Last Updated on by ICT Byte
Network Scanning Concepts
- Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network.
- Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization.
Objectives of Network Scanning
- To discover IP address and open ports of live hosts
- To discover operating systems and system architecture
- To discover services running on hosts
- To discover vulnerabilities in live hosts
Scanning Techniques
Check for Live Systems
# Checking for Live Systems – ICMP Scanning
- Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.
- This scan is useful for locating active devices or determining if ICMP is passing through a firewall.
Ping Sweep
- Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply.
- Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet.
- Attackers then use ping sweep to create an inventory of live systems in the subnet.
ICMP Message Types
Check for Open Ports
# SSDP Scanning
- The Simple Service Discovery Protocol (SSDP) is a network protocol that works in conjunction with UPnP to detect plug and play devices available in a network.
- Vulnerabilities in UPnP may allow attackers to launch buffer overflow or DoS attacks.
- SSDP uses the User Datagram Protocol (UDP) on port 1900.
- It uses the multicast address 239.255.255.250.
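As an added example (not part of the original notes), the script below parses SSDP M-SEARCH discovery requests as they arrive on UDP/1900 and flags the two things a defender cares about: malformed requests, and discovery traffic from a source outside the local segment, which is what an Internet-exposed SSDP responder looks like. The sample datagrams, the local network list (192.168.1.0/24) and the function names are constructed for the example.

```python
import ipaddress
from typing import Optional

SSDP_MULTICAST = "239.255.255.250"
SSDP_PORT = 1900
# Segments on which SSDP discovery is expected (assumption for this example).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed samples: (source address, raw UDP payload that arrived on port 1900)
SAMPLE_DATAGRAMS = [
    # well-formed discovery from a host on the local segment
    ("192.168.1.20",
     b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"),
    # missing the mandatory MAN header
    ("192.168.1.21",
     b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: upnp:rootdevice\r\n\r\n"),
    # well-formed, but sent from an address outside the local segment
    ("203.0.113.9",
     b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     b"MAN: \"ssdp:discover\"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n"),
]


def parse_msearch(datagram: bytes) -> Optional[dict]:
    """Parse an SSDP M-SEARCH request (HTTP-style text carried over UDP).

    Returns the header dict, or None when the request line is wrong, a header
    line is malformed, or the mandatory HOST / MAN / ST headers are missing.
    """
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if lines[0] != "M-SEARCH * HTTP/1.1":
        return None
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line terminates the header block
            break
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    if not {"HOST", "MAN", "ST"} <= headers.keys():
        return None
    if headers["MAN"] != '"ssdp:discover"':
        return None
    return headers


def classify(src_ip: str, datagram: bytes) -> str:
    """Verdict for one datagram seen on UDP/1900."""
    if parse_msearch(datagram) is None:
        return "malformed"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in LOCAL_NETS):
        # SSDP is meant to be link-local; an outside source means the port is exposed
        return "external-source"
    return "ok"


def audit(datagrams):
    """Classify a batch of (source, payload) pairs; returns [(source, verdict), ...]."""
    return [(src, classify(src, data)) for src, data in datagrams]


if __name__ == "__main__":
    for src, verdict in audit(SAMPLE_DATAGRAMS):
        print(f"{src:16} {verdict}")
```

The check is deliberately a membership test against the expected local segments rather than a "private address" test, because discovery traffic from a different internal subnet is just as out of place as traffic from the Internet.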
SSDP Scanning
Network Scanning Tools
NMAP
- Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
- Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), the type of packet filters/firewalls in use, and operating systems and OS versions.
- Reference: https://nmap.org/book/
Zenmap
Angry IP Scanner
hping3
- hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies.
- Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc.
- Hping3 Example Link : https://www.kali.org/tools/hping3/
- Example
Scanning Beyond IDS and Firewall
- This is about evaluating the security measures of perimeter devices such as firewalls and IDS.
- Our job here is not to hack; it is to verify whether the controls are in the proper place.
- Verify this by scanning beyond the firewall and IDS.
- If we succeed in scanning the target machine's ports with various techniques, the IDS and firewall configuration needs attention.
- Use Nmap, a tool shipped with Kali Linux, to scan the target network.
- Example : https://securiumsolutions.org/scanning-beyond-ids-and-firewall/
- Example
# Decoy Scanning: A type of scan in which multiple decoys (spoofed source IPs) are used alongside the real source, so that the firewall cannot tell which machine the packets are really coming from.
Command
nmap -D RND:10 <target ip>
nmap -D IP1,IP2,IP3,IP4,IP5,IP6 <target ip>
# Idle Scanning or Zombie Scanning: A technique in which the attacker uses another device (the zombie) as an intermediary while scanning, so the target sees the probes as coming from the zombie machine rather than from the attacker.
Command
nmap -Pn -sI <zombie ip> <target ip>
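The ping sweep and decoy scan sections above describe what these scans look like from the attacker's side; the added example below (not part of the original notes) shows the defender's view. It runs over constructed firewall log lines and reports a ping sweep (one source sending ICMP echo requests to many hosts within a short window), a port scan (one source probing many ports on one host) and, as a heuristic for the decoy technique, several sources probing exactly the same port set on the same host. The log format, thresholds, addresses and function names are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> src=A dst=B proto=icmp type=8"
# or "<iso-timestamp> src=A dst=B proto=tcp dport=N flags=S"
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>\w+))?"
)

SWEEP_HOSTS = 5   # distinct hosts pinged by one source within WINDOW
SCAN_PORTS = 5    # distinct ports probed on one host by one source within WINDOW
DECOY_SOURCES = 3 # sources sharing an identical port set against one host
WINDOW = timedelta(seconds=10)


def _constructed_log():
    """Build the sample log: a sweep, a three-source decoy-style scan, and normal traffic."""
    lines = []
    # host discovery: 10.0.0.5 pings six hosts in six seconds
    for i in range(1, 7):
        lines.append(f"2024-05-01T10:00:0{i - 1} src=10.0.0.5 dst=10.0.1.{i} proto=icmp type=8")
    # decoy-style probe: three sources hit the same five ports on 10.0.1.7 within five seconds
    for src in ["10.0.0.5", "10.0.0.77", "10.0.0.91"]:
        for k, port in enumerate([21, 22, 23, 25, 80]):
            lines.append(f"2024-05-01T10:01:0{k} src={src} dst=10.0.1.7 proto=tcp dport={port} flags=S")
    # ordinary traffic from 10.0.0.8: one ping and two connections to the web port
    lines.append("2024-05-01T10:02:00 src=10.0.0.8 dst=10.0.1.7 proto=icmp type=8")
    lines.append("2024-05-01T10:02:01 src=10.0.0.8 dst=10.0.1.7 proto=tcp dport=443 flags=S")
    lines.append("2024-05-01T10:02:09 src=10.0.0.8 dst=10.0.1.7 proto=tcp dport=443 flags=S")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def _distinct_in_window(hits):
    """Largest number of distinct values whose timestamps fall inside one WINDOW."""
    hits = sorted(hits)
    best = 0
    for i, (t0, _) in enumerate(hits):
        seen = {v for t, v in hits[i:] if t - t0 <= WINDOW}
        best = max(best, len(seen))
    return best


def detect(lines):
    """Return a list of findings: ping-sweep, port-scan and decoy-pattern tuples."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    echo = defaultdict(list)   # src -> [(ts, dst)] for ICMP echo requests
    syn = defaultdict(list)    # (src, dst) -> [(ts, dport)] for TCP SYNs
    for e in events:
        if e["proto"] == "icmp" and e["type"] == "8":
            echo[e["src"]].append((e["ts"], e["dst"]))
        elif e["proto"] == "tcp" and e["flags"] == "S":
            syn[(e["src"], e["dst"])].append((e["ts"], int(e["dport"])))

    findings = []
    for src, hits in echo.items():
        if _distinct_in_window(hits) >= SWEEP_HOSTS:
            findings.append(("ping-sweep", src))

    by_dst = defaultdict(dict)  # dst -> {src: frozenset(ports)} for confirmed scanners
    for (src, dst), hits in syn.items():
        if _distinct_in_window(hits) >= SCAN_PORTS:
            findings.append(("port-scan", src, dst))
            by_dst[dst][src] = frozenset(p for _, p in hits)

    # Heuristic: decoys send the same probe sequence as the real scanner, so several
    # "scanners" with an identical port set against one host is the decoy signature.
    for dst, scanners in by_dst.items():
        groups = defaultdict(list)
        for src, ports in scanners.items():
            groups[ports].append(src)
        for srcs in groups.values():
            if len(srcs) >= DECOY_SOURCES:
                findings.append(("decoy-pattern", dst, tuple(sorted(srcs))))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The decoy heuristic cannot say which of the reported sources is the real scanner; what it does give an analyst is the reason to treat all of them as one event rather than three, and to check which source address actually belongs to a host on the segment.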
Banner Grabbing
- Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive.
- Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities the system possesses and the exploits that might work on it in order to carry out additional attacks.
- Example :
#nmap -O 10.0.1.201
#nmap -sV 10.0.1.201
#whatweb http://192.168.0.11
Scan for Vulnerability
Vulnerability scanning identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited.
- Network vulnerabilities
- Open ports and running services
- Application and services vulnerabilities
- Application and services configuration errors
Tools for Vulnerability Scan
# Vulnerability Scanning Tools
- Nessus
- GFI LanGuard
- Qualys Free Scan
# Network Vulnerability Scanner
- MBSA (Microsoft Baseline Security Analyzer)
- OpenVAS
- Nexpose
Draw Network Diagrams
- Drawing the target's network diagram gives an attacker valuable information about the network and its architecture.
- A network diagram shows the logical or physical path to a potential target.