When live hosts have been identified, the next step is to determine which TCP and UDP services are available on each target host.
Port numbers range from 0 to 65535 for both TCP and UDP (and for other transport protocols such as DCCP and SCTP). This range is divided into three categories: the System Ports, from port 0 to port 1023 (port 0 being reserved); the User Ports, from port 1024 to port 49151; and the Dynamic and/or Private Ports, from port 49152 to 65535. System Ports are assigned by the IETF process for standards-track protocols; User Ports are assigned by IANA using the "IETF Review", "IESG Approval" or "Expert Review" process; Dynamic Ports are not assigned. Note that other names for these ranges are widely used, but these are the names IANA uses: System Ports are often referred to as Well Known Ports and User Ports as Registered Ports.
System Ports are the most commonly used, so a first port scan of a target host might be limited to this range. Scanning all TCP and UDP ports on several live hosts simultaneously may take not just hours but days, depending on the tool used, the performance of the attacker's computer and of the target servers, and the connection speed, amongst other things.
A port scan is the attempt to connect to a range of ports, or to all ports, on a live host to determine whether a service is listening on each of them. Several methods exist, but one widely used way is simply to connect to the port and examine the response from the target host; the response tells you whether the connection was accepted or not. In a TCP port scan of this kind, the 3-way handshake is performed and completed if the connection succeeds.
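As an added example (not part of the original text), the full-open TCP connect check described above, combined with the IANA range classification from the previous paragraph, in Python. It uses only the standard library and demonstrates itself against a loopback listener it opens on an ephemeral port, so it runs offline; the function names are this example's own.

```python
"""Minimal TCP connect ("full open") port scanner with IANA range labels.
Added example, not from the original page; standard library only."""
import socket
from concurrent.futures import ThreadPoolExecutor


def classify_port(port: int) -> str:
    """Return the IANA category for a port number (System, User, Dynamic)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port <= 1023:
        return "System"
    if port <= 49151:
        return "User"
    return "Dynamic"


def tcp_connect(host: str, port: int, timeout: float = 0.5) -> bool:
    """Full-open check: True only if the 3-way handshake completes."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success, an errno (e.g. ECONNREFUSED) otherwise
            return s.connect_ex((host, port)) == 0
    except OSError:
        return False


def tcp_connect_scan(host: str, ports, timeout: float = 0.5, workers: int = 64) -> dict:
    """Scan the given ports concurrently; return {port: is_open}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, tcp_connect(host, p, timeout)), ports))


def demo_local_scan():
    """Open a loopback listener on an ephemeral port and scan a window around it.
    Returns (listening_port, scan_results) so the caller can check the result."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        found = tcp_connect_scan("127.0.0.1", range(port - 2, port + 3))
        return port, found
    finally:
        listener.close()


if __name__ == "__main__":
    listening, results = demo_local_scan()
    for p, is_open in sorted(results.items()):
        print(f"{p:5d}/tcp ({classify_port(p):7s}) {'open' if is_open else 'closed'}")
```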

A wide variety of tools to assist in port scanning exist, including:
  • Nmap
  • Hping 2 and Hping 3
  • UnicornScan
  • Masscan

Common types of port scans include:
  • Full Open Scan
  • Stealth Scan or Half-open Scan
  • Xmas Tree Scan
  • FIN Scan
  • NULL Scan
  • ACK Scan
  • UDP Scan