Simplify security with our comprehensive web app vulnerability scanner, AlphaScanner!🚀 Explore more.
Blog Details Shape

Network Scanning: All You Need to Know

Ayush Mania
By
Ayush Mania
  • Apr 2, 2024
  • Clock
    4 min read
Network Scanning: All You Need to Know
Contents
Join 1,241 readers who are obsessed with testing.
Consult the author or an expert on this topic.

In penetration testing and ethical hacking, network scanning is a critical step in understanding and assessing the security posture of a system or network. This blog explores various scanning techniques and tools, providing a comprehensive guide for both beginners and intermediate penetration testers and hackers. Let’s start from scratch by scanning, Pings.

Understanding Pings

Ping is a network utility tool that is used to test the reachability of a host on an Internet Protocol (IP) network. It also measures the round-trip time for messages sent from the originating host to a destination computer. The name "ping" comes from sonar sounds used in submarines to detect other objects in the water.

When a ping command is executed, it sends Internet Control Message Protocol (ICMP) Echo Request messages to the destination host. If the destination host is reachable, it responds with an ICMP Echo Reply. The round-trip time is then measured, giving an indication of the network latency. Let’s look at the example to understand it better,  ping www.google.com

This will ping the “www.google.com” and results will be similar to those shown below, (you may see different IP address)

Ping result

Ping Sweep

A ping sweep is a technique used to discover live hosts within a specific IP range. This is achieved by sending a series of ICMP Echo Requests to multiple IP addresses in succession. The goal is to identify which hosts respond, indicating their active presence on the network.

Here's a step-by-step guide on how to execute a ping sweep effectively:

1. Determine IP Range

Identify the range of IP addresses you want to scan. For example, if your network uses the subnet 192.168.1.0/24, the IP range would be 192.168.1.1 to 192.168.1.254.

2. Execute Ping Sweep

Use a command-line interface or a network scanning tool to send ICMP Echo Requests to each IP address in the specified range. The basic command for a ping sweep in a command-line interface is:

for i in {1..254}; do ping -c 1 192.168.1.$i | grep "bytes from"; done
Copied!

This loop sends a single ping to each IP address in the range and outputs the responses.

Another method for executing the ping sweep is, the use of fping;

If we want to perform the ping sweep for the above example, it can be done like this:

fping -a -g 192.168.1.1 192.168.1.254 > Active.txt
Copied!

Now, let’s break it down to understand what it is doing,

-a – it is switch to store only active hosts from a given IP range, in our case, we are storing it in Active.txt
-g – to give IP range, in our case it is 192.169.1.1 to 192.168.1.254

3. Analyze Results

Review the output to identify which IP addresses responded to the ping requests. Responding addresses indicate active hosts on the network. For our example we can see the active hosts list in Active.txt file,

Result from previous step

While ping sweeps are valuable for network administrators to identify active hosts, they can also be used for malicious purposes. Attackers may use ping sweeps as a reconnaissance technique to gather information about a network's topology and identify potential targets. Network security measures, such as firewalls and intrusion detection systems, should be in place to detect and mitigate such activities.

It's essential to use ping sweeps responsibly and only within the scope of authorized network administration activities. Unauthorized or malicious use of ping sweeps can lead to security breaches and compromise the integrity of a network.

Port Scanning

Port scanning is a crucial technique in the arsenal of a penetration tester. It involves systematically scanning a target system or network to identify open ports and services running on those ports. This information is valuable for assessing the security posture of a system, discovering potential vulnerabilities, and understanding the overall attack surfLuffy. Before we start performing port scanning, it is crucial to understand the 3-way handshake. So, let’s first take a brief look at it, and then we will move further.

3-Way Handshake

The three-way handshake is a key process used in the establishment of a TCP (Transmission Control Protocol) connection between two devices, typically computers or network devices. It ensures that both devices are ready and willing to communicate before data exchange begins.

