Reconnaissance is the initial phase of the cyber kill chain, where information about a target system or organization is systematically gathered to understand its exposure and attack surface.
In ethical hacking, this phase leads into port scanning, where the focus shifts from general information gathering to identifying active services and understanding how a target system responds to network probes.
Port scanning helps identify accessible ports, discover exposed services, and understand how a target system presents its network attack surface.
Reconnaissance Phase
Reconnaissance is the process of gathering information about a target before any deeper technical interaction begins. It is classified into passive and active reconnaissance.
Passive Reconnaissance
- Public websites and metadata
- DNS and WHOIS records
- Search engine results
- OSINT sources
No direct interaction occurs with the target in this phase.
Active Reconnaissance
- Host discovery
- Port scanning
- Service probing
This involves direct interaction with the target system.
Port Scanning Phase
Port scanning is an active reconnaissance technique used to identify open ports and understand the services running on a target system.
During scanning, crafted network packets are sent to TCP and UDP ports. The responses help determine which services are accessible and how the system behaves.
One of the most widely used tools for this is Nmap.
Basic Scan Example
nmap 192.168.1.10
Sample Output
PORT STATE SERVICE
22/tcp open ssh
80/tcp filtered http
443/tcp closed https
Full Port Scan
nmap -p- 192.168.1.10
Scans all 65535 TCP ports (1-65535) instead of the default top 1000, so services bound to unusual ports are not missed.
Service Detection Scan
nmap -sV 192.168.1.10
Probes the open ports to identify the service and version running behind them.
Sample Output
PORT STATE SERVICE
25/tcp filtered smtp
80/tcp open http
Understanding Port States
Port states describe how a target system responds to network probes.
| Port State | Meaning |
|---|---|
| open | Service is actively accepting connections |
| closed | No service is listening on the port |
| filtered | Traffic is blocked or dropped by a firewall or filter |
| unfiltered | Port is reachable, but the scan cannot tell whether it is open or closed |
| open\|filtered | Cannot determine whether port is open or filtered |
| closed\|filtered | Cannot determine whether port is closed or filtered |
TCP Behavior
TCP is a connection-oriented protocol that uses a three-way handshake.
Scanner → Target : SYN
Target → Scanner : SYN-ACK
Scanner → Target : ACK
TCP Port State Summary
| Port Condition | Target Response | State |
|---|---|---|
| Open Port | SYN → SYN/ACK → ACK | open |
| Closed Port | SYN → RST | closed |
| Blocked Port | No Response or ICMP Unreachable | filtered |
Open Port (TCP)
SYN → SYN/ACK → ACK
State: open
Closed Port (TCP)
SYN → RST
State: closed
Filtered Port (TCP)
SYN → No Response
or
SYN → ICMP Unreachable
State: filtered
UDP Behavior
UDP does not use a handshake, so results depend on responses or silence from the target.
| Observation | State |
|---|---|
| Application Response Received | open |
| ICMP Port Unreachable | closed |
| No Response | open\|filtered |
| ICMP Unreachable (Administratively Prohibited) | filtered |
Open Port (UDP)
UDP Probe → Application Response
State: open
Closed Port (UDP)
UDP Probe → ICMP Port Unreachable
State: closed
Open|Filtered Port (UDP)
UDP Probe → No Response
State: open|filtered
Filtered Port (UDP)
UDP Probe → ICMP Unreachable (Administratively Prohibited)
State: filtered
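The TCP and UDP decision rules above, written out as code. This is an added example, not code from the original page or from Nmap: the Observation format is this example's own assumption, while the ICMP type 3 code set follows Nmap's documented scan rules. A small parser for the "PORT STATE SERVICE" output shown earlier is included.

```python
# Added example (not from the original page): derive Nmap-style port states from
# probe observations using the TCP and UDP rules described above, then parse
# "PORT STATE SERVICE" output lines. Observation is this example's own format,
# not an Nmap API; the ICMP code set follows Nmap's documented scan rules.
from dataclasses import dataclass
from typing import Optional

ICMP_UNREACHABLE = 3                        # ICMP type 3: Destination Unreachable
PORT_UNREACHABLE = 3                        # code 3: nothing listens on that UDP port
UNREACHABLE_CODES = {0, 1, 2, 3, 9, 10, 13} # net/host/port/admin-prohibited codes

@dataclass
class Observation:
    proto: str                              # "tcp" or "udp"
    kind: Optional[str]                     # "syn_ack", "rst", "payload", "icmp" or None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def classify(obs: Observation) -> str:
    """Map one probe observation to an Nmap port state string."""
    if obs.kind == "icmp":
        if obs.icmp_type != ICMP_UNREACHABLE or obs.icmp_code not in UNREACHABLE_CODES:
            raise ValueError(f"unexpected ICMP {obs.icmp_type}/{obs.icmp_code}")
        if obs.proto == "udp" and obs.icmp_code == PORT_UNREACHABLE:
            return "closed"                 # the host itself said: no listener
        return "filtered"                   # a filter answered on the host's behalf
    if obs.proto == "tcp":
        if obs.kind == "syn_ack":
            return "open"
        if obs.kind == "rst":
            return "closed"
        if obs.kind is None:
            return "filtered"               # silence: the SYN was dropped
    if obs.proto == "udp":
        if obs.kind == "payload":
            return "open"                   # the application answered the probe
        if obs.kind is None:
            return "open|filtered"          # silence is ambiguous for UDP
    raise ValueError(f"unexpected observation {obs}")

def parse_nmap_ports(text: str) -> list[tuple[int, str, str, str]]:
    """Parse lines like '22/tcp open ssh' into (port, proto, state, service)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or "/" not in parts[0]:
            continue                        # skip the header and blank lines
        port, proto = parts[0].split("/", 1)
        rows.append((int(port), proto, parts[1], parts[2]))
    return rows
```

Any state containing `|` in the parsed rows is one the scan could not resolve and is the first candidate for a follow-up probe.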
Role of ICMP in Port Scanning
ICMP messages indicate network-level conditions such as unreachable hosts or administrative restrictions.
They support interpretation but do not directly define port states.
Firewall Influence
Firewalls can:
- Block all probes
- Allow selective traffic
- Drop packets silently
- Modify scan visibility
This affects how ports appear during scanning.
Key Takeaways
- Port scanning identifies exposed services on a system
- TCP provides more reliable responses than UDP
- UDP results are often ambiguous due to lack of handshake
- Firewalls heavily influence scan outcomes
- Correct interpretation of port states is essential for security analysis
Conclusion
Port scanning is a core reconnaissance technique used to identify open services and understand system exposure.
Understanding port states helps security professionals interpret how a system responds to network probes and what services may be exposed in real-world environments.