Introduction to Scanning

General Scanning Concepts

After identifying the target system and performing the initial reconnaissance as discussed in the previous post about Footprinting or Reconnaissance, it’s time to begin searching for an entry point into the target system.

Keep in mind that the scanning itself is not the actual intrusion, but an extended form of reconnaissance in which we learn more about the target, including information about operating systems, services, and any configuration lapses. The information gleaned from this reconnaissance helps us select strategies for the attack on the target system or network.

This is just an overview of network scanning and provides an insight into various techniques that can be used to check for live systems and open ports. There are many scanning techniques and all should be used as steps that an ethical hacker should follow during the penetration testing process to perform the security assessment of the target.

As already discussed, footprinting is the first phase of hacking, in which the attacker gains primary information about a potential target. This information is then used in the scanning phase in order to gather more details on the target.

Scanning is the process of gathering additional detailed information by using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. It is one of the most important phases of intelligence gathering for an attacker because it enables the creation of the target organization’s security profile. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target’s operating systems and system architecture, and the services running on each computer.

Types of Scanning

The purpose of scanning is to discover exploitable communications channels, probe as many listeners as possible, and keep track of the ones that are responsive or useful to the attacker’s specific needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more about the target system to find out if there are any configuration lapses in it. The attacker then uses the information obtained during the scan to develop an attack strategy.

Network Scanning

Network scanning is a procedure for identifying active hosts on a network, either to attack them or to assess the security of the network.

Basically, it lists IP addresses.

Port Scanning

Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports on the target system to determine if the services are running or are in a listening state. The listening state provides information about the operating system and the application currently in use. Sometimes, active services that are listening may allow unauthorized user access to misconfigured systems or to run software with vulnerabilities.

It lists open ports and services.

Vulnerability Scanning

Vulnerability scanning is a method used to check whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine maintains the logic for reading the exploit list, sending the requests to the Web server, and analyzing the responses to determine whether the server is safe. These tools generally target vulnerabilities that a secure host configuration, up-to-date security patches, and a clean Web document root can fix easily.

Shows the presence of known weaknesses.

Vulnerability Scanning vs Compliance Management

A compliance check scans the target and returns results based on the level of the target’s compliance with the standards selected for the scan. This allows an administrator to see if the organization’s systems are configured in accordance with the legal and required standards.

On the other hand, a vulnerability scan offers information pertaining to the existence of known vulnerabilities. However, the lack of vulnerabilities does not mean a server is configured correctly. Having knowledge of how a server is configured, how it is patched, and which vulnerabilities it has can help to prioritize systems for mitigating risk.

Scanning Techniques

Scanning is the process of gathering information about systems that are "alive" and responding on the network. Port scanning techniques help an attacker to identify the open ports on a targeted server or host. Administrators often use port scanning techniques to verify security policies of their networks, whereas attackers use them to identify running services on a host with the intent of compromising the network.

A general rule for computer systems is that the more open ports a system has, the more vulnerable it is. However, there are cases in which a system has fewer open ports than another machine, but the ports that are open present a much higher level of vulnerability.
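Since administrators see the same port probes that attackers send, the defensive side of this paragraph is worth showing in code. The following added example (not from the original post) runs simple port-scan detection over a few constructed firewall log lines: a source that touches many distinct destination ports on one host inside a short time window is reported. The log format, the `WINDOW` and `THRESHOLD` values, and the sample addresses are assumptions made for this example; the format is only loosely modelled on iptables LOG output.

```python
"""Port-scan detection over firewall log lines.

Added example with constructed input. One line per logged packet:
    <epoch-seconds> SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>
A (source, destination) pair that reaches THRESHOLD or more distinct
destination ports within WINDOW seconds is flagged.
"""
import re
from collections import Counter, defaultdict

WINDOW = 10      # seconds of history considered at each event
THRESHOLD = 5    # distinct ports inside the window that trigger an alert

LINE_RE = re.compile(
    r"^(?P<ts>\d+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)

# Constructed sample: a fast scanner (203.0.113.7), a normal client
# (198.51.100.4), a slow scanner spacing probes 30 s apart (203.0.113.9),
# and one malformed line that the parser must skip.
SAMPLE_LOG = """\
1700000000 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
1700000000 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
1700000001 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
1700000001 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
1700000002 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
1700000002 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
1700000003 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
1700000003 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
1700000004 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
1700000005 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
1700000000 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=21
1700000030 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
1700000060 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23
1700000090 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=25
1700000120 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80
1700000150 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=110
this line is not in the expected format
"""


def parse_line(line):
    """Return (ts, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def detect_scans(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each flagged (src, dst) pair to the peak distinct-port count seen
    inside any `window`-second span."""
    events = defaultdict(list)            # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, dpt = rec
            events[(src, dst)].append((ts, dpt))

    alerts = {}
    for key, evs in events.items():
        evs.sort()                        # sliding window needs time order
        ports, left, peak = Counter(), 0, 0
        for ts, dpt in evs:
            ports[dpt] += 1
            while ts - evs[left][0] > window:   # expire events older than window
                old = evs[left][1]
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
                left += 1
            peak = max(peak, len(ports))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"probable port scan: {src} -> {dst}, {n} distinct ports within {WINDOW}s")
```

With the default 10-second window only the fast scanner is reported; the slow scanner is the classic evasion, and widening the window (`detect_scans(lines, window=200)`) is what catches it, at the cost of more false positives from busy legitimate clients.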

The first step in scanning networks is to check for live systems. I will show you how to check for live systems with the help of ICMP scanning, how to ping a system and various ping sweep tools.

The next step in the scanning process involves checking for open ports on the discovered live systems. Sometimes users unknowingly leave unnecessary ports open on their systems, and it might be possible to exploit such open ports to launch attacks. I will also show you the tools and techniques used by an attacker to do so.

Once the open ports are identified, the final step is to find vulnerabilities associated with the applications or services running in those ports. I’ll introduce you to some free but very powerful and reliable tools used to find the target’s vulnerabilities.

Scanning techniques are further split into three categories, as shown below, according to the protocol used for communication at the transport layer of the network.

Scanning ICMP Network Services:

  • ICMP Scanning
  • Ping Sweep
  • ICMP Echo Scanning

Scanning TCP Network Services:

  • Open TCP Scanning Methods
    • TCP Connect Full Open Scan
  • Stealth TCP Scanning Methods
    • Half-open Scan
    • Inverse TCP Flag Scanning
      • Xmas Scan
      • FIN Scan
      • NULL Scan
    • ACK Flag Probe Scanning
  • Third Party and Spoofed TCP Scanning Methods
    • IDLE IP ID Header Scanning

Scanning UDP Network Services:

  • UDP Scanning
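Of the TCP methods listed above, the TCP connect (full open) scan is the one that needs no raw sockets, so it can be shown end to end in plain Python. The added example below (not code from the original post, and not Nmap's or any other tool's implementation) runs a connect scan against a throwaway listener on loopback and records what the listening application sees. The point for defenders: because connect() completes the three-way handshake, the service itself accepts the connection and can log it, which is precisely what a half-open (SYN) scan avoids. The listener, the `probe`/`connect_scan` functions and the `demo()` wrapper are assumptions for this example.

```python
"""TCP connect ("full open") scan against a local listener.

Added example: everything here runs on 127.0.0.1 against a service the
script starts itself. The three outcomes mirror the usual scanner states:
  open     - connect() succeeded (handshake completed, service saw it)
  closed   - RST came back (ECONNREFUSED)
  filtered - no answer inside the timeout (typical of a dropping firewall)
"""
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on a free port.
    Returns (port, accepted_peers, stop_event); accepted_peers is the
    'application log' of every connection the service accepted."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)                 # lets the loop notice stop_event
    port = srv.getsockname()[1]
    accepted, stop = [], threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            accepted.append(peer)       # the log line a real daemon would write
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, accepted, stop


def free_closed_port(host="127.0.0.1"):
    """Reserve and release a port so it is known to be closed (not filtered)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=0.5):
    """Classify one port by attempting a full TCP connection."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def connect_scan(host, ports):
    """Probe each port in turn; returns {port: state}."""
    return {p: probe(host, p) for p in ports}


def demo():
    """Scan one open and one closed loopback port; return (results, log)."""
    open_port, log, stop = start_listener()
    closed_port = free_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
        deadline = time.time() + 2
        while not log and time.time() < deadline:   # accept() runs in the thread
            time.sleep(0.01)
        return {"open": results[open_port], "closed": results[closed_port]}, list(log)
    finally:
        stop.set()


if __name__ == "__main__":
    states, log = demo()
    print("scan result:", states)
    print("listener saw:", log)
```

A SYN scan would produce the same open/closed verdicts without ever appearing in the listener's `accepted` list; that is why host-level detection of half-open scans has to happen in the kernel or on a network sensor rather than in the application.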

Scanning Tools

These tools scan and identify live hosts, open TCP/UDP ports, running services on a target network, location-info, and NetBIOS info. Information obtained from these tools will assist an ethical hacker in creating the profile of the target organization and in finding entry points to the network. More advanced and specialized scanning tools will find system vulnerabilities and possible remediations.

Network/Port Scanning Tools

All these tools are multi-functional so there is no sense in separating the two different categories.

Nmap

Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of firewalls, operating systems, and OS versions.

It is the de facto standard tool for most security professionals.

Hping3

Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, and other functions.

Unicornscan

While Nmap is the most widely used port scanner for pentesters and hackers, it does have some shortcomings. First, it doesn't do OS fingerprinting very well. Second, it can be relatively slow; and lastly, it uses the TCP/IP stack of the underlying operating system for sending packets, making it easy for the target to determine the attacker's OS.

Unicornscan is an asynchronous network stimulus delivery/response recording tool, meaning that it sends out broken, unorganized or fragmented packets (without the regular pattern of other port scanning tools) to a host and waits for the target's response. Once the response arrives, the TTL value is examined for each port and used to identify the operating system; for example, if the TTL is 128, the operating system is Windows, and so on.

Pentesters use this tool when regular port scanning doesn’t work as the target might have enabled port scanning detection or has enabled IDS/IPS or honeypots. One cool feature of Unicornscan is that it uses different threads to send out packets and to receive them, unlike other port scanners.

Masscan

Large ranges are a pain to scan, but this is where Masscan comes into play. Similar to Nmap (it even has similar flags), Masscan uses its own custom TCP/IP stack for speed and efficiency. Internally, it uses asynchronous transmissions and it’s very flexible, allowing arbitrary port and address ranges. This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.

There are many other network scanning tools out there, some are listed below:

Vulnerability Scanning Tools

Every day, security researchers and hackers discover new vulnerabilities, augmenting the tens of thousands of known holes in applications, services, operating systems, and firmware.

Vulnerability assessment enables recognizing, categorizing and characterizing the security holes among computers, network infrastructure, software, and hardware systems.

Vulnerability scanners automate security auditing and can play a vital part in your IT security by scanning your network and websites for different security risks. These scanners are also capable of generating a prioritized list of those you should patch, and they also describe the vulnerabilities and provide steps on how to remediate them. It is also possible for some to even automate the patching process.

OpenVAS

The Open Vulnerability Assessment Scanner is a free, full-featured vulnerability scanner that relies on a test feed with a long history and daily updates. OpenVAS serves as a central service that provides tools for both vulnerability scanning and vulnerability management.

OpenVAS is a complete vulnerability assessment tool that is used to spot issues related to security in the servers and other devices of the network. The scanner will look for an IP address and check for any open service by scanning through the open ports, misconfiguration, and vulnerabilities in the existing facilities.

Zed Attack Proxy

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications during their development and testing stages and is both flexible and extensible.

ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application, and as a daemon process.

Nikto

Nikto is a simple, open-source web server scanner that examines a web server for thousands of vulnerabilities and other known issues. It is very easy to use and does everything itself, without much instruction.

Also, it's one of the most widely used website vulnerability scanning tools in the industry, and is extremely effective. However, it's not stealthy at all. Any site with an intrusion-detection system or other security measures in place will detect that it's being scanned. Initially designed for security testing, stealth was never a concern.

There are many other vulnerability scanners, some are listed below:


Next post: Setting up a Virtual Hacking Lab
