Category: Scanning

Posted on by

Network scanning guide for beginners

Hello, aspiring Ethical Hackers. In this blogpost, you will learn about Network Scanning. Network Scanning is the second stage in a Penetration Test and is the first step where an Ethical Hacker directly interacts with the target network.

What is Network Scanning?

Network scanning is the technique in which the target network is scanned for LIVE systems (Active Systems), open ports and vulnerabilities. Network Scanning is of three types.

They are,

  1. LIVE Host Scanning or Host Scanning.
  2. Port Scanning.
  3. Vulnerability Scanning.

LIVE Host Scanning

In LIVE Host Scanning, a range of IP addresses (obtained earlier from Network Footprinting) are scanned for LIVE systems or active systems (systems that are turned on) as a system that is shut down is safe from hacking. Network Scanning can be done manually but when we have to scan an entire range of IP addresses, it is best to use a network scanner.

How do network scanners detect if a system is LIVE or not? Although, they use a variety of methods to scan for LIVE systems, one of the most common method any network scanner uses is Ping.

Ping is a network diagnostic tool that helps users determine if a destination system is active or not. Ping works by sending a “echo request” to the target destination IP. If the destination system is LIVE, it will send a “echo reply” message. Ping is available in both Windows and Linux systems. It works by using ICMP (Internet Control Message Protocol).

In LIVE Host Scanning, a range of IP addresses (obtained earlier from Network Footprinting) are scanned for LIVE systems or active systems (systems that are turned on) as a system that is shut down is safe from hacking.

Network Scanning can be done manually but when we have to scan an entire range of IP addresses, it is best to use a network scanner.

How do network scanners detect if a system is LIVE or not? Although, they use a variety of methods to scan for LIVE systems, one of the most common method any network scanner uses is Ping.

Ping is a network diagnostic tool that helps users determine if a destination system is active or not. Ping works by sending a “echo request” to the target destination IP. If the destination system is LIVE, it will send a “echo reply” message. Ping is available in both Windows and Linux systems. It works by using ICMP (Internet Control Message Protocol)

Apart from Ping, Network scanners also use ARP scanning to determine if a system is LIVE or not.

2. Port Scanning

A port is a virtual point where all network connection start and end. Ports are software based virtual addresses where all network connections start and end. Each service is given one separate port and it is managed by the computer’s Operating System. Given below are some important port numbers and services associated with them.

Just like Host scanners, Port scanners are used to perform port scanning. NMAP is the most popular and versatile port scanner. But how does port scanning work. A port scanning sends a TCP or UDP network packet to a specific port to enquire about its status. Learn about Port scan results here. Attackers use various techniques of port scanning before coming to a conclusion about a particular port of interest. Learn about various port scanning techniques here.

3. Vulnerability Scanning

Vulnerability scanning identifies vulnerabilities in network, applications and services. A Vulnerability scanner use a database to compare details about version of software running on target system to detect and identify vulnerabilities. This database used by vulnerability scanner has common programming bugs, default credentials, default configurations, common username & passwords etc.

Posted on by 2 Comments

Complete guide to Nmap port scanner

Hello, aspiring ethical hackers. This blogpost is a complete guide for using Nmap (Network Mapper). It is a popular and open source utility used for port scanning and network discovery by network administrators and pen testers. It uses real IP packets in novel ways to determine the LIVE hosts on the networks, open ports, the services they are running, type of firewalls in use etc. It is available for all major operating systems like Linux, Windows and Mac OSX.

We are using it on Kali Linux where it is installed by default. Let’s begin with how to specify targets while scanning.

Target specification

1. nmap -iL <input filename>

This option reads targets from a specific file. Let’s create a file named alpha with a few newline separated or tab-limited or space separated IP addresses using vi on Desktop.

Then, move to Desktop directory and type the command as shown below. It scans the four IP addresses listed in our file.

2. nmap -iR <number of hosts>

This option is used to specify random hosts to scan. Nmap generates its own targets to scan. The <number of hosts>argument tells nmap the number of IP’s to generate. Let’s type command as shown below.We can see that it generated five random targets to scan. The scan failed to determine route to the generated IP addresses because my system is not connected to Internet. Why didn’t it generate any internal IP addresses? Because in this scan private, multicast and unallocated address ranges are automatically skipped.

3. nmap <IP address/dir>

This option is used to scan the entire subnet. Assuming you know CIDR let’s type the command as shown below to scan eight IP addresses from 10.10.10.1 to 10.10.10.8 and see the result below.

4. nmap [targets] -exclude[targets]

This option specifies a comma separated list of targets to be excluded from the scan even if they are part of overall network range we specify. For example, in our previous scan we saw that one host 10.10.10.2( which is the system I am working on) is alive. Now I decided to exclude that host and another host from the scan. So I type the command as shown in the image given below and press “Enter”. We can see that nmap has only scanned six IP addresses.

5. nmap [targets] -excludefile[file name]

Now what if the subnet was very big and there are more number of hosts to be excluded from the scan. The above option helps us to achieve this. Remember the file “alpha”( with four IP addresses) we created. Now let’s specify nmap to quit scanning the hosts listed in the file. Type the command as shown below. We can see that it scanned only four hosts in the subnet.

6. nmap [target1 target2 target3]

This option specifies nmap to scan multiple targets separated by space. Type the command shown below . We can see the result below.

Scan types

Nmap is equipped with a variety of scans to detect open ports and services on the target system. Learn about Nmap’s various port scan techniques here.

Scan results

Nmap classifies the ports it scans into six categories. They are open, closed, filtered, unfiltered, open/filtered and closed/unfiltered. In which cases does Nmap classify a port as one of the above. Learn in port scan results of Nmap.