP, ICMP), and how to interpret results to enumerate services and operating systems.
TCP Three-Way Handshake and Scan Types
Active scanning fundamentally relies on the TCP three-way handshake: SYN, SYN-ACK, ACK. Different scan types manipulate this handshake to elicit responses while evading detection or bypassing firewalls.
TCP SYN Scan (Half-Open Scan): Sends a SYN packet to each port. If the port is open, the target responds with SYN-ACK. The scanner then sends an RST to tear down the connection before completing the handshake. This is the default scan type in Nmap (when run as root) because it is fast and less likely to be logged by applications. However, many firewalls and IDS can detect incomplete handshakes.
TCP Connect Scan: Completes the full three-way handshake by sending an ACK after receiving SYN-ACK, using the operating system's connect() call rather than raw packets. It is slower and more detectable, because the target application accepts a real connection and may log it, but it works when the scanner lacks raw socket privileges (e.g., a non-root user on Linux). Nmap falls back to this scan type when run without root privileges.
UDP Scan: Sends a UDP datagram to each target port (empty for most ports, but with a protocol-specific payload for well-known services such as DNS on 53 or SNMP on 161). A closed port typically answers with ICMP Port Unreachable; an open port may answer with a protocol response or with nothing at all, so silence is reported as open|filtered. UDP scanning is slower and less reliable because many services ignore unexpected datagrams, firewalls may drop the ICMP errors, and some stacks rate-limit them (Linux sends roughly one ICMP unreachable per second, which stretches a full UDP port scan of one host to many hours).
TCP ACK Scan: Sends ACK packets to determine firewall rule sets. An unfiltered port responds with RST (both open and closed), while a filtered port drops the packet or responds with ICMP unreachable. This scan doesn't determine if a port is open, only if it is filtered.
TCP FIN, NULL, Xmas Scans: Send packets with unusual flag combinations (FIN only, no flags, or FIN+PSH+URG) to slip past stateless packet filters that only inspect SYN packets. Per RFC 793, a closed port answers with RST while an open port drops the probe silently, so a port that stays silent is reported as open|filtered. These scans are unreliable against systems that send RST regardless of port state, notably Windows and many Cisco devices; they behave as expected against RFC-compliant stacks such as Linux.
Host Discovery Techniques
Before scanning ports, you must identify live hosts. Active host discovery sends probes and waits for responses.
ICMP Echo Request (Ping): Sends ICMP type 8 (echo request). A live host responds with ICMP type 0 (echo reply). However, many hosts and firewalls block ICMP, making this unreliable.
TCP SYN Ping: Sends a SYN packet to a common port (e.g., 80, 443). A response (SYN-ACK or RST) indicates the host is live. This is more reliable than ICMP.
TCP ACK Ping: Sends an ACK packet; a live host responds with RST (since the connection doesn't exist).
UDP Ping: Sends a UDP packet to a closed port; an ICMP Port Unreachable indicates the host is live. This can be slow.
ARP Ping: Sends ARP requests to local subnet hosts. This is the most reliable method for local networks because ARP is required for Ethernet communication.
Nmap's default host discovery (when run as root) combines an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request; on a directly attached Ethernet segment it switches to ARP requests automatically. You can customize with the -sn flag (host discovery only, no port scan) and the -PE, -PS, -PA, and -PU options; -Pn skips host discovery entirely and treats every address as up, which is the fallback when a target drops every probe type.
Port Scanning Mechanics
Port scanning determines which TCP and UDP ports are listening on a target.
Port States: Nmap defines six port states:
- open: An application is listening and accepting connections.
- closed: The port is reachable but no application is listening (RST response to SYN).
- filtered: A firewall or filter blocks the probe; either no response or an ICMP unreachable error.
- unfiltered: The port is reachable but Nmap cannot tell whether it is open or closed (ACK scan only).
- open|filtered: Nmap cannot distinguish open from filtered (common for UDP, FIN, NULL, and Xmas scans).
- closed|filtered: Nmap cannot distinguish closed from filtered (only produced by the idle scan).
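Added example (not part of the original chapter): a small Python model of how a target's TCP/IP stack and packet filter answer the SYN, ACK, FIN, NULL, and Xmas probes described above, and how Nmap turns each answer into one of the port states just listed. The hosts, open ports, and filter rules are constructed for illustration; nothing is sent on the network.

```python
"""Model a target's answers to SYN, ACK, FIN, NULL and Xmas probes and map
them to Nmap's port states.  Added illustration: hosts, ports and filter
rules are constructed; nothing is sent on the network."""

from dataclasses import dataclass, field

# Flag set carried by each probe type.
PROBE_FLAGS = {
    "syn": {"SYN"},
    "ack": {"ACK"},
    "fin": {"FIN"},
    "null": set(),
    "xmas": {"FIN", "PSH", "URG"},
}


@dataclass
class Host:
    os: str                                         # "linux" (RFC 793) or "windows"
    open_ports: set
    drop_syn_to: set = field(default_factory=set)   # stateless filter on inbound SYN
    stateful: bool = False                          # drop anything that is not a new SYN

    def respond(self, port, flags):
        """Return 'SYN-ACK', 'RST' or None (silence) for one probe."""
        new_syn = flags == {"SYN"}
        if self.stateful and not new_syn:
            return None                     # no session state for it: dropped
        if new_syn and port in self.drop_syn_to:
            return None                     # stateless rule drops the SYN
        if new_syn:
            return "SYN-ACK" if port in self.open_ports else "RST"
        if "ACK" in flags:
            return "RST"                    # no such connection (RFC 793)
        # A FIN / NULL / Xmas probe reached the stack.
        if self.os == "windows":
            return "RST"                    # Windows answers RST regardless of state
        return None if port in self.open_ports else "RST"


def classify(scan_type, reply):
    """Nmap's reading of a reply (or of silence) for the given scan type."""
    if scan_type == "syn":
        return {"SYN-ACK": "open", "RST": "closed", None: "filtered"}[reply]
    if scan_type == "ack":
        return "unfiltered" if reply == "RST" else "filtered"
    return "closed" if reply == "RST" else "open|filtered"   # fin / null / xmas


def scan(host, scan_type, ports):
    """Probe each port with the given scan type and return {port: state}."""
    flags = PROBE_FLAGS[scan_type]
    return {p: classify(scan_type, host.respond(p, flags)) for p in ports}


# Constructed targets.
LINUX = Host(os="linux", open_ports={22, 80}, drop_syn_to={80})
WINDOWS = Host(os="windows", open_ports={445})
STATEFUL = Host(os="linux", open_ports={22}, drop_syn_to={80}, stateful=True)

if __name__ == "__main__":
    for name, host in [("linux+stateless", LINUX), ("windows", WINDOWS),
                       ("linux+stateful", STATEFUL)]:
        for scan_type in PROBE_FLAGS:
            print(f"{name:16} {scan_type:5} {scan(host, scan_type, [22, 80, 445])}")
```

Running it shows the exam points in one table: against the Linux host with a stateless SYN filter, the SYN scan reports port 80 as filtered while the FIN scan reports it open|filtered (the filter never saw a SYN) and the ACK scan reports every port unfiltered; against the Windows host, a Xmas scan calls the open port 445 closed; and once the filter is stateful, FIN and ACK probes get nothing back and every port shows filtered or open|filtered.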
Port Ranges and Speed: By default, Nmap scans the top 1,000 ports. You can specify a range (-p 1-1000) or all ports (-p-). Scanning all 65,535 ports is time-consuming; tools like Masscan can scan the entire Internet in minutes.
Timing Templates: Nmap offers six timing templates (-T0 to -T5). -T3 (normal) is the default. -T4 (aggressive) is faster but more intrusive and assumes a reliable network. -T0 (paranoid) and -T1 (sneaky) are very slow and exist to stay under IDS thresholds. The exam expects you to know that -T5 (insane) is the fastest and trades away accuracy: probes time out early, ports can be missed, and fragile targets can be overwhelmed.
Service Version Detection
Service version detection (-sV) probes open ports to identify the application and version running. Nmap sends a series of probes defined in the nmap-service-probes file and matches responses against a database of signatures. This is crucial for identifying vulnerable software versions.
Intensity: Version detection intensity can be set from 0 (light) to 9 (heavy) with --version-intensity. Higher intensity sends more probes but takes longer.
Traceroute: --traceroute is a separate option, not part of version detection, that records the network path to each target; it can be combined with -sV in the same run so one report shows both the path and the services found.
OS Detection
OS detection (-O) uses TCP/IP stack fingerprinting to determine the operating system of a target. Nmap sends a series of TCP and UDP packets to open and closed ports and analyzes responses for characteristics like initial TTL, window size, DF flag, and TCP options. It compares these against a database of known fingerprints.
Accuracy: OS detection is not always accurate, especially behind load balancers or firewalls that modify packets. The exam may test scenarios where OS detection fails (e.g., due to IP ID manipulation or packet normalization).
Limitations: OS detection works best when the target has at least one open and one closed TCP port; if both are not available, Nmap warns that the results may be unreliable. It may also misidentify a host whose fingerprint is not in the database, or report only a broad family or range with a confidence percentage.
Scripting Engine (NSE)
Nmap Scripting Engine (NSE) extends Nmap's functionality with pre-written Lua scripts for enumeration, vulnerability detection, brute forcing, and exploitation. Scripts are grouped into categories such as safe, default, discovery, vuln, intrusive, brute, exploit, and dos, and a script can belong to several; the category tells you how noisy or risky it is before you run it.
- Common NSE Scripts for Enumeration:
- http-enum: Enumerates web directories and files.
- smb-enum-shares: Lists SMB shares.
- dns-brute: Brute-forces DNS subdomains.
- ftp-anon: Checks for anonymous FTP access.
- ssh2-enum-algos: Enumerates SSH algorithms.
- Running Scripts: Use -sC (equivalent to --script=default) to run the scripts in the default category, which are chosen to be fast, useful, and comparatively unobtrusive; note that default is not the same as safe, so check the category of each script before running against production systems. Use --script=<script-name> or --script=<category> for specific scripts or categories. The exam expects you to know common NSE scripts for enumeration.
Evasion Techniques
Active scans can trigger alarms. Evasion techniques help avoid detection.
Decoy Scan (`-D`): Sends each probe from the real address and from several decoy addresses, so the target sees multiple hosts scanning at once and cannot easily tell which one is real. Your own packets are still among them (use `ME` in the list to control where your address appears), the decoys should be live hosts, and an upstream network that filters spoofed source addresses will drop the decoy packets and leave only yours.
Idle Scan (`-sI`): Uses a zombie host to bounce packets, making the scan appear to come from the zombie. Requires a zombie with predictable IP ID sequence.
Fragmentation (`-f`): Splits TCP headers into multiple IP fragments, making it harder for IDS to reassemble and analyze.
MTU Manipulation (`--mtu`): Sets a custom MTU to fragment packets at a specific size.
Source Port Manipulation (`--source-port` or `-g`): Sets a fixed source port (e.g., 53, 80) to get through misconfigured firewalls that trust any traffic sourced from a well-known port. This only applies to raw-packet scans such as SYN and UDP; connect scans, version detection, and NSE use normal sockets and ignore it.
Randomize Hosts (`--randomize-hosts`): Scans hosts in random order to avoid pattern detection.
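Added example (not part of the original chapter): a Python simulation of the IP ID side channel that an idle scan relies on. The zombie and target below are constructed objects, no packets are sent, and the `Zombie(incremental=False)` case stands in for a modern host with randomized IP IDs, which is why usable zombies are rare today.

```python
"""Simulate the IP ID side channel behind Nmap's idle scan (-sI).
Added illustration with constructed hosts; no packets are sent."""

import random


class Zombie:
    """Idle host whose IP ID increments by one for every packet it sends.
    incremental=False models a host with randomized IP IDs (useless as a zombie)."""

    def __init__(self, incremental=True, seed=0):
        self.ipid = 1000
        self.incremental = incremental
        self.rng = random.Random(seed)

    def _send(self):
        self.ipid = self.ipid + 1 if self.incremental else self.rng.randrange(65536)
        return self.ipid

    def probe(self):
        """Attacker sends SYN/ACK to the zombie; it answers RST, revealing its IP ID."""
        return self._send()

    def receive_syn_ack(self):
        """An unsolicited SYN/ACK from the target makes the zombie send a RST."""
        self._send()

    def receive_rst(self):
        """A RST from the target is silently dropped; no packet sent, no IP ID used."""


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def handle_spoofed_syn(self, port, zombie):
        """Attacker sends a SYN to `port` with the zombie's source address,
        so whatever the target replies goes to the zombie, not the attacker."""
        if port in self.filtered_ports:
            return                          # dropped: the zombie sees nothing
        if port in self.open_ports:
            zombie.receive_syn_ack()        # SYN/ACK -> zombie answers RST
        else:
            zombie.receive_rst()            # RST -> zombie ignores it


def zombie_is_usable(zombie, samples=5):
    """Nmap checks the zombie's IP ID sequence before trusting it."""
    ids = [zombie.probe() for _ in range(samples)]
    return all((b - a) % 65536 == 1 for a, b in zip(ids, ids[1:]))


def idle_scan(target, zombie, port):
    """Infer the target port's state purely from the zombie's IP ID delta."""
    before = zombie.probe()
    target.handle_spoofed_syn(port, zombie)
    after = zombie.probe()
    delta = (after - before) % 65536
    if delta == 2:
        return "open"                       # zombie sent one extra packet
    if delta == 1:
        return "closed|filtered"            # only our own probe was answered
    return "unknown"                        # zombie busy or non-incremental IP IDs


if __name__ == "__main__":
    z, t = Zombie(), Target(open_ports={80}, filtered_ports={443})
    print("zombie usable:", zombie_is_usable(z))
    for p in (80, 22, 443):
        print(p, idle_scan(t, z, p))
```

The attacker's own address never touches the target, which is why the chapter's command examples add `-Pn` to an idle scan: without it, Nmap's host-discovery probes would go out from the real address and defeat the point. The delta-of-one result is also why Nmap reports closed|filtered for this scan and nothing else, since a RST and a dropped packet both leave the zombie silent.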
Enumeration Beyond Ports
Active scanning isn't just about ports. Enumeration involves extracting detailed information from discovered services.
Banner Grabbing: Connecting to a service and reading its banner. Tools like Netcat (nc) or Nmap's `-sV` can capture banners. Example: `nc -v target 22` returns the SSH server's version string.
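Added example (not part of the original chapter) covering both the service version detection mechanism described earlier and banner grabbing: a Python client that mirrors the order Nmap's nmap-service-probes uses, connecting and listening first (the NULL probe) and sending a protocol probe only if the service stays quiet, then matching the reply against signatures. The two local "services" it talks to and the signature list are constructed stand-ins started inside the script; they are not real daemons and not Nmap's database.

```python
"""Banner grabbing with a NULL probe followed by a protocol probe, and
version matching against a small signature list, mirroring what Nmap -sV
does with nmap-service-probes.  Added illustration: the two local
'services' and the signatures are constructed stand-ins."""

import re
import socket
import threading

# Probes in the order they are tried; the NULL probe just connects and listens.
PROBES = [("NULL", b""), ("GetRequest", b"GET / HTTP/1.0\r\n\r\n")]

# Constructed signatures: (probe that elicits the reply, regex, product name).
SIGNATURES = [
    ("NULL", re.compile(rb"^SSH-\d\.\d-OpenSSH_(?P<version>[\w.]+)"), "OpenSSH"),
    ("GetRequest",
     re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache/(?P<version>[\w.]+)", re.S),
     "Apache httpd"),
]


def grab_banner(host, port, timeout=0.5):
    """Try each probe on a fresh connection; return (probe_name, reply bytes)."""
    for name, payload in PROBES:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if payload:
                s.sendall(payload)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""          # service stayed quiet: fall through to next probe
        if data:
            return name, data
    return None, b""


def identify_service(host, port):
    """Return product/version for host:port, matching only signatures tied
    to the probe that produced the reply (as nmap-service-probes does)."""
    probe, banner = grab_banner(host, port)
    for sig_probe, regex, product in SIGNATURES:
        m = regex.search(banner)
        if m and sig_probe == probe:
            return {"product": product, "version": m.group("version").decode(),
                    "probe": probe}
    return {"product": "unknown", "version": None, "probe": probe}


def _fake_service(greeting, http_reply):
    """Constructed local listener: sends `greeting` on connect (SSH style) or
    waits for a GET and answers `http_reply` (HTTP style).  Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                if greeting:
                    conn.sendall(greeting)
                elif conn.recv(1024).startswith(b"GET "):
                    conn.sendall(http_reply)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


SSH_PORT = _fake_service(b"SSH-2.0-OpenSSH_7.4\r\n", None)
HTTP_PORT = _fake_service(None, b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\n\r\n")

if __name__ == "__main__":
    print(identify_service("127.0.0.1", SSH_PORT))    # OpenSSH 7.4 via the NULL probe
    print(identify_service("127.0.0.1", HTTP_PORT))   # Apache httpd 2.4.6 via GetRequest
```

The SSH-style service volunteers its banner, so the NULL probe is enough; the HTTP-style service says nothing until asked, which is exactly why `-sV` is noisier than a bare port scan: every quiet port gets a series of protocol probes. Treat the result as a hint, not proof: banners are trivially changed by administrators, and a version string alone does not establish that a given vulnerability is present.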
SNMP Enumeration: Using snmpwalk to query SNMP-enabled devices for system information, running processes, network interfaces, and more. Community strings (public/private) are common default credentials.
DNS Enumeration: Querying DNS servers for zone transfers (dig axfr), subdomain brute-forcing (dnsrecon), and reverse lookups.
LDAP Enumeration: Using ldapsearch to query Active Directory for users, groups, and computers.
SMB Enumeration: Using smbclient or enum4linux to list shares, users, and OS information.
Web Enumeration: Using tools like gobuster, dirb, or nikto to discover hidden directories, files, and vulnerabilities.
Command Examples
Basic TCP SYN scan on the top 1,000 ports: `nmap -sS 192.168.1.1`
Full port scan with service and OS detection: `nmap -sS -sV -O -p- 192.168.1.1`
UDP scan of the SNMP ports: `nmap -sU -p 161,162 192.168.1.1`
Ping sweep with TCP SYN to port 80: `nmap -sn -PS80 192.168.1.0/24`
Decoy scan: `nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.1`
Idle scan (with `-Pn`, so no host-discovery probe leaves your real address): `nmap -Pn -sI zombie_ip 192.168.1.1`
NSE script for HTTP enumeration: `nmap --script http-enum -p 80 192.168.1.1`
Masscan for fast scans: `masscan -p1-65535 --rate=1000 192.168.1.1`
Interaction with Firewalls and IDS
Firewalls can filter packets based on state, protocol, or port. Stateful firewalls track connections and drop packets that don't belong to a session they have seen start; stateless firewalls judge each packet on its headers alone. IDS/IPS can detect scanning patterns (e.g., many SYN packets from one source to different ports or hosts in a short time) and generate alerts or block the source IP. To evade, attackers may slow the scan, add random delays, or use spoofed or fragmented packets. A typical exam question asks which scan type can get past a firewall: a FIN scan may pass a stateless filter that only blocks inbound SYNs, but a stateful firewall drops a lone FIN that belongs to no established session, so the same trick fails there and the port simply shows open|filtered.
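Added example (not part of the original chapter): the defender's side of the paragraph above, a Python detector that reads firewall log lines and flags the two classic scan shapes, a vertical scan (one source hitting many ports on one host) and a horizontal sweep (one source hitting one port across many hosts), using a sliding time window. The log lines are constructed in the shape of abbreviated iptables LOG entries; the source addresses, thresholds, and window are assumptions for the illustration.

```python
"""Port-scan detection over firewall log lines.  Added illustration: the
LOG entries below are constructed in the shape of (abbreviated) iptables
LOG output; addresses and thresholds are assumptions."""

import re
from collections import defaultdict
from datetime import datetime

KV = re.compile(r"(\w+)=(\S*)")
TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")


def parse_line(line, year=2024):
    """Return (timestamp, src, dst, dport, syn_only) for one iptables LOG line."""
    ts = datetime.strptime(f"{year} {TS.match(line).group(1)}", "%Y %b %d %H:%M:%S")
    kv = dict(KV.findall(line))
    # TCP flags appear as bare tokens (SYN, ACK, PSH ...) after RES=; a bare
    # SYN with no ACK is a new connection attempt, the unit a scan is made of.
    syn_only = " SYN " in line and " ACK " not in line
    return ts, kv["SRC"], kv["DST"], int(kv["DPT"]), syn_only


def detect_scans(lines, window=10, port_threshold=5, host_threshold=5):
    """Emit one alert per (source, pattern, target) once a threshold of
    distinct ports or hosts is crossed inside `window` seconds."""
    events = sorted(parse_line(l) for l in lines)
    recent = defaultdict(list)              # src -> [(ts, dst, dport)] in window
    alerts, seen = [], set()
    for ts, src, dst, dport, syn_only in events:
        if not syn_only:
            continue                        # established traffic is not a probe
        q = recent[src]
        q.append((ts, dst, dport))
        while (ts - q[0][0]).total_seconds() > window:
            q.pop(0)                        # expire events older than the window
        ports_on_dst = {p for _, d, p in q if d == dst}
        hosts_on_port = {d for _, d, p in q if p == dport}
        if len(ports_on_dst) >= port_threshold and (src, "vertical", dst) not in seen:
            seen.add((src, "vertical", dst))
            alerts.append({"src": src, "kind": "vertical", "target": dst,
                           "count": len(ports_on_dst), "at": ts.strftime("%H:%M:%S")})
        if len(hosts_on_port) >= host_threshold and (src, "horizontal", dport) not in seen:
            seen.add((src, "horizontal", dport))
            alerts.append({"src": src, "kind": "horizontal", "target": dport,
                           "count": len(hosts_on_port), "at": ts.strftime("%H:%M:%S")})
    return alerts


def _line(ts, src, dst, dport, flags):
    """Constructed log line in the shape of an abbreviated iptables LOG entry."""
    return (f"Jan 12 {ts} fw kernel: DROP IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=44 TTL=54 ID=1 DF PROTO=TCP SPT=40001 DPT={dport} "
            f"WINDOW=1024 RES=0x00 {flags} URGP=0")


LOG = (
    # 10.0.0.5: vertical SYN scan, eight ports on one host in eight seconds
    [_line(f"10:00:0{i}", "10.0.0.5", "192.168.1.10", p, "SYN")
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 443, 3389])]
    # 10.0.0.9: horizontal sweep, port 445 across six hosts
    + [_line(f"10:01:0{i}", "10.0.0.9", f"192.168.1.{i + 1}", 445, "SYN") for i in range(6)]
    # 10.0.0.7: established HTTPS session, not a probe
    + [_line("10:02:00", "10.0.0.7", "192.168.1.10", 443, "ACK"),
       _line("10:02:01", "10.0.0.7", "192.168.1.10", 443, "ACK PSH")]
    # 10.0.0.8: the same six ports, one probe per minute (a -T0 style scan)
    + [_line(f"10:{3 + i:02d}:00", "10.0.0.8", "192.168.1.10", p, "SYN")
       for i, p in enumerate([21, 22, 23, 25, 80, 110])]
)

if __name__ == "__main__":
    for alert in detect_scans(LOG):
        print(alert)
```

The fast vertical scan and the sweep both trip the detector; the established session is ignored because its packets carry ACK; and the one-probe-per-minute source never accumulates five events inside the ten-second window, which is the whole rationale behind Nmap's slow timing templates and why a SOC pairs threshold rules like this with longer-horizon baselining.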
Define Scan Scope and Objectives
Begin by determining the target IP range, ports of interest, and the type of information needed (live hosts, open ports, services, OS). Obtain authorization in writing. Use CIDR notation (e.g., 192.168.1.0/24) or IP ranges. For the exam, remember that scanning without permission is illegal. Scope also includes choosing between a full scan (all ports) or a targeted scan (specific ports like 80, 443, 22).
Perform Host Discovery
Send probes to identify live hosts. Use ICMP echo, TCP SYN to common ports, or ARP for local networks. Nmap's `-sn` flag disables port scan after host discovery. Example: `nmap -sn -PS80,443 192.168.1.0/24`. This step reduces the number of targets for port scanning, saving time. On the exam, know that ARP ping is most reliable for local subnets.
Select and Execute Port Scan
Choose a scan type based on stealth requirements and privileges. For most cases, TCP SYN scan (`-sS`) is preferred. If raw sockets are unavailable, use TCP connect (`-sT`). Specify ports with `-p`. For speed, use `-T4` or `--min-rate`. Example: `nmap -sS -p 1-10000 -T4 192.168.1.1`. Record open, closed, and filtered ports.
Run Service Version Detection
On open ports, run `-sV` to identify service names and versions. This helps in finding known vulnerabilities. Increase intensity with `--version-intensity 9` if needed. Example: `nmap -sV -p 22,80,443 192.168.1.1`. The output shows 'OpenSSH 7.4' or 'Apache httpd 2.4.6'. Version detection sends multiple probes and can be noisy.
Perform OS Detection
Use `-O` to guess the operating system. Results are most reliable when the target has at least one open and one closed TCP port. Example: `nmap -O 192.168.1.1`. The output gives the best match, or when there is no exact match a range with a confidence percentage (e.g., 'Aggressive OS guesses: Linux 3.10 - 4.11 (95%)'). OS detection can be inaccurate; combine it with service banners and other enumeration. The exam may test that OS detection uses TCP/IP stack fingerprinting.
Execute Enumeration Scripts
Use NSE scripts to extract detailed information. For web servers, run `http-enum` or `http-headers`. For SMB, run `smb-enum-shares`. Example: `nmap --script http-enum -p 80 192.168.1.1`. Scripts may be intrusive; `-sC` runs the default category, which is chosen to be comparatively unobtrusive but is not a guarantee of safety, so check a script's categories before running it against production systems. Document findings like directory listings, share names, and user accounts.
Document and Analyze Results
Save scan output in normal, XML, or grepable format using `-oN`, `-oX`, or `-oG`, or write all three at once with `-oA <basename>`. Example: `nmap -sS -oA scan_results 192.168.1.1` produces scan_results.nmap, scan_results.xml, and scan_results.gnmap. Analyze for open ports, services with known vulnerabilities, and misconfigurations (e.g., anonymous FTP, default credentials). Prioritize findings for the exploitation phase. The exam expects you to interpret Nmap output correctly.
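Added example (not part of the original chapter) tying the procedure above together at its last step: a Python parser for the XML that `-oX`/`-oA` write, followed by a simple triage that ranks the findings the chapter calls out (anonymous FTP, cleartext telnet, reachable SNMP, version strings to check, and filtered ports that may sit behind a security group). The SAMPLE_XML document is constructed in the shape Nmap writes; it is not output from a real scan, and the triage rules are illustrative.

```python
"""Parse Nmap XML output (-oX / -oA) and triage the findings.  Added
illustration: SAMPLE_XML is a constructed document in the shape Nmap
writes, not output from a real scan."""

import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -O -sC -oA scan_results 192.168.1.0/30" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
  <service name="ftp" product="vsftpd" version="3.0.3" method="probed" conf="10"/>
  <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
  <service name="telnet" method="table" conf="3"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
  <service name="https" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open" reason="udp-response"/>
  <service name="snmp" product="net-snmp" method="probed" conf="10"/></port>
</ports>
<os><osmatch name="Linux 3.10 - 4.11" accuracy="95"/></os>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.2" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return a list of live hosts with their ports, services, scripts and OS guess."""
    hosts = []
    for h in ET.fromstring(text).iter("host"):
        if h.find("status").get("state") != "up":
            continue
        ports = []
        for p in h.findall("ports/port"):
            state, svc = p.find("state"), p.find("service")
            attr = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            ports.append({
                "port": int(p.get("portid")), "proto": p.get("protocol"),
                "state": state.get("state"), "reason": state.get("reason"),
                "service": attr("name"), "product": attr("product"), "version": attr("version"),
                "scripts": {s.get("id"): s.get("output") for s in p.findall("script")},
            })
        osmatch = h.find("os/osmatch")
        hosts.append({
            "addr": h.find("address[@addrtype='ipv4']").get("addr"),
            "ports": ports,
            "os": osmatch.get("name") if osmatch is not None else None,
            "os_accuracy": int(osmatch.get("accuracy")) if osmatch is not None else None,
        })
    return hosts


SEVERITY = {"high": 0, "medium": 1, "info": 2}


def triage(hosts):
    """Rank findings as (addr, port, severity, note), highest severity first."""
    findings = []
    for h in hosts:
        for p in h["ports"]:
            addr, port = h["addr"], p["port"]
            if p["state"] == "filtered":
                findings.append((addr, port, "info",
                                 f"filtered ({p['reason']}): may be open behind a filter or security group"))
                continue
            if p["state"] != "open":
                continue
            if "login allowed" in p["scripts"].get("ftp-anon", ""):
                findings.append((addr, port, "high", "anonymous FTP login allowed"))
            if p["service"] == "telnet":
                findings.append((addr, port, "medium", "cleartext remote administration (telnet)"))
            if p["service"] == "snmp":
                findings.append((addr, port, "medium", "SNMP reachable: test default community strings"))
            if p["product"]:
                banner = f"{p['product']} {p['version'] or ''}".strip()
                findings.append((addr, port, "info", f"{banner}: check for known vulnerabilities"))
    return sorted(findings, key=lambda f: (SEVERITY[f[2]], f[0], f[1]))


if __name__ == "__main__":
    for finding in triage(parse_nmap_xml(SAMPLE_XML)):
        print(finding)
```

The XML is the format to automate against; normal output is meant for humans and its layout changes between versions. One caution: attribute values such as `product` and script `output` originate from the target, so a file you did not generate yourself should be parsed with an entity-hardened parser (for example the defusedxml package) rather than the standard library module used here.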
In enterprise environments, active scanning is a double-edged sword. Security teams use it for vulnerability assessments and penetration testing, while attackers use it for reconnaissance. Consider a large financial institution with thousands of hosts across multiple subnets. The penetration tester must scan the entire internal network but avoid disrupting critical services. Using Nmap's timing templates, the tester might choose -T2 (polite) to reduce bandwidth usage and avoid triggering IPS. They would first perform a ping sweep with -sn to identify live hosts, then scan only those hosts with -sS -sV -O. To evade detection, they may use decoy scans (-D) or randomize host order (--randomize-hosts). However, the security operations center (SOC) monitors for scanning activity; they might see a sudden influx of SYN packets and block the source IP. To avoid this, the tester coordinates with the SOC and schedules scans during maintenance windows.
Another scenario: a cloud environment (AWS, Azure) where the customer is responsible for securing their virtual machines. The pentester must scan public-facing instances. Cloud providers often block ICMP, so host discovery relies on TCP SYN to ports 80, 443, or 22. Additionally, security groups act as stateful firewalls; a TCP SYN scan may show filtered ports that are actually open but blocked by the security group. The pentester must interpret results accordingly. For example, a port showing 'filtered' in Nmap might be open on the instance but blocked at the security group level. This distinction is crucial for the exam.
A common misconfiguration: an organization allows SNMP read access with default community string 'public'. An active scanner can enumerate system information, running processes, and network interfaces via SNMP. This is a goldmine for attackers. The pentester would use snmpwalk -v2c -c public target to dump the entire MIB tree. Similarly, SMB null sessions (without authentication) can enumerate users and shares. Tools like enum4linux automate this. The exam expects you to know these enumeration techniques and their implications.
Performance considerations: scanning 65,535 ports on a single host with version detection can take 30 minutes or more. Tools like Masscan can scan the entire Internet in minutes but are less stealthy. In production, prioritize critical ports (web, database, remote access) and use Nmap's --top-ports option. Always obtain written authorization and define clear rules of engagement to avoid legal issues.
The PT0-002 exam (Objective 2.2) tests your ability to perform active scanning and enumeration effectively. Key areas include:
Scan Types and Their Characteristics: You must know the differences between TCP SYN, TCP connect, UDP, FIN, NULL, Xmas, and ACK scans. The exam often asks which scan is least likely to be logged by an application (SYN scan) or which scan is best for bypassing a stateless firewall (FIN scan). A common wrong answer is choosing TCP connect scan for stealth, but it completes the handshake and is more detectable. Another trap: thinking that UDP scan is reliable because most services respond; in reality, many UDP services don't respond to empty packets, leading to false negatives.
Port States: Know the six Nmap port states. The exam may present a scenario where a port is 'filtered' and ask what that means. A common mistake is assuming 'filtered' means the port is closed; actually, it means the scanner cannot determine if it's open or closed because a firewall is interfering. Another trap: confusing 'unfiltered' with 'open' — unfiltered means the port is accessible but the scan type (ACK) can't determine open/closed.
Host Discovery Methods: The exam tests which method is most reliable for local networks (ARP ping) and which is commonly blocked (ICMP). A wrong answer might be that ICMP is always reliable, but many hosts block it. Another trap: assuming a TCP SYN ping to port 80 only works when port 80 is open. A closed port answers with RST, which still proves the host is up; the probe fails only when a firewall silently drops it.
Evasion Techniques: Know decoy scans, idle scans, fragmentation, and source port manipulation. The exam may ask which technique uses a zombie host (idle scan). A common trap is confusing decoy scans with idle scans — decoys use multiple spoofed IPs, while idle uses a single zombie. Also, remember that idle scan requires a zombie with predictable IP ID.
NSE Scripts: The exam expects familiarity with common NSE scripts for enumeration (e.g., http-enum, smb-enum-shares, dns-brute). A wrong answer might be using a vulnerability exploitation script (e.g., smb-vuln-ms17-010) for enumeration — that's exploitation, not enumeration.
Service and OS Detection: Know that -sV identifies service versions and -O identifies OS. The exam may test that OS detection requires both an open and closed port. A common wrong answer is that OS detection works with only one open port.
Command Syntax: You may be given a command and asked what it does. For example, nmap -sS -p- -T4 192.168.1.1 scans all TCP ports with SYN scan and aggressive timing. A trap: forgetting that -p- means all 65535 ports.
Enumeration Tools: Beyond Nmap, know tools like Netcat (banner grabbing), snmpwalk (SNMP enumeration), enum4linux (SMB enumeration), dig (DNS zone transfer), and ldapsearch (LDAP). The exam may ask which tool is used for a specific task.
To eliminate wrong answers, focus on the mechanism: understand what each scan type does at the packet level. If a question asks for a stealthy scan, think about which scan doesn't complete the handshake (SYN scan). If it asks about bypassing a firewall, consider which flags might be allowed through (FIN scan for stateless). Always read the scenario carefully — the presence of a stateful firewall changes the answer.
TCP SYN scan (-sS) is the default and most common scan; it sends SYN, receives SYN-ACK, then sends RST.
UDP scan (-sU) is slow and unreliable; many services don't respond to empty UDP packets.
Host discovery uses ICMP, TCP SYN/ACK, or ARP; ARP is most reliable for local subnets.
Nmap port states: open, closed, filtered, unfiltered, open|filtered, closed|filtered.
Service version detection (-sV) identifies application and version; OS detection (-O) uses TCP/IP stack fingerprinting.
Common NSE scripts for enumeration: http-enum, smb-enum-shares, dns-brute, ftp-anon.
Evasion techniques: decoy scan (-D), idle scan (-sI), fragmentation (-f), source port manipulation (--source-port).
Masscan is a high-speed scanner that can scan the entire Internet; Nmap is more feature-rich for detailed enumeration.
Always obtain written authorization before scanning; unauthorized scanning is illegal.
Enumeration includes banner grabbing (nc), SNMP (snmpwalk), SMB (enum4linux), DNS (dig), LDAP (ldapsearch).
These come up on the exam all the time. Here's how to tell them apart.
TCP SYN Scan
Also called half-open scan; does not complete the three-way handshake.
Requires raw socket privileges (root on Linux, admin on Windows).
Faster and less likely to be logged by applications.
Default scan type for Nmap when run as root.
Can be detected by IDS/IPS due to incomplete handshakes.
TCP Connect Scan
Completes the full three-way handshake (SYN, SYN-ACK, ACK).
Works without raw socket privileges (e.g., non-root user on Unix).
Slower and more detectable; applications log the full connection.
Default scan type when Nmap is run without root privileges.
More likely to appear in firewall logs as a complete connection.
Mistake
A TCP SYN scan completes the three-way handshake.
Correct
A TCP SYN scan sends a SYN packet and, upon receiving SYN-ACK, sends an RST to tear down the connection before completing the handshake. It does not send the final ACK, so the connection is never fully established.
Mistake
A closed port always responds with RST to a SYN packet.
Correct
RFC 793 says a closed port answers any incoming segment (other than one that itself carries RST) with RST, but a firewall in the path may drop the probe or return an ICMP unreachable error instead, so Nmap reports the port as filtered rather than closed.
Mistake
UDP scanning is as fast and reliable as TCP scanning.
Correct
UDP scanning is slower because it must wait for timeouts or ICMP responses, and many UDP services don't respond to empty probes, leading to false 'open|filtered' results. It is less reliable than TCP scanning.
Mistake
OS detection always identifies the exact operating system version.
Correct
OS detection uses fingerprinting and may only provide a range (e.g., Linux 3.10-4.11) with a confidence percentage. It can be inaccurate due to firewall modifications or unusual stack implementations.
Mistake
ICMP ping is the most reliable host discovery method.
Correct
ICMP is often blocked by firewalls and hosts. TCP SYN ping to common ports (80, 443) or ARP ping on local networks is more reliable for host discovery.
A TCP SYN scan sends a SYN packet and, upon receiving a SYN-ACK, sends an RST to abort the connection before it is fully established. A TCP connect scan completes the full three-way handshake by sending an ACK after the SYN-ACK. The SYN scan is faster and less likely to be logged by the target application, but it requires raw socket privileges. The connect scan is slower and more detectable but works without special privileges. Nmap uses SYN scan by default when run as root; otherwise, it falls back to connect scan.
Nmap shows 'open|filtered' when it cannot determine whether a port is open or filtered. This commonly occurs with UDP scans because many UDP services do not respond to empty probes, and firewalls may silently drop packets. It also happens with TCP FIN, NULL, and Xmas scans because open ports are expected to drop the packet silently, while closed ports send RST. If no response is received, Nmap cannot distinguish between an open port that ignored the probe and a filtered port that dropped it.
Evasion techniques include using decoy scans (-D) to spoof multiple source IPs, idle scans (-sI) to bounce packets off a zombie host, fragmenting packets (-f) to split TCP headers across multiple IP fragments, setting a custom MTU (--mtu) to further fragment, using a specific source port (--source-port) that may be allowed through firewalls (e.g., port 53 or 80), and slowing down the scan with timing templates (-T0 or -T1). However, no technique guarantees complete evasion; advanced IDS/IPS can still detect scanning patterns.
NSE allows users to write and run scripts that extend Nmap's functionality. Scripts can perform tasks like vulnerability detection, service enumeration, brute-force attacks, and exploitation. For enumeration, common scripts include http-enum (web directory discovery), smb-enum-shares (SMB share listing), dns-brute (subdomain brute-forcing), and ftp-anon (checking for anonymous FTP). Scripts are categorized as safe, intrusive, or destructive; use -sC for default safe scripts.
OS detection (-O) works by sending a series of TCP and UDP packets to open and closed ports and analyzing the responses. It looks at initial TTL, window size, DF flag, TCP options (like MSS, window scale), and the IP ID sequence. These characteristics are compared against a database of known OS fingerprints. Nmap outputs the best match with a confidence percentage. It requires at least one open and one closed port for accurate results.
Nmap is a feature-rich scanner with extensive scripting, OS detection, and service version detection. It is slower but provides detailed results. Masscan is designed for speed, capable of scanning the entire Internet in minutes by using asynchronous transmission. Masscan supports similar scan types (SYN, UDP) but has limited service detection and no scripting engine. Choose Nmap for in-depth enumeration and Masscan for large-scale, fast scans.
Yes, firewalls and IDS/IPS can detect active scanning. Stateful firewalls track connection states and may flag incomplete handshakes (SYN scans) or unusual flag combinations (FIN scans). IDS can detect patterns like multiple SYN packets to different ports from the same source. To reduce detection, use slower timing, randomize host order, spoof source IPs, or fragment packets. However, any active scan generates traffic that can be logged and analyzed.