Courses / HDNA Ethical Hacking Course

4. Network Scanning

Last Edit: 20-05-2024

Network scanning and enumeration are crucial steps in the reconnaissance phase of penetration testing and ethical hacking. These processes involve identifying live hosts, open ports, services, and the underlying operating systems on a target network. By gathering this information, security professionals can map out the network's structure, identify potential vulnerabilities, and devise strategies for further exploitation.

Importance of Network Scanning and Enumeration

  1. Identifying Live Hosts: Detecting active devices on a network is the first step in understanding the target environment. It narrows the focus to systems that are actually reachable, so the slower and noisier scans that follow are not wasted on unused addresses.

  2. Discovering Open Ports and Services: Open ports and the services running on them are potential entry points for attackers. Identifying these can reveal applications and services that might be vulnerable to attacks.

  3. Determining Operating Systems: Understanding the operating systems of target machines helps in selecting appropriate exploits and attack vectors. Different OSs have different vulnerabilities and security mechanisms.

  4. Mapping the Network Topology: Visualizing the network layout and the relationships between devices aids in planning an effective attack strategy. It can reveal critical paths and chokepoints within the network.

  5. Uncovering Vulnerabilities: Network scanning and enumeration can reveal misconfigurations, outdated software, and unpatched vulnerabilities that can be exploited to gain unauthorized access or escalate privileges.

Tools and Techniques

Several tools and techniques are used for network scanning and enumeration. Here are some popular tools and examples of how to use them:

  1. Nmap (Network Mapper)
    • Nmap is a versatile and widely-used tool for network discovery and security auditing. It can perform various types of scans to identify live hosts, open ports, services, and operating systems.

    Basic Host Discovery (aka "ping scan"):
    • -sn disables port scanning and only reports which hosts answer. With raw-socket privileges on the local Ethernet segment Nmap uses ARP requests; for remote networks it sends an ICMP echo, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so a host that filters all of these is reported as down. Use -Pn to skip discovery and scan such hosts anyway.
    • Command:

      nmap -sn 192.168.1.0/24

    • Result:
      Starting Nmap 7.91 ( https://nmap.org ) at 2024-05-19 12:00 UTC
      Nmap scan report for 192.168.1.1
      Host is up (0.0010s latency).
      Nmap scan report for 192.168.1.2
      Host is up (0.0011s latency).
      Nmap scan report for 192.168.1.5
      Host is up (0.0012s latency).
      Nmap done: 256 IP addresses (3 hosts up) scanned in 3.22 seconds

    Port Scanning:
    • Without -p, Nmap scans the 1000 most common TCP ports. As root it performs a SYN ("half-open") scan (-sS); as an unprivileged user it falls back to a full connect scan (-sT), which completes the handshake and is therefore more likely to appear in the service's logs.
    • Command:
    • Scan all ports: nmap -p 1-65535 192.168.1.1 or nmap -p- 192.168.1.1
    • Scan a specific range (here from 1 to 1234): nmap -p 1-1234 192.168.1.1
    • Scan a single port (here 21): nmap -p 21 192.168.1.1

    • Example Result (full port scan, nmap -p- 192.168.1.1):
      Starting Nmap 7.91 ( https://nmap.org ) at 2024-05-19 12:05 UTC
      Nmap scan report for 192.168.1.1
      Host is up (0.00097s latency).
      Not shown: 65530 closed ports
      PORT     STATE SERVICE
      22/tcp   open  ssh
      80/tcp   open  http
      443/tcp  open  https
      3306/tcp open  mysql
      8080/tcp open  http-proxy
      Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
    • The SERVICE column here is only the name Nmap associates with the port number in its nmap-services file; nothing is verified until -sV is used. "closed" means the host answered with a RST; ports that never answer at all are reported as "filtered".

    Service Version Detection:
    • -sV connects to each open port and sends protocol probes to identify the real service and its version instead of guessing from the port number. It is noisier than a plain port scan and, without -p, still covers only the top 1000 ports, so pair it with -p- or with the list of ports found earlier.
    • Command:
      nmap -sV 192.168.1.1

    • Result:
      Starting Nmap 7.91 ( https://nmap.org ) at 2024-05-19 12:10 UTC
      Nmap scan report for 192.168.1.1
      Host is up (0.00097s latency).
      PORT     STATE SERVICE    VERSION
      22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
      80/tcp   open  http       Apache httpd 2.4.38 ((Debian))
      443/tcp  open  ssl/http   Apache httpd 2.4.38 ((Debian))
      3306/tcp open  mysql      MySQL 5.7.31-0ubuntu0.16.04.1
      8080/tcp open  http-proxy
      Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

      Nmap done: 1 IP address (1 host up) scanned in 10.50 seconds
    • Version strings such as "OpenSSH 7.9p1" and "Apache httpd 2.4.38" are the input for the vulnerability research that follows. 8080/tcp shows no VERSION because none of the probes matched, which makes it a port worth inspecting by hand.

    Operating System Detection:
    • -O fingerprints the TCP/IP stack (TTL, window sizes, option ordering and similar details) and compares it with Nmap's OS database. It needs raw-socket privileges (root) and gives the most reliable result when at least one open and one closed TCP port are found. -A combines OS detection with -sV, script scanning and traceroute.
    • Command:
      nmap -O 192.168.1.1

    • Result:
      Starting Nmap 7.91 ( https://nmap.org ) at 2024-05-19 12:15 UTC
      Nmap scan report for 192.168.1.1
      Host is up (0.00097s latency).
      Device type: general purpose
      Running: Linux 3.X|4.X
      OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
      OS details: Linux 3.10 - 4.11
      Nmap done: 1 IP address (1 host up) scanned in 6.52 seconds
    • "Linux 3.10 - 4.11" is a range guess from the fingerprint, not an exact kernel version; cross-check it against the service banners (here the Debian 10 OpenSSH build) before choosing exploits.
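The states in the Nmap output above (open, closed, filtered) and the banner that -sV reads come straight from TCP socket behaviour. The following Python script is an added example, not part of the HDNA course or of Nmap itself, that reproduces a connect scan plus banner grab against a fake service it starts on 127.0.0.1; the listener, its SSH-style banner and the small banner-to-service table are constructed for the illustration.

```python
"""Added example (not part of the HDNA course page): a minimal TCP connect
scanner with banner grabbing, showing what Nmap's -sT/-p scan and the
first step of -sV do at the socket level. The fake service started by
demo() on 127.0.0.1 and its banner are constructed for this example.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional, Tuple

# Banner served by the constructed local listener used in demo().
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n"

# Very small version of Nmap's probe/match idea: services that "speak first".
BANNER_PREFIXES = {
    b"SSH-": "ssh",
    b"220 ": "ftp/smtp",   # both greet with a 220 line; a real matcher reads further
    b"HTTP/": "http",
    b"+OK": "pop3",
    b"* OK": "imap",
}

ProbeResult = Tuple[str, Optional[bytes]]   # (state, banner)


def probe_port(host: str, port: int, timeout: float = 1.0) -> ProbeResult:
    """Classify one TCP port the way Nmap reports it.

    open     - the three-way handshake completed
    closed   - the peer answered with RST (connect() raises ConnectionRefusedError)
    filtered - nothing came back (timeout) or the path is blocked (host/net unreachable)
    The banner is whatever the service sends first without being asked, if anything.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return "closed", None
    except OSError:            # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
        sock.close()
        return "filtered", None
    banner = None
    try:
        data = sock.recv(1024)  # silent services such as HTTP just time out here
        if data:
            banner = data
    except OSError:
        pass
    finally:
        sock.close()
    return "open", banner


def guess_service(banner: Optional[bytes]) -> Optional[str]:
    """Map a greeting banner to a service name; None if unknown or the service was silent."""
    if not banner:
        return None
    for prefix, name in BANNER_PREFIXES.items():
        if banner.startswith(prefix):
            return name
    return None


def scan(host: str, ports: List[int], timeout: float = 1.0, workers: int = 32) -> Dict[int, ProbeResult]:
    """Probe all ports in parallel, like a (much simplified) nmap -sT -p <ports>."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, results))


def _start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Constructed listener on an ephemeral loopback port that greets once and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def _pick_closed_port() -> int:
    """Ask the kernel for a free ephemeral port and release it, so it answers with RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> Tuple[int, int, Dict[int, ProbeResult]]:
    """Scan one open (fake SSH) and one closed loopback port; returns (open, closed, results)."""
    srv, open_port = _start_fake_service(FAKE_BANNER)
    closed_port = _pick_closed_port()
    try:
        results = scan("127.0.0.1", sorted({open_port, closed_port}))
    finally:
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    print("PORT       STATE   SERVICE")
    for port, (state, banner) in sorted(results.items()):
        print(f"{port}/tcp".ljust(11), state.ljust(8), guess_service(banner) or "")
```

Because it completes the handshake, this behaves like nmap -sT: every probe reaches the application and can show up in its logs, which is why Nmap prefers the half-open -sS scan whenever it has raw-socket privileges. The "filtered" branch cannot be shown on loopback, but against a firewalled host it is the outcome you will see most.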

  2. Masscan:
    • Masscan is known for its speed and is capable of scanning large networks very quickly. It uses a syntax similar to Nmap but is optimized for performance: it has its own TCP/IP stack and sends SYN packets asynchronously at the rate you set. The trade-off is that it only reports which ports answered (no service or OS detection), and a high rate can saturate links or trip rate-limiting firewalls, so the usual workflow is Masscan for breadth and Nmap -sV on the discovered ports for depth.

    Basic Scan:
    • Command:
      masscan 192.168.1.1/32 -p0-65535 --max-rate 100000 
       
    • Result:
      Starting masscan 1.3.2 at 2024-05-20 12:57:47 GMT
      Initiating SYN Stealth Scan
      Scanning 1 hosts [65536 ports/host]
      Discovered open port 22/tcp on 192.168.1.1
      Discovered open port 80/tcp on 192.168.1.1
      Discovered open port 443/tcp on 192.168.1.1
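Masscan only reports that a SYN was answered; the usual next step is to hand those ports to Nmap for version detection. The script below is an added example (not the course's or Masscan's code) that parses "Discovered open port" lines like the ones above into per-host port lists and builds one targeted nmap -sV command per host. The sample output it embeds is constructed for the example, using the same private addresses as the rest of this page.

```python
"""Added example (not from the HDNA course page or the Masscan project):
turn Masscan's "Discovered open port" lines into per-host port lists and
into the Nmap -sV follow-up commands that confirm what is really running.
SAMPLE_MASSCAN_OUTPUT is constructed for the example.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_MASSCAN_OUTPUT = """\
Starting masscan 1.3.2 at 2024-05-20 12:57:47 GMT
Initiating SYN Stealth Scan
Scanning 2 hosts [65536 ports/host]
Discovered open port 443/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.5
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 53/udp on 192.168.1.5
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 443/tcp on 192.168.1.1
"""

# Masscan prints results asynchronously, one line per answer, in arrival
# order; duplicates can appear when --retries is used, so we deduplicate.
DISCOVERED = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<host>\S+)$"
)

PortMap = Dict[str, Dict[str, List[int]]]   # host -> proto -> sorted ports


def parse_masscan(text: str) -> PortMap:
    """Group Masscan's discovery lines by host and protocol, sorted and deduplicated.

    Hosts are validated with ipaddress so a corrupted or malicious line
    raises ValueError instead of smuggling shell metacharacters into the
    commands built later.
    """
    found: Dict[str, Dict[str, set]] = {}
    for line in text.splitlines():
        m = DISCOVERED.match(line.strip())
        if not m:
            continue            # banner, progress and other lines are ignored
        port = int(m["port"])
        if not 0 <= port <= 65535:
            continue
        host = str(ipaddress.ip_address(m["host"]))
        found.setdefault(host, {}).setdefault(m["proto"], set()).add(port)
    return {
        host: {proto: sorted(ports) for proto, ports in sorted(protos.items())}
        for host, protos in sorted(found.items(),
                                   key=lambda kv: ipaddress.ip_address(kv[0]))
    }


def nmap_port_spec(protos: Dict[str, List[int]]) -> str:
    """Build Nmap's -p syntax: T: for TCP ports, U: for UDP ports (e.g. T:22,80,U:53)."""
    parts = []
    if protos.get("tcp"):
        parts.append("T:" + ",".join(map(str, protos["tcp"])))
    if protos.get("udp"):
        parts.append("U:" + ",".join(map(str, protos["udp"])))
    return ",".join(parts)


def nmap_followup_commands(ports: PortMap) -> List[str]:
    """One targeted Nmap command per host: version detection on the discovered ports only.

    -Pn skips host discovery (Masscan already proved the host answers),
    -sS/-sU match the protocols seen, and limiting -p to known ports keeps
    the noisy -sV probes to a minimum.
    """
    commands = []
    for host, protos in ports.items():
        scan_types = "-sS" + (" -sU" if protos.get("udp") else "")
        commands.append(f"nmap {scan_types} -sV -Pn -p {nmap_port_spec(protos)} {host}")
    return commands


if __name__ == "__main__":
    for cmd in nmap_followup_commands(parse_masscan(SAMPLE_MASSCAN_OUTPUT)):
        print(cmd)
```

In practice you would pipe a real run into it (masscan ... | tee masscan.txt, then python3 followup.py < masscan.txt, with the reading of stdin added); the point is that only ports Masscan actually saw answer are passed to Nmap, so the second, slower scan stays small and targeted.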
       
  3. Netcat (nc):
    • Netcat is a versatile networking utility used for reading from and writing to network connections. It's often referred to as the "Swiss-army knife" of networking tools. In scanning it is used to confirm a single port by hand and to grab a banner: connect, type a request, and read what the service answers.

    • Command:
      nc -v 192.168.1.1 80

    • Result (the GET and Host lines, followed by an empty line, are typed by the tester; everything after that is the server's reply):
      Connection to 192.168.1.1 80 port [tcp/http] succeeded!
      GET / HTTP/1.1
      Host: 192.168.1.1

      HTTP/1.1 200 OK
      Date: Sun, 19 May 2024 12:25:00 GMT
      Server: Apache/2.4.38 (Debian)
    • The Server header is the same banner Nmap's -sV reported for port 80; seeing it by hand confirms the fingerprint and shows the full response (redirects, cookies, other headers) that an automated scan only summarises.

Question: Answer the question below to validate the course and earn easy points:

What Nmap command would you use to perform service version detection on the host with IP address 192.168.1.1?