Class 2 ‐ Network Scanning - Justin-Boyd/Ethical-Hacking-Class GitHub Wiki
Network Scanning Definition
Network Scanning
- A crucial reconnaissance step.
- Mapping the network structure.
- Collecting crucial information about a network.
- Identifying devices on the network.
- Gathering as much as possible intelligence is essential to identify vulnerabilities and weaponize accordingly.
Scan Discovery Benefits
- Services
- Hosts
- Fingerprints
- Open Ports
- By scanning a network, an attacker can identify its structure and vulnerabilities.
Nmap Overview
Nmap Tool
- Network Mapper
- Flexible scanning tool.
- Can monitor host or service uptime.
- Uses raw IP packets.
- Can use scripts.
- A free open-source utility for network discovery and security auditing.
Nmap
- Used to craft network packets.
- Can be used to scan entire networks.
- Different scans reveal different types of network-related information.
TCP Flags
-
SYN - Starts synchronization for a new connection.
-
ACK - Acknowledges data reception.
-
PSH - Instructs to send the buffered data.
-
URG - Indicates an urgent packet that needs to be processed immediately.
-
RST - Disconnects upon an error.
-
FIN - Marks the end of communication.
-
It is important to understand TCP flags for a better understanding of how NMAP works.
Nmap Scanning Types
Scan Types
- Half Open
- Connect
- FIN Scan
- UDP Scan
- Note that these are not the only Nmap methods that perform scans. Nmap includes other scan types as well.
Command Flags
$ nmap [flag] [param] [IP address]
- -sT - Full TCP scan
- -p - Scan for specific ports
- -6 - Enable IPV6 scan
- -O - Enable OS detection
- -sU - UDP port scan
- -Pn - Don’t check if the host is up via ping
- -sS - Enable ‘stealth‘ scan
- In the case of a SYN request, if the answer is RST, the host is up but the port is closed. If the port is open, the answer will be SYN-ACK.
Fingerprinting
- Nmap can perform fingerprinting to detect services.
- Uses the same scanning types as those mentioned previously.
Nmap Fingerprinting
- Nmap can identify specific versions.
- It can intercept and analyze special crafted objects to expose information about a service.
- Nmap can also perform OS detection.
Filtered Ports
- If a conclusive answer cannot be determined, it will be considered filtered.
- If there is no response from a port, it will be considered filtered.
Firewall & IDS Evasion
- Proxies
- Timing -T flag
- Fragmentation -f flag
- Decoys -D flag
- Nmap has other functionalities that can help attackers bypass firewalls and IDS.
Nmap Scripting Engine
- Powerful and flexible features.
- Can work with automation.
- Uses scripts to execute scans.
- Located at /usr/share/nmap/scripts/
NSE Utilization
- NSE web server enumeration.
- Scripts can be run using: --script <filename / category>
- Nmap --script -help provides information to help use a script properly.
Script Run Control
- Prerule
- Hostrule
- Portrule
- Postrule
- Rules that determine when a script will run are defined in the script’s file.
Additional Tools
Netdiscover Overview
- Uses the Address Resolution Protocol.
- Dedicated to networks without DHCP.
- Sends ARP requests over the network.
- Sniffs ARP replies.
Netdiscover
- Netdiscover displays sniffed IP and MAC addresses.
- It starts an active ARP scan to identify live hosts.
- It can also identify the host vendor by analyzing the MAC address.
Masscan Overview
- Internet scale scans.
- Can send 10 million packets per second.
- Uses asynchronous transmission.
- Considered a less reliable scanner.
Masscan
- Masscan performs large scale scans on thousands of IPs in seconds.
- Mainly used for macro scans of large networks.
Zenmap Overview
- Nmap’s GUI version.
- Has the same functionality as Nmap.
- Easy to use for beginners.
- Scans can be saved as profiles for reuse.
Zenmap
- Zenmap has several preconfigured scan options.
- It enables creation of customized profile scans.
- It features visualization presentations of topologies and host details.