Scanning Networks

Pages
80
Uploaded on
30-10-2022
Written in
2022/2023

Module 3 - Scanning Network, as you all know networking is the backbone of cyber security and the best tool for performing network scanning is the NMAP tool, also known as Network Mapper. So, in the notes, I have briefly explained the Nmap commands and their meaning.


MODULE – 3 Scanning Network
As already discussed, footprinting is the first phase of hacking, in which the attacker gains
primary information about a potential target and then uses this information in the scanning
phase to gather more details about the target.
Topic 1 - Explain Network Scanning Concept




Scanning is the process of gathering additional detailed information about the target using
highly complex and aggressive reconnaissance techniques.
Network Scanning refers to a set of procedures used for identifying hosts, ports and services
in a network.
Network scanning is also used for discovering active machines in a network and identifying
the OS running on the target machine.
It is one of the most important phases of intelligence gathering for an attacker, which
enables him/her to create a profile of the target organization.
In the process of scanning, the attacker tries to gather information, including the specific IP
addresses that can be accessed over the network, the target’s OS and system architecture,
and the ports along with their respective services running on each computer.
The purpose of scanning is to discover exploitable communication channels, probe as many
listeners as possible, and track the ones that are responsive or useful to an attacker’s
particular needs.
In the scanning phase of an attack, the attacker tries to find various ways to intrude into a
target system. The attacker also tries to discover more information about the target system
to determine the presence of any configuration lapses. The attacker then uses the
information obtained to develop an attack strategy.
Types of Scanning
• Port Scanning – Lists the open ports and services.
Port scanning is the process of checking the services running on the target computer by
sending a sequence of messages in an attempt to break in.
Port scanning involves connecting to or probing TCP and UDP ports of the target system to
determine whether the services are running or are in a listening state.
The listening state provides information about the OS and the application currently in use.
Sometimes, active services that are listening may allow unauthorized users to misconfigure
systems or to run software with vulnerabilities.
• Network Scanning – Lists the active hosts and IP addresses.
Network scanning is a procedure for identifying active hosts on a network, either to attack
them or to assess the security of the network.
• Vulnerability Scanning – Shows the presence of known weaknesses.
Vulnerability scanning is a method for checking whether a system is exploitable by
identifying its vulnerabilities.
A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a
list of common files with known vulnerabilities and common exploits for a range of servers.
A vulnerability scanner may, for example, look for backup files or directory traversal
exploits. The scanning engine maintains the logic for reading the exploit list, transferring the
request to the web server, and analyzing the requests to ensure the safety of the server.
These tools generally target vulnerabilities that secure host configurations can fix easily
through updated security patches and a clean web document.
NOTE:
A thief who wants to break into a house looks for access points such as doors and windows.
These are usually the house’s points of vulnerability, as they are easily accessible. When it
comes to computer systems and networks, ports are the doors and windows of a system
that an intruder uses to gain access. A general rule for computer systems is that the greater
the number of open ports on a system, the more vulnerable is the system. However, there
are cases in which a system with fewer open ports than another machine presents a much
higher level of vulnerability.

Objectives of Network Scanning
The more information is at hand about a target organization, the higher the chances of
knowing the network’s security loopholes and, consequently, of gaining unauthorized access
to it.
Some objectives for scanning a network are as follows:
• Discover the network’s live hosts, IP addresses, and open ports of the live hosts.
Using the open ports, an attacker will determine the best means of entering the
system.
• Discover the OS and system architecture of the target. This is also known as
fingerprinting. An attacker can formulate an attack strategy based on the OS’s
vulnerabilities.
• Discover the services running/listening on the target system. Doing so gives the
attacker an indication of the vulnerabilities (based on the service) that can be
exploited for gaining access to the target system.
• Identify specific applications or versions of a particular service.
• Identify vulnerabilities in any of the network systems. This helps an attacker to
compromise the target system or network through various exploits.
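The two scanning kinds the notes distinguish above (port scanning against one host, network scanning for live hosts) leave distinct footprints in firewall logs, and that is how a defender usually notices the reconnaissance described under "Objectives of Network Scanning". The following is an added example, not part of the notes or of Nmap: it runs a simple sliding-window detector over a constructed firewall deny log (the log format, the sample addresses, the 60-second window and the thresholds of 10 distinct ports / 10 distinct hosts are all assumptions chosen for illustration).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed detection thresholds (not from the notes): tune to the environment.
PORT_SCAN_THRESHOLD = 10    # distinct ports on one host from one source
HOST_SWEEP_THRESHOLD = 10   # distinct hosts on one port from one source
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one line of the constructed log format:
    '<ISO-8601 time> <action> <source IP> <destination IP> <destination port>'."""
    ts, action, src, dst, dport = line.split()
    return {"time": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst": dst, "dport": int(dport)}


def detect_scans(lines, window=WINDOW,
                 port_threshold=PORT_SCAN_THRESHOLD,
                 host_threshold=HOST_SWEEP_THRESHOLD):
    """Return one alert per (source, kind, target) whose distinct-port or
    distinct-host count inside any window of `window` length reaches the threshold."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["time"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}   # (src, kind, target) -> highest count seen in any window
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            end = start["time"] + window
            ports_per_host = defaultdict(set)   # port scan: one host, many ports
            hosts_per_port = defaultdict(set)   # network scan / sweep: one port, many hosts
            for e in evs[i:]:                   # events are time-sorted, so stop at the window end
                if e["time"] > end:
                    break
                ports_per_host[e["dst"]].add(e["dport"])
                hosts_per_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    key = (src, "port_scan", dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    key = (src, "host_sweep", dport)
                    alerts[key] = max(alerts.get(key, 0), len(hosts))

    return [{"src": s, "kind": k, "target": t, "count": c}
            for (s, k, t), c in sorted(alerts.items(),
                                        key=lambda kv: (kv[0][0], kv[0][1], str(kv[0][2])))]


def _constructed_log():
    """Constructed sample log (documentation-range addresses, not real traffic)."""
    base = datetime(2022, 10, 30, 10, 0, 0)
    lines = []
    # 203.0.113.5 probes 12 different ports on one host within 3 seconds (port scan)
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        t = (base + timedelta(seconds=i // 4)).isoformat()
        lines.append(f"{t} DENY 203.0.113.5 192.0.2.10 {port}")
    # 198.51.100.7 hits port 445 on 12 different hosts within 6 seconds (host sweep)
    for i in range(12):
        t = (base + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{t} DENY 198.51.100.7 192.0.2.{20 + i} 445")
    # 192.0.2.50: a few ordinary denies spread over ten minutes (should not alert)
    for i, port in enumerate([443, 443, 80]):
        t = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{t} DENY 192.0.2.50 192.0.2.10 {port}")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(f"{alert['kind']:10} from {alert['src']:14} target {alert['target']} "
              f"({alert['count']} distinct)")
```

The per-source window is deliberately simple (quadratic in the number of events per source) so that the logic stays readable; a production detector would keep a rolling window per source and evict old events, and would apply the same two counters to accepted connections as well as denies, since a scan against open ports produces ACCEPT lines, not DENY lines.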

Topic 1.1 – TCP Communication Flags




TCP Communication Flags
The TCP header contains various flags that control the transmission of data across a TCP
connection.
Four TCP control flags (SYN, ACK, FIN, and RST) govern the establishment, maintenance, and
termination of a connection.
The other two flags (PSH and URG) provide instructions to the system.
The size of each flag is 1 bit. As there are six flags in the TCP flags section, the size of this
section is 6 bits.
When a flag value is set to “1”, that flag is automatically turned on.




The following are the TCP communication Flags:
Synchronize or “SYN”: it notifies the transmission of a new sequence number. This flag
generally represents the establishment of a connection (three-way handshake) between
two hosts.
Acknowledgement or “ACK”: it confirms the receipt of the transmission and identifies the
next expected sequence number. When the system successfully receives a packet, it sets the
value of its flag to “1”, thus implying that the receiver should pay attention to it.
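To make the six one-bit flags concrete, here is an added example (not from the notes) that packs and unpacks a minimal 20-byte TCP header with Python's `struct` module and decodes the flags byte into the names used above. The three constructed segments form the three-way handshake the SYN and ACK descriptions refer to; the port numbers, sequence numbers and the `handshake_step` labels are illustrative choices, and the checksum is left at zero because the header is never sent.

```python
import struct

# The six flags described in the notes and their bit positions in the flags byte
# (byte 13 of the TCP header, low six bits). The two high bits of that byte carry
# the later-added ECN flags (ECE, CWR), which the notes do not cover.
TCP_FLAG_BITS = {
    "URG": 0x20,
    "ACK": 0x10,
    "PSH": 0x08,
    "RST": 0x04,
    "SYN": 0x02,
    "FIN": 0x01,
}

# src port, dst port, seq, ack, data offset/reserved, flags, window, checksum, urgent ptr
TCP_HEADER_FORMAT = "!HHIIBBHHH"
TCP_HEADER_LEN = struct.calcsize(TCP_HEADER_FORMAT)   # 20 bytes, no options


def build_tcp_header(src_port, dst_port, seq, ack, flags):
    """Construct a minimal TCP header for test input only (checksum left at zero)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAG_BITS[name]
    data_offset = (TCP_HEADER_LEN // 4) << 4   # header length in 32-bit words, upper nibble
    return struct.pack(TCP_HEADER_FORMAT, src_port, dst_port, seq, ack,
                       data_offset, flag_byte, 65535, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header; the flags come back as a list of names."""
    if len(raw) < TCP_HEADER_LEN:
        raise ValueError("truncated TCP header")
    (src_port, dst_port, seq, ack, offset_byte, flag_byte,
     window, checksum, urg_ptr) = struct.unpack(TCP_HEADER_FORMAT, raw[:TCP_HEADER_LEN])
    flags = [name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit]
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "header_len": (offset_byte >> 4) * 4,   # data offset is in 32-bit words
        "flags": flags,
        "window": window,
        "urg_ptr": urg_ptr,   # only meaningful when URG is set
    }


def handshake_step(flags):
    """Map a flag combination to the handshake step the notes describe (labels are ours)."""
    f = set(flags)
    if f == {"SYN"}:
        return "1: SYN (connection request, announces a new sequence number)"
    if f == {"SYN", "ACK"}:
        return "2: SYN-ACK (server accepts and acknowledges the client's sequence number)"
    if f == {"ACK"}:
        return "3: ACK (client acknowledges, connection established)"
    if "RST" in f:
        return "reset (connection refused or aborted)"
    return "not a handshake segment: " + "+".join(sorted(f))


# Constructed example: the three handshake segments between a client port and port 80.
CLIENT_ISN, SERVER_ISN = 1000, 5000
HANDSHAKE = [
    build_tcp_header(40000, 80, CLIENT_ISN, 0, ["SYN"]),
    build_tcp_header(80, 40000, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"]),
    build_tcp_header(40000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"]),
]

if __name__ == "__main__":
    for raw in HANDSHAKE:
        h = parse_tcp_header(raw)
        print(f"{h['src_port']} -> {h['dst_port']} flags={h['flags']} "
              f"seq={h['seq']} ack={h['ack']}  {handshake_step(h['flags'])}")
```

The ACK number in the second segment (CLIENT_ISN + 1) is the "next expected sequence number" the ACK paragraph mentions: the SYN consumes one sequence number, so the server acknowledges it by echoing the client's initial sequence number plus one.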
Professor(s)
Ronald rivest
Seller
adityasingla1 (Ec-council)