Module 04: Scanning Networks

Objective

The objective of this lab is to conduct network scanning, port scanning, analyzing the network vulnerabilities, etc.

Network scans are needed to:

Check live systems and open ports
Identify services running in live systems
Perform banner grabbing/OS fingerprinting
Identify network vulnerabilities

Overview of Scanning Networks

Network scanning is the process of gathering additional detailed information about the target by using highly complex and aggressive reconnaissance techniques. The purpose of scanning is to discover exploitable communication channels, probe as many listeners as possible, and keep track of the responsive ones.

Types of scanning:

Port Scanning: Lists open ports and services
Network Scanning: Lists the active hosts and IP addresses
Vulnerability Scanning: Shows the presence of known weaknesses

Lab-1 - Task 1: Perform Host Discovery using Nmap

In the terminal window, type the command nmap -sn -PR [Target IP Address] (here, the target IP address is 10.10.1.22) and press Enter.
- -sn: disables port scan and -PR: performs ARP ping scan.
- -PU: performs the UDP ping scan.
- -PE: performs the ICMP ECHO ping scan.
- -PP: performs the ICMP timestamp ping scan.
Apart from the aforementioned network scanning techniques, you can also use the following scanning techniques to perform a host discovery on a target network.
- ICMP Address Mask Ping Scan: This technique is an alternative for the traditional ICMP ECHO ping scan, which are used to determine whether the target host is live specifically when administrators block the ICMP ECHO pings.
  - nmap -sn -PM [target IP address]
- TCP SYN Ping Scan: This technique sends empty TCP SYN packets to the target host, ACK response means that the host is active.
  - nmap -sn -PS [target IP address]
- TCP ACK Ping Scan: This technique sends empty TCP ACK packets to the target host; an RST response means that the host is active.
  - nmap -sn -PA [target IP address]
- IP Protocol Ping Scan: This technique sends different probe packets of different IP protocols to the target host, any response from any probe indicates that a host is active.
  - nmap -sn -PO [target IP address]

Lab-1 - Task 2: Perform Host Discovery using Angry IP Scanner

Angry IP Scanner is an open-source and cross-platform network scanner designed to scan IP addresses as well as ports. It simply pings each IP address to check if it is alive; then, optionally by resolving its hostname, determines the MAC address, scans ports, etc. The amount of gathered data about each host can be extended with plugins.

Lab-2 - Task 1: Perform Port and Service Discovery using MegaPing

Lab-2 - Task 2: Perform Port and Service Discovery using NetScanTools Pro

Lab-2 - Task 3: Perform Port Scanning using sx Tool

The sx tool is a command-line network scanner that can be used to perform ARP scans, ICMP scans, TCP SYN scans, UDP scans and application scans such as SOCS5 scans, Docker scans and Elasticsearch scans.

Lab-2 - Task 4: Explore Various Network Scanning Techniques using Nmap

Nmap comes with various inbuilt scripts that can be employed during a scanning process in an attempt to find the open ports and services running on the ports. It sends specially crafted packets to the target host, and then analyzes the responses to accomplish its goal. Nmap includes many port scanning mechanisms (TCP and UDP), OS detection, version detection, ping sweeps, etc.

-sT: performs the TCP connect/full open scan
-v: enables the verbose output (include all hosts and ports in the output).
sS: performs the stealth scan/TCP half-open scan
-sX: performs the Xmas scan
-sM: performs the TCP Maimon scan
-sA: performs the ACK flag probe scan
-sU: performs the UDP scan
IDLE/IPID Header Scan: A TCP port scan method that can be used to send a spoofed source address to a computer to discover what services are available.
- nmap -sI -v [target IP address]
SCTP INIT Scan: An INIT chunk is sent to the target host; an INIT+ACK chunk response implies that the port is open, and an ABORT Chunk response means that the port is closed.
- nmap -sY -v [target IP address]
SCTP COOKIE ECHO Scan: A COOKIE ECHO chunk is sent to the target host; no response implies that the port is open and ABORT Chunk response means that the port is closed.
- nmap -sZ -v [target IP address]

Lab-2 - Task 5: Explore Various Network Scanning Techniques using Hping3

-A specifies setting the ACK flag
-p specifies the port to be scanned (here, 80)
-c specifies the packet count (here, 5).
-8 specifies a scan mode
-p specifies the range of ports to be scanned (here, 0-100)
-V specifies the verbose mode.
-F specifies setting the FIN flag
-P specifies setting the PUSH flag
-U specifies setting the URG flag
-S specifies setting the SYN flag

Lab-3 - Task 1: Identify the Target System’s OS with Time-to-Live (TTL) and TCP Window Sizes using Wireshark

The TTL value is recorded as 128, which means that the ICMP reply possibly came from a Windows-based machine.
The TTL value is recorded as 64, which means the ICMP reply possibly came from a Linux-based machine.

Lab-3 - Task 2: Perform OS Discovery using Nmap Script Engine (NSE)

Nmap, along with Nmap Script Engine (NSE), can extract considerable valuable information from the target system. In addition to Nmap commands, NSE provides scripts that reveal all sorts of useful information from the target system. Using NSE, you may obtain information such as OS, computer name, domain name, forest name, NetBIOS computer name, NetBIOS domain name, workgroup, system time of a target system, etc.

