What does Scanning Network mean?
Scanning a network is a crucial phase in the process of information gathering and vulnerability assessment within the field of cybersecurity. It involves actively probing a network or a system to identify open ports, services, and potential vulnerabilities. Network scanning provides valuable insights into the target's configuration and security posture and helps both security professionals and malicious actors to understand the potential attack surface.
Here are the key components and objectives of network scanning:
- Port Scanning: Port scanning is a fundamental part of network scanning. It involves systematically checking each network port on a target system to determine which ports are open and which services are running on those ports. Open ports can be entry points for attackers, and identifying them is crucial for security assessment.
- Service Identification: After determining which ports are open, network scanners attempt to identify the services or applications running on these ports. This information is essential because different services may have different vulnerabilities, and knowing the exact services in use helps in vulnerability assessment.
- Operating System Detection: Some network scanning tools can also attempt to detect the operating system of the target host based on various characteristics, such as the way it responds to network requests. This information helps attackers or security professionals tailor their attack or assessment strategies.
- Vulnerability Assessment: Once open ports, services, and the target's operating system are identified, security professionals can use this information to assess potential vulnerabilities. They may then use this data to patch or secure the system or network against known weaknesses.
- Enumeration: Network scanning can also involve active enumeration, where attackers or security professionals gather additional information about the target network or system, such as usernames, shares, or other resources that may be exposed or accessible.
Netdiscover is a tool used to inspect your network ARP traffic, or find network addresses using auto scan mode, which will scan for common local networks.
netdiscover -i eth0netdiscover -i eth0 -P -r 192.168.1.0/24
-i : network interface (eth0)
-P : Show results
-r : Range (192.168.1.0/24)
- nmap -Pn -sS -A -vv <Target_IP>/<Subnet> -oA <Filename>
- -Pn: Disable ping
- -sS: SYN scan
- -A: Aggressive Scan
- -oA: Normal_XML and Grepable format all at once
- -vv: Verbose
- nmap -sn -PR <Target IP>
- -sn: Disable port scan
- -PR: ARP ping scan
- nmap -sn -PU <Target IP>
- -PU: UDP ping scan
- nmap -sn -PE <Target IP or IP Range>
- -PE: ICMP ECHO ping scan
- nmap -sn -PP <Target IP>
- -PP: ICMP timestamp ping scan
- nmap -sn -PM <Target IP>
- -PM: ICMP address mask ping scan
- nmap -sn -PS <Target IP>
- -PS: TCP SYN Ping scan
- nmap -sn -PA <Target IP>
- -PA: TCP ACK Ping scan
- nmap -sn -PO <Target IP>
- -PO: IP Protocol Ping scan
xsltproc <nmap-output.xml> -o <nmap-output.html>
{% embed url="https://angryip.org/download/#windows" %}
Ports are used to identify a single network process, to make sure the transport layer know what the destination process is.
<IP>:<Port>pair identifies a process on a network. For example:192.168.13.2:80- 1024 well-known ports are used for the most common services: 0-1023. They are assigned by IANA in this registry.
- A
daemonis a program that runs a service. Its configuration can be changed, so the service listening port can be changed in order to make recognition harder. - Server-Client applications know which port to use because the TCP/UDP header contains two fields for the source/destination ports.
| Port | Service |
|---|---|
| 21 | FTP |
| 22 | SSH |
| 23 | Telnet |
| 25 | SMTP |
| 80 | HTTP |
| 110 | POP3 |
| 137, 138, 139 | NetBIOS |
| 143 | IMAP |
| 443 | HTTPS (HTTP over SSL) |
| 1433-1434 | Microsoft Sql Server |
| 3306 | MySQL |
| 3389 | RDP (Terminal Server) |
.png)
💻 Check listening ports and TCP connections on a host with the commands below:
| Command | Operating System |
|---|---|
|
Linux |
netstat -ano |
Windows |
|
*nix / Mac OS X |
Linux
.png)
.png)
Windows
.png)
- TCPView tool from Microsoft Sysinternals shows detailed listings of all TCP and UDP connections.
