.svg)
In penetration testing and ethical hacking, network scanning is a critical step in understanding and assessing the security posture of a system or network. This blog explores various scanning techniques and tools, providing a comprehensive guide for both beginners and intermediate penetration testers and hackers. Let’s start from scratch by scanning, Pings.
Understanding Pings
Ping is a network utility tool that is used to test the reachability of a host on an Internet Protocol (IP) network. It also measures the round-trip time for messages sent from the originating host to a destination computer. The name "ping" comes from sonar sounds used in submarines to detect other objects in the water.
When a ping command is executed, it sends Internet Control Message Protocol (ICMP) Echo Request messages to the destination host. If the destination host is reachable, it responds with an ICMP Echo Reply. The round-trip time is then measured, giving an indication of the network latency. Let’s look at the example to understand it better, ping www.google.com
This will ping the “www.google.com” and results will be similar to those shown below, (you may see different IP address)
Ping Sweep
A ping sweep is a technique used to discover live hosts within a specific IP range. This is achieved by sending a series of ICMP Echo Requests to multiple IP addresses in succession. The goal is to identify which hosts respond, indicating their active presence on the network.
Here's a step-by-step guide on how to execute a ping sweep effectively:
1. Determine IP Range
Identify the range of IP addresses you want to scan. For example, if your network uses the subnet 192.168.1.0/24, the IP range would be 192.168.1.1 to 192.168.1.254.
2. Execute Ping Sweep
Use a command-line interface or a network scanning tool to send ICMP Echo Requests to each IP address in the specified range. The basic command for a ping sweep in a command-line interface is:
This loop sends a single ping to each IP address in the range and outputs the responses.
Another method for executing the ping sweep is, the use of fping;
If we want to perform the ping sweep for the above example, it can be done like this:
Now, let’s break it down to understand what it is doing,
-a – it is switch to store only active hosts from a given IP range, in our case, we are storing it in Active.txt
-g – to give IP range, in our case it is 192.169.1.1 to 192.168.1.254
3. Analyze Results
Review the output to identify which IP addresses responded to the ping requests. Responding addresses indicate active hosts on the network. For our example we can see the active hosts list in Active.txt file,
While ping sweeps are valuable for network administrators to identify active hosts, they can also be used for malicious purposes. Attackers may use ping sweeps as a reconnaissance technique to gather information about a network's topology and identify potential targets. Network security measures, such as firewalls and intrusion detection systems, should be in place to detect and mitigate such activities.
It's essential to use ping sweeps responsibly and only within the scope of authorized network administration activities. Unauthorized or malicious use of ping sweeps can lead to security breaches and compromise the integrity of a network.
Port Scanning
Port scanning is a crucial technique in the arsenal of a penetration tester. It involves systematically scanning a target system or network to identify open ports and services running on those ports. This information is valuable for assessing the security posture of a system, discovering potential vulnerabilities, and understanding the overall attack surfLuffy. Before we start performing port scanning, it is crucial to understand the 3-way handshake. So, let’s first take a brief look at it, and then we will move further.
3-Way Handshake
The three-way handshake is a key process used in the establishment of a TCP (Transmission Control Protocol) connection between two devices, typically computers or network devices. It ensures that both devices are ready and willing to communicate before data exchange begins.
Imagine two people meeting for the first time at a party. They want to start a conversation, but they don't know each other yet. Here's how the process unfolds,
1. Initiation (SYN)
Luffy walks up to Nami and says, "Hey, I'd like to chat with you." This is similar to the first computer sending a SYN packet to the second computer. It's an invitation to start a conversation.
2. Acknowledgment (SYN/ACK)
Nami responds, "Sure, I'm open to chatting. Let's do it." This is like the second computer acknowledging the SYN request by sending a SYN/ACK packet. It's saying, "I received your invitation, and I'm ready to communicate."
3. Confirmation (ACK)
Luffy, upon receiving the positive response, says, "Great! Nice to meet you, I'm Luffy." This is analogous to the first computer sending an ACK packet, confirming that it got the acknowledgment and introducing itself. Now, both parties are aware of each other and can communicate freely.
