Module 3: Scanning Networks


Scanning Networks Overview

Network scanning refers to the use of a computer network to gather information about computing systems. It is mainly used for security assessment and system maintenance, and also by attackers to prepare attacks.

Network scanning refers to a set of procedures for identifying hosts, ports and services in a network.

Network scanning is one of the components of intelligence gathering that an attacker uses to create a profile of the target organization.

Objectives of network scanning

1. To discover live hosts, IP addresses, and open ports of live hosts
2. To discover the operating system and system architecture
3. To discover services running on hosts and vulnerabilities in live hosts

TCP Communication Flags

[Figure: TCP communication flags]

Creating Custom Packets Using TCP Flags

Colasoft Packet Builder enables creating custom network packets to audit networks for various attacks.

Attackers can also use it to create fragmented packets to bypass firewalls and IDSs in a network.

CEH Scanning Methodology

1. ICMP Scanning

A ping scan involves sending an ICMP ECHO request to a host. If the host is live, it will return an ICMP ECHO reply.

This scan is useful for locating active devices or determining if ICMP is passing through a firewall.

[Figure: ICMP scanning using Nmap]

Ping Sweep

A ping sweep is used to determine the live hosts in a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply.

Attackers calculate the subnet mask using a subnet mask calculator to identify the number of hosts present in the subnet.

Attackers then use a ping sweep to create an inventory of live systems in the subnet.

Ping Sweep Tools

2. Check for Open Ports

SSDP Scanning

The Simple Service Discovery Protocol (SSDP) is a network protocol that works in conjunction with UPnP to detect Plug and Play services available in a network.

Vulnerabilities in UPnP may allow attackers to launch buffer overflow or DoS attacks.

Attackers may use UPnP SSDP M-SEARCH information discovery tools to check whether a machine is vulnerable to UPnP exploits.

You can use Kali Linux for SSDP scanning.

Scanning in IPv6 Networks

1. IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy.

2. Traditional network scanning techniques will be computationally less feasible due to the large search space provided by an IPv6 subnet.

3. Scanning an IPv6 network is more difficult and complex than IPv4, and some scanning tools do not support ping sweeps on IPv6 networks.

4. Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or "Received: from" and other header lines in archived email or Usenet news messages.

5. Scanning IPv6 networks, however, offers a large number of hosts in a subnet; if an attacker can compromise one host in the subnet, the attacker can probe the "all hosts" link-local multicast address.

Scanning Tool: Nmap

Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Attackers use Nmap to extract information such as live hosts on the network, services, type of packet filters/firewalls, operating system and OS version.

You can also use Hping in Kali Linux for scanning networks; the following commands are useful in Hping:

[Figure: Hping commands]

Inverse TCP Flag Scanning

Attackers send TCP probe packets with a TCP flag set or with no flags; no response means the port is open, and an RST means the port is closed.

Xmas Scan

In an Xmas scan, attackers send a TCP frame to a remote device with the FIN, URG, and PUSH flags set.

FIN scans only work against OSes with an RFC 793-based TCP/IP implementation.

It will not work against any current version of Microsoft Windows.

IDLE/IPID Header Scan

Most network services listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on it.

One way to determine whether a port is open is to send a "SYN" packet to the port.

The target machine will send back a "SYN|ACK" packet if the port is open and an "RST" if the port is closed.

Scanning Tools

3. Scanning Beyond IDS

IDS Evasion Techniques

1. Use fragmented IP packets
2. Spoof your IP address when launching an attack and sniff responses from the server
3. Use source routing (if possible)
4. Connect to proxy servers or compromised trojaned machines to launch attacks

SYN/FIN Scanning Using IP Fragments

It is not a new scanning method but a modification of earlier methods.

The TCP header is split into several packets so that packet filters are not able to detect what the packets intend to do.
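As an added defensive example (not part of the original notes), the following Python turns the flag rules from the Inverse TCP Flag, Xmas and SYN passages above, plus the fragmentation and ping sweep techniques, into detection logic run over a constructed firewall log: it flags Xmas/NULL/FIN probes that no legitimate client sends, fragmented TCP headers, and one source pinging many hosts. The log format and the `parse_line` / `detect` names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample firewall log (not a real capture); one packet per line: time src dst proto flags|echo [frag=off,more]
SAMPLE_LOG = """\
10:00:02 10.0.0.5 10.0.0.1 tcp FIN,URG,PSH
10:00:02 10.0.0.5 10.0.0.2 tcp FIN,URG,PSH
10:00:03 10.0.0.5 10.0.0.3 tcp NONE
10:00:04 10.0.0.5 10.0.0.4 tcp FIN
10:00:05 10.0.0.5 10.0.0.6 tcp SYN frag=0,more
10:00:06 10.0.0.5 10.0.0.7 icmp echo
10:00:06 10.0.0.5 10.0.0.8 icmp echo
10:00:07 10.0.0.5 10.0.0.9 icmp echo
10:00:09 10.0.0.7 10.0.0.1 tcp SYN,ACK
"""

# Flag sets a legitimate client never uses to open a connection (Xmas, NULL and FIN probes).
ABNORMAL_FLAGS = {
    frozenset({"FIN", "URG", "PSH"}): "xmas",
    frozenset(): "null",
    frozenset({"FIN"}): "fin",
}

def parse_line(line):
    # Split one constructed log line into src, dst, proto, flag set and fragment marker.
    f = line.split()
    rec = {"src": f[1], "dst": f[2], "proto": f[3]}
    flags = f[4].split(",") if rec["proto"] == "tcp" else []
    rec["flags"] = frozenset(x for x in flags if x != "NONE")
    # A fragment marker on a TCP packet means the header was split across IP fragments.
    rec["frag"] = any(x.startswith("frag=") for x in f[5:])
    return rec

def detect(log, sweep_threshold=3):
    # Return (src, dst, reason) alerts for the scan activity found in the log text.
    alerts, icmp_targets = [], defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec["proto"] == "tcp":
            kind = ABNORMAL_FLAGS.get(rec["flags"])
            if kind:
                alerts.append((rec["src"], rec["dst"], f"{kind} scan probe"))
            if rec["frag"]:
                alerts.append((rec["src"], rec["dst"], "fragmented TCP header (filter evasion)"))
        elif rec["proto"] == "icmp":
            icmp_targets[rec["src"]].add(rec["dst"])
    # One source sending echo requests to many hosts is a ping sweep.
    for src, dsts in icmp_targets.items():
        if len(dsts) >= sweep_threshold:
            alerts.append((src, "*", f"ping sweep of {len(dsts)} hosts"))
    return alerts
```

Real firewall or IDS logs need their own `parse_line`; the flag, fragment and sweep rules stay the same.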


4. Banner Grabbing

Banner grabbing or OS fingerprinting is the method used to determine the operating system of a remote target system. There are two types of banner grabbing: active and passive.

Identifying the OS on the target host allows an attacker to figure out the vulnerabilities the system possesses and the exploits that might work on the system to carry out additional attacks.

Active Banner Grabbing

1. Specially crafted packets are sent to the remote OS and the responses are noted
2. The responses are then compared with a database to determine the OS
3. Responses from different OSes vary due to differences in TCP/IP stack implementation

Passive Banner Grabbing

Banner grabbing from error messages

Error messages provide information such as the type of server, type of OS and SSL tools used by the remote system.

Sniffing the network traffic

Capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system.

Banner grabbing from page extensions

Looking for an extension in the URL may assist in determining the application version.

Banner Grabbing Tools

2. ID Serve

Hiding File Extensions From Web Pages

1. File extensions reveal information about the underlying server technology that an attacker can utilize to launch attacks

2. Hide extensions to mask the web technology

3. Change application mappings such as .asp to .htm or .foo, etc. to disguise the identity of the server

4. Apache users can use mod_negotiation directives

5. IIS users can use tools such as PageXchanger to manage file extensions
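As an added defensive example (not from the original notes), the following Python audits an HTTP response from your own server for the leaks described in the passive banner grabbing and file extension passages above: version strings in Server / X-Powered-By headers, the Apache error-page signature, and technology-revealing page extensions in links. The response text is constructed; `ServerTokens Prod` and `ServerSignature Off` are the Apache directives that remove the header and signature leaks.

```python
import re

# Constructed sample HTTP error response (not a real capture) from a server under audit.
SAMPLE_RESPONSE = """\
HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html

<html><body><h1>Not Found</h1>
<a href="/login.php">Login</a> <a href="/reports/view.aspx?id=1">Reports</a>
<a href="/about">About</a>
<address>Apache/2.4.41 (Ubuntu) Server at www.example.test Port 80</address>
</body></html>
"""

# Page extensions that reveal the server-side technology behind a URL.
TECH_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp", ".cgi", ".pl"}
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")

def audit_response(raw):
    # Return findings describing what this response leaks about the server.
    head, _, body = raw.partition("\n\n")
    findings = []
    for line in head.splitlines()[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(f"header {name} leaks version: {value}")
        elif name == "x-powered-by":
            findings.append(f"header {name} reveals technology: {value}")
    # Apache's default ServerSignature appends this banner to generated error pages.
    if re.search(r"<address>.*Server at", body):
        findings.append("error page signature reveals server banner")
    for href in re.findall(r'href="([^"]+)"', body):
        path = href.split("?", 1)[0]
        leaf = path.rsplit("/", 1)[-1]
        ext = "." + leaf.rsplit(".", 1)[1].lower() if "." in leaf else ""
        if ext in TECH_EXTENSIONS:
            findings.append(f"link exposes technology extension: {path}")
    return findings
```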

5. Scan for Vulnerabilities

Vulnerability Scanning

Vulnerability scanning identifies vulnerabilities and weaknesses of the system and network in order to determine how a system can be exploited:

1. Network vulnerabilities
2. Open ports and running services
3. Application and service vulnerabilities
4. Application and service configuration

Vulnerability Scanning Tools

Qualys FreeScan

Network Vulnerability Scanning Tools

Vulnerability Scanners

6. Draw Network Diagram

Drawing the target's network diagram gives valuable information about the network and its architecture to an attacker.

A network diagram shows the logical or physical path to a potential target.

Network Discovery Tools: OpManager and NetworkView

OpManager is network monitoring software that offers advanced fault and performance management functionality across critical IT resources such as routers, WLAN links, switches, firewalls, VoIP call paths, physical servers, etc.

NetworkView is a network discovery and management tool for Windows. It discovers TCP/IP nodes and routers using DNS, SNMP, ports, NetBIOS, and WMI.

Network Mapping and Discovery Tools

7. Prepare Proxies

Proxy Servers

Why attackers use proxy servers:

To hide the source IP address so that they can attack without legal consequences

To mask the actual source of the attack by impersonating a fake source address of the proxy

To remotely access intranets and other website resources that are normally off limits

To intercept all the requests sent by a user and transmit them to a third destination, so victims will only be able to identify the proxy server address

Attackers chain multiple proxy servers to avoid detection.

Proxy Chaining

1. The user requests a resource from the destination

2. A proxy client on the user's system connects to a proxy server and passes the request to it

3. The proxy server strips the user's identification information and passes the request to the next proxy server

4. This process is repeated by all the proxy servers in the chain

5. At the end, the unencrypted request is passed to the web server.

Proxy Tools

1. Proxy Switcher
2. Proxy Workbench

8. Scanning Pen Testing

Pen testing a network for scanning vulnerabilities determines the network's security posture by identifying live systems, discovering open ports, associating services and grabbing system banners to simulate a network hacking attempt.

The penetration testing report will help system administrators to

Check for live hosts using tools such as Nmap, Angry IP Scanner, SolarWinds Engineer's Toolset, Colasoft Ping Tool, etc.

Check for open ports using tools such as Nmap, NetScanTools Pro, SuperScan, PRTG Network Monitor, Net Tools, etc.

Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, etc.

Scan for vulnerabilities using tools such as Nessus, GFI LanGuard, SAINT, Core Impact Professional, etc.