- nmap -sT -v <Target IP>
- -sT: TCP connect/full open scan
- -v: Verbose output
- nmap -sS -v <Target IP>
- -sS: Stealth scan/TCP hall-open scan
- nmap -sX -v <Target IP>
- -sX: Xmax scan
- nmap -sM -v <Target IP>
- -sM: TCP Maimon scan
- nmap -sA -v <Target IP>
- -sA: ACK flag probe scan
- nmap -sU -v <Target IP>
- -sU: UDP scan
- nmap -sI -v <Target IP>
- -sI: IDLE/IPID Header scan
- nmap -sY -v <Target IP>
- -sY: SCTP INIT Scan
- nmap -sZ -v <Target IP>
- -sZ: SCTP COOKIE ECHO Scan
- nmap -sV -v <Target IP>
- -sV: Detect service versions
- nmap -A -v <Target IP>
- -A: Aggressive scan
Other Nmap useful flags
- -sN: null scan
- -sC: enable script scanning
- -T: enable timing options
- -o: output options
- -O: enable OS detection
- --script: specifies a script
- -f: fragment packets
- -g or --source-port: source port manipulation
- -mtu: Maximum Transmission Unit
- -p: port(s) to scan
- -D: decoy scan
- -D RND: generates random & non-reserved IPs
- -d: increase debugging level
hping3 --scan 1-3000 -S 10.10.10.10
--scan parameter defines the port range to scan and –S represents SYN flag.
Pinging the target using HPing3:
hping3 -c 3 10.10.10.10
-c 3 means that we only want to send three packets to the target machine.
UDP Packet Crafting
hping3 10.10.10.10 --udp --rand-source --data 500
TCP SYN request
hping3 -S 10.10.10.10 -p 80 -c 5
-S will perform TCP SYN request on the target machine, -p will pass the traffic through which port is assigned, and -c is the count of the packets sent to the Target machine.
HPing flood
hping3 10.10.10.10 --flood
Basically ping a machine from different operating systems and capture the packets from wireshark. we can check the ICMP packets, viewing the details of IPV4 packets and check the TTL [ time to live] values.
- Open Wireshark and start capture
- Ping a target machine
- Stop capture
- Filter protocol ICMP
- Check TTL value in the Network Layer (3) details.
| Operating System | Default TTL Value (in Seconds) |
|---|---|
| Windows | 128 |
| MacOS | 64 |
| Linux | 64 |
| Android/iOS | 64 |
| FreeBSD | 64 |
- nmap -A -v <Target IP>
- -A: Aggressive scan
- nmap -O -v <Target IP>
- -O: OS discovery
- nmap –script smb-os-discovery.nse <Target IP>
- -–script: Specify the customized script
- smb-os-discovery.nse: Determine the OS, computer name, domain, workgroup, and current time over the SMB protocol (Port 445 or 139)
service postgresql start && msfconsole -q #start postgresql service and msfconsole
msfdb init #initialize msfdb
db_status #check if postgresql is connected to msf
db_nmap -Pn -sS -A -oX Test 10.10.10.0/24
hosts #display IP hosts
use scanner/smb/smb_version
show options #set RHOSTS, set THREADS 100use scanner/smb/smb_version
show options
set RHOSTS 10.10.10.8-16
set THREADS 100
run
hosts #Type hosts again and os_flavor will be visible{% embed url="https://blog.clusterweb.com.br/?p=1297" %}
{% embed url="https://hackertarget.com/nikto-tutorial/" %}
{% embed url="https://geekflare.com/nikto-webserver-scanner/" %}
{% embed url="https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-5-creating-custom-wordlist-with-cewl-0158855/" %}
{% embed url="https://medium.com/tech-zoom/dirb-a-web-content-scanner-bc9cba624c86" %}
{% embed url="https://www.hackingarticles.in/comprehensive-guide-on-dirb-tool/" %}
https://www.youtube.com/watch?v=K78YOmbuT48
https://www.youtube.com/watch?v=SS991k5Alp0
https://www.youtube.com/watch?v=MtyhOrBfG-E
https://www.youtube.com/watch?v=sQ4TtFdaiRA
https://www.youtube.com/watch?v=BTGP5sZfJKY