How to do it...

In addition to the discovery capabilities that have already been mentioned, the hping3 command can also be used to perform a TCP port scan:

  1. To perform a port scan with hping3, we need to use the --scan mode with an integer value to indicate the port number to be scanned:
  2. In the example provided, a SYN scan was performed against TCP port 80 of the IP address indicated. The -S option identifies the TCP flags set in the packet sent to the remote system. The table indicates the attributes of the packet received in response. As indicated by the output, a SYN+ACK response was received, which indicates that port 80 is open on the target host. Additionally, we can scan multiple ports by passing a comma-delimited series of port numbers, as follows:
  3. In the scan output provided, you can see that results are only displayed if a SYN+ACK response is received. Note that the response associated with the SYN request sent to port 443 is not displayed. As indicated in the output, we can view all of the responses by increasing the verbosity with the -v option. Additionally, a sequential range of ports can be scanned by passing the first and last port values separated by a dash, as follows:
  4. In the example provided, the 100-port scan was sufficient to identify several services on the Metasploitable2 system. However, to perform a scan of all possible TCP ports, every possible port value needs to be scanned. The source and destination port fields of the TCP header are each 16 bits long, and each bit can hold a value of 1 or 0. As such, there are 2^16, or 65,536, possible TCP port addresses. For the total possible address space to be scanned, a port range of 0 to 65535 needs to be supplied, as follows:
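From the defender's side, the pattern the steps above produce is easy to pick out: one source sends SYNs to many distinct ports on one host, and the host answers SYN+ACK on open ports and RST on closed ones. The following added example (not from the book, and not hping3 code) runs that check over constructed connection records and reports the probed, open and closed ports per scanner/target pair; the record format, addresses and the `detect_syn_scans` function are assumptions of this example.

```python
# Added example, not from the book: flag a SYN scan of the kind hping3 --scan -S
# produces, from constructed records, and read open/closed ports from the replies.
from collections import defaultdict

# Each record is (src_ip, src_port, dst_ip, dst_port, tcp_flags). Flag strings
# use hping3's letters: "S" = SYN, "SA" = SYN+ACK, "RA" = RST+ACK.
# Constructed sample; addresses come from the RFC 5737 documentation ranges.
SAMPLE_RECORDS = [
    ("198.51.100.7", 40001, "192.0.2.10", 22, "S"),
    ("192.0.2.10", 22, "198.51.100.7", 40001, "SA"),
    ("198.51.100.7", 40002, "192.0.2.10", 25, "S"),
    ("192.0.2.10", 25, "198.51.100.7", 40002, "SA"),
    ("198.51.100.7", 40003, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "198.51.100.7", 40003, "SA"),
    ("198.51.100.7", 40004, "192.0.2.10", 443, "S"),
    ("192.0.2.10", 443, "198.51.100.7", 40004, "RA"),
    ("198.51.100.7", 40005, "192.0.2.10", 8080, "S"),
    ("192.0.2.10", 8080, "198.51.100.7", 40005, "RA"),
    # A normal client opening a single connection: not a scan.
    ("198.51.100.8", 51000, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "198.51.100.8", 51000, "SA"),
]

def detect_syn_scans(records, min_ports=4):
    """Return {(scanner, target): {"probed": n, "open": [...], "closed": [...]}}
    for every (src, dst) pair that sent SYNs to at least min_ports distinct
    destination ports. Open/closed are taken from the target's replies."""
    probed = defaultdict(set)      # (scanner, target) -> set of probed ports
    replies = defaultdict(dict)    # (target, scanner) -> {probed port: flags}
    for src, sport, dst, dport, flags in records:
        if flags == "S":
            probed[(src, dst)].add(dport)
        elif flags in ("SA", "RA"):
            replies[(src, dst)][sport] = flags   # reply source port = probed port
    findings = {}
    for (scanner, target), ports in probed.items():
        if len(ports) < min_ports:
            continue
        answers = replies.get((target, scanner), {})
        findings[(scanner, target)] = {
            "probed": len(ports),
            "open": sorted(p for p in ports if answers.get(p) == "SA"),
            "closed": sorted(p for p in ports if answers.get(p) == "RA"),
        }
    return findings

if __name__ == "__main__":
    for pair, info in detect_syn_scans(SAMPLE_RECORDS).items():
        print(f"{pair[0]} -> {pair[1]}: {info}")
```

Ports that were probed but drew no reply at all appear in neither list, which is the same silent case the -v option exposes in hping3's own output.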