Port scanning and service detection constitute the critical transition from passive reconnaissance to active enumeration in the CompTIA PenTest+ methodology. Port scanning involves probing a target system to determine which TCP or UDP ports are listening for connections, effectively mapping the digital 'doors' available for entry.
The industry-standard tool for this is Nmap. Scans generally rely on the TCP three-way handshake logic. A **TCP Connect scan** (-sT) completes the full handshake (SYN, SYN-ACK, ACK), which is reliable but noisy and easily logged by Intrusion Detection Systems (IDS). A **SYN scan** (-sS), often called a 'stealth' or 'half-open' scan, sends a SYN packet and awaits a SYN-ACK, but replies with a RST (reset) immediately. This is faster and generally the default for root users. **UDP scanning** (-sU) is distinct because UDP is connectionless; open ports often do not respond at all, while closed ports send an ICMP 'Port Unreachable' message, making the process significantly slower.
Service detection evolves the process from finding an open door to identifying who is standing behind it. Simply knowing Port 80 is open is insufficient; a tester must know if it is running Apache 2.4 or Microsoft IIS 10.0. By using version detection flags (like -sV in Nmap), the scanner interrogates the open port—often via banner grabbing or protocol-specific probes—to identify the application name and version number. This is vital for vulnerability assessment, as specific versions map to specific Common Vulnerabilities and Exposures (CVEs). Combined with OS fingerprinting (-O), these techniques define the specific attack surface, allowing the penetration tester to select precise exploits and avoid effectively 'firing blind' against the target.
Port Scanning and Service Detection Guide for CompTIA PenTest+
**What is Port Scanning and Service Detection?**

Port scanning is the second phase of the reconnaissance and enumeration process. After identifying live hosts (discovery), a penetration tester must determine which ports are open on those hosts. A port is a communication endpoint; if a port is open, a service is listening. Service detection (or version detection) takes this a step further by interrogating the open port to determine exactly what application and version is running behind it (e.g., identifying that port 80 is running Apache 2.4.41).
**Why is it Important?**

This step defines the attack surface. You cannot exploit a vulnerability if you cannot communicate with the vulnerable service. By knowing the specific software version (via service detection), you can search for Common Vulnerabilities and Exposures (CVEs) specific to that version. For example, knowing port 445 is open is good; knowing it is running Windows Server 2008 R2 (vulnerable to EternalBlue) is actionable.
**How it Works**

Port scanning involves sending specific network packets to a target IP and port range and analyzing the response.

1. TCP flags and handshakes: scanners manipulate TCP flags (SYN, ACK, RST, FIN) to elicit responses.
2. Responses determine state:
   - Open: the target responds indicating it is listening (e.g., SYN/ACK).
   - Closed: the target responds that nothing is listening (e.g., RST).
   - Filtered: the packet was dropped or blocked by a firewall; no response is received.
3. Service detection: once a port is found open, the scanner sends probes specifically designed to trick the application into revealing its banner or protocol details.
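The handshake patterns above are also what a defender sees on the wire. The following added example (not from the original guide) classifies constructed TCP packet summaries into half-open (SYN scan), full-connect, closed and no-response flows, and flags a source that probes many ports in a short window; the packet records, hosts and thresholds are all constructed for the example.

```python
"""Classify TCP flows and flag port-scan behaviour in a constructed packet log."""
from collections import defaultdict

# Constructed packet summaries: (seconds, src, dst, dst_port, direction, flags).
# direction is 'c2s' (client to server) or 's2c' (server to client).
# 10.0.0.5 performs a SYN (half-open) scan; 10.0.0.9 makes one normal connection.
PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.20", 22, "c2s", "S"),
    (0.01, "10.0.0.5", "10.0.0.20", 22, "s2c", "SA"),
    (0.01, "10.0.0.5", "10.0.0.20", 22, "c2s", "R"),     # RST instead of ACK
    (0.02, "10.0.0.5", "10.0.0.20", 80, "c2s", "S"),
    (0.03, "10.0.0.5", "10.0.0.20", 80, "s2c", "SA"),
    (0.03, "10.0.0.5", "10.0.0.20", 80, "c2s", "R"),
    (0.04, "10.0.0.5", "10.0.0.20", 443, "c2s", "S"),
    (0.05, "10.0.0.5", "10.0.0.20", 443, "s2c", "RA"),   # closed port answers RST
    (0.06, "10.0.0.5", "10.0.0.20", 8080, "c2s", "S"),   # no reply: filtered
    (1.00, "10.0.0.9", "10.0.0.20", 80, "c2s", "S"),
    (1.01, "10.0.0.9", "10.0.0.20", 80, "s2c", "SA"),
    (1.02, "10.0.0.9", "10.0.0.20", 80, "c2s", "A"),     # full three-way handshake
]

def classify_flows(packets):
    """Group packets by (src, dst, dport) and name the handshake pattern seen."""
    flows = defaultdict(list)
    for _, src, dst, dport, direction, flags in packets:
        flows[(src, dst, dport)].append(f"{direction}:{flags}")
    result = {}
    for key, seq in flows.items():
        if seq[:3] == ["c2s:S", "s2c:SA", "c2s:R"]:
            result[key] = "half_open"      # -sS against an open port
        elif seq[:3] == ["c2s:S", "s2c:SA", "c2s:A"]:
            result[key] = "full_connect"   # -sT or a legitimate client
        elif seq[:2] == ["c2s:S", "s2c:RA"]:
            result[key] = "closed"
        elif seq == ["c2s:S"]:
            result[key] = "no_response"    # filtered, or still waiting
        else:
            result[key] = "other"
    return result

def scanners(packets, min_ports=3, window=2.0):
    """Sources that send SYNs to at least min_ports distinct ports within window seconds
    of their first SYN (a simple fixed window, sufficient for this constructed data)."""
    first_seen, ports = {}, defaultdict(set)
    for ts, src, _dst, dport, direction, flags in packets:
        if direction == "c2s" and flags == "S":
            first_seen.setdefault(src, ts)
            if ts - first_seen[src] <= window:
                ports[src].add(dport)
    return {src for src, p in ports.items() if len(p) >= min_ports}
```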
**Exam Tips: Answering Questions on Port Scanning and Service Detection**

The CompTIA PenTest+ exam heavily favors Nmap. You must be able to read Nmap output and select the correct flags.
**Key Nmap Flags to Memorize:**

- **-sS (SYN Scan)**: The default "stealth" scan. It sends a SYN packet; if it receives a SYN/ACK, it sends a RST (tearing down the connection). It is fast and usually requires root privileges. It does not complete the 3-way handshake.
- **-sT (TCP Connect Scan)**: Completes the full 3-way handshake (SYN, SYN/ACK, ACK). It is less stealthy (more likely to be logged) but works without root privileges.
- **-sV (Version Detection)**: Interrogates open ports to determine service versions.
- **-sU (UDP Scan)**: Scans UDP ports. This is slow because UDP is connectionless and does not send acknowledgments, forcing the scanner to wait for timeouts.
- **-O (OS Detection)**: Attempts to identify the operating system.
- **-A (Aggressive)**: Enables OS detection, version detection, script scanning, and traceroute simultaneously.
- **-p (Port Specification)**: e.g., -p 80, -p 1-1000, or -p- (scan all 65,535 ports).
- **-T0 through -T5 (Timing)**: Controls speed. -T0 is paranoid (slowest, for evasion), -T5 is insane (fastest, inaccurate). -T4 is the standard for modern high-speed networks.
**Strategic Scenarios for the Exam:**

Scenario A: "The output shows the state as Filtered." Analysis: This indicates a firewall or ACL is dropping the packets. It does not mean the port is closed; it means the scanner cannot reach it.
Scenario B: "You need to scan without root privileges." Answer: Use -sT (TCP Connect). You cannot use -sS without raw socket access (root/admin).
Scenario C: "You see a service running on a non-standard port (e.g., HTTP on 8080 or SSH on 2222)." Answer: Do not assume the service based on the port number. Always rely on the output of -sV (Service Version) to confirm what is actually running.
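Reading Nmap output as the exam expects can be automated. The following added example (not from the original guide or from the Nmap project) parses a constructed excerpt in the shape of `nmap -sV` normal output and applies Scenarios A and C: it lists filtered ports separately from closed ones, flags services whose -sV name does not match their conventional port, and builds the port-to-version inventory used for CVE lookup. The scan text and the small port/service table are constructed; the table is not Nmap's own nmap-services file.

```python
"""Parse Nmap normal-output port lines and apply the exam scenarios."""
import re

# Constructed excerpt shaped like `nmap -sV` normal output (not a real scan).
NMAP_OUTPUT = """\
PORT     STATE         SERVICE VERSION
22/tcp   open          ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   filtered      http
2222/tcp open          ssh     OpenSSH 7.4 (protocol 2.0)
8080/tcp open          http    Apache httpd 2.4.41 ((Ubuntu))
53/udp   open|filtered domain
"""

# Partial table of conventional port assignments, constructed for this example.
EXPECTED_PORT = {"ssh": 22, "http": 80, "https": 443, "domain": 53, "microsoft-ds": 445}

# <port>/<proto> <state> <service> [<version ...>]
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_ports(text):
    """Return one dict per port line: port, proto, state, service, version."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header and blank lines do not match
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": (version or "").strip()})
    return rows

def nonstandard_services(rows):
    """Scenario C: open ports whose -sV service name does not match the
    conventional port; unknown services are not flagged."""
    return [r for r in rows
            if r["state"] == "open"
            and EXPECTED_PORT.get(r["service"]) not in (None, r["port"])]

def filtered_ports(rows):
    """Scenario A: ports whose probes were dropped (filtered or open|filtered).
    These are not proven closed; the scanner simply got no answer."""
    return [r["port"] for r in rows if "filtered" in r["state"]]

def versioned_inventory(rows):
    """Open ports with a confirmed version string, the input for CVE lookup."""
    return {f'{r["port"]}/{r["proto"]}': r["version"]
            for r in rows if r["state"] == "open" and r["version"]}
```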