Linux 101 : Basic port scan using Netcat

The basic form of port scanning to know whether a port is open or closed, is establishing a full connection to that port.

According to the TCP protocol, a full connection is when a three-way handshake is established.

The below diagram illustrates that mechanism:

The three-way handshake so the two hosts can agree on the different parameters of a TCP connection before sending any data.

As we can see in the above diagram the "computer A" sends a SYN packet to the "Server A" on a specific port. 
If the port is open, "Server A" sends a SYN-ACK packet, then the "Computer A" sends an ACK packet, after that step the connection is established.

A full connection involving a three-way handshake to connect to a remote port - as described above - can be achieved using the netcat tool.

The below command scans a wide range of ports - 2500-2600 - for the host  - -, using netcat:

Below is a short description of the above parameters:
  • -w : is the connection timeout window in seconds.
  • -n : tells netcat not to perform any DNS lookups - use only IPs -.
  • -v : verbose mode, to display more information that usual.
  • -z  : tells netcat that no data will be sent over this connection - that it is only for scanning purposes -.
The UDP protocol on the other hand doesn't save any data about its state - it is stateless -, there is no three-way handshake involved. 

To perform a scan on the UDP ports - 200-250 - of a machine - - , we use the below command:

  • -u : tells netcat that its a UDP scan.


Leave as a comment: