Pentest Methodology & Recon · intermediate · ~12 min
Explain port states, service/version/OS detection, and why UDP scanning is slow.
Scanning finds open/closed/filtered ports, then identifies the service and version (nmap -sV), guesses the OS (nmap -O), and grabs banners. SYN scans are fast because an open or closed TCP port answers every probe at once (SYN/ACK or RST). UDP scans are slow and ambiguous: the only reliable signal is an ICMP port-unreachable for a closed port, hosts rate-limit those replies (Linux sends about one per second), and silence means either open or filtered.
The scanning phase converts an IP into a list of attackable services. Version detection in particular is what links a running service to specific known vulnerabilities, driving the rest of the engagement.
Port states: open / closed / filtered.
SYN vs connect: half-open is faster and quieter.
UDP ambiguity: no reply = open or filtered.
Version detection: -sV maps service → known issues.
OS detection: -O infers OS from stack quirks.
Banner grabbing: read what the service announces.
Scanning answers: which ports are open, what's listening, and what OS is underneath. Nmap is the standard tool.
A scan classifies each port:
- open: something is listening and answered the probe (TCP: a SYN/ACK came back).
- closed: the host is reachable but nothing is listening (TCP: a RST came back).
- filtered: no answer, or an ICMP unreachable from a router or firewall. The probe was dropped, so the scanner cannot tell whether anything is listening.
Beyond "port 80 open," probe the service to learn the exact software and version (nmap -sV): nmap sends protocol-specific probes and matches the replies, banners included, against its signature database. Because -sV actually talks to the service, it is noisier than a bare SYN scan. Version is what maps a service to known vulnerabilities, but treat it as evidence rather than proof: banners can be edited or suppressed, and distributions that backport fixes leave the advertised version number unchanged.
nmap -O guesses the OS from subtle TCP/IP stack behaviours (default TTL, initial window size, TCP option ordering, IP ID generation) by comparing them with its fingerprint database. It is an educated guess, not certainty: it works best with at least one open and one closed TCP port to probe, and load balancers, proxies and tuned stacks skew the result.
The simplest version check is a banner grab: connect and read what the service announces before you send anything. An SSH server's first line (SSH-2.0-<software>) and an SMTP server's 220 greeting usually name the software and often the exact version. netcat or curl will do it, or, as in this course's exercises, a few lines of C that read the socket and parse the banner string.
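The following C program is an added example written for this page (it is not nmap's code and not the course's exercise code). It ties together the port-state logic above and the banner grab: a TCP connect() with a timeout is classified as open, closed or filtered exactly as a SYN scan would classify SYN/ACK, RST or silence; a parallel function shows why UDP can only report open|filtered when nothing comes back; and two parsers pull the software token out of SSH and SMTP banners. The target IP and port are command-line arguments, and the sample banners in the comments are constructed for illustration.

```c
/* Added example for this page (not nmap's code): a minimal TCP connect-scan
 * probe with banner grabbing, plus the state logic for UDP. Target host and
 * port come from the command line and are assumed to be in scope. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

typedef enum { PORT_OPEN, PORT_CLOSED, PORT_FILTERED, PORT_OPEN_FILTERED } port_state_t;

static const char *state_name(port_state_t s) {
    static const char *names[] = { "open", "closed", "filtered", "open|filtered" };
    return names[s];
}

/* TCP: the outcome of connect() mirrors what a SYN scan sees on the wire.
 *   handshake completed    -> open     (peer sent SYN/ACK)
 *   ECONNREFUSED           -> closed   (peer sent RST: reachable, nothing listening)
 *   timeout / host unreach -> filtered (no answer: something dropped the SYN) */
port_state_t classify_tcp(int connected, int err) {
    if (connected) return PORT_OPEN;
    if (err == ECONNREFUSED) return PORT_CLOSED;
    return PORT_FILTERED;
}

/* UDP: only a closed port is unambiguous, and only via an ICMP port-unreachable
 * (surfaces as ECONNREFUSED on a connected UDP socket). Hosts rate-limit those
 * ICMP replies, which is why full UDP scans crawl. Silence means open OR filtered. */
port_state_t classify_udp(int got_data, int err) {
    if (got_data) return PORT_OPEN;
    if (err == ECONNREFUSED) return PORT_CLOSED;
    return PORT_OPEN_FILTERED;
}

/* SSH identification string (RFC 4253 s4.2): "SSH-<proto>-<software>[ <comments>]\r\n".
 * Returns the software token (e.g. "OpenSSH_8.9p1", a constructed sample) from a
 * static buffer, or NULL if the banner is not SSH. */
const char *ssh_software(const char *banner) {
    static char buf[128];
    if (strncmp(banner, "SSH-", 4) != 0) return NULL;
    const char *p = strchr(banner + 4, '-');        /* skip the protocol version */
    if (!p) return NULL;
    p++;
    size_t n = strcspn(p, " \r\n");                 /* token ends at space or EOL */
    if (n == 0 || n >= sizeof buf) return NULL;
    memcpy(buf, p, n); buf[n] = '\0';
    return buf;
}

/* SMTP greeting (RFC 5321): "220 <hostname> <free text>\r\n". The free text is
 * where servers announce themselves ("ESMTP Postfix"). Returns it, or NULL. */
const char *smtp_greeting(const char *banner) {
    static char buf[128];
    if (strncmp(banner, "220", 3) != 0 || (banner[3] != ' ' && banner[3] != '-')) return NULL;
    const char *p = banner + 4;
    p += strcspn(p, " \r\n");                       /* skip the hostname */
    while (*p == ' ') p++;
    size_t n = strcspn(p, "\r\n");
    if (n == 0 || n >= sizeof buf) return NULL;
    memcpy(buf, p, n); buf[n] = '\0';
    return buf;
}

/* Connect to an IPv4 host:port with a timeout and read whatever the service
 * says first. Services that wait for the client to speak (HTTP) come back
 * open with an empty banner; that is the gap -sV's active probes fill. */
port_state_t grab_banner(const char *ip, int port, int timeout_ms, char *banner, size_t blen) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((unsigned short)port) };
    banner[0] = '\0';
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return PORT_FILTERED;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return PORT_FILTERED;
    fcntl(fd, F_SETFL, O_NONBLOCK);
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    int err = rc < 0 ? errno : 0;
    if (rc < 0 && err == EINPROGRESS) {             /* wait for the handshake to finish */
        struct pollfd pfd = { .fd = fd, .events = POLLOUT };
        if (poll(&pfd, 1, timeout_ms) <= 0) { close(fd); return PORT_FILTERED; }
        socklen_t len = sizeof err;
        getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len);
        rc = err == 0 ? 0 : -1;
    }
    port_state_t st = classify_tcp(rc == 0, err);
    if (st == PORT_OPEN) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        if (poll(&pfd, 1, timeout_ms) > 0) {
            ssize_t n = recv(fd, banner, blen - 1, 0);
            banner[n > 0 ? n : 0] = '\0';
        }
    }
    close(fd);
    return st;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s <ipv4> <port>\n", argv[0]); return 1; }
    char banner[512];
    port_state_t st = grab_banner(argv[1], atoi(argv[2]), 2000, banner, sizeof banner);
    printf("%s:%s %s\n", argv[1], argv[2], state_name(st));
    const char *v;
    if ((v = ssh_software(banner)))       printf("  ssh software: %s\n", v);
    else if ((v = smtp_greeting(banner))) printf("  smtp greeting: %s\n", v);
    else if (banner[0])                   printf("  raw banner: %.*s\n", (int)strcspn(banner, "\r\n"), banner);
    return 0;
}
```

Compile with `cc -o grab grab.c` and run `./grab 127.0.0.1 22` against a host you are allowed to test. The connect-scan completes the handshake, so the target's service logs the connection; that is the "quieter" half-open SYN scan's advantage, which needs raw sockets and is why nmap -sS requires root.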
A scan classifies ports (open/closed/filtered), then fingerprints service, version, and OS. Version detection and banner grabbing are what connect a live service to its known weaknesses — the bridge from scanning to exploitation.