Gathering information about the target machine or server is one of the crucial steps toward compromising or identifying any vulnerabilities on the machine. There are various methods to gather information on a target, but one of the most effective and commonly used is called Network Scanning. Network scanning itself is divided into multiple types. In this particular blog section, I will walk you through what network scanning is, its objectives, how it aids in reconnaissance, and how we can use the popular tool Nmap to perform network scanning with ease.
What is Network Scanning?
Network scanning is an active process to gather information on a target machine by identifying active hosts, their open ports, and the services running on those ports. In the field of ethical hacking, network scanning allows us to scan a particular target for its open ports or scan an entire network to identify active hosts. With the information gathered through network scanning, one can identify present vulnerabilities and exploit them to gain unauthorized access to the system or inject a payload into the network.
Types of Network Scanning:
There are mainly three types of network scanning:
- Host Discovery
- Port Scanning
- Vulnerability Scanning
1. Host Discovery Scanning:
In Host discovery scanning, we aim to identify active hosts over a network. By utilizing this scanning method, we can determine which IPs are active and operational within a network, along with the number of devices connected to the router or network. The primary objective of host discovery is to map out the network and determine which IPs are reachable.
The simplest technique for Host discovery is known as ping sweep, wherein an ICMP ping request is sent to individual IP addresses, and those that reply without packet loss confirm their operational status. This can be easily done using the ping command in the terminal or command prompt.
ping 192.168.29.98
Pinging 192.168.29.98 with 32 bytes of data:
Reply from 192.168.29.98: bytes=32 time=272ms TTL=64
Reply from 192.168.29.98: bytes=32 time=200ms TTL=64
Reply from 192.168.29.98: bytes=32 time=112ms TTL=64
Reply from 192.168.29.98: bytes=32 time=25ms TTL=64
Ping statistics for 192.168.29.98:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 25ms, Maximum = 272ms, Average = 152ms
To perform a ping sweep we can use nmap -sn, which probes every address in the network range specified in CIDR notation.
┌──(crow㉿kali)-[~]
└─$ nmap -sn 192.168.29.1/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-21 21:20 IST
Nmap scan report for (192.168.29.1)
Host is up (0.010s latency).
Nmap scan report for 192.168.29.12
Host is up (0.0047s latency).
Nmap scan report for 192.168.29.98
Host is up (0.0045s latency).
Nmap scan report for 192.168.29.202
Host is up (0.000081s latency).
Nmap scan report for 192.168.29.212
Host is up (0.048s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.85 seconds
In this command, Nmap sends an ICMP request to every IP address in the network range specified.
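The sweep above tells you which addresses answered, but on its own it does not tell you whether they should be there. The following added example (not code from the original post or from the Nmap project) parses the text output of nmap -sn into a host list and compares it against a small asset inventory so that any host that answered but is not on the inventory stands out. The sample output and the inventory list are constructed for this example; the regular expressions cover both the bare "Nmap scan report for 1.2.3.4" form and the "name (1.2.3.4)" form Nmap prints when reverse DNS resolves.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the `nmap -sn` output shown above
# (private addresses; one entry carries a hostname, printed as "name (ip)").
SAMPLE_NMAP_SN_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-21 21:20 IST
Nmap scan report for 192.168.29.1
Host is up (0.010s latency).
Nmap scan report for 192.168.29.12
Host is up (0.0047s latency).
Nmap scan report for 192.168.29.98
Host is up (0.0045s latency).
Nmap scan report for router.lan (192.168.29.202)
Host is up (0.000081s latency).
Nmap scan report for 192.168.29.212
Host is up (0.048s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.85 seconds
"""

# Constructed asset inventory: the hosts we expect to find on this subnet.
KNOWN_ASSETS = ["192.168.29.1", "192.168.29.12", "192.168.29.98", "192.168.29.202"]

# "Nmap scan report for 10.0.0.5" or "Nmap scan report for name (10.0.0.5)"
_REPORT_RE = re.compile(
    r"^Nmap scan report for (?:\S+ )?\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$")
_UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")
_DONE_RE = re.compile(r"^Nmap done: \d+ IP addresses \((\d+) hosts? up\)", re.M)


def parse_ping_sweep(text):
    """Return {ip: latency_seconds} for every host Nmap reported as up."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = _REPORT_RE.match(line)
        if m:
            current = m.group(1)   # remember the address until its status line
            continue
        m = _UP_RE.match(line)
        if m and current:
            hosts[current] = float(m.group(1))
            current = None
    return hosts


def declared_up_count(text):
    """Number of hosts Nmap's own summary line says were up, or None if absent."""
    m = _DONE_RE.search(text)
    return int(m.group(1)) if m else None


def unknown_hosts(live, inventory):
    """Hosts that answered the sweep but are not in the asset inventory."""
    known = {str(ip_address(a)) for a in inventory}   # normalises the strings
    return sorted(set(live) - known, key=ip_address)  # numeric, not lexical, order


if __name__ == "__main__":
    live = parse_ping_sweep(SAMPLE_NMAP_SN_OUTPUT)
    # Cross-check our parse against Nmap's own count before trusting it.
    assert len(live) == declared_up_count(SAMPLE_NMAP_SN_OUTPUT)
    for ip, lat in sorted(live.items(), key=lambda kv: ip_address(kv[0])):
        print(f"{ip:<16} up  {lat * 1000:.2f} ms")
    for ip in unknown_hosts(live, KNOWN_ASSETS):
        print(f"unexpected host: {ip}")
```

Run as a periodic inventory check, the same parser lets a defender treat the ping sweep as an alert source rather than only a reconnaissance step: a host that answers but is not on the inventory is either undocumented or unauthorised, and either way worth a look.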
2. Port Scanning:
Port scanning involves targeting an individual active machine or server and scanning for its open ports. Ports are essential for communication between machines to send and receive data. Ports are associated with specific protocols and services, and through port scanning, we aim to identify open ports that may be using outdated services vulnerable to exploitation.
Various techniques can be used for port scanning, such as TCP connect scanning, SYN scanning, UDP scanning, and ACK scanning, all of which can be performed using the Nmap tool. For example, a TCP connect scan, which is a reliable and straightforward port scanning technique, can be performed with the following command:
nmap -sT 192.168.29.12
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-21 21:40 IST
Nmap scan report for 192.168.29.12
Host is up (0.0049s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
In this command, Nmap performs a TCP connect scan against its default port list; the report above accounts for 1000 ports (977 shown as closed plus the 23 listed as open).
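To make the mechanics of a TCP connect scan concrete, here is an added example (not code from the original post or from Nmap) that classifies ports the way the scan above does: connect() succeeding means open, an immediate connection refused (the peer's RST) means closed, which is what Nmap reports as "closed ... (conn-refused)", and no answer before the timeout means filtered. So that it runs offline, the example starts a throwaway listener on 127.0.0.1 to stand in for a live service; that listener, the port choice and the report formatting are this example's own assumptions.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_tcp(host, port, timeout=1.0):
    """Classify one TCP port exactly as a connect scan does.

    open     - the three-way handshake completed (connect() succeeded)
    closed   - the peer answered with RST (connection refused)
    filtered - nothing came back before the timeout, typically a firewall
               silently dropping the SYN
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"   # no route, host unreachable, etc.


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Connect-scan `ports` on `host` concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_tcp(host, p, timeout), ports))
    return dict(zip(ports, states))


def format_report(states):
    """Render results in the style of Nmap's table: open ports listed, closed counted."""
    lines = []
    closed = sum(1 for s in states.values() if s == "closed")
    if closed:
        lines.append(f"Not shown: {closed} closed tcp ports (conn-refused)")
    lines.append("PORT      STATE")
    for port, state in sorted(states.items()):
        if state != "closed":
            lines.append(f"{port}/tcp".ljust(10) + state)
    return lines


def start_local_listener():
    """Start a throwaway TCP server on 127.0.0.1 (constructed stand-in for a
    real service). Returns (port, server_socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():             # accept and drop connections until closed
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return port, srv


def find_free_port():
    """A loopback port with nothing listening on it, so the scan sees 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port, srv = start_local_listener()
    targets = [open_port, find_free_port()]
    results = connect_scan("127.0.0.1", targets, timeout=2.0)
    srv.close()
    print("\n".join(format_report(results)))
```

Two points worth keeping in mind from the defender's side: a connect scan completes the full handshake, so every probed service sees (and can log) a real connection, which makes this scan type the easiest one to notice in application logs; and a port that times out rather than refusing is reported as filtered, not closed, so a long list of "filtered" ports usually means a packet filter sits in the path rather than that the services are absent.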
3. Vulnerability Scanning:
In vulnerability scanning, we take a more active approach to identifying vulnerabilities on the network or system. This involves scanning for known vulnerabilities in software, weak configurations, or missing patches. The main objective is to discover weaknesses by identifying services or applications that can be easily exploited. Tools such as OpenVAS and Nessus provide powerful utilities for vulnerability scanning.