Every penetration test starts with discovery: what is alive, what's listening, what version is it? The technique you choose — full connect, SYN scan, FIN scan, UDP, version detection — affects both what you learn and how visible you are to the target's defenses.
The lab below is a simulator. No packets actually leave your machine. You pick a target scenario and a scan type, then fire. The simulator shows what the real packets would look like, what the host would respond, and what an attacker would conclude.
Example scenario: Web Server (Linux). A standard Ubuntu LTS host running a few common services, with no firewall in the way. The most permissive scenario, useful as a baseline.
What each scan tells you
TCP Connect (-sT). The kernel makes a full socket connection through connect(): SYN, SYN+ACK, ACK, then nmap closes it. Reliable, because the OS completed the handshake, so the port is definitely open, and it needs no raw-socket privileges. Loud, because the listening service sees a completed connection and usually logs it (sshd, for instance, records a connection that was closed before authentication). Note that Apache's access log only records HTTP requests, so a bare connect scan appears there only when the scanner actually sends one.
SYN (-sS). Nmap sends a raw SYN and waits for SYN+ACK (port open) or RST (port closed); no answer, or an ICMP unreachable, means filtered. On SYN+ACK the scanner's side answers with RST instead of the final ACK, so the connection never fully forms and the listening application never sees it, which is why many older IDS missed it. Modern network sensors and flow logging catch it easily. Still nmap's default when it has raw-socket privileges.
FIN, NULL, Xmas (-sF, -sN, -sX). Send packets with non-standard flag combinations (FIN only, no flags, FIN+PSH+URG). RFC 793 says closed ports must respond with RST; open ports must drop the packet silently. So no response means either open or dropped by a firewall, and nmap reports it as open|filtered. Works against RFC-compliant Unix stacks. Windows (along with Cisco and some other stacks) violates the RFC and sends RST regardless, so these scans report every port as "closed" on Windows.
UDP (-sU). Send a UDP datagram. If the port is closed, you get ICMP "port unreachable." If open, you get either nothing (nmap reports open|filtered, since a firewall drop looks identical) or an application-level response (e.g., a DNS answer on port 53, which nmap reports as open). Slower than TCP because every silent port costs a timeout and because Linux rate-limits ICMP errors to roughly one per second, so a full 65535-port UDP sweep of one host can take many hours. Essential for finding DNS, NTP, SNMP, IKE.
Version detection (-sV). After finding open ports, nmap connects to each and tries to identify the service via banner grabbing and protocol probes. Returns "Apache 2.4.49 on Ubuntu" or "OpenSSH 8.9p1" or "Microsoft IIS 10". Because the probes are real application-layer requests, this step is at least as loud as a connect scan and does show up in application logs. It is the recon step that turns a list of ports into a list of candidate CVEs.
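As an added example (not nmap's own code and not part of the original page), here is the state-inference logic behind the scan types above as a small simulator in the spirit of the lab: no packets are sent, the target "stacks" are constructed, and the names respond(), infer_state(), run_scan() and the target dicts are this example's own. It covers the two caveats a practitioner trips over: the open|filtered ambiguity of FIN/NULL/Xmas and UDP scans, and the Windows stack that answers every FIN/NULL/Xmas probe with RST.

```python
# Added example for this page, not nmap's own code: a model of how nmap turns
# the response to a single probe into a port state, per scan type. No packets
# are sent; the targets below are constructed and the names are this
# example's own.

SYN_ACK = "SYN+ACK"
RST = "RST"
ICMP_UNREACH = "ICMP port unreachable"   # type 3, code 3
UDP_PAYLOAD = "UDP application reply"    # e.g. a DNS answer on 53
NO_RESPONSE = None

# Constructed targets. rfc793=False models Windows (and Cisco and some other
# stacks), which answer FIN/NULL/Xmas probes to open ports with RST.
LINUX_WEB = {"tcp_open": {22, 80, 443}, "udp_open": {53, 123},
             "udp_replies": {53}, "rfc793": True, "dropped": set()}
WINDOWS = {"tcp_open": {135, 445, 3389}, "udp_open": {137},
           "udp_replies": set(), "rfc793": False, "dropped": set()}
FIREWALLED_LINUX = dict(LINUX_WEB, dropped={22})   # host firewall drops SSH probes


def respond(target, scan_type, port):
    """What the target sends back for one probe of the given scan type."""
    if port in target["dropped"]:
        return NO_RESPONSE                        # firewall drops it silently
    if scan_type in ("sT", "sS"):
        return SYN_ACK if port in target["tcp_open"] else RST
    if scan_type in ("sF", "sN", "sX"):
        if port in target["tcp_open"]:
            return NO_RESPONSE if target["rfc793"] else RST
        return RST                                # closed ports always RST
    if scan_type == "sU":
        if port not in target["udp_open"]:
            return ICMP_UNREACH
        # Only some services answer an unexpected datagram (DNS, SNMP, NTP...);
        # the rest listen silently.
        return UDP_PAYLOAD if port in target["udp_replies"] else NO_RESPONSE
    raise ValueError(f"unknown scan type {scan_type}")


def infer_state(scan_type, response):
    """nmap's port state for one probe/response pair."""
    if scan_type in ("sT", "sS"):
        if response == SYN_ACK:
            return "open"
        if response == RST:
            return "closed"
        return "filtered"                         # no answer: something dropped it
    if scan_type in ("sF", "sN", "sX"):
        if response == RST:
            return "closed"
        # Silence is what an open RFC 793 port does, but also what a firewall
        # does, so nmap cannot separate the two cases.
        return "open|filtered"
    if scan_type == "sU":
        if response == UDP_PAYLOAD:
            return "open"
        if response == ICMP_UNREACH:
            return "closed"
        return "open|filtered"                    # silent: open-but-quiet or dropped
    raise ValueError(f"unknown scan type {scan_type}")


def run_scan(target, scan_type, ports):
    """Scan a list of ports against a constructed target; returns {port: state}."""
    return {p: infer_state(scan_type, respond(target, scan_type, p)) for p in ports}


if __name__ == "__main__":
    for name, target in (("linux", LINUX_WEB), ("windows", WINDOWS)):
        for st in ("sS", "sF", "sU"):
            print(name, f"-{st}", run_scan(target, st, [22, 53, 80, 445, 8080]))
```

Running it shows why a FIN scan of the Windows target is useless (every port comes back "closed"), why the firewalled SSH port is "filtered" under -sS but "open|filtered" under -sF, and why NTP on the Linux host stays "open|filtered" under -sU until a version probe makes it talk.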
How defenders see a scan
From the target's perspective:
- One source IP hitting many ports in a short window. A typical SIEM rule is "more than 20 distinct ports from one source in 10 seconds = scan."
- SYN with no follow-up ACK. Each half-open connection shows in netstat -an as a SYN_RECV entry; the scanner's RST normally clears it within a round trip, so the entries pile up only when that RST is dropped, but a packet capture or flow sensor still sees every one of them.
- Unusual flag combinations. FIN, NULL and Xmas probes trigger most IDS signatures because real clients never open a connection with these flags.
- Application logs for TCP Connect scans show short-lived connections from one source, e.g., dozens of sshd "Connection closed by 198.51.100.7 ... [preauth]" lines within seconds. Apache's access log records only HTTP requests, so a bare connect scan is invisible there until the scanner sends a request, which version detection (-sV) does.
Defenders correlate these signals to identify the scan and the scanner. The hosts that respond with SYN+ACK are the ones the attacker now knows are interesting.
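As an added example (not from the original page), the two network-side signals above as detection logic run over constructed records: a sliding-window distinct-port counter implementing the "more than 20 distinct ports from one source in 10 seconds" rule quoted here, and a check for flag sets no real client uses. The IPs, timestamps and function names are this example's own. The constructed traffic includes a second scanner paced one probe every five minutes (the -T0 pace from the Timing section below), which slides under the rate rule but still gives itself away through its NULL and Xmas probes.

```python
# Added example, not from the original page: the defender-side signals as
# detection logic over constructed connection records. The threshold is the
# rule quoted on the page; IPs, timestamps and names are this example's own.
# Timestamps are integer milliseconds.

from collections import defaultdict, deque

SCAN_PORT_THRESHOLD = 20      # more than this many distinct ports...
SCAN_WINDOW_MS = 10_000       # ...from one source inside this window = scan


def detect_port_scans(events, threshold=SCAN_PORT_THRESHOLD, window_ms=SCAN_WINDOW_MS):
    """Sliding-window distinct-port counter.

    events: iterable of (ts_ms, src_ip, dst_port) in time order, e.g. one
    record per SYN seen at the perimeter or per accepted connection.
    Returns {src_ip: ts_ms at which that source first crossed the threshold}.
    """
    recent = defaultdict(deque)           # src -> deque of (ts, port) in window
    alerts = {}
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window_ms:   # expire records older than the window
            q.popleft()
        if src not in alerts and len({p for _, p in q}) > threshold:
            alerts[src] = ts
    return alerts


# Flag sets no legitimate client uses to open a connection: NULL, FIN-only
# and Xmas (FIN+PSH+URG). A single such packet is enough to alert on.
ODD_FLAG_SETS = {frozenset(), frozenset({"FIN"}), frozenset({"FIN", "PSH", "URG"})}


def odd_flag_packets(packets):
    """packets: iterable of (src_ip, set_of_flags). Returns the offenders."""
    return [(src, sorted(flags)) for src, flags in packets
            if frozenset(flags) in ODD_FLAG_SETS]


# Constructed traffic: a fast scanner, a -T0-paced scanner and a normal client.
FAST_SCANNER = [(100 * i, "198.51.100.7", 1 + i) for i in range(30)]    # 30 ports in under 3 s
SLOW_SCANNER = [(300_000 * i, "203.0.113.9", 1 + i) for i in range(30)] # one port every 5 min
LEGIT_CLIENT = [(500 * i, "192.0.2.5", 443) for i in range(30)]         # same port, repeatedly
SAMPLE_EVENTS = sorted(FAST_SCANNER + SLOW_SCANNER + LEGIT_CLIENT)

SAMPLE_PACKETS = [("192.0.2.5", {"SYN"}),
                  ("203.0.113.9", set()),                  # NULL scan probe
                  ("203.0.113.9", {"FIN", "PSH", "URG"}),  # Xmas scan probe
                  ("192.0.2.5", {"ACK", "PSH"})]

if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_EVENTS))    # only the fast scanner trips the rate rule
    print(odd_flag_packets(SAMPLE_PACKETS))    # the slow scanner still shows up here
```

The rate rule fires on the fast scanner at its 21st distinct port (2 seconds in) and never on the client that hits one port thirty times, which is the point of counting distinct ports rather than connections. The slow scanner is exactly the case the rate rule cannot catch, so the flag check is the complementary signal to keep alongside it.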
Timing — nmap's -T flag
Nmap has six timing templates, from -T0 (paranoid, glacially slow) to -T5 (insane, fast and noisy). The trade-off:
- -T0 (paranoid) sends one probe every 5 minutes. Beats most rate-based IDS rules. A /24 scan takes weeks.
- -T1 (sneaky) waits 15 seconds between probes. Still slow enough to slide under many rate rules.
- -T2 (polite) pace. Reasonable for production-traffic networks.
- -T3 (normal) is the default. Reasonable in a lab.
- -T4 (aggressive). Good for permitted pen tests on robust networks.
- -T5 (insane). Shortens timeouts so far that it misses responses, and it triggers every alert. Used only when you don't care about being seen.
Port scanning is the recon step that turns "an IP address" into "an attack surface." A SYN scan is fast and informative; version detection turns ports into CVEs; UDP scanning finds services that TCP scans miss entirely. The scan you pick says as much about your goal — speed, stealth, completeness — as it does about the target.
From the defender's side, scanning leaves a recognizable signature. Rate-limit at the perimeter, watch for short-window flag-heavy activity, and treat any scan you can correlate to a single source as a red flag for what comes next.