Module: Scanning

After footprinting and reconnaissance, scanning is the second phase of information gathering that hackers use to size up a network. Scanning is where they dive deeper into the system to look for valuable data and services in a specific IP address range.

In the scanning phase we identify live systems, open ports, services and operating systems, and perform network and vulnerability scans.

Types of scanning

The Transmission Control Protocol (TCP) was made for reliable communication. It is used for a wide variety of protocols on the Internet and contributes toward reliable communication with the help of the three-way handshake.

Before understanding how port scanning works, we need to understand how the TCP three-way handshake works.
◾◾ The first host sends a SYN packet to the second host.

◾◾ The second host responds with a SYN/ACK packet; it indicates that the packet was received.

◾◾ The first host completes the connection by sending an acknowledgment packet.

TCP Flags

SYN—Initiates a connection.

ACK—Acknowledges that the packet was received.

RST—Resets the connections between two hosts.

FIN—Finishes the connection.

Port Status Types

With nmap you would see one of four port status types:

Open—It means that the port is accessible and an application is listening on it.

Closed—It means that the port is inaccessible and no application is listening on it.

Filtered—It means that nmap is not able to figure out if the port is open or closed, as the packets are being filtered, which probably means that the machine is behind a firewall.

Unfiltered—It means that the ports are accessible by nmap but it is not possible to figure out if they are open or closed.


TCP SYN Scan

The TCP SYN scan is the default scan that runs against the target machine. It is the fastest scan. You can tweak it to make it even faster by using the -n option, which tells nmap to skip the DNS resolution.

◾◾ The source machine sends a SYN packet to port 80 on the destination machine.

◾◾ If the machine responds with a SYN/ACK packet, Nmap would know that the particular port is open on the target machine.

◾◾ The operating system would send a RST (Reset) packet in order to close the connection, since we already know that the port is open.

◾◾ However, if there is no response from the destination after sending the SYN packet, nmap would know that the port is filtered.

◾◾ If you send a SYN packet and the target machine sends a RST packet, then nmap would know that the port is closed.

Command: The command/syntax for the TCP SYN scan is as follows:

nmap -sS <target IP>

TCP Connect Scan

The TCP connect scan is similar to the SYN scan, with a slight difference in that it completes the three-way handshake. The TCP connect scan becomes the default scan if the SYN scan is not supported on the machine. A common reason for that is that nmap is not running with the privileges needed to craft its own raw packets.

◾◾ The source machine sends a SYN packet at Port 80.

◾◾ The destination machine responds with a SYN/ACK.

◾◾ The source machine then sends an ACK packet to complete the three-way handshake.

◾◾ The source machine finally sends the RST packet in order to close the connection.
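The connect scan described above is exactly what an ordinary socket connect() does, so it can be demonstrated without raw packets or privileges. The following Python is an added example, not code from these notes: it starts its own listener on 127.0.0.1, then classifies that port and a port nothing listens on, using the same open/closed/filtered outcomes the notes describe. Function names are mine, and the only host touched is loopback.

```python
import socket
import threading

# Added example: a TCP connect scan against loopback only. The listener below is
# started by this script, so the "open" port is ours; no external host is touched.


def start_listener():
    """Open a TCP listener on an ephemeral 127.0.0.1 port and accept connections in the background.
    Returns (server_socket, port); closing the socket stops the listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return            # listener was closed
            conn.close()          # handshake is complete; drop the connection immediately

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def unused_port():
    """Find a port nothing listens on, so the scan has a known-closed port to classify."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()                   # released again: a SYN to it now gets a RST back
    return port


def connect_scan(host, port, timeout=1.0):
    """Classify one port with the same three outcomes nmap reports for a connect scan."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # the kernel performs SYN -> SYN/ACK -> ACK for us
        return "open"
    except ConnectionRefusedError:
        return "closed"           # the target answered our SYN with RST
    except socket.timeout:
        return "filtered"         # neither SYN/ACK nor RST: something dropped the probe
    finally:
        s.close()                 # tear the connection down, as nmap does after the handshake


def scan_ports(host, ports, timeout=1.0):
    """Scan several ports and return {port: state}."""
    return {p: connect_scan(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = unused_port()
    print(scan_ports("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

Because connect() completes the full handshake, the listening application sees a real connection (and typically logs it), which is why this scan is noisier than the half-open SYN scan.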

NULL, FIN, and XMAS Scans

NULL, FIN, and XMAS scans are similar to each other. The major advantage of using these scans in a pentest is that many times they get past firewalls and IDS, and they can be really beneficial against Unix-based operating systems. The first disadvantage is that none of the three works against Windows-based operating systems, because Windows sends a reset packet regardless of whether the port is open or closed. The second disadvantage is that it cannot be exactly determined whether the port is open or filtered. This leaves us to verify it manually with other scan types.


NULL Scan

A null scan is accomplished by sending no flags/bits inside the TCP header. If no response comes, it means that the port is open; if a RST packet is received, it means that the port is closed or filtered.

nmap -sN <target IP address>

FIN Scan

A FIN flag is used to close a currently open session. In a FIN scan the sender sends a FIN flag to the target machine: if no response comes from the target machine, it means that the port is open; if the target machine responds with a RST, it means that the port is closed.

nmap -sF <target IP address>


XMAS Scan

The XMAS scan sends a combination of the FIN, URG, and PUSH flags to the destination. It lights the packet up just like a Christmas tree, and that is why it is called an XMAS scan. It works just like the FIN and null scans. If there is no response, the port is open; if the target machine responds with a RST packet, the port is closed.

nmap -sX <target IP address>


TCP ACK + Port 6969

The TCP ACK scan is not used for port scanning purposes. It is commonly used to determine the firewall and ACL (access list) rules and whether the firewall is able to keep track of the connections that are being made.

The way this works is that the source machine sends an acknowledgment (ACK) packet instead of a SYN packet. If the firewall is stateful, it would know that no SYN packet was sent beforehand and will not allow the packet to reach the destination.
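To make the decision rules of the SYN, NULL, FIN, XMAS and ACK sections concrete, here is an added Python example (not from these notes, and not a packet-level scanner): classify() maps each probe type and reply to the state nmap would report, and model_target() is a constructed model of how a target answers, including the Windows behaviour of resetting NULL/FIN/XMAS probes regardless of port state and a stateful firewall dropping the unsolicited ACK. The names, the state strings and the firewall simplification are my assumptions.

```python
from enum import Enum

# Added example: the decision rules from the notes written out as code, plus a
# constructed model of a target's replies. No packets are sent.


class Scan(Enum):
    SYN = "SYN"
    NULL = "NULL"
    FIN = "FIN"
    XMAS = "XMAS"
    ACK = "ACK"


# Flags carried by each probe type.
PROBE_FLAGS = {
    Scan.SYN: frozenset({"SYN"}),
    Scan.NULL: frozenset(),                       # no flags at all
    Scan.FIN: frozenset({"FIN"}),
    Scan.XMAS: frozenset({"FIN", "PSH", "URG"}),  # "lit up like a Christmas tree"
    Scan.ACK: frozenset({"ACK"}),
}


def classify(scan, reply):
    """Map (probe type, reply) to the port state a scanner would report.
    reply is a frozenset of TCP flags in the answer, or None if nothing came back."""
    if scan is Scan.SYN:
        if reply is None:
            return "filtered"               # probe dropped on the way
        if {"SYN", "ACK"} <= reply:
            return "open"                   # target accepted the handshake
        if "RST" in reply:
            return "closed"
    elif scan in (Scan.NULL, Scan.FIN, Scan.XMAS):
        if reply is None:
            return "open|filtered"          # silence is ambiguous for these probes
        if "RST" in reply:
            return "closed"
    elif scan is Scan.ACK:
        if reply is None:
            return "filtered"               # a stateful firewall dropped the unsolicited ACK
        if "RST" in reply:
            return "unfiltered"             # the ACK reached a host, but open/closed stays unknown
    return "unknown"


def model_target(scan, port_open, stateful_firewall=False, windows=False):
    """Constructed model of a target's reply, following the behaviour described in the notes.
    Simplification: the modelled firewall lets SYN probes through and drops everything else."""
    flags = PROBE_FLAGS[scan]
    if stateful_firewall and "SYN" not in flags:
        return None                         # packet belongs to no tracked connection: dropped
    if "SYN" in flags:
        return frozenset({"SYN", "ACK"}) if port_open else frozenset({"RST"})
    if "ACK" in flags:
        return frozenset({"RST"})           # an unexpected ACK is answered with RST
    # NULL, FIN and XMAS probes
    if windows:
        return frozenset({"RST"})           # Windows resets regardless of port state
    return None if port_open else frozenset({"RST"})


def scan_report(port_open, stateful_firewall=False, windows=False):
    """Run every probe type through the model and return {scan name: reported state}."""
    return {
        scan.value: classify(scan, model_target(scan, port_open, stateful_firewall, windows))
        for scan in Scan
    }


if __name__ == "__main__":
    print("Unix, port open:      ", scan_report(True))
    print("Windows, port open:   ", scan_report(True, windows=True))
    print("Behind stateful FW:   ", scan_report(True, stateful_firewall=True))
```

Running the three reports side by side shows the point of the notes: against Windows every NULL/FIN/XMAS probe comes back "closed" whatever the real state, and the ACK probe distinguishes a stateful firewall ("filtered") from a plain packet filter or no filter at all ("unfiltered").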


IDLE Scan

The IDLE scan is a very effective and stealthy scanning technique. The idea behind the IDLE scan is to use a zombie host to scan another host. This technique is stealthy because the victim host would receive packets from the zombie host and not from the attacker's host. In this way, the victim would not be able to figure out where the scan originated.

However, there are some prerequisites for launching the idle scan, which are as follows:

1. Finding a good candidate whose IP ID sequence is incremental and recording its IP ID.

2. The host should be IDLE on the network.
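Prerequisite 1 is about the zombie's IP ID counter. The following Python is an added example, not part of these notes: classify_ipid_sequence() judges from a few sampled IP ID values whether a host's counter is predictable, which is exactly what a defender wants to confirm their own hosts are not, and idle_scan_state() shows why an incremental counter leaks the target's port state. The thresholds and function names are my assumptions, not nmap's exact heuristics.

```python
# Added example around the idle-scan prerequisites. Thresholds are assumed, not nmap's.


def _deltas(values):
    """Differences between consecutive 16-bit IP ID values, with wrap-around handled."""
    return [(b - a) % 65536 for a, b in zip(values, values[1:])]


def classify_ipid_sequence(ids, max_step=10):
    """Classify a run of IP ID values sampled from one host.
    Returns one of: "all zeros", "constant", "incremental",
    "broken little-endian incremental", "random"."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "all zeros"                      # host does not use the field at all
    deltas = _deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= max_step for d in deltas):
        return "incremental"                    # one global counter: every packet sent bumps it
    # Some stacks increment the counter in host byte order, so on the wire the
    # low byte comes first and the sequence looks like steps of 256.
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    if all(0 < d <= max_step for d in _deltas(swapped)):
        return "broken little-endian incremental"
    return "random"


def idle_scan_state(ipid_before, ipid_after):
    """Infer the probed port's state from how far an incremental zombie's IP ID moved
    between two probes of the zombie. The zombie's reply to our own probe accounts for +1;
    one extra packet (+2 in total) means the zombie also sent a RST, which happens when the
    target answered the SYN carrying the zombie's address with SYN/ACK, i.e. the port was open."""
    delta = (ipid_after - ipid_before) % 65536
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "inconclusive"                       # zombie was not idle, or counter not incremental


if __name__ == "__main__":
    print(classify_ipid_sequence([4101, 4102, 4103, 4104]))   # incremental
    print(classify_ipid_sequence([0, 0, 0, 0]))               # all zeros
    print(idle_scan_state(4104, 4106))                        # open
```

A host that classifies as "random" or "all zeros" cannot serve as a zombie, which is the mitigation: modern stacks randomize or zero the IP ID precisely so that a third party's traffic cannot be counted through it.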

ICMP – The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.

# ping

A traceroute uses the TTL (time to live) field of the IP header: it sends packets with increasing TTL values in order to determine where the system is. The time to live value decreases by one every time the packet reaches a hop on the network (i.e. router to server is one hop).

There are three different types of traceroutes:

1. ICMP traceroute (which is used in Windows by default)

2. TCP traceroute

3. UDP traceroute

ICMP Traceroute

Microsoft Windows by default uses ICMP traceroute; however, after a few hops, you will get a timeout, which indicates that there might be a device like an IDS or firewall that is blocking ICMP echo requests.

From this image you can see that the ICMP echo requests timed out after seven requests.

TCP Traceroute

Many devices are configured to block ICMP traceroutes. This is where we try TCP or UDP traceroutes, also known as layer 4 traceroutes. TCP traceroute is available by default in BackTrack as well as Kali Linux. To install it, just use the following command:

# apt-get install tcptraceroute

From the command line, you would then issue the following command:

# tcptraceroute

UDP Traceroute

Linux also has a traceroute utility, but unlike Windows, it uses the UDP protocol for the traceroute.

In Windows, the command for traceroute is “tracert”. In Linux, it is “traceroute”.



Tools for scanning

SuperScan 3.0 – Windows-based tool to gather information about the targets on the network you want to scan.

Angry IP Scanner – available for both Linux and Windows.

NMAP – tool used to identify details of the target server such as the OS, open ports, services, and vulnerabilities of the individual server.

Zenmap – graphical version of Nmap.

To see your gateway IP in a terminal on Kali Linux – # route -n

To check open ports on your server – # netstat -an

# netstat -ano – gives the list of ports and PIDs (process IDs)

Through Task Manager you can terminate any PID that is holding a port open for an unnecessary connection.

Scanning your target network through NMAP

Timing Technique

The timing technique is one of the best techniques to evade firewalls/IDS. The idea behind this technique is to send the packets gradually, so they do not end up being detected by firewalls/IDS. In nmap we can launch a timing scan by specifying the -T option followed by a number ranging from 0 to 5. Increasing the value from T0 to T5 increases the speed of the scan.

◾◾ T0—Paranoid

◾◾ T1—Sneaky

◾◾ T2—Polite

◾◾ T3—Normal

◾◾ T4—Aggressive

◾◾ T5—Insane

Open a terminal in Kali Linux and follow these steps to perform scanning:

# nmap --help (to check the other options of Nmap)

# nmap -A -T4 -r <target IP>

# nmap -A -T4 -r -D <decoy IP> <target IP>

# nmap -A -T4 -r -oG <name of the file> <target IP>

# nmap -A -T4 -r <target IP> > <name of the file>

-D <decoy IP> mixes decoy addresses into the scan so that your own IP is hidden from the IDS of the victim's PC.

-oG <name of the file> creates a file after scanning to store the output data.

> redirects the output to the named file.

For scanning purposes, we mainly target the gateway IP of the target network, i.e. the router.
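Since -oG exists to produce output that other tools can grep, here is an added Python parser (not from these notes) for that grepable format, run over a constructed sample rather than a real scan. It returns the open ports per live host, which is the list a defender compares against what is supposed to be exposed. The sample values and function names are mine.

```python
import re

# Added example: parser for nmap's grepable (-oG) output. The sample below is
# constructed to look like -oG output; it is not from a real scan.
# A Ports entry has "/"-separated fields: port/state/protocol/owner/service/rpcinfo/version.

SAMPLE_GNMAP = """# Nmap 7.94 scan initiated Mon Jun  3 10:00:00 2024 as: nmap -sS -sV -oG scan.gnmap 192.0.2.0/30
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)
Host: 192.0.2.2 (printer.example)\tStatus: Up
Host: 192.0.2.2 (printer.example)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
Host: 192.0.2.3 ()\tStatus: Down
# Nmap done at Mon Jun  3 10:00:09 2024 -- 4 IP addresses (2 hosts up) scanned in 9.12 seconds
"""

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")


def parse_ports_field(value):
    """Turn the comma-separated Ports value into a list of dicts."""
    ports = []
    for entry in value.split(", "):
        parts = entry.split("/")
        ports.append({
            "port": int(parts[0]),
            "state": parts[1],
            "proto": parts[2],
            "service": parts[4],
            "version": parts[6],
        })
    return ports


def parse_gnmap(text):
    """Parse -oG output into {ip: {"hostname", "status", "ports"}}.
    Host lines are tab-separated: a 'Host:' field followed by Status/Ports/Ignored State fields."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                     # skip the '# Nmap ...' header and footer lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                entry["ports"].extend(parse_ports_field(value))
    return hosts


def open_ports(hosts):
    """{ip: sorted open port numbers} for hosts that were up."""
    return {
        ip: sorted(p["port"] for p in h["ports"] if p["state"] == "open")
        for ip, h in hosts.items()
        if h["status"] == "Up"
    }


if __name__ == "__main__":
    for ip, ports in open_ports(parse_gnmap(SAMPLE_GNMAP)).items():
        print(ip, ports)
```

Feeding successive -oG files through open_ports() and diffing the results is a simple way to notice a port that was not open on the last scan.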

We can also use Nmap scripts to scan our network; there are different types of scripts for network or host scanning. In Kali Linux the Nmap scripts are located in /usr/share/nmap/scripts.

Or you can search for them with the locate command in Linux – # locate *.nse – where * is a wildcard for the name to search and .nse is the extension of Nmap scripts.

Advanced Network Technique

Nessus – a proprietary vulnerability scanner developed by Tenable Network Security. Register for the Nessus Home edition.

To install Nessus on Kali Linux, follow these commands:

# dpkg -i <path of the Nessus Debian package>

# /etc/init.d/nessusd start – starts the Nessus scanner; the same script accepts start/status/stop.

Then go to https://DarkLucifer:8834/ to configure your scanner (DarkLucifer here is the author's machine name; use your own hostname).

To check whether the target network has a firewall between the host and the server, we use hping3 in Kali Linux to check the traffic.

# traceroute – is used to see where the traffic is coming from, to analyze the path the traffic follows on the network, or to detect a firewall in the network.

If the firewall of the target is blocking the scan, we can try hping3 to check the related ports:

# hping3 --scan 80,443 -S -t 11 <HOST>

-S SYN scan

-t 11 TTL value for the network

--scan – the specific ports to scan

PING – Ping is a basic Internet program that allows a user to verify that a particular IP address exists and can accept requests.

