Network Recon Tutorial: Ports, Services & Safe Scanning

Understand what “open ports” really mean, how to read a scan, and how defenders reduce exposure.


What is Network Reconnaissance?

Network reconnaissance (recon) is the process of discovering systems and the services they expose. Think of each open port as a door into an application (web server, database, SSH). Recon is how defenders verify what’s exposed and attackers look for weak spots. This tutorial shows how to read a basic scan result and what findings usually mean in the real world.

Ports & Services — Quick Primer

Ports

Numbers (0–65535) that identify “doors” to services. Common ones: 22/ssh, 80/http, 443/https, 3306/mysql, 3389/rdp.

States

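open (a service is accepting connections), closed (the port is reachable but no service is listening), filtered (a firewall blocks or obscures the port, so the scanner cannot tell whether it is open).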

Services

The application listening on a port. Banner or version info (e.g., OpenSSH 8.9) helps assess risk.

Sample Scan Output (nmap)

Here’s a simplified, safe example you’ll analyze in the challenge.

Note: This is a static, educational example — do not scan systems you don’t own or lack permission to test.

How to Read This

22/tcp open ssh

Remote shell access. If exposed to the internet, enforce strong auth (keys), disable passwords, and use rate limiting.

80/tcp open http → 443/tcp https

Plain HTTP should redirect to HTTPS. Check TLS and headers (HSTS, CSP) on 443.

3306/tcp filtered mysql

Database not directly reachable (good). Keep it private; expose via app layer or VPN only.

Common Risks & Defender Actions

Exposed Admin Services

SSH/RDP open to the world invites brute-force and credential-stuffing. Mitigate: key-based auth, VPN, allow-lists, MFA where supported.

Outdated Software

Old versions may have known CVEs. Mitigate: patch, auto-update, vulnerability scanning, WAF for web.

Unnecessary Exposure

Services left open “temporarily” become permanent risk. Mitigate: close unused ports, segment networks, least privilege.
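
The reading guide and defender actions above, turned into a small triage script (an added example, not part of the original tutorial). The scan text is a constructed sample in nmap's port-table layout; the function names and port groupings are assumptions made for illustration.

```python
import re

# Constructed sample in nmap's port-table layout (not a real scan).
SAMPLE_SCAN = """\
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9
80/tcp   open     http
443/tcp  open     https
3306/tcp filtered mysql
"""

ADMIN_PORTS = {22, 3389}   # remote admin services named in the tutorial
DATABASE_PORTS = {3306}    # should stay private (app layer or VPN only)
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)\s*(.*)$")


def parse_ports(scan_text):
    """Return one dict per port-table row; headers and other lines are skipped."""
    rows = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and int(m.group(1)) <= 65535:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3), "service": m.group(4),
                         "version": m.group(5).strip()})
    return rows


def review(rows):
    """Map each open port to the defender action from the reading guide."""
    open_rows = [r for r in rows if r["state"] == "open"]  # closed/filtered: no action
    open_ports = {r["port"] for r in open_rows}
    findings = []
    for r in open_rows:
        port = r["port"]
        if port in ADMIN_PORTS:
            findings.append((port, "admin service exposed: keys/MFA, allow-list or VPN"))
        elif port in DATABASE_PORTS:
            findings.append((port, "database reachable: move behind app layer or VPN"))
        elif port == 80 and 443 not in open_ports:
            findings.append((port, "HTTP with no HTTPS listener: add TLS and redirect"))
        elif port == 80:
            findings.append((port, "confirm HTTP redirects to HTTPS"))
        elif port == 443:
            findings.append((port, "check TLS config and headers (HSTS, CSP)"))
        else:
            findings.append((port, "unlisted open port: confirm it is needed or close it"))
        if r["version"]:
            findings.append((port, f"version '{r['version']}' visible: check patch level"))
    return findings
```

Calling review(parse_ports(SAMPLE_SCAN)) returns a list of (port, action) pairs that can be printed or fed into a ticketing workflow.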

Mini Glossary

Banner

Text a service sends on connect (e.g., version). Useful for identification.

Enumeration

Digging deeper after recon: versions, auth methods, directories, etc.

Attack Surface

All reachable entry points (ports, endpoints, creds). Recon maps the surface.

Quick Checklist
