Lecture 4
Scanning
Lecture Objectives
• Define network scanning
• Understand the different types of scanning
• Utilize network scanning tools
CYB234_Lectuer#4 2
Overview of Network Scanning
▪ Network scanning refers to a set of procedures for identifying hosts,
ports, and services in a network.
▪ Network scanning is one of the components of intelligence
gathering an attacker uses to create a profile of the target
organization.
▪ Objectives of Network Scanning:
▪ To discover live hosts, IP addresses, and open ports of live hosts
▪ To discover operating systems and system architecture
▪ To discover services running on hosts
▪ To discover vulnerabilities in live hosts
Types of Network Scanning
▪ Depending on what kind of information the scan identifies, network scanning can be
classified into three main categories:
• Port scanning – detecting open ports and services running on the target.
• Network scanning – IP addresses, operating system details, topology details,
trusted router information, etc.
• Vulnerability scanning – scanning for known vulnerabilities or weaknesses in a
system.
Background-TCP/IP Communication
Background-TCP Communication Flags
▪ TCP Communication Flags (controls transmission of data)
▪ URG (Urgent): Data contained in the packet should be processed immediately
▪ FIN (Finish): There will be no more transmissions
▪ RST (Reset): Resets a connection
▪ PSH (Push): Send all buffered data immediately
▪ ACK (Acknowledgement): Acknowledges the receipt of a packet
▪ SYN (Synchronize): Initiates a connection between hosts
Scanning Methodologies
• Check for live systems: Something as simple as a ping can provide this. This gives you a
list of what’s actually alive on your network subnet.
• Check for open ports: Once you know which IP addresses are active, find what ports
they’re listening on.
• Scan for vulnerabilities: Perform a more focused look at the vulnerabilities these
machines haven’t been patched for yet [Next Lecture]
Check for Live Systems
▪ The simplest and easiest way to do this is to take advantage of the Internet Control
Message Protocol (ICMP)
▪ One of the most basic steps in mapping out a network is performing an automated ping
sweep on a range of IP addresses and network blocks to determine if individual devices
or systems are alive.
▪ One of the ping sweep tools used by malicious users for the above purpose is “ping”.
▪ Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will
return an ICMP ECHO reply.
▪ This scan is useful for locating active devices or determining if ICMP is passing
through a firewall.
Port Scanning
• Port scanning is the process of attempting to contact each network port on
the target system and see which ones are open.
• For example, port 161 is associated with Simple Network Management
Protocol. If an attacker detects port 161 open on the target system, he
might decide to try SNMP-related attacks.
• Even more information can be derived from a port scan. For example, ports
137, 138, and 139 are all associated with NetBIOS, a very old Windows
method of network communication, not used in Windows anymore.
• However, NetBIOS is often used for systems where Windows machines
need to communicate with Linux machines. So, discovering those ports
open reveals something about the target network.
Nmap
• Network administrators can use Nmap for network inventory,
managing service upgrade schedules, and monitoring host or service
uptime.
• The most popular port scanner in the hacking and security
community is the free tool nmap.
• There is a Windows version of it with a GUI that can be downloaded
from https://nmap.org/download.html.
Scan Types
• Ping scan: This scan simply sends a ping to the target port. Many network administrators
block incoming ICMP packets for the purpose of stopping ping scans.
• Connect scan: This is the most reliable scan, but also the most likely to be detected. With
this type of scan a complete connection is made with the target system.
• SYN scan: This scan is very stealthy. Most systems accept SYN (Synchronize) requests. In
this scan you send a SYN packet but never respond when the system sends a SYN/ACK.
However, you only send one packet per port. This is also called the half-open scan.
• FIN scan: This scan has the FIN flag, or connection finished flag, set. This is also not an
unusual packet for systems to receive, so it is considered stealthy.
• XMAS scan: This scan has several flags turned on, like a Christmas tree with many lights
on.
• NULL scan: This scan is the opposite of the XMAS scan: no flags are turned on.
• ACK scan: This scan sends an ACK, without first having received a SYN. This is done to see
how the target responds.
Scan Types
• Each of these scans provokes a different response on the target
machine and thus provides different information to the port scanner:
• With a FIN scan or an XMAS scan, if the target port is closed, the system sends
back an RST flag packet (RST means reset). If it is open, there is no response.
• With a SYN scan, if the port is closed, the response is an RST; if it is open, the
response is a SYN/ACK.
• ACK scans and NULL scans only work on UNIX systems.
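Seen from the defender's side, the flag combinations above are also what a scan looks like in a packet log. The following is an added example (not part of the lecture) that runs detection logic over a constructed log: it names FIN, XMAS and NULL probes from their flag sets, flags bare ACKs from a source that never sent a SYN (ACK scan), and reports sources that leave several bare SYNs without completing the handshake (half-open / SYN scan). The log format and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample packet log (not from the lecture): "src -> dst:port [FLAGS]"
SAMPLE_LOG = """\
10.0.0.5 -> 10.0.0.20:22 [SYN]
10.0.0.5 -> 10.0.0.20:22 [ACK]
10.0.0.9 -> 10.0.0.20:21 [SYN]
10.0.0.9 -> 10.0.0.20:22 [SYN]
10.0.0.9 -> 10.0.0.20:25 [SYN]
10.0.0.7 -> 10.0.0.20:445 [FIN,PSH,URG]
10.0.0.7 -> 10.0.0.20:3389 []
10.0.0.7 -> 10.0.0.20:139 [FIN]
10.0.0.8 -> 10.0.0.20:80 [ACK]
"""
LINE = re.compile(r"^(\S+) -> \S+:(\d+) \[([A-Z,]*)\]$", re.MULTILINE)

def classify_flags(flags):
    """Name the probe type a single packet's TCP flag set matches, else None."""
    f = set(flags)
    if not f:
        return "NULL scan"          # no flags at all: never legitimate TCP
    if f == {"FIN", "PSH", "URG"}:
        return "XMAS scan"          # the "lit up" combination
    if f == {"FIN"}:
        return "FIN scan"           # FIN with no ACK on a connection never opened
    return None

def detect_scans(log, port_threshold=3):
    """Return {source: [findings]} for FIN/XMAS/NULL probes, ACK-without-SYN
    probes, and sources leaving >= port_threshold bare SYNs uncompleted."""
    findings, syn_ports, completed = defaultdict(list), defaultdict(set), set()
    for m in LINE.finditer(log):
        src, port, flagstr = m.groups()
        flags = [x for x in flagstr.split(",") if x]
        kind = classify_flags(flags)
        if kind:
            findings[src].append(f"{kind} probe to port {port}")
        elif flags == ["SYN"]:
            syn_ports[src].add(port)            # half-open until an ACK follows
        elif flags == ["ACK"] and src in syn_ports:
            completed.add((src, port))          # third step of a real handshake
        elif flags == ["ACK"]:
            findings[src].append(f"ACK scan probe to port {port}")
    for src, ports in syn_ports.items():
        half_open = [p for p in ports if (src, p) not in completed]
        if len(half_open) >= port_threshold:
            findings[src].append(f"SYN scan: {len(half_open)} ports left half-open")
    return dict(findings)
```

Running detect_scans(SAMPLE_LOG) reports 10.0.0.7, 10.0.0.8 and 10.0.0.9 and says nothing about 10.0.0.5, whose SYN was followed by the ACK of a normal handshake.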
Nmap Flags
• Nmap also lets you set a number of flags (either with the command-
line version of nmap or the Windows version) that customize your
scan.
• There is also the option to set timing. Timing involves how
quickly to send scanning packets.
• Essentially, the faster you send packets, the more likely the scan is to
be detected. The intense scan in the nmap GUI is timed as T4.
Nmap Flags
Scan types:
-O  Detects operating system
-sP Ping scan
-sT TCP connect scan
-sW Window scan
-sS SYN scan
-sR RPC scan
-sF FIN scan
-sL List/DNS scan
-sX Xmas tree scan
-sI Idle scan
-sN NULL scan
-sU UDP scan
-sO Protocol scan
-sA ACK scan
Host discovery (ping) options:
-P0 Don’t ping
-PT TCP ping
-PS SYN ping
-PI ICMP ping
-PB TCP and ICMP ping
-PM ICMP netmask
Output options:
-oN Normal output
-oX XML output
-oG Greppable output
-oA All output
Timing:
-T  Timing
-T0 Paranoid
-T1 Sneaky
-T2 Polite
-T3 Normal
-T4 Aggressive
-T5 Insane
Nmap
• Here are some very basic nmap scans, starting with scanning a single
IP address:
nmap 192.168.1.1
• Scan a range of IP addresses:
nmap 192.168.1.1-20
• Scan to detect operating system, use TCP scan, and use sneaky speed:
nmap -O -PT -T1 192.168.1.1
Port Meaning
465, 993, 995 (encrypted email): These are the encrypted counterparts of the clear-text
email protocols. Seeing one of these tells you that the target network at least takes some
basic security precautions, and that you cannot read the emails.
161, 162 (SNMP): Simple Network Management Protocol is very commonly used to manage a
network. Versions 1 and 2 of SNMP are unencrypted, and you can read the traffic with a
packet sniffer. Version 3 is encrypted. But with any version, you should try default
passwords.
445 (SMB): Server Message Block is used by Windows operating systems running Active
Directory. So, seeing this port tells you it is a Windows domain.
88, 464 (Kerberos): These are used by Kerberos. If you see these, you know that the target
network uses Kerberos authentication.
3389 (Remote Desktop): Remote Desktop is notoriously insecure, and if you see this port
open, then you have to at least attempt to remote desktop into the system.
Port Meaning
20, 21 (FTP): FTP is a common protocol, and often found on web servers. The interesting
thing for a penetration tester is that many FTP servers allow limited anonymous access.
So if you see ports 20 and 21 are open, you might at least attempt anonymous FTP.
23 (Telnet): Telnet is a command-line connection that is not secure (unlike SSH on port
22, which is encrypted). You might first wish to try to log on to telnet. However, even if
that is unsuccessful, you may wish to run a packet sniffer (which we discuss later in this
chapter) to watch traffic to that port. Administrators may be using port 23/telnet and
thus sending commands in clear text.
69 (TFTP): TFTP is basically limited FTP using UDP rather than TCP. This is often used
with Cisco devices to retrieve digital certificates. So, seeing this open could provide a
hint that Cisco devices with digital certificates might be in use. There are other uses of
TFTP, but this is one of the most common.
137, 138, 139 (NetBIOS): NetBIOS is primarily used by Microsoft. If you see this and 445
(SMB, see above) then it is clear this is a Microsoft system.
25, 110, 143, 220 (email): These are all clear-text, unencrypted email protocols. Seeing
these gives you two pieces of information. The first is that the target network is failing
to use basic security precautions, and probably has a great many other security issues.
The second is that you can run a packet sniffer and read all the emails going to and from
this system.
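The two port tables above are easiest to apply to a scan of your own network when the lookup is automated. The following is an added example (not part of the lecture): it parses nmap's greppable output (the -oG format from the flags slide, where each Ports entry is port/state/protocol/owner/service/rpc info/version) and annotates each host's open ports with the meanings the lecture gives. The sample output is constructed for the example; the PORT_MEANING wording is a condensed, defender-oriented paraphrase of the tables.

```python
import re

# Port table from the lecture (ports -> service and what an open port suggests)
PORT_MEANING = {
    (20, 21): ("FTP", "often allows anonymous access; confirm it is intended"),
    (23,): ("Telnet", "clear-text logins; SSH on 22 should replace it"),
    (69,): ("TFTP", "UDP file transfer, often Cisco devices and certificates"),
    (137, 138, 139): ("NetBIOS", "Microsoft networking exposed"),
    (25, 110, 143, 220): ("email", "clear-text mail; readable with a sniffer"),
    (465, 993, 995): ("encrypted email", "basic precaution in place"),
    (161, 162): ("SNMP", "v1/v2 unencrypted; check for default community strings"),
    (445,): ("SMB", "Windows host, likely an Active Directory member"),
    (88, 464): ("Kerberos", "Kerberos authentication, i.e. a Windows domain"),
    (3389,): ("Remote Desktop", "notoriously insecure; restrict or VPN it"),
}

# Constructed sample of nmap -oG (greppable) output; not from the lecture.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "25/open/tcp//smtp///, 80/filtered/tcp//http///\tIgnored State: closed (996)\n"
    "Host: 192.168.1.20 ()\tPorts: 88/open/tcp//kerberos-sec///, "
    "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\n"
)

def parse_grepable(text):
    """Return {host: [open ports]} from -oG lines; each Ports entry is
    port/state/proto/owner/service/rpc/version/, and only 'open' is kept."""
    hosts = {}
    # Comment lines and "Status: Up" lines carry no Ports field and are skipped
    for m in re.finditer(r"^Host: (\S+) .*?\tPorts: ([^\t]+)", text, re.M):
        for entry in m.group(2).split(", "):
            port, state = entry.split("/")[:2]
            if state == "open":
                hosts.setdefault(m.group(1), []).append(int(port))
    return hosts

def assess(hosts):
    """Apply the lecture's port table to each host's open ports."""
    report = {}
    for host, ports in hosts.items():
        notes, open_set = [], set(ports)
        for group, (svc, meaning) in PORT_MEANING.items():
            hit = sorted(open_set & set(group))
            if hit:
                notes.append(f"{svc} {hit}: {meaning}")
        if 445 in open_set and open_set & {88, 464}:
            notes.append("SMB with Kerberos: treat as a domain-joined Windows host")
        report[host] = notes
    return report
```

assess(parse_grepable(SAMPLE_OG)) flags Telnet and clear-text SMTP on 192.168.1.10 (the filtered port 80 is ignored) and identifies 192.168.1.20 as a domain-joined Windows host with Remote Desktop exposed.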
Lab4
Network Scanning