This curriculum covers the technical and operational complexity of port scanning as practiced in multi-phase security assessments, from the scoping through the execution of internal network testing programs across hybrid (on-premises and cloud) environments.
Module 1: Fundamentals of Port Scanning and Network Discovery
- Selecting between TCP connect scans (full three-way handshake, so the service's accept() fires and application logs record the probe) and SYN scans (half-open, raw sockets, normally visible only to the network stack or firewall) based on evasion requirements and the target's logging policies.
- Configuring scan timeouts to balance accuracy against network disruption in high-latency environments.
- Choosing a fixed source port (Nmap -g/--source-port, typically 53 or 20) to pass stateless ACLs that permit any traffic from trusted source ports such as DNS or FTP-data; stateful firewalls track connections and are not fooled by this.
- Deciding whether to perform active ARP scanning on local subnets (fast and immune to host firewalls, since every host must answer ARP) or rely on DNS and routing-table enumeration, which misses hosts that are neither registered nor routed.
- Managing TTL values in probe packets to detect network hops and infer topology without triggering alerts.
- Handling fragmented IP packets during scanning to test for firewall reassembly weaknesses while avoiding detection.
Module 2: Scan Technique Selection and Performance Tuning
- Choosing between UDP and TCP scanning based on service prevalence and firewall statefulness, allowing for UDP's ambiguous open|filtered results and the ICMP rate limiting that makes UDP scans far slower.
- Adjusting packet pacing (e.g., --min-rate, --max-rate and --max-rtt-timeout in Nmap) to avoid overwhelming network links or tripping IDS rate thresholds.
- Implementing parallel host and port scanning while managing concurrent socket exhaustion on the scanning host.
- Using idle scanning (Nmap -sI, which needs a zombie host with an incremental IP ID counter and no other traffic) to probe a target from a third party's address where attribution must be minimized, and only where the rules of engagement explicitly permit it, since the technique deliberately hides the scanning source.
- Disabling reverse DNS resolution (Nmap -n) during large-scale scans to speed them up and avoid leaving PTR lookups in the logs of external name servers.
- Optimizing scan order (e.g., most common ports first) to prioritize findings in time-constrained engagements.
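To make the connect-versus-SYN trade-off and the timeout and concurrency points of Modules 1 and 2 concrete, here is an added example (not code from the page or from any tool it names) of a minimal TCP connect scanner: each probe completes a real handshake, a timeout maps silence to "filtered", and a bounded worker pool caps the number of sockets held at once so a long port list cannot exhaust the scanner's file descriptors. The demo starts its own listener on 127.0.0.1, so the addresses and port numbers are constructed for the example.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Added example: a connect scan with explicit state mapping and bounded
# parallelism. The loopback host and ports below are demo assumptions.


def probe_tcp(host, port, timeout=1.0):
    """Classify one TCP port using a full connect() handshake.

    A connect scan completes the three-way handshake, so the target's
    accept() fires and application-level logs record the probe. A SYN
    scan stops at SYN/ACK but needs raw sockets, which this code avoids.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"            # SYN/ACK received and handshake completed
    except ConnectionRefusedError:
        return "closed"          # RST received
    except socket.timeout:
        return "filtered"        # no answer before the timeout: dropped or lost
    except OSError:
        return "error"           # e.g. no route to host
    finally:
        sock.close()


def connect_scan(host, ports, timeout=1.0, max_workers=64):
    """Probe many ports in parallel with a bounded worker pool.

    max_workers caps the sockets open at any moment, so the scanner's
    file-descriptor limit is never hit; timeout trades accuracy on slow
    links against total scan time.
    """
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {port: pool.submit(probe_tcp, host, port, timeout) for port in ports}
        return {port: fut.result() for port, fut in futures.items()}


def demo():
    """Scan a locally started listener and a port known to be closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)               # the kernel completes handshakes without accept()
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))     # grab a free port number, then release it
    closed_port = probe.getsockname()[1]
    probe.close()                    # nothing listens here now: expect a RST

    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    print(f"port {open_port}: {results[open_port]}")
    print(f"port {closed_port}: {results[closed_port]}")
```

The "filtered" branch cannot be shown on loopback, because nothing drops packets there; against a real firewall it is the state you see for silently dropped probes, and the timeout value decides how long each such probe costs.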
Module 3: Evasion and Anti-Forensics in Port Scanning
- Randomizing source ports (Nmap's default) so probes resemble ordinary client connections; this does not bypass stateful inspection, which tracks connection state rather than source port. A fixed trusted source port (--source-port) only helps against stateless ACLs.
- Splitting the TCP header across several small IP fragments (Nmap -f uses 8-byte fragments; --mtu sets other multiples of 8) to test for inconsistent firewall reassembly logic.
- Using decoy scans (Nmap -D) to dilute log attribution, choosing decoy addresses that are in scope and actually up, since a decoy that is down can leave the target SYN-flooded.
- Reading the TCP window size in RST responses (Nmap window scan, -sW) to tell open from closed ports on stacks that leak this difference, and as one input to OS fingerprinting.
- Spoofing the MAC address (Nmap --spoof-mac) in local-network scans, with the caveat that switch port security which caps MAC addresses per port is triggered, not avoided, by address rotation and may shut the port down.
- Pacing probes (Nmap -T paranoid or sneaky, --scan-delay, --randomize-hosts) so the timing resembles legitimate traffic and does not stand out in SIEM time-series analysis.
Module 4: Integration with Vulnerability Assessment Workflows
- Mapping detected services to vulnerability databases (CVE/NVD) via the CPE names that Nmap version detection (-sV) emits, treating low-confidence banner matches as leads rather than findings.
- Correlating scan results with configuration management databases (CMDB) to identify unauthorized or rogue services.
- Automating scan execution within CI/CD pipelines to validate containerized services before deployment.
- Filtering out expected open ports using approved service lists to reduce false positives in compliance reporting.
- Triggering authenticated vulnerability scans only on hosts with specific ports (e.g., SSH, WinRM) open.
- Scheduling incremental vs. full port scans based on change management windows and system criticality.
Module 5: Regulatory Compliance and Legal Boundaries
- Documenting scan authorization scope to exclude third-party systems and prevent accidental CFAA violations.
- Configuring scans to avoid prohibited techniques (e.g., FIN scans) in environments governed by contractual red team agreements.
- Restricting scan intensity in PCI DSS environments to prevent disruption of cardholder data systems.
- Generating time-stamped scan logs for audit trails to demonstrate due diligence in SOX or HIPAA assessments.
- Validating scan source IP inclusion in customer-provided allowlists for cloud-hosted workloads.
- Withholding exploit attempts during scanning phases in compliance with engagement rules of engagement (RoE).
Module 6: Toolchain Configuration and Automation
- Extending version detection with custom nmap-service-probes entries or NSE scripts to extract version details from non-standard banners; -sV already probes every open port regardless of its number, so non-default ports need no special handling beyond that.
- Feeding Masscan's high-speed discovery output (for example -oL list output converted to per-host port lists) into Nmap -sV for deep service analysis.
- Developing Python scripts to parse and normalize scan results across multiple tool formats (XML, JSON, CSV).
- Setting up recurring scans using cron or Jenkins with error handling for network timeouts and host unreachability.
- Encrypting scan result storage and transmission when handling data subject to GDPR or CCPA.
- Version-controlling scan configurations in Git to track changes and enable reproducible assessments.
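As an added example for the parsing and normalization work described above (and the approved-service filtering in Module 4), here is a small Python normalizer for Nmap XML output. It is not code from the page or from Nmap; the XML sample, addresses, hostnames, versions and the approved list are constructed for the demo. It flattens each open or open|filtered port into one record that can be written as JSON (or CSV via csv.DictWriter) and then reports every record that is not on the approved list.

```python
import json
import xml.etree.ElementTree as ET

# Added example. Constructed, abbreviated sample of Nmap -sV -oX output;
# every host, hostname, product and version below is invented.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.0/29" version="7.94">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.corp.example" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10">
          <cpe>cpe:/a:openbsd:openssh:8.9p1</cpe></service></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="6379"><state state="open" reason="syn-ack"/>
        <service name="redis" method="table" conf="3"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed approved-service list: (host, proto, port) tuples.
APPROVED = {("10.0.0.5", "tcp", 22), ("10.0.0.5", "tcp", 80)}


def parse_nmap_xml(xml_text):
    """Flatten Nmap XML into one dict per open / open|filtered port on each live host."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if not state.startswith("open"):
                continue                  # keep open and open|filtered only
            svc = port.find("service")
            cpe = svc.find("cpe") if svc is not None else None
            records.append({
                "host": addr_el.get("addr"),
                "hostname": hostname,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state,
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                "cpe": cpe.text if cpe is not None else "",
                # conf 10 means a probed match; 3 is a port-table guess only
                "conf": int(svc.get("conf", 0)) if svc is not None else 0,
            })
    return records


def unapproved_ports(records, approved):
    """Return the records whose (host, proto, port) is not on the approved list."""
    return [r for r in records if (r["host"], r["proto"], r["port"]) not in approved]


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(json.dumps(unapproved_ports(recs, APPROVED), indent=2))
```

The "conf" field is carried through on purpose: a port-table guess (conf 3, method "table") should not be mapped to a CPE or a CVE the way a probed banner match (conf 10) can. Nmap output you generated yourself is trusted input; if the same parser ever ingests XML from outside the team, use defusedxml instead of the standard ElementTree.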
Module 7: Reporting, Triage, and Stakeholder Communication
- Filtering out transient scan artifacts (e.g., port flapping) to prevent unnecessary remediation tickets.
- Classifying findings by business impact (e.g., internet-facing vs. internal-only services) in executive summaries.
- Providing raw scan data to SOC teams while delivering redacted summaries to non-technical stakeholders.
- Highlighting ports associated with default credentials or known exploits in remediation prioritization.
- Correlating scan results with NetFlow data to distinguish listening services that are actually used from those that merely accept connections, which changes how urgently an exposed port must be closed.
- Archiving scan baselines to measure configuration drift and track closure of open ports over time.
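The flapping filter and the baseline-drift comparison above can be combined in one pass over successive scan snapshots. The following is an added example, not code from the page; the hosts, ports and snapshot contents are constructed. A port only counts as open once it has been seen open in at least min_seen recent scans, which keeps a one-off observation out of the remediation queue, and the stable set is then diffed against the archived baseline.

```python
from collections import Counter

# Added example. Constructed baseline and scan snapshots; each entry is a
# (host, proto, port) tuple and all addresses are invented.
BASELINE = {
    ("10.0.0.5", "tcp", 22), ("10.0.0.5", "tcp", 80), ("10.0.0.9", "tcp", 3389),
}
SNAPSHOTS = [   # oldest to newest
    {("10.0.0.5", "tcp", 22), ("10.0.0.5", "tcp", 80), ("10.0.0.5", "tcp", 8443),
     ("10.0.0.9", "tcp", 3389), ("10.0.0.9", "tcp", 445)},
    {("10.0.0.5", "tcp", 22), ("10.0.0.5", "tcp", 80), ("10.0.0.5", "tcp", 8443),
     ("10.0.0.9", "tcp", 3389)},
    {("10.0.0.5", "tcp", 22), ("10.0.0.5", "tcp", 8443), ("10.0.0.9", "tcp", 3389)},
]


def stable_open_ports(snapshots, min_seen=2):
    """Split observed ports into stable (seen >= min_seen times) and transient."""
    counts = Counter(key for snap in snapshots for key in snap)
    stable = {k for k, n in counts.items() if n >= min_seen}
    transient = {k for k, n in counts.items() if n < min_seen}
    return stable, transient


def drift(baseline, stable):
    """Compare the stable set against the archived baseline."""
    return {
        "newly_open": sorted(stable - baseline),   # candidates for tickets
        "closed": sorted(baseline - stable),       # closures to record as progress
    }


def summarize(baseline, snapshots, min_seen=2):
    """One report: drift against baseline plus the flapping ports that were held back."""
    stable, transient = stable_open_ports(snapshots, min_seen)
    report = drift(baseline, stable)
    report["transient"] = sorted(transient)
    return report


if __name__ == "__main__":
    for threshold in (2, 3):
        print(f"min_seen={threshold}: {summarize(BASELINE, SNAPSHOTS, threshold)}")
```

The threshold is a policy choice and the two runs in the demo show its effect: with min_seen=2 the port 80 that disappeared in the newest scan is still treated as open, with min_seen=3 it is reported as closed. Pick the value from how many scans fit inside a change window, and record it with the baseline so later comparisons are reproducible.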
Module 8: Advanced Scanning in Segmented and Cloud Environments
- Deploying distributed scan agents in multi-VPC AWS environments to reduce cross-region latency and egress costs.
- Using VPC flow logs to validate scan reachability (ACCEPT records from the scanner's address) and to separate security group or network ACL blocking (REJECT) from host-level filtering (ACCEPT with no response to the scanner).
- Adjusting scan techniques in SDN environments where microsegmentation enforces per-workload policies.
- Scanning through jump hosts using SSH tunneling while maintaining source accountability for logging.
- Identifying shadow IT by scanning RFC 1918 ranges in cloud environments not managed by central IT.
- Testing east-west firewall rules in data centers by initiating scans from within trusted subnets.
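To show the flow-log check from Module 8 in working form, here is an added example (not code from the page or from AWS) that reads VPC flow log records in the default version-2 field layout, keeps the flows from the scanner to the target, and explains each port the scanner reported as filtered: a REJECT means a security group or network ACL dropped it, an ACCEPT with no answer means the probe reached the instance and something on the host ignored it, and no record at all means the probe never traversed that ENI. The log lines, addresses, ENI ID and scanner results are constructed for the demo.

```python
# Added example. Constructed VPC flow log records in the default (version 2)
# format: version account-id interface-id srcaddr dstaddr srcport dstport
# protocol packets bytes start end action log-status. All values invented.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.20.1.50 10.20.2.10 41234 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.1.50 10.20.2.10 41235 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.20.1.50 10.20.2.10 41236 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.1.50 10.20.2.10 41237 5985 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.20.1.50 10.20.2.10 41238 161 17 1 78 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.3.7 10.20.2.10 55000 22 6 4 240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Constructed scanner verdicts for the same target, keyed by (proto, port).
SCANNER_RESULTS = {
    ("tcp", 22): "open", ("tcp", 443): "filtered", ("tcp", 3389): "filtered",
    ("tcp", 5985): "filtered", ("tcp", 8080): "filtered", ("udp", 161): "open|filtered",
}

PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}


def flow_actions(log_text, scanner_ip, target_ip):
    """Map (proto, dstport) -> ACCEPT/REJECT for flows from the scanner to the target."""
    actions = {}
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":      # skip NODATA / SKIPDATA records
            continue
        src, dst, dport, proto, action = f[3], f[4], f[6], f[7], f[12]
        if src != scanner_ip or dst != target_ip:
            continue                          # other sources are not our probes
        actions[(PROTO_NAMES.get(proto, proto), int(dport))] = action
    return actions


def explain_filtered(scanner_results, actions):
    """Attribute each 'filtered' scanner verdict to a layer using the flow-log action."""
    explanations = {}
    for key, verdict in scanner_results.items():
        if verdict != "filtered":
            continue
        action = actions.get(key)
        if action == "REJECT":
            explanations[key] = "rejected by security group or network ACL"
        elif action == "ACCEPT":
            explanations[key] = "reached the ENI: host firewall or unresponsive service"
        else:
            explanations[key] = "no flow record: probe never reached this ENI"
    return explanations


if __name__ == "__main__":
    acts = flow_actions(SAMPLE_FLOW_LOG, "10.20.1.50", "10.20.2.10")
    for key, why in sorted(explain_filtered(SCANNER_RESULTS, acts).items()):
        print(f"{key[0]}/{key[1]}: {why}")
```

Two caveats when using this against real logs: flow records are aggregated over a capture window and delivered with a delay, so correlate on the scan's time range rather than expecting one record per probe, and a REJECT does not say whether the security group or the NACL did the dropping, so both need to be checked before a ticket is raised.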