Port Scanning
Identify open TCP/UDP ports and enumerate running services across the target's IP space to reveal the full network attack surface.
Machine-readable JSON available at:
https://reconatlas.pages.dev/api/checklists/port-scanning
portscan-01
Host discovery
Determine which hosts in the target IP range are alive before running port scans, so that the slower full-port scans are aimed only at responding hosts.
nmap -sn -T4 192.168.1.0/24 -oG hosts-alive.txt
naabu -host target.com -p - -silent -o naabu-out.txt
When run as root, nmap -sn already combines an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request, but a network that drops ICMP and filters those two ports can still look empty. In that case add explicit TCP SYN probes to ports the target is likely to run (for example -PS22,80,443,8080), or skip discovery entirely with -Pn and accept the longer scan. The naabu command above is not a ping sweep: with -p - it SYN-scans every port, and any host that reports an open port is alive.
portscan-02
Fast full-port TCP scan
Run a high-speed scan across all 65535 TCP ports to catch services placed on non-standard ports that a default top-1000 scan would miss.
masscan -p1-65535 target.com --rate 1000 -oL masscan-out.txt
rustscan -a target.com --ulimit 5000 -- -sV
naabu -host target.com -p - -c 50 -o open-ports.txt
Rate-limit to 1000 packets per second or less on external targets; aggressive rates trigger IDS/IPS and may violate programme rules. masscan and naabu's SYN mode need root for raw sockets, and masscan expects IP addresses or CIDR ranges rather than hostnames, so resolve target.com first. The output formats also differ: naabu writes one host:port per line, masscan -oL writes "open tcp <port> <ip> <timestamp>" lines, and rustscan hands its results straight to nmap (everything after -- is an nmap argument, so the -sV here already does part of the next step).
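The three scanners above write their results in different shapes, and the next step needs a single comma-separated port list for nmap -p. The script below is an added example, not part of the checklist or of naabu, masscan or nmap themselves: it strips the host part from naabu's host:port lines, picks the TCP results for one IP out of masscan -oL output, merges and deduplicates them into an nmap -p argument, groups masscan results per host for range scans, and refuses to build an nmap command from an empty list. The scan output it parses is constructed sample data, and target.com and the 203.0.113.x addresses are placeholders.

```shell
#!/bin/sh
# Added example: turn fast-scan output (portscan-02) into the port list that
# `nmap -p` needs (portscan-03). Not part of the checklist or of the tools.
#
# Assumed formats (the tools' default text outputs; sample data is constructed):
#   naabu text output : one "host:port" per line
#   masscan -oL output: "open <proto> <port> <ip> <timestamp>" lines between a
#                       "#masscan" header and a "# end" footer

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of: naabu -host target.com -p - -o naabu-out.txt
cat > "$WORK/naabu-out.txt" <<'EOF'
target.com:443
target.com:22
target.com:8080
target.com:22
EOF

# Constructed sample of: masscan -p1-65535 203.0.113.0/24 --rate 1000 -oL masscan-out.txt
cat > "$WORK/masscan-out.txt" <<'EOF'
#masscan
open tcp 443 203.0.113.10 1700000000
open tcp 80 203.0.113.10 1700000001
open tcp 8443 203.0.113.11 1700000002
open udp 161 203.0.113.11 1700000003
# end
EOF

# Ports naabu reported for one host ($1 = naabu output file, $2 = host).
# The host part has to go: "target.com:443" is not a valid -p entry.
naabu_ports() {
  awk -F: -v h="$2" '$1 == h { print $2 }' "$1"
}

# TCP ports masscan reported for one IP ($1 = masscan -oL file, $2 = IP).
# Header/footer lines and any UDP results are skipped.
masscan_ports() {
  awk -v h="$2" '$1 == "open" && $2 == "tcp" && $4 == h { print $3 }' "$1"
}

# Read port numbers on stdin; emit them numerically sorted, deduplicated and
# comma-joined, with no trailing comma.
merge_ports() {
  sort -un | paste -sd, -
}

# Combined list for one target: $1 naabu file, $2 masscan file,
# $3 hostname as given to naabu, $4 IP as given to masscan.
# Fails (exit 1) on an empty list so nmap is never run with -p "".
port_list() {
  list=$( { naabu_ports "$1" "$3"; masscan_ports "$2" "$4"; } | merge_ports )
  [ -n "$list" ] || { echo "no open TCP ports recorded for $3 / $4" >&2; return 1; }
  printf '%s\n' "$list"
}

# Range scans: one "<ip> <p1,p2,...>" line per host with open TCP ports, so
# each host gets its own tailored -sV run instead of a union of all ports.
masscan_per_host() {
  awk '$1 == "open" && $2 == "tcp" { print $4, $3 }' "$1" \
    | sort -k1,1 -k2,2n -u \
    | awk '$1 != h { if (h != "") print h, p; h = $1; p = $2; next }
           { p = p "," $2 }
           END { if (h != "") print h, p }'
}

# The portscan-03 command line for one target (printed, not executed).
nmap_cmd() {
  ports=$(port_list "$@") || return 1
  printf 'nmap -sV -sC -p %s -oA nmap-services %s\n' "$ports" "$3"
}

nmap_cmd "$WORK/naabu-out.txt" "$WORK/masscan-out.txt" target.com 203.0.113.10
masscan_per_host "$WORK/masscan-out.txt"
```

To use it on real output, point the functions at your own naabu-out.txt and masscan-out.txt instead of the constructed files. naabu_ports splits on the colon, so hosts written as IPv6 literals need a different field split; masscan_per_host only keys on the IP column, so it works unchanged for any range.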
portscan-03
Service and version detection
Run nmap service detection against only the open ports identified in the fast scan, rather than re-scanning the whole port range.
nmap -sV -sC -p "$(cut -d: -f2 open-ports.txt | sort -un | paste -sd, -)" target.com -oA nmap-services
naabu writes host:port lines, so the port numbers have to be cut out, deduplicated and joined without a trailing comma before nmap will accept them. -sC runs the default NSE script set; review the output carefully, because several default scripts send application-level requests that appear in server logs and may count as intrusive under the programme's rules.
portscan-04
UDP scan for key services
Check for commonly misconfigured UDP services that TCP-only scans overlook, such as DNS, TFTP, NTP, SNMP, IKE and mDNS.
nmap -sU -p 53,67,68,69,123,161,162,500,1194,1900,4500,5353 target.com -oA nmap-udp
UDP scanning is slow and unreliable: most probes get no reply, so nmap reports those ports as open|filtered, and ICMP rate-limiting on the target stretches the scan further. Keep it to high-value ports, run it as root (raw sockets are required), and consider adding -sV so that version probes make genuinely open services answer and separate them from silent ports.
portscan-05
Banner grabbing and protocol fingerprinting
Collect service banners to identify exact versions and spot outdated software.
nmap --script banner -p "$(cut -d: -f2 open-ports.txt | sort -un | paste -sd, -)" target.com
nc -v target.com 22
curl -sk https://target.com -o /dev/null -w '%{http_version}\n'
nc's -n switch disables DNS lookups, so use it only when connecting to an IP address; an SSH server sends its version string as soon as the TCP session opens, so no input is needed. Banner strings are self-reported and can be edited or removed, so treat them as a lead to confirm against the -sV output rather than as proof of a version.
Overview
Port scanning maps the network footprint of a target. Open ports represent services — and every service is a potential attack surface. Even a single misconfigured port can lead to critical findings.
Scope considerations
Confirm that active scanning is permitted before running port scans. Many bug bounty programmes restrict or prohibit port scanning of shared infrastructure. Always verify the target IP or hostname is within scope.
What to prioritise
- Non-standard ports running web services (e.g., 8080, 8443, 9000, 3000)
- Administrative interfaces (8080, 8443, 9090, 15672 for the RabbitMQ management UI)
- Database ports left open to the internet (3306, 5432, 27017, 6379)
- VPN and tunnelling endpoints that reveal internal network access