After footprinting and reconnaissance, scanning is the second phase of information gathering that hackers use to size up a network. Scanning is where they dive deeper into the system to look for valuable data and services in a specific IP address range.
In the scanning phase we identify live systems, open ports, services and operating systems, and perform network and vulnerability scans.
Types of scanning
The Transmission Control Protocol (TCP) was designed for reliable communication. It is used by a wide variety of protocols on the Internet and provides reliable communication with the help of the three-way handshake.
Before understanding how port scanning works, we need to understand how the TCP three-way
◾ The first host sends a SYN packet to the second host.
◾ The second host responds with a SYN/ACK packet, indicating that the packet was received.
◾ The first host completes the connection by sending an acknowledgment (ACK) packet.
SYN—Initiates a connection.
ACK—Acknowledges that the packet was received.
RST—Resets the connection between two hosts.
FIN—Finishes the connection.
Port Status Types
With nmap you would see one of four port status types:
Open—It means that the port is accessible and an application is listening on it.
Closed—It means that the port is inaccessible and no application is listening on it.
Filtered—It means that nmap is not able to figure out whether the port is open or closed, because the packets are being filtered, which probably means that the machine is behind a firewall.
Unfiltered—It means that the port is accessible to nmap but it is not possible to figure out whether it is open or closed.
TCP SYN Scan
The TCP SYN scan is the default scan that nmap runs against the target machine, and it is the fastest scan. You can make it even faster by using the -n option, which tells nmap to skip DNS resolution.
◾ The source machine sends a SYN packet to port 80 on the destination machine.
◾ If the machine responds with a SYN/ACK packet, nmap knows that this port is open on the target machine.
◾ The source machine's operating system then sends a RST (reset) packet to tear down the half-open connection, since we already know that the port is open.
◾ If there is no response from the destination after the SYN packet is sent, nmap marks the port as filtered.
◾ If the target machine answers the SYN packet with a RST packet, nmap knows that the port is closed.
Command: The syntax for the TCP SYN scan is as follows:
nmap -sS <target IP>
TCP Connect Scan
The TCP connect scan is similar to the SYN scan, with the difference that it completes the three-way handshake. The TCP connect scan becomes the default scan when the SYN scan is not supported on the scanning machine; a common reason is that the user does not have the privileges needed to create raw packets.
◾ The source machine sends a SYN packet to port 80.
◾ The destination machine responds with a SYN/ACK.
◾ The source machine then sends an ACK packet to complete the three-way handshake.
◾ The source machine finally sends a RST packet in order to close the connection.
NULL, FIN, and XMAS Scans
NULL, FIN and XMAS scans are similar to each other. Their major advantage in a pentest is that they often get past firewalls and IDS, and they can be very useful against Unix-based operating systems. Their first disadvantage is that none of the three works against Windows-based operating systems, because Windows sends a reset packet regardless of whether the port is open or closed. The second disadvantage is that they cannot determine exactly whether a port is open or filtered, which leaves us to verify it manually with other scan types.
A null scan is performed by sending a TCP packet with no flags set in the TCP header. If no response comes, it means that the port is open; if a RST packet is received, it means that the port is closed.
nmap -sN <target IP address>
The FIN flag is normally used to close an open session. In a FIN scan the sender sends a packet with only the FIN flag set to the target machine: if no response comes from the target machine, it means that the port is open; if the target machine responds with a RST, it means that the port is closed.
nmap -sF <target IP address>
The XMAS scan sends a packet with the FIN, URG and PUSH flags all set to the destination. The packet is lit up like a Christmas tree, which is why it is called an XMAS scan. It works just like the FIN and null scans: if there is no response, the port is open; if the target machine responds with a RST packet, the port is closed.
nmap -sX <target IP address>
TCP ACK Scan
TCP ACK + Port 6969
The TCP ACK scan is not used to find open ports. It is commonly used to map firewall and ACL (access control list) rules and to determine whether the firewall is stateful, that is, whether it keeps track of the connections being made.
The way this works is that the source machine sends an ACK packet instead of a SYN packet. If the firewall is stateful, it knows that no SYN packet was sent for this connection and will not allow the packet to reach the destination.
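Seen from the defending side, the SYN, NULL/FIN/XMAS and ACK probes described above each leave a distinctive flag pattern in firewall logs. The detector below is an added example, not code from these notes or from nmap; it runs over a constructed log excerpt whose line format is assumed, and flags SYN sweeps across many ports, NULL/FIN/XMAS probes, and ACKs that a stateful firewall would see with no preceding SYN.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the page): one inbound TCP packet per line;
# "flags=" lists the set TCP flags (S=SYN, A=ACK, F=FIN, P=PSH, U=URG; empty = none).
SAMPLE_LOG = """\
10.0.0.5 -> 192.168.0.1:22 flags=S
10.0.0.5 -> 192.168.0.1:80 flags=S
10.0.0.5 -> 192.168.0.1:443 flags=S
10.0.0.5 -> 192.168.0.1:3389 flags=S
10.0.0.5 -> 192.168.0.1:8080 flags=S
10.0.0.7 -> 192.168.0.1:22 flags=
10.0.0.7 -> 192.168.0.1:80 flags=FPU
10.0.0.7 -> 192.168.0.1:443 flags=F
10.0.0.9 -> 192.168.0.1:6969 flags=A
10.0.0.9 -> 192.168.0.1:80 flags=A
10.0.0.20 -> 192.168.0.1:80 flags=S
10.0.0.20 -> 192.168.0.1:80 flags=A
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) flags=([A-Z]*)$")
PROBE_TYPES = {frozenset(): "NULL", frozenset("F"): "FIN", frozenset("FPU"): "XMAS",
               frozenset("A"): "ACK-only", frozenset("S"): "SYN"}
SYN_PORT_THRESHOLD = 5  # distinct ports probed with a bare SYN by one source

def classify_flags(flags):
    """Map a TCP flag string to the probe type the text describes ("other" if none match)."""
    return PROBE_TYPES.get(frozenset(flags), "other")

def detect_scans(log_text):
    """Return {source IP: sorted findings}; sources with no findings are omitted."""
    syn_ports = defaultdict(set)   # ports each source has sent a SYN to
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _dst, port, flags = m.groups()
        kind = classify_flags(flags)
        if kind in ("NULL", "FIN", "XMAS"):
            findings[src].add(f"{kind} probe to port {port}")
        elif kind == "SYN":
            syn_ports[src].add(port)
        elif kind == "ACK-only" and port not in syn_ports[src]:
            # ACK with no earlier SYN from this source: what a stateful firewall sees in an ACK scan
            findings[src].add(f"ACK without SYN to port {port}")
    for src, ports in syn_ports.items():
        if len(ports) >= SYN_PORT_THRESHOLD:
            findings[src].add(f"SYN sweep of {len(ports)} ports")
    return {src: sorted(v) for src, v in findings.items()}
```

The normal client at 10.0.0.20 (SYN then ACK on the same port) produces no finding, which is the point of tracking SYNs per source before judging an ACK.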
The IDLE scan is a very effective and stealthy scanning technique. The idea behind the IDLE scan is to use a zombie host to scan another host. The technique is stealthy because the victim host receives packets from the zombie host and not from the attacker's host, so the victim cannot determine where the scan originated.
However, there are some prerequisites for launching the idle scan, which are as follows:
1. Finding a good candidate (the zombie) whose IP ID sequence is incremental, and recording its IP ID.
2. The zombie host should be idle on the network.
ICMP – The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.
# ping 192.168.0.1
A traceroute uses the TTL (time to live) field of the IP header: it sends successive packets with an incrementing TTL in order to discover the path to the target system. The TTL value is decreased by one at every hop on the network (i.e. router to server is one hop).
There are three different types of traceroutes:
1. ICMP traceroute (used by Windows by default)
2. TCP traceroute
3. UDP traceroute
Microsoft Windows uses ICMP traceroute by default; however, after a few hops you may get timeouts, which indicates that a device such as an IDS or a firewall might be blocking ICMP.
From this image you can see that the ICMP echo requests time out after seven requests.
Many devices are configured to block ICMP traceroutes. This is where we try TCP or UDP traceroutes, also known as layer 4 traceroutes. TCP traceroute is available by default in BackTrack as well as Kali Linux; if it is missing, install it with the following command:
# apt-get install tcptraceroute
From the command line, issue the following command:
# tcptraceroute www.google.com
Linux also has a traceroute utility, but unlike Windows it uses the UDP protocol for the traceroute.
In Windows, the command for traceroute is "tracert". In Linux, it is "traceroute".
Tools for scanning
SuperScan 3.0 – Windows-based tool to gather information about targets on the network.
Angry IP Scanner – available for both Linux and Windows.
NMAP – used to identify a target server's OS, open ports, services and vulnerabilities.
Zenmap – graphical version of Nmap.
To see your gateway IP in a Kali Linux terminal: # route -n
To check open ports on your server: # netstat -an
# netstat -ano – gives the list of ports together with the PID (process ID) owning each one.
Use Task Manager to terminate the process (PID) behind any port that is establishing unnecessary connections.
Scanning your target network through NMAP
The timing technique is one of the best techniques to evade firewalls/IDS. The idea behind this technique is to send the packets gradually, so that they do not get detected by firewalls/IDS. In nmap we launch a timing scan by specifying the -T option followed by a number from 0 to 5; increasing the value from T0 to T5 increases the speed of the scan.
Open a terminal in Kali Linux and follow these steps to perform the scanning:
# nmap --help (to check the other options of nmap)
# nmap -A -T4 -r 192.168.0.1/24
# nmap -A -T4 -r 192.168.0.1/24 -D <local IP (attacker IP)>
# nmap -A -T4 -r 192.168.0.1/24 -oG <name of the file>
# nmap -A -T4 -r 192.168.0.1/24 > <name of the file>
-D hides your IP from detection by the IDS on the victim's PC.
-oG <name of the file> writes the scan output to a file (in nmap's grepable format) after scanning.
> redirects the output to the specified file.
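The -oG (grepable) output file is what a defender would feed into an inventory check. The parser below is an added example, not code from these notes or from nmap; it reads a constructed -oG excerpt (labelled as such in the code), extracts each host's port/state/service/version fields, and reports open ports that are not on a per-host allow-list.

```python
import re

# Constructed sample of nmap grepable (-oG) output, not taken from the page.
SAMPLE_OG = """\
# Nmap 7.80 scan initiated as: nmap -sS -oG scan.gnmap 192.168.0.1/24
Host: 192.168.0.1 (router.lan)\tStatus: Up
Host: 192.168.0.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, 80/open/tcp//http//nginx/, 23/filtered/tcp//telnet///\tIgnored State: closed (997)
Host: 192.168.0.12 ()\tStatus: Up
Host: 192.168.0.12 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 30.00 seconds
"""

# "Host: <ip> (<name>)" followed by tab-separated fields (Status, Ports, Ignored State)
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, state, proto, service, version), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                # each entry is port/state/proto/owner/service/rpc/version/
                parts = item.split("/")
                if len(parts) < 7:
                    continue
                entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts

def unexpected_open(hosts, allowlist):
    """Open ports not on the per-host allow-list: the exposures a defender should chase first."""
    out = []
    for ip, info in sorted(hosts.items()):
        for port, state, _proto, service, _version in info["ports"]:
            if state == "open" and port not in allowlist.get(ip, set()):
                out.append((ip, port, service))
    return out

if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_OG)
    for ip, port, service in unexpected_open(found, {"192.168.0.1": {22, 80}}):
        print(f"unexpected open port on {ip}: {port}/{service}")
```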
For scanning purposes we target the gateway IP of the target network, which is mainly the router.
We can also use Nmap scripts to scan our network; there are different types of scripts for network or host scanning. In Kali Linux the Nmap scripts are located in the /usr/share/nmap/scripts directory.
You can also search for them with the locate command: # locate *.nse (the * matches any script name; .nse is the extension of Nmap scripts).
Advanced Network Technique
Nessus – a proprietary vulnerability scanner developed by Tenable Network Security.
https://www.tenable.com/products/nessus-home – to register for the Nessus Home edition.
To install Nessus on Kali Linux follow these commands:
# dpkg -i <path of the Nessus Debian package>
# /etc/init.d/nessusd start – starts the Nessus scanner (start/status/stop are the available actions)
Then go to https://DarkLucifer:8834/ (DarkLucifer is the hostname of the machine running Nessus; use your own) to configure your scanner.
To check whether the target network has a firewall between the host and the server, we use hping3 in Kali Linux to inspect the traffic.
# traceroute – used to see where the traffic is coming from, to analyze the flow of traffic on the network, or to detect a firewall in the network.
If the firewall of the target is blocking the scan, we can try hping3 to check the ports we are interested in:
# hping3 --scan 80,443 -S -t 11 <HOST>
-S sends SYN packets (SYN scan)
-t 11 sets the TTL value of the packets
--scan specifies the ports to scan
PING – Ping is a basic Internet program that allows a user to verify that a particular IP address exists and can accept requests.