Practical Examples for Network Recon & Service Identification in C#
A hands-on guide for developers, blue teamers, and ethical hackers
High-performance scanners such as Nmap, ZMap, Masscan, and RustScan use raw-socket engines and highly optimized packet scheduling. However, many real-world environments don’t allow raw packet access — and not every project needs kernel-level scanning.
C# gives you a powerful middle-ground: fast enough to scan networks efficiently, easy enough to build quickly, and flexible enough for protocol fingerprinting and even SYN scanning with additional libraries.
This guide expands on core examples and focuses on practical usage, clarity, and ESL-friendly explanations.
Why C# is Good for Network Scanning
C# offers a strong balance of safety and control:
Benefits:
Easy async/parallel scanning with
TaskRuns cross-platform using .NET (Windows, Linux, macOS)
Safe compared to raw C socket operations
Can scale into advanced scanning using SharpPcap / PacketDotNet
Great for building internal recon tools or learning low-level networking concepts
Even if you later rebuild the tool in Rust or Go for pure speed, C# is an excellent environment for prototyping and understanding the scanning logic first.
TCP Port Probe
Simple and reliable method to determine if a port is open.
using System.Net.Sockets;
using System.Threading.Tasks;
public static async Task<bool> IsPortOpen(string host, int port, int timeoutMs = 300)
{
try
{
using var client = new TcpClient();
var connectTask = client.ConnectAsync(host, port);
if (await Task.WhenAny(connectTask, Task.Delay(timeoutMs)) == connectTask)
return client.Connected;
return false; // timeout
}
catch
{
return false;
}
}
Strengths:
Easy to implement
Great for initial probing
Confirms service availability quickly
Weaknesses:
Noisy — full TCP connection (blue teams notice it)
Banner Grabbing for Service Fingerprinting
Once you know a port is open, the next question is:
What service is running there?
using System.Text;
using System.Net.Sockets;
using System.Threading.Tasks;
public static async Task<string?> GrabBanner(string host, int port)
{
try
{
using var client = new TcpClient();
await client.ConnectAsync(host, port);
using var stream = client.GetStream();
var buffer = new byte[2048];
await Task.Delay(150); // Some services greet first
if (stream.DataAvailable)
{
var bytes = await stream.ReadAsync(buffer);
return Encoding.ASCII.GetString(buffer, 0, bytes);
}
// Generic probe for HTTP servers
var probe = Encoding.ASCII.GetBytes(”GET / HTTP/1.0\r\n\r\n”);
await stream.WriteAsync(probe);
int read = await stream.ReadAsync(buffer);
return Encoding.ASCII.GetString(buffer, 0, read);
}
catch
{
return null;
}
}
Banner grabbing helps identify:
HTTP servers (even on unusual ports)
SSH services and versions
SMTP, FTP, POP3, IMAP
Admin consoles, shadow services
Internal frameworks and products
This is the classic first step before deeper fingerprinting.
UDP Probing (for DNS, SNMP & Silent Services)
UDP is tricky. Closed ports usually remain silent.
Open ports may also remain silent.
This probe simply tests for any response.
using System.Net;
using System.Net.Sockets;
public static async Task<bool> IsUdpPortOpen(string host, int port, int timeoutMs = 400)
{
try
{
using var udp = new UdpClient();
udp.Client.ReceiveTimeout = timeoutMs;
await udp.SendAsync(new byte[0], 0, host, port);
var receiveTask = udp.ReceiveAsync();
return await Task.WhenAny(receiveTask, Task.Delay(timeoutMs)) == receiveTask;
}
catch
{
return false;
}
}
Useful for discovering:
DNS servers on port 53
SNMP devices (network, printers, switches)
VoIP/SIP gateways
ICS & OT environments
Custom internal UDP daemons
UDP mapping is noisy, but crucial for enterprise recon.
Rapid Port Scanning using Tasks
Use this when you want fast results across large port lists.
public static async Task ScanPorts(string host, int startPort, int endPort)
{
var tasks = Enumerable.Range(startPort, endPort - startPort + 1)
.Select(async port =>
{
if (await IsPortOpen(host, port))
Console.WriteLine($”Open: {port}”);
});
await Task.WhenAll(tasks);
}
Can be expanded into a real scanner with:
Banner grabbing per port
TLS certificate inspection
HTTP header fingerprinting
Rate limiting & timeout control
Multi-host scanning
This is the foundation of a lightweight C# reconnaissance tool.
Raw SYN Scanning
A SYN scan is stealthier than a TCP connect scan because it never completes the handshake.
This is how tools like nmap -sS operate.
C# cannot do this natively, but SharpPcap + PacketDotNet make it possible.
using PacketDotNet;
using SharpPcap;
public static void SendSynProbe(string targetIp, int port)
{
var devices = CaptureDeviceList.Instance;
var dev = devices[0];
dev.Open();
var ip = new IPv4Packet(dev.Interface.Addresses[0].Addr.ipAddress, IPAddress.Parse(targetIp));
var tcp = new TcpPacket(12345, port)
{
Syn = true,
WindowSize = 8192
};
ip.PayloadPacket = tcp;
dev.SendPacket(ip.Bytes);
// Listen for SYN/ACK or RST to detect state
}
Raw SYN scanning gives you:
Stealth (no full handshake)
Faster probing than TCP connect
More control over crafted packets
Perfect for building something closer to Nmap on .NET.
Final Takeaways
Network scanning is never one technique — it’s a stack of capabilities:
Use TCP probes for quick discovery
Use banner grabbing for service identification
Use UDP probes for DNS, SNMP, VoIP, and ICS systems
Use SYN scanning when stealth or speed matters
Expand with TLS parsing, HTTP signature mapping, and JSON outputs
Even these lightweight C# scripts can evolve into:
An internal corporate recon tool
A teaching platform for OSCP/OSWE learners
A mini-Nmap for .NET environments
A blue-team monitoring and asset-mapping toolkit
Small code snippets grow into serious capability.