Network scanning is the process of gathering information about computing systems on a network. It is used mostly for assessing system security and performing maintenance, but can also be used by hackers to attack the network. Network scanning is usually the first step in active reconnaissance, where the attacker seeks to discover potentially vulnerable targets. It can include any of the following activities:
- Host discovery
- Port scanning
- Packet crafting
- Device enumeration
- Vulnerability scanning
Discovery Scanning
A discovery scan is used to find live IP addresses on a network for the purpose of revealing potential targets. Traditionally, a discovery scan was a ping sweep, sending an ICMP ECHO REQUEST to every address in the specified range. Hosts that responded were then displayed. Because most modern hosts have software firewalls that disallow ICMP, Nmap discovery scans use other methods besides just ICMP to detect live hosts.
The following table summarizes common Nmap discovery scan types.
| Nmap Discovery Scan Syntax | Example | Description |
|---|---|---|
| -PR | nmap -PR 192.168.1.50 | Send an ARP request to the target to see if there is a response. ARPs are generally not blocked by firewalls. This is the default discovery method for any Nmap scan on an Ethernet LAN. |
| -sn | nmap -sn 192.168.1.0/24 | No port scan. Discover only, using a combination of ICMP ECHO REQUEST, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request. |
| -PS <portlist> | nmap -PS135 192.168.1.0/24 | Discover hosts by sending a TCP SYN to the specified port(s). Default is 80. Any response (SYN ACK or RST) indicates the target is up. There can be no space between -PS and the port list. Will be followed by a port scan unless -sn is also used. |
Another discovery option is the NSE script targets-sniffer.nse (the command itself is not reproduced here). It sniffs the network on the eth0 interface for 60 seconds, lists any new targets it sees, then scans those targets.
Port Scanning
Port scanning is the process of determining which TCP and UDP ports the target is listening on. It is the first step in enumerating services that are running on the target. Port scanning can use any number of techniques. The most straightforward is to simply make a connection to the service on its listening port, using a standard TCP three-way handshake. Once the connection is made, the scanner sends a TCP RST (reset) to the server to kill the connection. The scanner logs the connection and moves on to the next port, attempting to connect to the next service. If the scanned port is UDP-based, then the scanner attempts to elicit a reaction from the listening service, which may or may not respond. UDP services are much more difficult to fingerprint, as UDP does not have a handshake process.
Port scanners can try every single port (1 through 65535) or a select subset of common ports. Most port scanners allow you to choose which ports you wish to scan. The results of a port scan can give insights into the type of computer you are connecting to, including its operating system and available services. Some ports are specific to a particular operating system. For example, TCP 135 is only seen on Microsoft computers, whereas TCP 111 is usually only seen on Linux/Unix (*nix) computers. (A notable exception is when a Windows server is running Services for Unix.) This is because they are used by their respective operating systems to map incoming client requests to the desired remote-procedure-call-based service. If you see either of these running on the other operating system, you are likely looking at a decoy. Most of the other ports can appear on either operating system if the proper service or application is installed.
The following table lists some common ports and their services.
| Port Number (TCP unless otherwise specified) | Service |
|---|---|
| 21 | FTP commands |
| 22 | SSH |
| 23 | Telnet |
| 25 | SMTP |
| 53 (can be TCP or UDP) | DNS |
| 80 | HTTP |
| 88 | Kerberos |
| 110 | POP3 |
| 111 (can be TCP or UDP) | *nix portmapper |
| 135 | Microsoft Remote Procedure Call (RPC) |
| 139 | SMB (legacy) |
| 143 | IMAP4 |
| 161 (can be TCP or UDP, but only UDP is currently used) | SNMP |
| 162 (can be TCP or UDP, but only UDP is currently used) | SNMP traps |
| 389 | LDAP |
| 443 | HTTPS |
| 445 | Microsoft-ds (authentication used by SMB) |
| 3389 | RDP |
The following port scan examples compare a Linux machine with a Windows machine. In the Linux scan, note the existence of TCP 111, 139, and 445, and the absence of TCP 135. In the Windows scan, note the existence of TCP 135 and the absence of 111.
Linux scan output and Windows scan output (not reproduced in this copy of the page).
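The comparison above is easier to make mechanically. The following added example (not code from the original page) parses Nmap's grepable output format (-oG), which covers both a discovery-only scan (Status lines) and a port scan (Ports lines), and applies the heuristic from the text: TCP 135 suggests Windows, TCP 111 suggests Linux/Unix, and both together suggests a decoy. The sample output is constructed, not a real capture, and the service names come from the table above.

```python
"""Parse Nmap grepable (-oG) output from a discovery scan (-sn) or a port scan
and apply the port-based OS heuristic from the text."""
import re
from collections import defaultdict

# Port-to-service names taken from the table above (TCP unless noted).
COMMON_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
    88: "Kerberos", 110: "POP3", 111: "*nix portmapper", 135: "Microsoft RPC",
    139: "SMB (legacy)", 143: "IMAP4", 161: "SNMP", 162: "SNMP traps",
    389: "LDAP", 443: "HTTPS", 445: "Microsoft-DS (SMB)", 3389: "RDP",
}

# Constructed -oG text (not a real capture). Fields are tab-separated; each
# port entry is port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.168.1.50 ()\tStatus: Up\n"
    "Host: 192.168.1.50 ()\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)\n"
    "Host: 192.168.1.60 ()\tStatus: Up\n"
    "Host: 192.168.1.60 ()\tPorts: 53/filtered/tcp//domain///, 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (995)\n"
    "Host: 192.168.1.70 ()\tStatus: Up\n"
    "Host: 192.168.1.70 ()\tPorts: 111/open/tcp//rpcbind///, 135/open/tcp//msrpc///\t"
    "Ignored State: closed (998)\n"
    "Host: 192.168.1.80 ()\tStatus: Up\n"
    "# Nmap done -- 4 IP addresses (4 hosts up) scanned\n"
)

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {ip: {"up": bool, "open": {(port, proto): service}}} from -oG text."""
    hosts = defaultdict(lambda: {"up": False, "open": {}})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines ("# Nmap ...") carry no host data
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                hosts[ip]["up"] = value.strip() == "Up"
            elif key == "Ports":
                for entry in value.split(","):
                    m = PORT_RE.match(entry.strip())
                    # Only "open" counts; filtered/closed ports are ignored.
                    if m and m.group(2) == "open":
                        port, proto = int(m.group(1)), m.group(3)
                        hosts[ip]["open"][(port, proto)] = COMMON_PORTS.get(port, "unknown")
    return dict(hosts)


def guess_os(open_ports):
    """Apply the 135-versus-111 heuristic from the text to a host's open ports."""
    tcp = {port for port, proto in open_ports if proto == "tcp"}
    if 135 in tcp and 111 in tcp:
        return "suspicious: both TCP 135 and 111 open (possible decoy)"
    if 135 in tcp:
        return "likely Windows"
    if 111 in tcp:
        return "likely Linux/Unix"
    return "undetermined"


def summarize(hosts):
    """One line per host: status, likely OS, and named open ports."""
    lines = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        info = hosts[ip]
        ports = ", ".join(f"{p}/{pr} {svc}" for (p, pr), svc in sorted(info["open"].items()))
        status = "up" if info["up"] else "down"
        lines.append(f"{ip}: {status}; {guess_os(info['open'])}; {ports or 'no open ports reported'}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_grepable(SAMPLE_OG)):
        print(line)
```

Run `nmap -oG scan.gnmap ...` and feed the file to parse_grepable to use it on real output. Note that a host that is up but has no Ports line (192.168.1.80 in the sample) is what a discovery-only scan reports, and that a filtered port (53 on 192.168.1.60) is deliberately not treated as open.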
Stealth Scans
The TCP SYN scan is the original stealth scan. Because the attacker does not complete the TCP three-way handshake, the connection attempt is less likely to be logged. Here is an Nmap stealth scan example:
nmap -sS 192.168.1.50
Today, any good IDS will recognize this type of scan. Nmap has other ways to be stealthy. The following table summarizes common evasion methods used by Nmap.
| Stealth Option | Example | Description |
|---|---|---|
| -sS | nmap -sS 192.168.1.50 | The original "stealth" scan. Send a TCP SYN. If the target responds with a SYN ACK, do not complete the handshake, but instead send a RST. This is less likely to be logged by the target. |
| -sA | nmap -sA 192.168.1.0/24 | Send a TCP ACK. Used to map out firewall rulesets, determine which ports are filtered, and whether a firewall is stateful or not. |
| -sN | nmap -sN 192.168.1.2-10 | Send a TCP segment with no flags raised. This is not the normal state for TCP, which always has at least one flag (usually ACK) raised. Used to sneak through a non-stateful firewall. |
| -sF | nmap -sF www.company.tld | Send a TCP FIN. Used to sneak through a non-stateful firewall. |
| -sX | nmap -sX 192.168.1.0/24 | Send a TCP segment with FIN, PSH, and URG flags raised, thus lighting up the packet "like a Christmas tree." This is an illogical combination. Used to sneak through a non-stateful firewall. |
| -Pn | nmap -Pn -p- 192.168.1.0/24 | Skip discovery. Assume all hosts are online for the port scan. Useful if targets have their firewall up and only offer services on unusual ports. |
| -sI <zombie> <target> | nmap -sI zombie.middle.tld -Pn -p- www.company.tld | Conduct a blind TCP port scan (idle scan). No packets are sent directly from your attacker machine to the target. Uses a "zombie" (middle man) host to obtain information about open ports on the target. The zombie name must immediately follow -sI. You have to spend some time identifying a machine that can act as a zombie. Once you locate a good zombie, you can reuse it for more scans. |
| -b <FTP relay> <FTP target> | nmap -v -b name:password@old-ftp-server.company.tld ftp-target-server.company.tld -Pn | Conduct an FTP bounce scan. Exploit FTP proxy connections in which a user asks a "middle man" FTP server to send files to another FTP server. Because of widespread abuse, the FTP relay feature has been disabled by most vendors. |
| -T <0-5> | nmap 192.168.1.0/24 -T 2 | Use different timing templates to throttle the speed of your queries to make the scan less noticeable. Choose from T0 (slowest) to T5 (fastest). Nmap also refers to these speeds as paranoid, sneaky, polite, normal, aggressive, and insane, respectively. T0 and T1 are best for IDS evasion, but are VERY slow. T5 has been reported to be unstable because it is too fast. T4 is the recommended choice for a fast scan that is still stable. T3 is the default. |
| -f | nmap -f 192.168.1.50 | Split packets (including pings) into 8-byte fragments to make it harder for packet filtering firewalls and intrusion detection to detect the purpose of packets. The --mtu option sets a different fragment size instead, which must be a multiple of 8. |
| -D <decoy1,decoy2,decoy3,...> <target> | nmap -D 192.168.1.10,192.168.1.15,192.168.1.30 192.168.1.50 | Used to mask a port scan by using decoys. Creates bogus packets "from" the decoys so the actual attacker "blends in" with the crowd. It looks like both the decoys and the actual attacker are performing attacks. Decoys are separated by commas, with no spaces. In this example, 192.168.1.50 is the target; the other IPs are the decoys. |
| -e <interface> | nmap -e eth0 192.168.1.50 | Specify the interface Nmap should use. |
| -S <spoofed source address> | nmap -e eth0 -S www.google.com 192.168.1.50 | Spoofs the source address. Might not return results, since the target will try to respond to the fake address. Can be used to confuse an IDS or the target administrator. Often used with -e or -Pn. May throw binding errors. A spoofed scan should be validated by a Wireshark capture on the target. This example makes it appear to target 192.168.1.50 that www.google.com is trying to scan it. |
| --spoof-mac <vendor type or MAC address> | nmap -sT -Pn --spoof-mac apple 192.168.1.50 and nmap -sT -Pn --spoof-mac B7:B1:F9:BC:D4:56 192.168.1.50 | Use a bogus source hardware address (also known as a Media Access Control or MAC address). You can specify a random MAC based on vendor, or explicitly specify the MAC address. The first example creates a random Apple hardware address. Note: Do not mistake "MAC" for Macintosh. |
| --source-port <portnumber> | nmap --source-port 53 192.168.1.36 | Use a specific source port number (spoof source port) to fool packet filters configured to trust that port. Same as the -g <portnumber> option. |
| --randomize-hosts | nmap --randomize-hosts 192.168.1.1-100 | Randomize the order of the hosts being scanned. |
| --proxies <proxy:port,proxy:port,...> | nmap --proxies http://192.168.1.30:8080,http://192.168.1.90:8008 192.168.1.50 | Relay TCP connections through a chain of HTTP or SOCKS4 proxies. Especially useful on the Internet. This example conducts an Nmap scan against target 192.168.1.50 through two proxies, 192.168.1.30 and 192.168.1.90. |
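From the defender's side, the table above describes exactly what an IDS looks for. The following added example (not code from the original page) runs toy detection logic over constructed connection records: it flags half-open SYN scans (many SYNs from one source, never followed by the completing ACK), shows why a short rate window misses a -T1 pace scan that a long-lived per-source counter still catches, and names the illegal flag sets used by -sN, -sF and -sX. The records, addresses and thresholds are assumptions for illustration.

```python
"""Toy detection logic for the stealth-scan patterns described in the text,
run over constructed connection records (not captured traffic)."""
from collections import defaultdict

# Each record: (seconds, src, dst, dport, flags) for a packet sent by src.
# Flag letters follow tcpdump/Nmap: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.
RECORDS = []
# 10.0.0.5: fast -sS sweep, one SYN per second to 30 ports, never an ACK.
RECORDS += [(i, "10.0.0.5", "192.168.1.50", 20 + i, "S") for i in range(30)]
# 10.0.0.9: the same sweep at a -T1-like pace, one SYN every five minutes.
RECORDS += [(300 * i, "10.0.0.9", "192.168.1.50", 20 + i, "S") for i in range(30)]
# 10.0.0.7: a normal client that completes the handshake (SYN, then ACK).
RECORDS += [(5.0, "10.0.0.7", "192.168.1.50", 443, "S"),
            (5.1, "10.0.0.7", "192.168.1.50", 443, "A"),
            (6.0, "10.0.0.7", "192.168.1.50", 80, "S"),
            (6.1, "10.0.0.7", "192.168.1.50", 80, "A"),
            (6.2, "10.0.0.7", "192.168.1.50", 80, "PA")]
# 10.0.0.11: -sN, -sF and -sX style probes against port 22.
RECORDS += [(40.0, "10.0.0.11", "192.168.1.50", 22, ""),
            (40.1, "10.0.0.11", "192.168.1.50", 22, "F"),
            (40.2, "10.0.0.11", "192.168.1.50", 22, "FPU")]

# Flag sets that never occur in a legitimate TCP exchange (keys are sorted letters).
ILLEGAL_FLAG_SETS = {"": "NULL scan", "F": "FIN scan", "FPU": "Xmas scan"}


def half_open_targets(records):
    """Per source: (dst, port) pairs it sent a bare SYN to but never an ACK."""
    syn, ack = defaultdict(set), defaultdict(set)
    for _ts, src, dst, dport, flags in records:
        if set(flags) == {"S"}:
            syn[src].add((dst, dport))
        elif "A" in flags:
            ack[src].add((dst, dport))
    return {src: targets - ack[src] for src, targets in syn.items()}


def count_alerts(records, threshold):
    """Sources with at least `threshold` half-open targets over the whole record set."""
    return {src for src, tg in half_open_targets(records).items() if len(tg) >= threshold}


def rate_alerts(records, window, threshold):
    """Sources that sent SYNs to `threshold` distinct targets within any `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in records:
        if set(flags) == {"S"}:
            by_src[src].append((ts, (dst, dport)))
    hits = set()
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding window over sorted timestamps
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({target for _, target in events[lo:hi + 1]}) >= threshold:
                hits.add(src)
                break
    return hits


def flag_alerts(records):
    """Packets whose flag combination matches a NULL, FIN or Xmas probe."""
    alerts = []
    for _ts, src, dst, dport, flags in records:
        name = ILLEGAL_FLAG_SETS.get("".join(sorted(flags)))
        if name:
            alerts.append((src, dst, dport, name))
    return alerts


if __name__ == "__main__":
    print("rate-based (60 s window):", sorted(rate_alerts(RECORDS, 60, 10)))
    print("count-based:", sorted(count_alerts(RECORDS, 10)))
    for alert in flag_alerts(RECORDS):
        print("illegal flags:", alert)
```

The two SYN detectors disagree on purpose: the 60-second rate window catches only the fast sweep, while the count over the whole record set also catches the slow one. That gap is the reason the text calls T0 and T1 best for IDS evasion, and the cost of closing it is keeping per-source state for hours rather than seconds.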
Full Scans
A full scan is one in which as much detail as possible is collected about the target. This can include scanning all ports, interrogating services for versions, footprinting the operating system, etc. This can be used with either TCP or UDP, though UDP will take considerably longer, as the scanner must wait for a timeout if no response is received on a port. Full scans produce the most results, but are also the "noisiest" and the most likely to be detected. Common ways to evade detection include randomizing the order in which hosts and ports are scanned, and slowing the scan down. Here are some Nmap full scan examples:
nmap -p- 192.168.1.0/24
nmap -p1-65535 www.technoherder.com
nmap -sU -p1-65535 192.168.1.50
Note: Some also use the term “full scan” to refer to a TCP connect scan nmap -sT <target>, in which the three-way handshake is completed.
Enumeration
Enumeration is the process of using various techniques that query a device or service for information about its configuration and resources. It is a common step in active reconnaissance and crucial to penetration testing. Once you have connected to a host, you can interrogate it for details that will reveal additional attack vectors. The outcome of enumeration can often be used to directly exploit the system and penetrate deeper into the network. Often, enumeration can be done remotely. Although some enumeration can be done without a credential, it is usually much more successful if you can first log in. In many cases, the credential can be that of an average user, and need not be privileged. Techniques that perform enumeration can help you discover information that includes, but is not limited to:
- Operating system details
- User and group names
- Email addresses and contact information
- Password hashes (and sometimes passwords)
- Host names, domain information, and IP addresses
- Volumes and shares
- Services
- Policies and audit settings
- Configuration settings
- Routing, MAC, and neighbor tables
- Installed applications
- Patch levels
- Components and drivers
- Printers and print jobs
- Running processes
- Registry keys
- Event log records
- DNS and SNMP information
Packet Crafting
Packet crafting involves altering a normal IP packet before transmitting it on a network. Common use cases are to test firewall rules, evade intrusion detection, or cause a denial of service. For example, you could raise unusual TCP flags to see if a firewall allows the packet. Or, you could fragment a packet so that its malicious signature is not recognized by an IDS. If denial of service is your goal, you could create fragmented packets that cannot be reassembled, thus consuming all of a target’s CPU time or even causing a kernel panic (“blue screen of death”). The goal in all cases is to use as few packets as possible to achieve the desired result.
Packet crafting involves four stages:
- Packet assembly—create the packet to be sent.
- Packet editing—modify the contents of a created or captured packet.
- Packet play—send/resend a packet on the network.
- Packet decoding—capture and analyze traffic generated by Packet Play. Typically, a packet analyzer such as Wireshark is used for this stage.
Depending on the tool you use, the first three stages can all be performed by the same command. You can craft your packet(s) using the command line, GUI, or script options. A number of hacking tools (including Metasploit) use packet crafting techniques as part of the attack. Some popular packet crafting tools include Hping/Hping3, Nping, Ostinato, Scapy, Libcrafter, Yersinia, packETH, Colasoft Packet Builder, and Bit-Twist.
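The four stages above can be walked through on bytes alone. The following added example (not code from the original page or any of the tools it names) assembles a 20-byte TCP header, edits its flags, splits it into 8-byte fragments the way -f does, and then reassembles and decodes it the way an IDS must before it can see the flags at all; it also shows what a reassembler is left holding when a fragment never arrives, which is the "cannot be reassembled" case the text mentions. Nothing is sent; all values are constructed, and the IP header and TCP checksum are left out as an assumption to keep the focus on the flag bytes.

```python
"""Packet assembly, editing, fragmentation and decoding on raw bytes only.
Constructed values; nothing here touches the network."""
import struct

# TCP flag bits in the low byte of the data-offset/flags field.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def assemble_tcp(sport, dport, seq, ack, flags, window=64240):
    """Stage 1: build a 20-byte TCP header with no options.
    Checksum and urgent pointer are left at zero (assumption for the example)."""
    bits = sum(FLAG_BITS[f] for f in flags)
    offset_flags = (5 << 12) | bits  # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def edit_flags(header, flags):
    """Stage 2: rewrite only the flag bits of an existing header."""
    bits = sum(FLAG_BITS[f] for f in flags)
    offset_flags = (struct.unpack("!H", header[12:14])[0] & 0xF000) | bits
    return header[:12] + struct.pack("!H", offset_flags) + header[14:]


def fragment(payload, size=8):
    """Stage 3 preparation (what -f does before the packet is played): split the
    payload into IP-style fragments. Offsets count 8-byte units; the MF
    (more fragments) bit is set on every fragment but the last."""
    assert size % 8 == 0, "IP fragment sizes must be multiples of 8"
    frags = []
    for pos in range(0, len(payload), size):
        chunk = payload[pos:pos + size]
        frags.append({"offset": pos // 8, "mf": pos + size < len(payload), "data": chunk})
    return frags


def reassemble(frags):
    """Stage 4 prerequisite: rebuild the payload from fragments in any order.
    Returns None when a gap remains or the final fragment never arrived; a real
    reassembler must bound how long it keeps such incomplete sets."""
    buf, expected, saw_last = bytearray(), 0, False
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] != expected:
            return None  # a fragment is missing
        buf += f["data"]
        expected = f["offset"] + (len(f["data"]) + 7) // 8
        if not f["mf"]:
            saw_last = True
    return bytes(buf) if saw_last else None


def decode_tcp(header):
    """Stage 4: decode ports, data offset and flag letters from a TCP header."""
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", header[:14])
    bits = offset_flags & 0x1FF
    flags = "".join(name for name, bit in FLAG_BITS.items() if bits & bit)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": offset_flags >> 12, "flags": flags}


if __name__ == "__main__":
    syn = assemble_tcp(40000, 22, 1, 0, "S")
    xmas = edit_flags(syn, "FPU")
    frags = fragment(xmas)
    print("fragments:", [(f["offset"], f["mf"], len(f["data"])) for f in frags])
    print("first fragment alone holds bytes 0-7: flags live at bytes 12-13, not yet visible")
    print("reassembled:", decode_tcp(reassemble(frags)))
    print("missing middle fragment:", reassemble([frags[0], frags[2]]))
```

The flag bytes sit at offset 12 of the TCP header, so with 8-byte fragments they arrive in the second fragment; a filter that inspects only the first fragment sees a source and destination port and nothing else. That is the whole reason -f is listed as an evasion option, and why an IDS that cannot reassemble (or that discards incomplete sets too eagerly, or too slowly) is the weak point the text describes.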
Network Mapping
Network mapping is the process of discovering devices on a network in an effort to visualize the network and create a logical topology map. It uses active probing to gather information such as MAC and IP addresses, ports and services, operating systems, device types, virtual machines, host names, and even protocols running on the network. Mapping identifies subnets and how devices are interconnected. Scanning with a tool such as Nmap is the first and most basic step to creating a network map. Other methods include interrogating ARP caches, routing and MAC tables, and Cisco Discovery Protocol (CDP) neighbor tables. Many mapping tools have additional functionality. They use Windows Management Instrumentation (WMI) or SNMP to enumerate information from hosts, including hardware and service status, interface statistics, installed applications, patch levels, user names and groups, and critical events.
Having a topology map of the network is valuable to the pen tester because it informs your choice of tools and strategies. For example, you cannot conduct an ARP scan or spoof MAC addresses on a remote network without direct access to that network. You may have to make routing choices based on link speed and protocols used on the various segments. If you are firewalking or crafting packets that manipulate the IP packet Time-to-Live (TTL), you would want to change that value to reflect the anticipated number of hops (routers) between you and the target.
Most network mappers only scan the immediate subnet by default. You may have to manually add additional subnets. Many tools allow you to specify a “seed device” such as a router or multilayer switch which can provide knowledge of the various subnets. You typically have to provide a user name and password for the scanner to log into the device to make such queries.
There are many free and commercial network mapping tools. Most of the paid versions provide free trials. Some mappers interface with drawing applications such as Microsoft Visio to create professional-looking diagrams. Popular network mappers include SolarWinds, Intermapper, WhatsUp Gold, PRTG, Spiceworks, and Nmap.
Guidelines for Scanning Networks
Here are some guidelines you can use when scanning networks:
- Use OSINT or other starting knowledge of the target network to determine the base address of your scan.
- Determine the amount of detail you want to discover, such as IP addresses, ports, services, versions, host names, operating systems, device status, etc., and select a tool that is capable of delivering the desired information.
- Start with a discovery scan that uses multiple techniques (not just ICMP ECHO REQUEST).
- Manually add known networks or use a shorter subnet mask to include multiple subnets in a single scan.
- Set a scan speed that balances performance with stability.
- Use slower scan speeds to be “polite” and not create too much “noise” on the network.
- Use the slowest scan speeds to evade detection by an IDS.
- Add or include a port scan to identify listening ports on discovered hosts.
- If desired, use tools that can interrogate ports, grab banners, and use specially crafted packets to identify operating system and service versions.
- If desired, use tools that can interrogate device ARP caches, router route tables, switch MAC tables, and other sources for additional network information.
- If desired, use WMI and/or SNMP to interrogate devices for service- or component-specific information.
- If a standardized diagram is desired, export the scan output and import it into a professional drawing application such as Microsoft Visio.
- Use Google to quickly find examples and tool guidance; recognize that some online guidance will be outdated.