Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 07. The Killchain / 02. Scanning

Scanning

If reconnaissance is scouting from a distance, scanning is the first stage where we begin actively interacting with the target. If you've ever played StarCraft, this is the part where you send a worker to the enemy base early in the game to determine their build order and infer their intentions.

I use this example because this is the point at which you begin interacting with the target directly. During reconnaissance, we primarily collect information from public resources and third-party databases. During scanning, we start asking the target itself questions.

Because of this, scanning is often detectable and may generate logs, alerts, firewall events or intrusion detection activity.

Examples of questions we may be trying to answer include:

  • Which hosts are online?
  • Which ports are open?
  • Which services are running?
  • Which operating system is being used?
  • Which technologies are exposed?

For example:

10.10.10.15

22/tcp   Open   SSH
80/tcp   Open   HTTP
443/tcp  Open   HTTPS

At this stage we have not yet gathered detailed information about these services. We have simply identified that they exist and may warrant further investigation.


Common Scanning Tools

The most widely used scanning tool in cybersecurity is Nmap.

Nmap can perform tasks such as:

  • Host discovery
  • Port scanning
  • Service identification
  • Operating system detection
  • Basic vulnerability discovery

For example:

nmap 10.10.10.15

A larger scan may reveal:

22/tcp   Open   SSH
80/tcp   Open   HTTP
135/tcp  Open   MSRPC
445/tcp  Open   SMB
3389/tcp Open   RDP

Other commonly encountered scanning tools include:

ToolPurpose
NmapGeneral-purpose network scanning
MasscanExtremely high-speed port scanning
RustScanFast port discovery
NaabuFast port discovery
NessusVulnerability scanning
OpenVASVulnerability scanning

Scanning Example

To clearly demonstrate scanning, I first completely disabled the Firewall on the Windows 10 machine from the lab and I will perform a scan from Kali.

KaliScan

As you can see, we acquired several results, even though this is simply an out-of-the-box Windows 10 installation.

The command breakdown:

nmap -Pn -sS -T4 -v 10.10.10.201 -oN ./workstation_ports.txt

-Pn              : Treat the target as online and skip host discovery
-sS              : SYN scan by initiating, but not completing TCP handshakes
-T4              : Do it faster / more aggressive
-v               : Verbose / display output immediately, not just after exit
10.10.10.201     : The workstation IP address we set at the lab setup
-oN <filename>   : Save the results to the file "workstation_ports.txt"

However, please note that very noticeable traffic was generated:

ScanTraffic

Observe how:

  • 10.10.10.100 (Kali) sends probes, sequentially to different ports
  • 10.10.10.201 (Windows) responds either positively or negatively to them

Based on the responses, the scanner may infer whether the target service is:

  • Up
  • Down
  • Possibly up but behind a firewall

For example, knowing that TCP/445 is open tells us that SMB likely exists on the target, but it does not tell us what shares are available, whether anonymous access is enabled, which users exist or what version is running. Those questions belong to the next phase: Enumeration.


OPSEC

It is important to understand that scanning is often one of the loudest activities an operator can perform. Aggressively scanning infrastructure may be perfectly acceptable during a penetration test or other authorized assessment, but real-world environments are frequently protected by logging, monitoring and detection capabilities that generate telemetry from such activity.

For this reason, scanning is often performed deliberately and within a tightly defined scope. The objective is not to collect every possible piece of information, but rather to gather enough information to make informed decisions about the next stage of the engagement.

As operators gain experience, they often rely less on broad scans and more on their understanding of how environments are typically constructed. For example, when assessing an Active Directory environment, an experienced operator may reasonably expect to encounter services such as RPC, SMB, Kerberos, LDAP, WinRM and RDP without needing to perform extensive scanning first.

This does not mean scanning becomes unimportant. Rather, it becomes more focused and purposeful, with each scan designed to answer a specific question rather than simply collecting information for its own sake.