Scanning
Akhil Reddy
Network Scanning
• Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network.
• Network scanning is one of the components of intelligence gathering which can be used by an attacker to create a profile of the target organization.
Objectives of Network Scanning
• To discover live hosts, IP addresses, and open ports of live hosts
• To discover operating systems and system architecture
• To discover services running on hosts
• To discover vulnerabilities in live hosts
Types of Scanning
• Port Scanning – Lists the open ports and services. Port scanning is the process of checking the services running
on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves
connecting to or probing TCP and UDP ports of the target system to determine whether the services are running
or are in a listening state. The listening state provides information about the OS and the application currently in
use. Sometimes, active services that are listening may allow unauthorized users to misconfigure systems or to
run software with vulnerabilities.
• Network Scanning – Lists the active hosts and IP addresses. Network scanning is a procedure for identifying
active hosts on a network, either to attack them or assess the security of the network.
• Vulnerability Scanning – Shows the presence of known weaknesses. Vulnerability scanning is a method for
checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a
scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and
common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or
directory traversal exploits. The scanning engine maintains logic for reading the exploit list, transferring the
request to the web server, and analyzing the requests to ensure the safety of the server. These tools generally
target vulnerabilities that secure host configurations can fix easily through updated security patches and a clean
web document.
TCP Communication Flags
The following are the TCP communication flags:
• Synchronize or “SYN”: It notifies the transmission of a new sequence number. This flag generally represents the
establishment of a connection (three-way handshake) between two hosts.
• Acknowledgement or “ACK”: It confirms the receipt of the transmission and identifies the next expected
sequence number. When the system successfully receives a packet, it sets the value of its flag to “1,” thus
implying that the receiver should pay attention to it.
• Push or “PSH”: When it is set to “1,” it indicates that the sender has raised the push operation to the receiver;
this implies that the remote system should inform the receiving application about the buffered data coming from
the sender. The system raises the PSH flag at the start and end of data transfer and sets it on the last segment of a
file to prevent buffer deadlocks.
• Urgent or “URG”: It instructs the system to process the data contained in packets as soon as possible. When the
system sets the flag to “1,” priority is given to processing the urgent data first and all the other data processing is
stopped.
• Finish or “FIN”: It is set to “1” to announce that no more transmissions will be sent to the remote system and the
connection established by the SYN flag is terminated.
• Reset or “RST”: When there is an error in the current connection, this flag is set to “1” and the connection is
aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.
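The flag bits above are what a sensor reads to recognise a port scan. The following added example (not from the slides) parses the flags out of a raw TCP header and flags sources that send bare SYNs (SYN set, ACK clear) to many distinct ports on one host; the sample headers and addresses are constructed.

```python
import struct
from collections import defaultdict

# TCP flag bits in header byte 13 (RFC 793); the CWR/ECE bits above them are ignored here
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def decode_flags(flag_byte: int) -> set:
    """Return the names of the six classic flags set in a TCP flags byte."""
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}

def parse_tcp_header(segment: bytes) -> dict:
    """Parse ports and flags from the fixed 20-byte TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", segment[:14])
    return {"sport": sport, "dport": dport, "flags": decode_flags(flags & 0x3F)}

def build_tcp_header(sport: int, dport: int, flag_byte: int) -> bytes:
    """Constructed 20-byte TCP header (zero seq/ack/checksum), used only as sample input."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_byte, 8192, 0, 0)

def syn_scan_sources(events, port_threshold: int = 10) -> dict:
    """Report (src, dst) pairs whose bare SYNs probed more than port_threshold distinct
    destination ports. events are (src_ip, dst_ip, tcp_header_bytes) tuples."""
    probed = defaultdict(set)
    for src, dst, raw in events:
        hdr = parse_tcp_header(raw)
        if "SYN" in hdr["flags"] and "ACK" not in hdr["flags"]:
            probed[(src, dst)].add(hdr["dport"])
    return {pair: len(ports) for pair, ports in probed.items() if len(ports) > port_threshold}

# Constructed sample traffic: one host sweeps 15 ports on a target, another host makes a
# normal connection to port 443 (SYN, then an ACK-bearing segment), and the target answers
# one closed port with RST.
SAMPLE_EVENTS = [("198.51.100.9", "192.0.2.20", build_tcp_header(40000 + p, p, 0x02))
                 for p in range(20, 35)]
SAMPLE_EVENTS += [("198.51.100.7", "192.0.2.20", build_tcp_header(51000, 443, 0x02)),
                  ("198.51.100.7", "192.0.2.20", build_tcp_header(51000, 443, 0x10)),
                  ("192.0.2.20", "198.51.100.9", build_tcp_header(22, 40022, 0x04))]

if __name__ == "__main__":
    for (src, dst), n in syn_scan_sources(SAMPLE_EVENTS).items():
        print(f"possible SYN scan: {src} -> {dst} probed {n} distinct ports")
```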
TCP/IP Communication
Scanning Tools
• Hping2/Hping3: Command line network scanning and packet crafting tool for the TCP/IP protocol.
• It can be used for network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, etc.
Syntax: # hping <options> <Target IP address>
Scanning Tools
• Zenmap: Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
• Nmap: Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
Port Scanning Techniques
• Port scanning techniques are further categorized as described below. This categorization is based on the
type of protocol used for communication in the network.
IDS/Firewall Evasion Techniques
Although firewalls and IDS can prevent malicious traffic (packets) from entering a network, attackers can send intended packets to the target that evade the IDS/firewall by implementing the following techniques:
▪ Packet Fragmentation: The attacker sends fragmented probe packets to the intended target, which reassembles the fragments after receiving all of them.
▪ Source Routing: The attacker specifies the routing path for the malformed packet to reach the intended target.
▪ Source Port Manipulation: The attacker replaces the actual source port with a common source port to evade the IDS/firewall.
▪ IP Address Decoy: The attacker generates or manually specifies IP addresses of decoys so that the IDS/firewall cannot determine the actual IP address.
▪ IP Address Spoofing: The attacker changes the source IP address so that the attack appears to be coming from someone else.
▪ Creating Custom Packets: The attacker sends custom packets to scan the intended target beyond the firewalls.
▪ Randomizing Host Order: The attacker scans the hosts in the target network in a random order to scan the intended target that lies beyond the firewall.
▪ Sending Bad Checksums: The attacker sends packets with bad or bogus TCP/UDP checksums to the intended target.
▪ Proxy Servers: The attacker uses a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions.
▪ Anonymizers: The attacker uses anonymizers, which allow them to bypass Internet censors and evade certain IDS and firewall rules.
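The defensive counterpart to the "Sending Bad Checksums" item above is a sensor that validates TCP/UDP checksums the same way the receiving stack does, so it neither alerts on nor trusts segments the target will silently drop. Added example, not from the slides: it implements the RFC 793/768 one's-complement checksum over the IPv4 pseudo header; the SYN test vector and addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                      # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo header covered by TCP (proto 6) and UDP (proto 17) checksums."""
    return (IPv4Address(src).packed + IPv4Address(dst).packed
            + struct.pack("!BBH", 0, proto, length))

def compute_checksum(src: str, dst: str, proto: int, segment: bytes) -> int:
    """Checksum for a segment whose checksum field currently holds zero."""
    covered = pseudo_header(src, dst, proto, len(segment)) + segment
    return (~ones_complement_sum(covered)) & 0xFFFF

def checksum_is_valid(src: str, dst: str, proto: int, segment: bytes) -> bool:
    """With the real checksum in place, pseudo header + segment must sum to 0xFFFF."""
    covered = pseudo_header(src, dst, proto, len(segment)) + segment
    return ones_complement_sum(covered) == 0xFFFF

def tcp_syn_segment(src: str, dst: str, sport: int, dport: int, corrupt: bool = False) -> bytes:
    """Constructed 20-byte TCP SYN test vector; corrupt=True flips bits of the checksum only,
    which is what a receiving stack would discard without any reply."""
    hdr = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0))
    csum = compute_checksum(src, dst, 6, bytes(hdr))
    struct.pack_into("!H", hdr, 16, (csum ^ 0x00FF) if corrupt else csum)
    return bytes(hdr)

if __name__ == "__main__":
    src, dst = "198.51.100.9", "192.0.2.20"
    for label, seg in (("good", tcp_syn_segment(src, dst, 40000, 80)),
                       ("corrupt", tcp_syn_segment(src, dst, 40000, 80, corrupt=True))):
        print(label, "checksum valid:", checksum_is_valid(src, dst, 6, seg))
```

For IPv4 UDP a zero checksum field means no checksum was computed, which this validator would reject; treat proto 17 with a zero field as "absent" before applying it to UDP.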
Scanning Tools for Mobile
Ping Sweep Tools
• Angry IP Scanner: Angry IP Scanner pings each IP address to check if any of these addresses are live. Then, it optionally resolves hostnames, determines the MAC address, scans ports, etc.
Proxy Chaining
Proxy chaining helps an attacker to increase his/her Internet anonymity. Internet anonymity depends on the number of proxies used for fetching the target application; the larger the number of proxy servers used, the greater is the attacker’s anonymity. The proxy chaining process is described below:
• The user requests a resource from the destination.
• A proxy client in the user’s system connects to a proxy server and passes the request to the proxy server.
• The proxy server strips the user’s identification information and passes the request to the next proxy server.
• This process is repeated by all the proxy servers in the chain.
• Finally, the unencrypted request is passed to the web server.
Ping Sweep Countermeasures
• Configure the firewall to detect and prevent ping sweep attempts instantaneously
• Use intrusion detection systems and intrusion prevention systems such as Snort (https://www.snort.org) to detect and prevent ping sweep attempts
• Carefully evaluate the type of ICMP traffic flowing through the enterprise networks
• Terminate the connection with any host that is performing more than 10 ICMP ECHO requests
• Use DMZ and allow only commands such as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED in DMZ Zone
• Limit the ICMP traffic with Access Control Lists (ACLs) to your ISP’s specific IP addresses
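The "more than 10 ICMP ECHO requests" rule above can be checked directly against firewall logs. The following added example (not from the slides) counts ICMP echo requests (type 8) per source over constructed netfilter-style LOG lines, ignoring echo replies and non-ICMP traffic, and returns the sources that exceed the slide's threshold.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log lines in netfilter (iptables/nftables LOG) style; TYPE=8 is an
# ICMP echo request, TYPE=0 an echo reply. One source sweeps twelve addresses, another
# sends two ordinary pings to a single host and then opens a TCP connection.
SAMPLE_LOG = [
    f"kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.{n} PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1"
    for n in range(1, 13)
] + [
    "kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
    "kernel: IN=eth0 SRC=192.0.2.5 DST=198.51.100.7 PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=1",
    "kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=2",
    "kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=443 SYN",
]

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=ICMP TYPE=(?P<type>\d+)")

def icmp_echo_requests(lines):
    """Yield (src, dst) for every ICMP echo request (type 8); other lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("type") == "8":
            yield m.group("src"), m.group("dst")

def ping_sweep_sources(lines, max_requests: int = 10) -> dict:
    """Return {src: (request_count, distinct_targets)} for sources that sent more than
    max_requests echo requests; the default threshold follows the slide's 10-request rule."""
    counts, targets = Counter(), defaultdict(set)
    for src, dst in icmp_echo_requests(lines):
        counts[src] += 1
        targets[src].add(dst)
    return {src: (n, len(targets[src])) for src, n in counts.items() if n > max_requests}

if __name__ == "__main__":
    for src, (n, hosts) in ping_sweep_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} echo requests to {hosts} hosts; candidate for blocking")
```

The distinct-target count separates a sweep (many hosts, one request each) from a single host being pinged repeatedly, which the raw count alone does not distinguish.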
Module Summary