Imagine two people meeting for the first time at a party. They want to start a conversation, but they don't know each other yet. Here's how the process unfolds,

1. Initiation (SYN)

Luffy walks up to Nami and says, "Hey, I'd like to chat with you." This is similar to the first computer sending a SYN packet to the second computer. It's an invitation to start a conversation.

2. Acknowledgment (SYN/ACK)

Nami responds, "Sure, I'm open to chatting. Let's do it." This is like the second computer acknowledging the SYN request by sending a SYN/ACK packet. It's saying, "I received your invitation, and I'm ready to communicate."

3. Confirmation (ACK)

Luffy, upon receiving the positive response, says, "Great! Nice to meet you, I'm Luffy." This is analogous to the first computer sending an ACK packet, confirming that it got the acknowledgment and introducing itself. Now, both parties are aware of each other and can communicate freely.

Just like in the TCP three-way handshake, this process ensures that both parties are ready and willing to engage in a conversation before they start exchanging information.

Now that we know what is 3-way handshake let’s try some of the port scanning techniques using Nmap.

TCP Connect Scan

This is the most basic form of port scanning, where the scanner attempts to establish a full TCP connection with the target port. If the connection is successful, the port is considered open; otherwise, it is marked as closed.

TCP SYN Scan (Half-Open Scan)

This type of scan is more discreet as it does not complete the full TCP connection. The scanner sends a TCP SYN packet and waits for a response. If a SYN-ACK is received, the port is considered open; if a RST (reset) is received, the port is closed.

TCP FIN Scan

This scan sends a TCP FIN (finish) packet to the target port. If the port is open, it should not send a response, but if closed, it should respond with an RST packet.

TCP XMAS Scan

Similar to the FIN scan, this scan sends a packet with the FIN, URG, and PSH flags set. The behavior of the target port's response helps identify whether it is open or closed.

UDP Scan

While TCP scans focus on open ports, UDP scans are used to identify open UDP ports. UDP is connectionless, so the scanner sends a UDP packet to the target port and analyzes the response (if any) to determine openness.

Idle Scan (Zombie Scan)

This scan involves using a third-party host (a "zombie") to perform the scan without directly connecting to the target. By exploiting differences in sequence numbers, the scanner can infer the status of the target port.

The Nmap Scripting Engine

The Nmap Scripting Engine (NSE) is a powerful and flexible component of the Nmap (Network Mapper) tool that allows users to write and execute scripts to automate a wide range of tasks during network scanning. Nmap itself is a popular open-source network exploration and security auditing tool used to discover hosts and services on a computer network, creating a map of the network's structure.

The NSE extends the capabilities of Nmap by enabling users to perform tasks such as vulnerability detection, service version detection, and even exploitation, all within the context of a network scan. NSE scripts are written in the Lua programming language, which is embedded in Nmap. Users can take advantage of existing scripts or create their own to customize the scanning process.

Here are some key features and concepts related to the Nmap Scripting Engine

1. Script Categories

NSE scripts are categorized based on their functionality. Some common categories include;

Categories Description
Default Scripts that are run by default during a scan.
Discovery Scripts to discover information about hosts and services.
Vulnerability Scripts that check for known vulnerabilities.
Brute Scripts that perform brute-force attacks.
Exploit Scripts that attempt to exploit vulnerabilities.

2. Script Arguments

NSE scripts can accept arguments to customize their behavior. Users can pass arguments to scripts to control aspects such as target selection, output formatting, and verbosity.

3. Script Output

NSE scripts generate output that can be used to identify potential security issues, vulnerabilities, or other information about the target network. The output can be in various formats, including plain text, XML, and even interactive user interfaces.

4. Integration with Nmap Scans 

NSE scripts can be integrated into Nmap scans using the `--script` option. Users can specify scripts to be executed during the scan to enhance the overall scanning process.

5. Community Contributions

The Nmap Scripting Engine benefits from contributions from the community. Users can find and share scripts on the Nmap Scripting Database (https://nmap.org/nsedoc/), which contains a collection of scripts created by Nmap users.