-A: to perform an aggressive scan.
-O: performs the OS discovery.
--script: specifies the customized script

Lab-3 - Task 3: Perform OS Discovery using Unicornscan

-I specifies an immediate mode
-v specifies a verbose mode.
The scan results appear, displaying the open TCP ports along with a TTL value of 64. As shown in the screenshot, the ttl value acquired after the scan is 64; hence, the OS is possibly a Linux-based machine (Google Linux, Ubuntu, Parrot, or Kali). Using this information, attackers can formulate an attack strategy based on the OS of the target system.

Lab-4 - Task 1: Scan beyond IDS/Firewall using various Evasion Techniques

Nmap CMDs:

-f switch is used to split the IP packet into tiny fragment packets.
-g or --source-port option to perform source port manipulation.
-mtu: specifies the number of Maximum Transmission Unit (MTU) (here, 8 bytes of packets).
-D: performs a decoy scan.
RND: generates a random and non-reserved IP addresses (here, 10).
--spoof-mac 0 represents randomizing the MAC address
-sT: performs the TCP connect/full open scan
-Pn is used to skip the host discovery.

Lab-4 - Task 2: Create Custom Packets using Colasoft Packet Builder to Scan beyond the IDS/Firewall

Lab-4 - Task 3: Create Custom UDP and TCP Packets using Hping3 to Scan beyond the IDS/Firewall

Hping3 is a scriptable program that uses the TCL language, whereby packets can be received and sent via a binary or string representation describing the packets.

hping3 CMDs:

--udp specifies sending the UDP packets to the target host
--rand-source enables the random source mode
--data specifies the packet body size.
-S specifies the TCP SYN request on the target machine
-p specifies assigning the port to send the traffic
-c is the count of the packets sent to the target machine.
-flood: performs the TCP flooding.

Lab-5 - Task 1: Scan a Target Network using Metasploit

Hacker's Mantra:A hacker does for love what others would not do for money. - Laura Creighton

PreviousModule 03: Enumeration NextModule 05: Vulnerability Analysis

Was this helpful?

Module 04: Scanning Networks

Objective

The objective of this lab is to conduct network scanning, port scanning, analyzing the network vulnerabilities, etc.

Network scans are needed to:

Check live systems and open ports
Identify services running in live systems
Perform banner grabbing/OS fingerprinting
Identify network vulnerabilities

Overview of Scanning Networks

Types of scanning:

Port Scanning: Lists open ports and services
Network Scanning: Lists the active hosts and IP addresses
Vulnerability Scanning: Shows the presence of known weaknesses

Lab-1 - Task 1: Perform Host Discovery using Nmap

In the terminal window, type the command nmap -sn -PR [Target IP Address] (here, the target IP address is 10.10.1.22) and press Enter.
- -sn: disables port scan and -PR: performs ARP ping scan.
- -PU: performs the UDP ping scan.
- -PE: performs the ICMP ECHO ping scan.
- -PP: performs the ICMP timestamp ping scan.
Apart from the aforementioned network scanning techniques, you can also use the following scanning techniques to perform a host discovery on a target network.
- ICMP Address Mask Ping Scan: This technique is an alternative for the traditional ICMP ECHO ping scan, which are used to determine whether the target host is live specifically when administrators block the ICMP ECHO pings.
  - nmap -sn -PM [target IP address]
- TCP SYN Ping Scan: This technique sends empty TCP SYN packets to the target host, ACK response means that the host is active.
  - nmap -sn -PS [target IP address]
- TCP ACK Ping Scan: This technique sends empty TCP ACK packets to the target host; an RST response means that the host is active.
  - nmap -sn -PA [target IP address]
- IP Protocol Ping Scan: This technique sends different probe packets of different IP protocols to the target host, any response from any probe indicates that a host is active.
  - nmap -sn -PO [target IP address]

Lab-1 - Task 2: Perform Host Discovery using Angry IP Scanner

Angry IP Scanner ()
SolarWinds Engineer’s Toolset ()
NetScanTools Pro ()
Colasoft Ping Tool ()
Visual Ping Tester ()
OpUtils ()

Lab-2 - Task 1: Perform Port and Service Discovery using MegaPing

is a toolkit that provides essential utilities for Information System specialists, system administrators, IT solution providers, and individuals. It is used to detect live hosts and open ports of the system in the network, and can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. You can also perform various network troubleshooting activities with the help of integrated network utilities such as DNS lookup name, DNS list hosts, Finger, host monitor, IP scanner, NetBIOS scanner, ping, port scanner, share scanner, traceroute, and Whois.

Lab-2 - Task 2: Perform Port and Service Discovery using NetScanTools Pro

is an integrated collection of utilities that gathers information on the Internet and troubleshoots networks for Network Professionals. With the available tools, you can research IPv4/IPv6 addresses, hostnames, domain names, e-mail addresses, and URLs on the target network.

Lab-2 - Task 3: Perform Port Scanning using sx Tool

Lab-2 - Task 4: Explore Various Network Scanning Techniques using Nmap

-sT: performs the TCP connect/full open scan
-v: enables the verbose output (include all hosts and ports in the output).
sS: performs the stealth scan/TCP half-open scan
-sX: performs the Xmas scan
-sM: performs the TCP Maimon scan
-sA: performs the ACK flag probe scan
-sU: performs the UDP scan
IDLE/IPID Header Scan: A TCP port scan method that can be used to send a spoofed source address to a computer to discover what services are available.
- nmap -sI -v [target IP address]
SCTP INIT Scan: An INIT chunk is sent to the target host; an INIT+ACK chunk response implies that the port is open, and an ABORT Chunk response means that the port is closed.
- nmap -sY -v [target IP address]
SCTP COOKIE ECHO Scan: A COOKIE ECHO chunk is sent to the target host; no response implies that the port is open and ABORT Chunk response means that the port is closed.
- nmap -sZ -v [target IP address]

Lab-2 - Task 5: Explore Various Network Scanning Techniques using Hping3

is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. Using Hping, you can study the behavior of an idle host and gain information about the target such as the services that the host offers, the ports supporting the services, and the OS of the target.

-A specifies setting the ACK flag
-p specifies the port to be scanned (here, 80)
-c specifies the packet count (here, 5).
-8 specifies a scan mode
-p specifies the range of ports to be scanned (here, 0-100)
-V specifies the verbose mode.
-F specifies setting the FIN flag
-P specifies setting the PUSH flag
-U specifies setting the URG flag
-S specifies setting the SYN flag

Lab-3 - Task 1: Identify the Target System’s OS with Time-to-Live (TTL) and TCP Window Sizes using Wireshark

is a network protocol analyzer that allows capturing and interactively browsing the traffic running on a computer network. It is used to identify the target OS through sniffing/capturing the response generated from the target machine to the request-originated machine. Further, you can observe the TTL and TCP window size fields in the captured TCP packet. Using these values, the target OS can be determined.

The TTL value is recorded as 128, which means that the ICMP reply possibly came from a Windows-based machine.
The TTL value is recorded as 64, which means the ICMP reply possibly came from a Linux-based machine.

Lab-3 - Task 2: Perform OS Discovery using Nmap Script Engine (NSE)

-A: to perform an aggressive scan.
-O: performs the OS discovery.
--script: specifies the customized script

Lab-3 - Task 3: Perform OS Discovery using Unicornscan

is a Linux-based command line-oriented network information-gathering and reconnaissance tool. It is an asynchronous TCP and UDP port scanner and banner grabber that enables you to discover open ports, services, TTL values, etc. running on the target machine. In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result.

-I specifies an immediate mode
-v specifies a verbose mode.
The scan results appear, displaying the open TCP ports along with a TTL value of 64. As shown in the screenshot, the ttl value acquired after the scan is 64; hence, the OS is possibly a Linux-based machine (Google Linux, Ubuntu, Parrot, or Kali). Using this information, attackers can formulate an attack strategy based on the OS of the target system.

Lab-4 - Task 1: Scan beyond IDS/Firewall using various Evasion Techniques

Nmap CMDs:

-f switch is used to split the IP packet into tiny fragment packets.
-g or --source-port option to perform source port manipulation.
-mtu: specifies the number of Maximum Transmission Unit (MTU) (here, 8 bytes of packets).
-D: performs a decoy scan.
RND: generates a random and non-reserved IP addresses (here, 10).
--spoof-mac 0 represents randomizing the MAC address
-sT: performs the TCP connect/full open scan
-Pn is used to skip the host discovery.

Lab-4 - Task 2: Create Custom Packets using Colasoft Packet Builder to Scan beyond the IDS/Firewall

is a tool that allows you to create custom network packets to assess network security. You can also select a TCP packet from the provided templates and change the parameters in the decoder editor, hexadecimal editor, or ASCII editor to create a packet. In addition to building packets, the Colasoft Packet Builder supports saving packets to packet files and sending packets to the network.

Lab-4 - Task 3: Create Custom UDP and TCP Packets using Hping3 to Scan beyond the IDS/Firewall

Hping3 is a scriptable program that uses the TCL language, whereby packets can be received and sent via a binary or string representation describing the packets.

hping3 CMDs:

--udp specifies sending the UDP packets to the target host
--rand-source enables the random source mode
--data specifies the packet body size.
-S specifies the TCP SYN request on the target machine
-p specifies assigning the port to send the traffic
-c is the count of the packets sent to the target machine.
-flood: performs the TCP flooding.

Lab-5 - Task 1: Scan a Target Network using Metasploit

is a tool that provides information about security vulnerabilities in the target organization’s system, and aids in penetration testing and IDS signature development. It facilitates the tasks of attackers, exploit writers, and payload writers. A major advantage of the framework is the modular approach, that is, allowing the combination of any exploit with any payload.

Hacker's Mantra:A hacker does for love what others would not do for money. - Laura Creighton

PreviousModule 03: Enumeration NextModule 05: Vulnerability Analysis

Was this helpful?