TCP Scanner: Top Tools and Techniques for Network Discovery
What a TCP scanner does
A TCP scanner probes target IPs and ports using TCP to determine which services are listening, how hosts respond, and sometimes service/version info. Common scan types include SYN (half-open), CONNECT (full TCP handshake), ACK (firewall/filtered detection), FIN/NULL/XMAS (stealth), and TCP version/service probes.
Top tools (summary table)
| Tool | Strengths | Typical use |
|---|---|---|
| Nmap | Flexible scan types, OS/service detection, scripting engine (NSE) | General-purpose discovery, audits |
| Masscan | Extremely fast, handles Internet-scale scans | Wide-range port sweep, mapping large address spaces |
| ZMap | Fast single-packet scanning, research-scale | Large-scale Internet measurement |
| RustScan | Fast port discovery + Nmap integration | Quickly find open ports then run Nmap |
| Hping3 | Custom TCP/IP packet crafting | Firewall testing, custom probes, evasion tests |
Techniques and when to use them
- SYN scan: Fast and stealthier than full connect; use for standard discovery when you can send raw packets.
- CONNECT scan: Use when raw sockets aren’t available (e.g., no root), reliable but noisier.
- Parallelization: Increase concurrency to scan many hosts/ports faster—tools like Masscan/ZMap excel here.
- Rate limiting and randomization: Avoid overloading networks and reduce detection; essential for large scans.
- Service/version probes: Follow up open-port finding with banner grabs or Nmap service detection to identify services.
- Firewall/AV evasion: Use fragmented packets, timing jitter, or scan types like FIN/XMAS—only for authorized testing.
- Combining tools: Use a fast scanner (Masscan/RustScan) to find candidates, then run Nmap for detailed results.
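Seen from the defending side, the probe types listed above differ in the TCP flag combination of the first packet, which is how an IDS tells a SYN, ACK, FIN, NULL or XMAS sweep apart from ordinary sessions. The following Python is an added example, not code from the original article: it classifies constructed connection records by flag set and reports any source that probes many distinct ports (the source addresses, ports and `min_ports` threshold are made up for illustration).

```python
from collections import defaultdict

# TCP flag bits as laid out in the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe types named in the article, keyed by the exact flag combination a
# scanner sends in its first packet. Anything else is treated as normal
# traffic. A CONNECT scan also opens with a bare SYN, so a single packet
# cannot separate it from a half-open scan; only the completed handshake can.
PROBE_TYPES = {
    SYN: "SYN (half-open)",
    ACK: "ACK (filter detection)",
    FIN: "FIN",
    0: "NULL",
    FIN | PSH | URG: "XMAS",
}


def classify_probe(flags):
    """Return the scan type implied by a packet's flag byte, or None for normal traffic."""
    return PROBE_TYPES.get(flags & 0x3F)


def detect_scanners(records, min_ports=10):
    """Group probe packets by source and report sources touching many distinct ports.

    records: iterable of (src_ip, dst_ip, dst_port, flags) tuples.
    Returns {src_ip: {"ports": distinct_port_count, "types": sorted probe types}}.
    """
    ports = defaultdict(set)
    types = defaultdict(set)
    for src, _dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind is None:
            continue  # data segments, ACK|PSH etc. are not scan probes
        ports[src].add(dport)
        types[src].add(kind)
    return {
        src: {"ports": len(p), "types": sorted(types[src])}
        for src, p in ports.items()
        if len(p) >= min_ports
    }


# Constructed sample (not real traffic): one host sweeps ports 20-31 with SYN
# probes and sends one XMAS probe to port 80; a legitimate client completes a
# handshake on 443 and is therefore not reported.
SAMPLE = [("198.51.100.7", "192.0.2.10", p, SYN) for p in range(20, 32)]
SAMPLE.append(("198.51.100.7", "192.0.2.10", 80, FIN | PSH | URG))
SAMPLE += [("203.0.113.5", "192.0.2.10", 443, SYN),
           ("203.0.113.5", "192.0.2.10", 443, ACK | PSH)]

if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE).items():
        print(f"{src}: {info['ports']} distinct ports, probe types {info['types']}")
```

The same classification explains why the randomization and rate limiting mentioned above matter to a scanner: the detector keys on one source touching many ports in a short window, not on any single packet.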
Best practices and safety
- Always have explicit authorization before scanning networks you don’t own.
- Start small: test on a limited range and increase rate once confident.
- Log scans and use identifiable contact information (if required) to reduce confusion.
- Respect rate limits and local rules; scanning can trigger IDS/IPS, blacklists, or legal issues.
- Validate results with multiple scan types to reduce false positives.
Quick example workflow (prescriptive)
- Use Masscan to quickly find open ports across the target range (low rate initially).
- Feed the discovered IP:port pairs into Nmap with `-sS -sV -oA detailed_scan` for a SYN scan plus service/version detection (the version probes complete the handshake), saving results in all output formats.
- Review results, run targeted hping3 tests for abnormal responses or firewall behavior.
- Correlate with logs and repeat with adjusted timing or different scan types if needed.
Further reading
- Nmap documentation and NSE scripts
- Masscan and ZMap project pages for large-scale scanning guidance
- RFCs for TCP behavior and state machine (for advanced crafting)