To use NSE scripts during a scan, you can use a command similar to the following:

nmap --script script-name target
Copied!

Replace script-name with the name of the script or a category of scripts, and target with the target IP address or hostname.

Keep in mind that while NSE scripts can be powerful, they should be used responsibly and with proper authorization. Unauthorized scanning or exploitation of systems is against the law and ethical guidelines. Always ensure you have the right to scan and test the systems you are targeting.

Conclusion

In summary, network scanning plays a vital role in penetration testing by identifying live hosts, open ports, and vulnerabilities. Mastering techniques like ping sweeps, port scans, and utilizing the powerful Nmap Scripting Engine equips you with the tools to assess network security effectively. However, these should only be used responsibly and with proper authorization.

If you need professional assistance in conducting comprehensive penetration tests, Alphabin offers expert penetration testing services. Their experienced ethical hackers employ advanced scanning methodologies, leveraging cutting-edge tools and techniques to uncover potential vulnerabilities in your systems and networks. Trust Alphabin to provide you with a detailed report and recommended mitigation strategies to fortify your cyber defenses.

Something you should read...

Frequently Asked Questions

What is the purpose of a ping sweep, and how can it be executed?
FAQ ArrowFAQ Minus Arrow

A ping sweep is a technique used to discover live hosts within a specific IP range. It is executed by sending ICMP Echo Request packets to multiple IP addresses in succession, with the goal of identifying which hosts respond, indicating their active presence on the network. The blog provides step-by-step instructions and commands (e.g., using a for loop or the fping tool) to perform a ping sweep effectively.

What is the three-way handshake, and why is it important to understand before performing port scanning?
FAQ ArrowFAQ Minus Arrow

The three-way handshake is a crucial process in establishing a TCP connection between two devices. It ensures that both devices are ready and willing to communicate before data exchange begins. Understanding the three-way handshake is essential because many port scanning techniques, such as TCP Connect Scan and TCP SYN Scan, rely on this process to determine whether a port is open or closed.

What are the different types of port scanning techniques covered in the blog, and how do they differ?
FAQ ArrowFAQ Minus Arrow

The blog covers several port scanning techniques, including TCP Connect Scan, TCP SYN Scan, TCP FIN Scan, TCP XMAS Scan, UDP Scan, and Idle Scan (Zombie Scan). These techniques differ in how they attempt to determine the status of a port (open or closed) and their level of stealthiness or intrusiveness. For example, TCP SYN Scan is more discreet than TCP Connect Scan, and the Idle Scan involves using a third-party host to perform the scan.

What is the Nmap Scripting Engine (NSE), and how can it be used for network scanning?
FAQ ArrowFAQ Minus Arrow

The Nmap Scripting Engine (NSE) is a powerful component of the Nmap tool that allows users to write and execute scripts to automate various tasks during network scanning. NSE scripts can perform tasks such as vulnerability detection, service version detection, and even exploitation. The blog explains different script categories, script arguments, script output, integration with Nmap scans, and community contributions. It also provides an example command for using NSE scripts during a scan.

About the author

Ayush Mania

Ayush Mania

Ayush Mania, an offensive security specialist at Alphabin, specializes in securing web applications and servers.

With his expertise in penetration testing and red teaming, he leverages diverse security techniques to identify and fix vulnerabilities.

A passionate learner, Ayush enjoys collaborating to achieve shared goals.

More about the author

Discover vulnerabilities in your  app with AlphaScanner 🔒

Try it free!Blog CTA Top ShapeBlog CTA Top Shape
Join 1,241 readers who are obsessed with testing.
Consult the author or an expert on this topic.
Join 1,241 readers who are obsessed with testing.
Consult the author or an expert on this topic.

Discover vulnerabilities in your app with AlphaScanner 🔒

Try it free!Blog CTA Top ShapeBlog CTA Top Shape
Pro Tip Image

Pro-tip

Related article:

Related article:

Related article: