Network Scanning

Network scanning is a set of procedures for identifying live hosts, ports, and services; discovering the operating system and architecture of the target system; and identifying vulnerabilities and threats in the network. Network scanning is used to create a profile of the target organization.

The purpose of each scanning process is given below:

Discovering live hosts, IP addresses, and open ports.

Discovering operating system and device information.

Discovering vulnerabilities.

Scanning Methodology

Check for Live host:

NMAP: A ping scan checks for live systems by sending ICMP echo request packets. If a system is alive, it responds with an ICMP echo reply packet containing details such as TTL and packet size. This ICMP packet scanning can be done with NMAP.

The Nmap Security Scanner is a free and open source utility used by millions of people for network discovery, administration, inventory, and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on a network, what services (application name and version) those hosts are offering, what operating systems they are running, what type of packet filters or firewalls are in use, and more. Nmap was named “Information Security Product of the Year” by Linux Journal and Info World. It was also used by hackers in seven movies, including The Matrix Reloaded, Die Hard 4, and The Bourne Ultimatum. Nmap runs on all major computer operating systems, plus the Amiga.

Source: NMAP

Ping Sweep: A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which IP addresses in a range map to live hosts (computers). A single ping tells the user whether one specified host computer exists on the network, while a ping sweep consists of ICMP echo requests sent to multiple hosts.

Source: Ping Sweep


The half-open (SYN) scan is probably the most common type of port scan. It is a relatively quick scan that can potentially scan thousands of ports per second. It is fast because it does not complete the TCP handshake process: it simply sends a packet with the SYN flag set, waits for the SYN-ACK from the target, and does not complete the connection.

When you initiate a TCP connection you first send a packet with the SYN (synchronize) flag set to the destination. The destination then acknowledges this synchronize request with a packet with the SYN-ACK (synchronize-acknowledge) flag set. Finally, the sender acknowledges that it got the SYN-ACK response packet by sending the destination a packet with the ACK flag set. Now, a connection is established.

By not sending the final ACK packet to the target after receiving a SYN-ACK, a connection is not established; however, you now know if the target/port is available and listening.

If you receive a RST (reset) packet back from the target, then you know that the target is active; however, the port is closed. If no response is received and you know that the target is alive, then the port is considered filtered.
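The half-open pattern described above, seen from the target side as detection logic. This is an added example, not part of the original article; the packet tuples are constructed sample data, and the function names and the `min_ports` threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample capture: (src, dst, sport, dport, tcp_flags)
# S = SYN, SA = SYN-ACK, A = ACK, RA = RST-ACK. Addresses are documentation ranges.
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", 40001, 22, "S"),
    ("192.0.2.10", "198.51.100.7", 22, 40001, "SA"),   # port open, final ACK never arrives
    ("198.51.100.7", "192.0.2.10", 40002, 23, "S"),
    ("192.0.2.10", "198.51.100.7", 23, 40002, "RA"),   # port closed
    ("198.51.100.7", "192.0.2.10", 40003, 443, "S"),   # no reply at all (filtered)
    ("198.51.100.7", "192.0.2.10", 40004, 80, "S"),
    ("192.0.2.10", "198.51.100.7", 80, 40004, "SA"),
    ("192.0.2.20", "192.0.2.10", 51000, 80, "S"),      # ordinary client
    ("192.0.2.10", "192.0.2.20", 80, 51000, "SA"),
    ("192.0.2.20", "192.0.2.10", 51000, 80, "A"),      # handshake completed
]

def classify_flows(packets):
    """Map each flow opened by a bare SYN to the furthest handshake state it reached."""
    flows = {}
    for src, dst, sport, dport, flags in packets:
        if flags == "S":                                # step 1: client SYN
            flows[(src, dst, sport, dport)] = "syn_only"
            continue
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags == "SA" and flows.get(rev) == "syn_only":
            flows[rev] = "half_open"                    # step 2: server is listening
        elif "R" in flags and flows.get(rev) == "syn_only":
            flows[rev] = "closed"                       # server reset: port closed
        elif flags == "A" and flows.get(fwd) == "half_open":
            flows[fwd] = "established"                  # step 3: final ACK from client
    return flows

def suspected_scanners(packets, min_ports=3):
    """Return (client, server) pairs that left >= min_ports distinct ports uncompleted."""
    probed = defaultdict(set)
    for (client, server, _sport, dport), state in classify_flows(packets).items():
        if state != "established":
            probed[(client, server)].add(dport)
    return {pair: sorted(ports) for pair, ports in probed.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for pair, ports in suspected_scanners(SAMPLE).items():
        print(pair, "never completed a handshake on ports", ports)
```

A single dropped connection produces the same states, so the signal is the number of distinct ports per source, not any one flow.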


A full connect scan is essentially the same as the half-open scan above, but instead we finish the handshake process and establish a connection by sending the final ACK packet. This is a much slower means of port scanning because it takes more packets to finish.


UDP scans are most commonly used to detect DNS, SNMP and DHCP services. UDP scans work by sending a packet, which is usually empty. This can be changed or even set to a random payload for each port.

If the target responds with an ICMP unreachable error (type 3, code 3) packet, the port is considered closed. If it responds with an ICMP unreachable error packet with other codes, the port is considered filtered. If no response is received at all, the port is considered open or filtered. The reason why it might be filtered is that packet filters might be in use that are blocking the communication. Version enumeration could very well help in knowing if packet filters are involved.

The problem with using any communication with UDP is that it is unreliable – it has no way of creating an established connection or synchronizing the packets like TCP does. For this reason, UDP scans are typically slow. Because you are waiting for a packet that may never come, nor do you have any real way of telling if the packet even got there in the first place, you might have to send numerous packets then wait to make sure a port is considered open or filtered.

I hope this article was helpful for you. Thank you.