Just like in the TCP three-way handshake, this process ensures that both parties are ready and willing to engage in a conversation before they start exchanging information.
Now that we know what is 3-way handshake let’s try some of the port scanning techniques using Nmap.
TCP Connect Scan
This is the most basic form of port scanning, where the scanner attempts to establish a full TCP connection with the target port. If the connection is successful, the port is considered open; otherwise, it is marked as closed.
TCP SYN Scan (Half-Open Scan)
This type of scan is more discreet as it does not complete the full TCP connection. The scanner sends a TCP SYN packet and waits for a response. If a SYN-ACK is received, the port is considered open; if a RST (reset) is received, the port is closed.
TCP FIN Scan
This scan sends a TCP FIN (finish) packet to the target port. If the port is open, it should not send a response, but if closed, it should respond with an RST packet.
TCP XMAS Scan
Similar to the FIN scan, this scan sends a packet with the FIN, URG, and PSH flags set. The behavior of the target port's response helps identify whether it is open or closed.
UDP Scan
While TCP scans focus on open ports, UDP scans are used to identify open UDP ports. UDP is connectionless, so the scanner sends a UDP packet to the target port and analyzes the response (if any) to determine openness.
Idle Scan (Zombie Scan)
This scan involves using a third-party host (a "zombie") to perform the scan without directly connecting to the target. By exploiting differences in sequence numbers, the scanner can infer the status of the target port.
The Nmap Scripting Engine
The Nmap Scripting Engine (NSE) is a powerful and flexible component of the Nmap (Network Mapper) tool that allows users to write and execute scripts to automate a wide range of tasks during network scanning. Nmap itself is a popular open-source network exploration and security auditing tool used to discover hosts and services on a computer network, creating a map of the network's structure.
The NSE extends the capabilities of Nmap by enabling users to perform tasks such as vulnerability detection, service version detection, and even exploitation, all within the context of a network scan. NSE scripts are written in the Lua programming language, which is embedded in Nmap. Users can take advantage of existing scripts or create their own to customize the scanning process.
Here are some key features and concepts related to the Nmap Scripting Engine
1. Script Categories
NSE scripts are categorized based on their functionality. Some common categories include;
2. Script Arguments
NSE scripts can accept arguments to customize their behavior. Users can pass arguments to scripts to control aspects such as target selection, output formatting, and verbosity.
3. Script Output
NSE scripts generate output that can be used to identify potential security issues, vulnerabilities, or other information about the target network. The output can be in various formats, including plain text, XML, and even interactive user interfaces.
4. Integration with Nmap Scans
NSE scripts can be integrated into Nmap scans using the `--script` option. Users can specify scripts to be executed during the scan to enhance the overall scanning process.
5. Community Contributions
The Nmap Scripting Engine benefits from contributions from the community. Users can find and share scripts on the Nmap Scripting Database (https://nmap.org/nsedoc/), which contains a collection of scripts created by Nmap users.
To use NSE scripts during a scan, you can use a command similar to the following:
Replace script-name with the name of the script or a category of scripts, and target with the target IP address or hostname.
Keep in mind that while NSE scripts can be powerful, they should be used responsibly and with proper authorization. Unauthorized scanning or exploitation of systems is against the law and ethical guidelines. Always ensure you have the right to scan and test the systems you are targeting.
Conclusion
In summary, network scanning plays a vital role in penetration testing by identifying live hosts, open ports, and vulnerabilities. Mastering techniques like ping sweeps, port scans, and utilizing the powerful Nmap Scripting Engine equips you with the tools to assess network security effectively. However, these should only be used responsibly and with proper authorization.
If you need professional assistance in conducting comprehensive penetration tests, Alphabin offers expert penetration testing services. Their experienced ethical hackers employ advanced scanning methodologies, leveraging cutting-edge tools and techniques to uncover potential vulnerabilities in your systems and networks. Trust Alphabin to provide you with a detailed report and recommended mitigation strategies to fortify your cyber defenses.
