Week 2: Notes - morgan-hanrahan/Tech-Journal GitHub Wiki

Active Recon Scanning

Scanning Goals

Looking for specific systems and applications to target

  • Find live hosts on the network
    • ICMP (ping) and/or TCP/UDP network scans
    • Doesn't always work: a host may not respond to the ping because of its firewall rules
  • Find open ports on those live hosts
    • TCP/UDP host port scans
    • There are 65,535 ports available for TCP/UDP
    • Binding (listening on) ports below 1,000 requires root privileges
  • Gather additional information on IPS/IDS and firewalls

Finding Live Hosts: ICMP and Ping

  • ICMP - Internet Control Message Protocol
    • Layer 4 protocol - carried over IP
    • Health and maintenance protocol
    • Not intended to carry user data
  • Ping (ICMP echo request/reply) is the most commonly used ICMP tool

NMAP Default Scan

  • NMAP does discovery with
    • an ICMP echo request
    • a TCP SYN packet to port 443
    • a TCP ACK packet to port 80
    • and an ICMP timestamp request
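As an added example (not part of the original notes), here is a small detector written from the defender's side that looks for the four default Nmap host-discovery probes listed above arriving from one source at one destination within a short window. The packet records are a constructed, simplified dict representation rather than a real capture format, and the `WINDOW_SECONDS` threshold is an assumed value, not something Nmap or the notes define.

```python
"""Flag sources that send Nmap's four default host-discovery probes.

Added example for the notes above; not taken from Nmap or from the
course material. Packet records are constructed dicts, not a real
capture format.
"""
from collections import defaultdict

# The four probes Nmap's default (privileged) host discovery sends:
# (protocol, ICMP type, TCP flags, TCP destination port)
NMAP_DISCOVERY_PROBES = {
    ("icmp", 8, None, None),    # ICMP echo request (type 8)
    ("tcp", None, "SYN", 443),  # TCP SYN to port 443
    ("tcp", None, "ACK", 80),   # TCP ACK to port 80
    ("icmp", 13, None, None),   # ICMP timestamp request (type 13)
}

# Assumed threshold: the probes of one sweep arrive almost simultaneously.
WINDOW_SECONDS = 2.0


def probe_signature(pkt):
    """Map a packet record to a (proto, icmp_type, flags, dport) tuple, or None."""
    if pkt["proto"] == "icmp":
        return ("icmp", pkt["icmp_type"], None, None)
    if pkt["proto"] == "tcp":
        return ("tcp", None, pkt["flags"], pkt["dport"])
    return None  # other protocols are not part of the default probe set


def find_discovery_sweeps(packets, window=WINDOW_SECONDS):
    """Return sorted (src, dst) pairs for which all four default probes
    were seen within `window` seconds of each other."""
    seen = defaultdict(list)  # (src, dst) -> [(timestamp, signature), ...]
    for pkt in packets:
        sig = probe_signature(pkt)
        if sig in NMAP_DISCOVERY_PROBES:
            seen[(pkt["src"], pkt["dst"])].append((pkt["ts"], sig))

    hits = set()
    for pair, events in seen.items():
        events.sort()
        # Sliding window: starting at each probe, collect the distinct
        # probe types that follow it within the window.
        for i, (t0, _) in enumerate(events):
            sigs = {sig for t, sig in events[i:] if t - t0 <= window}
            if sigs == NMAP_DISCOVERY_PROBES:
                hits.add(pair)
                break
    return sorted(hits)


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    # A full default-discovery sweep from 10.0.0.5 against 10.0.0.20.
    {"ts": 100.00, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "icmp", "icmp_type": 8},
    {"ts": 100.01, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "flags": "SYN", "dport": 443},
    {"ts": 100.01, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "flags": "ACK", "dport": 80},
    {"ts": 100.02, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "icmp", "icmp_type": 13},
    # An ordinary ping and an ordinary HTTPS connection from a workstation:
    # only two of the four probe types, so not flagged.
    {"ts": 101.00, "src": "10.0.0.9", "dst": "10.0.0.20", "proto": "icmp", "icmp_type": 8},
    {"ts": 102.00, "src": "10.0.0.9", "dst": "10.0.0.20", "proto": "tcp", "flags": "SYN", "dport": 443},
    # All four probe types, but spread over minutes: outside the window.
    {"ts": 200.0, "src": "10.0.0.7", "dst": "10.0.0.21", "proto": "icmp", "icmp_type": 8},
    {"ts": 260.0, "src": "10.0.0.7", "dst": "10.0.0.21", "proto": "tcp", "flags": "SYN", "dport": 443},
    {"ts": 320.0, "src": "10.0.0.7", "dst": "10.0.0.21", "proto": "tcp", "flags": "ACK", "dport": 80},
    {"ts": 380.0, "src": "10.0.0.7", "dst": "10.0.0.21", "proto": "icmp", "icmp_type": 13},
]

if __name__ == "__main__":
    for src, dst in find_discovery_sweeps(SAMPLE_PACKETS):
        print(f"possible Nmap default host-discovery sweep: {src} -> {dst}")
```

Requiring all four probe types inside a tight window keeps a lone ping or a normal HTTPS connection from being flagged; widening the window trades fewer misses for more false positives, which is why the threshold is left as a parameter. Note that against targets on the same Ethernet segment Nmap uses ARP requests for discovery instead, so this IP-level pattern is what you would expect to see for targets reached across a router.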