Port scanning is conducted to identify which services are accessible, since each listening service is part of the attack surface that an attacker may try to exploit. Knowing which ports are open is therefore crucial: attackers look for applications on the network that could have vulnerabilities, and the open ports are where those applications are reached.
Port scanning involves sending packets to an application and monitoring for responses. This process is straightforward for TCP, as an available TCP service will always respond with a SYN/ACK packet. In contrast, detecting available UDP services is more challenging; attackers often need to send specific inputs to elicit a response, as most UDP applications will only reply if they receive the exact input required for communication.
TCP is straightforward to scan because the TCP standard specifies that a system should respond with a SYN/ACK when a SYN packet arrives at a port with a listening service. By sending a SYN packet to all 65,536 ports and recording the incoming SYN/ACK responses, we can determine which ports are open from these replies. If no response is received, we can infer that the port is either closed or filtered, possibly by a firewall.
The presence of a SYN/ACK response on port 445 indicates that the port is open.
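The inference described above (SYN sent, SYN/ACK back means open, nothing back means closed or filtered) can be applied from the defender's side to a packet log, which both reconstructs what a scanner learned and reveals the scan itself. The following is an added example, not code from the original page; the log format and the addresses are constructed for illustration, and the handling of an RST reply as "closed" goes slightly beyond the page's text (a closed TCP port answers a SYN with RST, so only silence is ambiguous between closed and filtered).

```python
import re
from collections import defaultdict

# Constructed sample packet log (not real captured traffic). Each line is:
# timestamp, protocol, src:port > dst:port, TCP flags (S=SYN, SA=SYN/ACK, RA=RST/ACK).
# 10.0.0.5 probes several ports on 10.0.0.10; 10.0.0.7 is an ordinary client.
SAMPLE_LOG = """\
10:00:01.001 TCP 10.0.0.5:40001 > 10.0.0.10:22 S
10:00:01.002 TCP 10.0.0.10:22 > 10.0.0.5:40001 SA
10:00:01.003 TCP 10.0.0.5:40002 > 10.0.0.10:445 S
10:00:01.004 TCP 10.0.0.10:445 > 10.0.0.5:40002 SA
10:00:01.005 TCP 10.0.0.5:40003 > 10.0.0.10:80 S
10:00:01.006 TCP 10.0.0.10:80 > 10.0.0.5:40003 RA
10:00:01.007 TCP 10.0.0.5:40004 > 10.0.0.10:8080 S
10:00:02.100 TCP 10.0.0.7:51000 > 10.0.0.10:443 S
10:00:02.101 TCP 10.0.0.10:443 > 10.0.0.7:51000 SA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+)$"
)


def parse(log):
    """Turn the constructed log text into a list of event dicts; skip unparsable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def classify_ports(events, scanner, target):
    """Reconstruct what `scanner` learned about `target`: map each probed port to
    'open' (SYN/ACK seen), 'closed' (RST seen) or 'no-response' (closed or filtered)."""
    # Each probe is keyed by (scanner source port, target port); the reply to a
    # probe comes back from target:dport to scanner:sport, so the key is mirrored.
    probes = {}
    for ev in events:
        if ev["src"] == scanner and ev["dst"] == target and ev["flags"] == "S":
            probes[(ev["sport"], ev["dport"])] = "no-response"
    for ev in events:
        if ev["src"] == target and ev["dst"] == scanner:
            key = (ev["dport"], ev["sport"])
            if key not in probes:
                continue
            if ev["flags"] == "SA":
                probes[key] = "open"
            elif "R" in ev["flags"]:
                probes[key] = "closed"
    return {dport: state for (_, dport), state in probes.items()}


def detect_scanners(events, min_ports=3):
    """Flag (src, dst) pairs whose pure SYN probes hit at least `min_ports`
    distinct destination ports: the signature of a port scan in the log."""
    ports_by_pair = defaultdict(set)
    for ev in events:
        if ev["flags"] == "S":  # pure SYN, i.e. a connection attempt
            ports_by_pair[(ev["src"], ev["dst"])].add(ev["dport"])
    return {pair: sorted(ports) for pair, ports in ports_by_pair.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for port, state in sorted(classify_ports(evs, "10.0.0.5", "10.0.0.10").items()):
        print(f"port {port}: {state}")
    for (src, dst), ports in detect_scanners(evs).items():
        print(f"possible scan from {src} against {dst}: ports {ports}")
```

On the sample log, port 445 is reported open because a SYN/ACK came back, port 80 is closed because of the RST, and port 8080 stays ambiguous because nothing was logged in reply; the single-port client 10.0.0.7 is not flagged, while 10.0.0.5 is, because it probed four distinct ports.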