June 20, 2026
Scanning: The Second Stage of Penetration Testing — Turning Information into Opportunities
“Reconnaissance tells me where to look. Scanning tells me where to strike.”
Ariel404
3 min read
In my previous article, I discussed Reconnaissance, the first phase of penetration testing, where the goal is to gather as much information as possible about a target. But collecting information is only half the battle. Once I know what I'm dealing with, the next step is to identify vulnerabilities and map out the target's infrastructure. This is where Scanning, the second phase of penetration testing, comes into play.
Scanning helps me answer questions like:
- Which systems are alive?
- What ports are open?
- Which services are running?
- Are there any known vulnerabilities?
Think of reconnaissance as finding a house, while scanning is checking every door and window to see which ones are unlocked.
-> What is Scanning?
Scanning is the process of actively interacting with a target system to discover its network structure, services, and potential weaknesses. Unlike passive reconnaissance, scanning involves sending packets to the target and analyzing the responses.
The main objective is to gather technical information that can be used during the exploitation phase.
Types of Scanning
1. Network Scanning
The first thing I want to know is which devices are connected to the network. Network scanning identifies active hosts and helps create a map of the target environment.
Common information gathered includes:
- Active IP addresses
- Host availability
- Network topology
A simple ping sweep using Nmap:
nmap -sn 192.168.1.0/24
This command checks which hosts are alive without performing a port scan. A host that does not answer is not necessarily down: a firewall that drops the discovery probes makes a live host look dead, so the result of a sweep is a starting point, not a complete inventory.
2. Port Scanning
Every service on a computer communicates through ports. If a port is open, it means a service is listening for connections.
Some common ports include:
21 — FTP
22 — SSH
25 — SMTP
53 — DNS
80 — HTTP
443 — HTTPS
I often use Nmap for port scanning:
nmap <target-ip>
By default this scans the 1,000 most common TCP ports and reports which of them are open. The service name printed next to each port comes from Nmap's port-to-service table (nmap-services), not from talking to the service, so a service on a non-standard port is labelled by its port number rather than by what is actually listening.
A more detailed scan:
nmap -sV <target-ip>
The -sV flag sends probes to each open port and matches the responses against Nmap's service signatures, which is how you learn the actual product and version (for example OpenSSH 8.9 instead of just "ssh"). That version string is what the vulnerability scanning stage keys on, so it is crucial for identifying outdated software. Add -p- when you need all 65,535 TCP ports rather than the default top 1,000.
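To connect the ping sweep from section 1 with the port and service scan above, here is an added example (my own code, not from the original article) that parses Nmap's greppable output (-oG) into target lists: the live hosts from the sweep become the input for the port scan, and the open ports with their detected versions become the list handed to vulnerability checks. It assumes Nmap's -oG format (Host/Status lines and seven-field port entries) and embeds constructed sample output for two made-up hosts so it runs offline; in a real engagement you would replace the sample functions with files written by `nmap -sn -oG sweep.gnmap 192.168.1.0/24` and `nmap -sV -oG ports.gnmap -iL live.txt`.

```shell
#!/bin/sh
# Added example: parse Nmap greppable output (-oG) into target lists, so the
# host-discovery stage feeds the port scan and the port scan feeds the
# vulnerability stage. All hosts, ports and versions below are constructed.
set -eu

# Constructed stand-in for `nmap -sn -v -oG - 192.168.1.0/24` (Down hosts
# are listed only with -v). Fields on a Host line are tab separated.
sweep_sample() {
    cat <<'EOF'
# Nmap 7.94 scan initiated Sat Jun 20 10:00:00 2026 as: nmap -sn -v -oG - 192.168.1.0/24
Host: 192.168.1.1 ()	Status: Up
Host: 192.168.1.10 ()	Status: Up
Host: 192.168.1.20 ()	Status: Down
# Nmap done at Sat Jun 20 10:00:05 2026 -- 256 IP addresses (2 hosts up) scanned in 4.91 seconds
EOF
}

# Constructed stand-in for `nmap -sV -oG - -iL live.txt` against the two live hosts.
ports_sample() {
    cat <<'EOF'
# Nmap 7.94 scan initiated Sat Jun 20 10:05:00 2026 as: nmap -sV -oG - -iL live.txt
Host: 192.168.1.1 ()	Ports: 22/open/tcp//ssh//Dropbear sshd 2020.81 (protocol 2.0)/, 53/open/tcp//domain//dnsmasq 2.89/	Ignored State: closed (998)
Host: 192.168.1.10 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, 443/closed/tcp//https///	Ignored State: filtered (997)
# Nmap done at Sat Jun 20 10:07:31 2026 -- 2 IP addresses (2 hosts up) scanned in 151.02 seconds
EOF
}

# live_hosts: read -oG text on stdin, print the IP of every host reported Up.
# Save the result to live.txt and feed it to the port scan with -iL live.txt.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# open_ports: read -oG text on stdin, print "ip port/proto service version"
# for every port whose state is open. Each entry in the Ports: field has seven
# slash-separated fields: port/state/proto/owner/service/rpcinfo/version/
# (Nmap writes any / inside a version string as |, so splitting on / is safe).
open_ports() {
    awk '
        /^Host:/ && /Ports: / {
            ip = $2
            list = $0
            sub(/.*Ports: /, "", list)                              # keep only the port list
            sub(/[ \t]+(Ignored State|OS|Seq Index):.*/, "", list)  # drop trailing fields
            n = split(list, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
            }
        }'
}

# hosts_with_service: from -oG text on stdin, list (deduplicated) hosts that
# expose the named service, e.g. every host with ssh open.
hosts_with_service() {
    open_ports | awk -v svc="$1" '$3 == svc { print $1 }' | sort -u
}

# Walk the pipeline on the constructed samples.
echo "== live hosts (input for the port scan) =="
sweep_sample | live_hosts
echo "== open ports with versions (input for vulnerability checks) =="
ports_sample | open_ports
echo "== hosts exposing ssh =="
ports_sample | hosts_with_service ssh
```

The point of keeping the parsing in small functions is that each stage's output becomes the next stage's input file: `live_hosts` produces the list for `-iL`, and `open_ports` gives you the exact version strings to check, and a per-service host list (`hosts_with_service ssh`) lets you aim follow-up checks at only the hosts that expose that service instead of rescanning the whole range.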
3. Vulnerability Scanning
After identifying services, the next step is checking whether they have known vulnerabilities. Vulnerability scanning compares discovered software versions against databases of publicly known security flaws (CVEs).
Popular tools include:
- Nmap NSE scripts
- Nessus
- OpenVAS
For example:
nmap --script vuln <target-ip>
This runs the scripts in the NSE "vuln" category against the target. Combine it with -sV, because many of these scripts decide what to test from the detected service and version.
It's important to remember that vulnerability scanners only identify potential issues. Manual verification is always necessary because false positives can occur.
4. Web Application Scanning
If the target hosts a website, I also perform web application scanning to identify security flaws.
Common issues include:
- SQL Injection
- Cross-Site Scripting (XSS)
- Directory Traversal
- Security Misconfigurations
- Outdated software versions
Some popular tools are:
- Burp Suite
- OWASP ZAP
- Nikto
- Gobuster
Directory enumeration example:
gobuster dir -u http://target.com -w wordlist.txt
This requests each path from the wordlist and reports the ones that respond, helping discover directories and files that are not linked from the site. Pay attention to the status codes: a 403 on an admin path still tells you the path exists.
-> Common Scanning Techniques
1. TCP Connect Scan
Completes the full TCP handshake (SYN, SYN/ACK, ACK) to determine whether a port is open, using the operating system's normal connect() call. This is Nmap's -sT, and the default when Nmap runs without root privileges.
Pros:
- Reliable, and works without raw-socket privileges.
Cons:
- Easily detected: because the connection completes, the listening application itself sees it and can log it, in addition to any IDS on the path.
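As an added illustration (my own code, not from the article), here is a minimal connect scan written in shell around bash's /dev/tcp pseudo-device, the same full-handshake approach as nmap -sT. It assumes bash built with network redirection support (the Linux default) and the coreutils timeout command. Because the handshake completes, every open port sees a real connection followed by an immediate close, which is exactly the event the target's application log and IDS will record. The three outcomes map onto Nmap's port states: a successful connect means open, an immediate refusal (RST) means closed, and a timeout means filtered.

```shell
#!/bin/sh
# Added example: a minimal TCP connect scan with bash's /dev/tcp, the same
# full-handshake technique as nmap -sT. Assumes bash and coreutils `timeout`.
set -eu

# tcp_connect_probe HOST PORT [TIMEOUT_SECONDS]
# Prints open, closed or filtered, mirroring what a connect scan can observe:
#   connect() succeeds           -> open     (full handshake; the service saw a connection)
#   connect() refused (RST)      -> closed
#   no answer before the timeout -> filtered (something dropped the SYN)
tcp_connect_probe() {
    host=$1
    port=$2
    limit=${3:-2}
    rc=0
    # `exec 3<>/dev/tcp/...` asks bash to connect; the child exits as soon as the
    # handshake finishes, so the target sees a connect followed by an immediate close.
    timeout "$limit" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
    case $rc in
        0)   echo open ;;
        124) echo filtered ;;   # timeout(1) exit status for "ran out of time"
        *)   echo closed ;;     # connection refused or host unreachable
    esac
}

# connect_scan HOST PORT... : one line per port, "PORT/tcp STATE".
connect_scan() {
    host=$1
    shift
    for port in "$@"; do
        printf '%s/tcp %s\n' "$port" "$(tcp_connect_probe "$host" "$port")"
    done
}

# Example run against the local machine with a few common ports from the list above
# (this is the only place the script touches the network; keep real targets in scope).
connect_scan 127.0.0.1 22 80 443
```

Run it against a host you own while watching that host's logs (for example the SSH daemon's log) and you will see why the connect scan is the noisy option: each open port records a connection that was opened and closed without sending anything. A SYN scan avoids that application-level trace because the handshake is never completed, which is why it needs raw sockets and root.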
2. SYN Scan
Also called a half-open scan. Instead of completing the connection, it sends a SYN packet and analyzes the response: a SYN/ACK means the port is open, a RST means it is closed, and no reply (or an ICMP unreachable) means it is filtered. Nmap then tears the half-open connection down with a RST, so the handshake never completes.
Advantages:
- Faster
- Less likely to be logged by the application, since no connection is ever established (an IDS/IPS on the path can still see the SYN traffic).
- One of the most commonly used Nmap scanning methods, and the default when Nmap runs with root privileges (it needs raw sockets).
Example:
nmap -sS <target-ip>
3. UDP Scan
Some services operate over UDP instead of TCP.
Examples:
- DNS
- SNMP
- DHCP
Example:
nmap -sU <target-ip>
UDP scanning is slower because there is no handshake: an open UDP port usually ignores an empty probe, so "no answer" is reported as open|filtered, and closed ports are recognised only by ICMP port unreachable replies, which many systems rate-limit (Linux defaults to about one per second), forcing Nmap to wait. Combining -sU with -sV sends protocol-specific payloads that can coax a reply out of services such as DNS or SNMP and resolve many of the open|filtered results.
-> Popular Scanning Tools
1. Nmap
The most widely used network scanner.
Features:
- Host discovery
- Port scanning
- Service detection
- OS fingerprinting
- Vulnerability scripts
2. Nessus
A commercial vulnerability scanner that identifies thousands of known security issues.
3. OpenVAS
An open-source vulnerability assessment tool with a large vulnerability database.
4. Nikto
A web server scanner that checks for:
- Dangerous files
- Outdated software
- Default configurations
- Common vulnerabilities
5. Burp Suite
An essential toolkit for web application security testing.
It helps identify:
- Authentication flaws
- XSS
- SQL Injection
- Session management issues
-> Challenges During Scanning
Scanning isn't always straightforward. Security mechanisms can make the process difficult.
Some common obstacles include:
- Firewalls
- Intrusion Detection Systems (IDS)
- Intrusion Prevention Systems (IPS)
- Rate limiting
- Filtered ports
- Network segmentation
Ethical penetration testers must work within the agreed scope and avoid generating unnecessary traffic that could disrupt services.
-> Best Practices I Follow
Whenever I perform scanning during a lab or authorized assessment, I try to:
✔ Define the target scope clearly.
✔ Start with less intrusive scans.
✔ Identify active hosts before scanning ports.
✔ Verify vulnerabilities manually.
✔ Document every finding.
✔ Respect rate limits and authorization boundaries.
-> Why Scanning Matters
Scanning bridges the gap between reconnaissance and exploitation.
Without scanning, I would only know that a target exists. With scanning, I understand:
- What services are running.
- Which ports are open.
- What software versions are installed.
- Which vulnerabilities may exist.
- Which attack paths are worth investigating.
In many ways, scanning transforms raw information into actionable intelligence.
-> Final Thoughts
Scanning is one of the most exciting stages of penetration testing because it's where information starts to reveal potential weaknesses. However, effective scanning isn't about launching every tool available — it's about understanding the target, choosing the right techniques, and interpreting the results carefully.
As someone learning cybersecurity, I've realized that mastering scanning isn't just about memorizing Nmap commands or vulnerability scanners. It's about developing a systematic approach to discovering and analyzing attack surfaces while staying ethical and responsible.
In the next phase of penetration testing, the information gathered through reconnaissance and scanning becomes the foundation for Gaining Access (Exploitation), where identified vulnerabilities are tested in a controlled and authorized manner.
Because in penetration testing, the better you understand the target, the smarter your next move becomes.
Happy Hacking! 🎀💋