Module 03 - Scanning Networks¶
Type of Scanning¶
| Term | Description |
|---|---|
| Port Scanning | Identifying open ports and services running on a target system to find potential vulnerabilities. |
| Network Scanning | Discovering active devices and their IP addresses on a network to map the network structure. |
| Vulnerability Scanning | Assessing systems for known vulnerabilities by comparing them against a database of vulnerabilities. |
TCP/IP Protocol Suite¶
| Layer | Protocols |
|---|---|
| Application Layer | HTTP, FTP, SMTP, DNS |
| Transport Layer | TCP, UDP |
| Network Layer | IP, ICMP |
| Data Link Layer | Ethernet, Wi-Fi |
| Physical Layer | Cables, Hubs, Repeaters |
TCP Communication Flags¶
| Flag | Description |
|---|---|
| SYN | Initiates a connection between two hosts. |
| ACK | Acknowledges the receipt of a packet. |
| FIN | Indicates the end of a connection. |
| RST | Resets a connection when an error occurs. |
| PSH | Pushes data to the receiving application immediately. |
| URG | Indicates that the data is urgent and should be processed immediately. |
hping3 Command Options¶
| Option | Description |
|---|---|
| -p | Specify the destination port to scan. |
| -1 | Use ICMP mode to send ICMP packets. |
| -2 | Send UDP packets to perform a UDP scan. |
| -A/--ack | Send ACK packets to perform an ACK scan. |
| -Q | Collects all TCP sequence numbers generated by target host |
| --tcp-timestamp | Set TCP timestamp for those firewalls that filter based on the presence of timestamps. |
| -8 | Use SYN Scan |
| -F | Use FIN flag |
| -P | Use PSH flag |
| -U | Use URG flag |
| --rand-dest | Select random destination ports for each packet across the whole subnet |
| -9 | Listen Mode, intercept all packets |
| --flood | Send packets to flood the target |
nmap Command Options¶
| Option | Description | Root Required |
|---|---|---|
| -p \<port> | Specify the destination port(s) to scan (e.g. -p 80, -p 1-1024, -p- for all). | ❌ |
| -sT | TCP Connect scan: completes the full 3-way handshake. Slower and more detectable than SYN scan. | ❌ |
| -sS | SYN (stealth) scan: sends SYN and waits for response without completing the handshake. | ✅ |
| -sU | UDP scan: probes UDP ports; slow and unreliable due to lack of responses. | ✅ |
| -sA | ACK scan: determines whether ports are filtered or unfiltered (useful for mapping firewall rules). | ✅ |
| -sN | NULL scan: sends a packet with no flags set; open/filtered ports give no response. | ✅ |
| -sF | FIN scan: sends a FIN packet; open ports ignore it, closed ports reply with RST. | ✅ |
| -sX | Xmas scan: sends FIN, PSH, and URG flags; open/filtered ports give no response. | ✅ |
| -sM | Maimon scan: sends FIN/ACK packet; used to bypass some firewalls. | ✅ |
| -sI \<zombie> | Idle (zombie) scan: uses a third-party idle host to perform a covert port scan. | ✅ |
| -sW | Window scan: similar to ACK scan but examines the TCP window field to distinguish open from closed. | ✅ |
| -sn | Ping scan (no port scan): discovers live hosts without scanning ports. | ✅ |
| -Pn | Skip host discovery; treat all hosts as online. | ❌ |
| -PS \<port> | TCP SYN ping: send SYN to specified port for host discovery. | ✅ |
| -PA \<port> | TCP ACK ping: send ACK to specified port for host discovery. | ✅ |
| -PU \<port> | UDP ping for host discovery. | ✅ |
| -PE / -PP / -PM | ICMP echo / timestamp / netmask ping for host discovery. | ✅ |
| -PO \<protocol> | IP protocol ping: send packets with specified IP protocol number for host discovery. | ✅ |
| -O | OS detection: fingerprints the target OS by analyzing network responses. | ✅ |
| -sV | Version detection: identifies services and versions running on open ports. | ❌ |
| --version-intensity \<0-9> | Set aggressiveness of version detection (0 = light, 9 = all probes). | ❌ |
| -sC | Run default NSE scripts (equivalent to --script=default). | ❌ |
| --script \<name> | Run specified NSE script(s) for advanced detection or exploitation. | ❌ |
| -A | Aggressive mode: enables OS detection, version detection, scripts, and traceroute. | ✅ |
| -D \<decoy1,decoy2,...> | Decoy scan: spoofs multiple source IPs to hide the real scanner among decoys. | ✅ |
| -S \<IP> | Spoof source IP address (requires knowing a route back to the real machine). | ✅ |
| -e \<interface> | Use a specific network interface. | ❌ |
| --source-port \<port> | Spoof the source port (e.g. 53 or 80 to bypass some firewalls). | ❌ |
| --traceroute | Perform a traceroute to each discovered host after scanning. | ✅ |
| -f | Fragment packets to evade packet inspection and firewalls. | ✅ |
| --mtu \<size> | Set a custom MTU for packet fragmentation. | ✅ |
| --data-length \<n> | Append random data to packets to avoid signature-based detection. | ❌ |
| --randomize-hosts | Randomize the order in which target hosts are scanned. | ❌ |
| -T\<0-5> | Timing template: 0=paranoid, 1=sneaky, 2=polite, 3=normal, 4=aggressive, 5=insane. | ❌ |
| --min-rate / --max-rate | Control minimum/maximum number of packets sent per second. | ❌ |
| -oN / -oX / -oG / -oA | Output to normal / XML / greppable / all formats. | ❌ |
| -v / -vv | Increase verbosity of output. | ❌ |
| -d / -dd | Increase debug level of output. | ❌ |
| -n | Disable DNS resolution (faster scans). | ❌ |
| -R | Always perform DNS resolution. | ❌ |
| --open | Show only open ports in output. | ❌ |
| --reason | Show the reason a port is in a given state. | ❌ |
| --top-ports \<n> | Scan the top n most common ports. | ❌ |
| -6 | Enable IPv6 scanning. | ❌ |
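Scan output is only useful if it is parsed and compared against what should be exposed. The following is an added example, not code from the notes or from the Nmap project: a parser for the greppable `-oG` format (the `-oG` row above) that builds an inventory of open ports and diffs it against an approved baseline, so an unexpected listener shows up as a finding. The sample output, host names, IPs, services and the baseline are all constructed for the example.

```python
"""Parse Nmap greppable (-oG) output and diff it against a known baseline.

Added example, not from the original notes. The sample below is constructed
to follow the -oG layout: tab-separated "Field: value" pairs per Host line,
with the Ports field holding comma-separated
port/state/protocol/owner/service/rpcinfo/version/ entries. Host names, IPs
and services are made up.
"""
from dataclasses import dataclass

SAMPLE_OG = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 (web01.example.test)\tStatus: Up\n"
    "Host: 10.0.0.5 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, "
    "80/open/tcp//http//nginx 1.24/, 443/open/tcp//https//nginx 1.24/, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (996)\n"
    "Host: 10.0.0.9 ()\tStatus: Up\n"
    "Host: 10.0.0.9 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (99)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_og(text):
    """Return {ip: [PortRecord, ...]} for every Host line that carries a Ports field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]
        records = hosts.setdefault(ip, [])
        if "Ports" not in fields:
            continue
        for entry in fields["Ports"].split(", "):
            # port/state/proto/owner/service/rpcinfo/version/ (trailing slash -> empty 8th part)
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            records.append(PortRecord(int(port), proto, state, service, version))
    return hosts


def open_ports(hosts):
    """Set of (ip, port, proto) whose state is exactly 'open'."""
    return {(ip, r.port, r.proto) for ip, recs in hosts.items() for r in recs if r.state == "open"}


def new_exposures(baseline, current):
    """Open ports present in the current scan but absent from the approved baseline."""
    return open_ports(current) - open_ports(baseline)


# Constructed approved baseline: only ssh and https were expected on web01.
BASELINE = {"10.0.0.5": [PortRecord(22, "tcp", "open", "ssh", "OpenSSH 9.2"),
                         PortRecord(443, "tcp", "open", "https", "nginx 1.24")]}

if __name__ == "__main__":
    current = parse_og(SAMPLE_OG)
    for ip, port, proto in sorted(new_exposures(BASELINE, current)):
        print(f"unexpected open port: {ip}:{port}/{proto}")
```

Run against the sample, the diff reports `10.0.0.5:80/tcp` as the one listener not in the baseline; `open|filtered` UDP results are deliberately excluded from the inventory because they are not confirmed open.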
Host Discovery Techniques¶
| Technique | Description | Advantage | Active Responses | Inactive Responses |
|---|---|---|---|---|
| TCP Three-Way Handshake | Sends SYN packets to specified ports and waits for responses. | Can bypass some firewalls that allow TCP traffic. | TCP SYN-ACK | RST |
| ARP Ping Scan | Uses ARP requests to discover hosts on a local network. | Efficient and accurate; scans large networks quickly. | ARP Reply | No response |
| UDP Ping Scan | Sends UDP packets to specified ports to elicit responses. By default Nmap uses port 40125. | Can bypass some strict TCP firewalls that allow UDP traffic. | UDP Response | Host unreachable / TTL exceeded |
| ICMP Echo Ping Sweep | Sends ICMP echo requests to discover hosts. | Simple and widely supported. | ICMP Echo Reply | No response |
| ICMP Timestamp Ping | Sends ICMP timestamp requests to discover hosts and gather timing information. | Can provide additional information about the target system. | ICMP Timestamp Reply | No response |
| ICMP Address Mask Ping | Sends ICMP address mask requests to discover hosts and gather subnet information. | Can provide information about the network configuration. | ICMP Address Mask Reply | No response |
| TCP SYN Ping | Sends TCP SYN packets to specified hosts to discover hosts. | Can bypass some firewalls that allow TCP traffic. Uses default port 80. | TCP SYN-ACK | RST |
| TCP ACK Ping | Sends TCP ACK packets to specified hosts to discover hosts. | Can bypass some firewalls that allow TCP traffic. Uses default port 80. | TCP RST | No response |
| IP Protocol Ping | Sends packets with specific IP protocol numbers to discover hosts that respond to those protocols. | Can discover hosts that respond to specific protocols (e.g., ICMP, IGMP, IP-in-IP). Change DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h. | Response from target protocol | No response |
Ping Sweep Tools¶
| Tool | Description |
|---|---|
| Angry IP Scanner | A fast and user-friendly tool for scanning IP addresses and ports. |
| fping | A command-line tool for performing fast ping sweeps and host discovery. |
| SolarWinds Engineering Toolset | A comprehensive suite of network management tools that includes a ping sweep feature. |
| NetScanTools Pro | A collection of network diagnostic tools, including a ping sweep utility. |
| Advanced IP Scanner | A free and easy-to-use tool for scanning local networks and discovering devices. |
| OpUtils | A collection of network utilities, including a ping sweep tool, for Windows. |
Port and Service Discovery¶
List of Commonly Used Ports¶
| Service | Port | TCP/UDP | Description |
|---|---|---|---|
| echo | 7 | TCP/UDP | Echo service |
| discard | 9 | TCP/UDP | Discard service |
| systat | 11 | TCP/UDP | System status service |
| daytime | 13 | TCP/UDP | Daytime service |
| netstat | 15 | TCP/UDP | Network status service |
| qotd | 19 | TCP/UDP | Quote of the Day service |
| chargen | 19 | TCP/UDP | Character generator service (obsolete) |
| ftp-data | 20 | TCP | FTP data transfer |
| ftp | 21 | TCP | FTP control |
| ssh | 22 | TCP | Secure Shell |
| telnet | 23 | TCP | Telnet remote login |
| smtp | 25 | TCP | Simple Mail Transfer Protocol |
| time | 37 | TCP/UDP | Time service — synchronizes clocks between network hosts. |
| rlp | 39 | TCP/UDP | Resource Location Protocol — locates resources on a network. |
| domain | 53 | TCP/UDP | Domain Name System — translates domain names to IP addresses. |
| sql*net | 66 | TCP/UDP | Oracle SQL*Net — used for Oracle database client-server communication. |
| bootps | 67 | UDP | Bootstrap Protocol Server — provides IP configuration to clients (DHCP predecessor). |
| bootpc | 68 | UDP | Bootstrap Protocol Client — receives IP configuration from a BOOTP/DHCP server. |
| tftp | 69 | UDP | Trivial File Transfer Protocol — simple file transfer with no authentication. |
| gopher | 70 | TCP | Gopher — distributed document retrieval protocol, predecessor of HTTP. |
| finger | 79 | TCP | Finger — retrieves information about users on a remote system. |
| www-http | 80 | TCP/UDP | Hypertext Transfer Protocol — used for unencrypted web traffic. |
| www-https | 443 | TCP | HTTP Secure — encrypted web traffic using TLS/SSL. |
| kerberos | 88 | TCP/UDP | Kerberos — network authentication protocol using tickets. |
| pop2 | 109 | TCP | Post Office Protocol v2 — legacy protocol for retrieving email from a server. |
| pop3 | 110 | TCP | Post Office Protocol v3 — widely used protocol for retrieving email from a server. |
| sunrpc | 111 | TCP/UDP | Sun Remote Procedure Call — used by NFS and other RPC-based services. |
| auth/ident | 113 | TCP/UDP | Authentication/Ident Protocol — identifies the user owning a TCP connection. |
| audionews | 114 | TCP/UDP | Audio News Multicast — used for audio news broadcasting over a network. |
| nntp | 119 | TCP | Network News Transfer Protocol — used for reading and posting Usenet articles. |
| ntp | 123 | UDP | Network Time Protocol — synchronizes clocks of networked computers. |
| netbios-ns | 137 | TCP/UDP | NetBIOS Name Service — resolves NetBIOS names to IP addresses. |
| netbios-dgm | 138 | TCP/UDP | NetBIOS Datagram Service — connectionless NetBIOS communication. |
| netbios-ssn | 139 | TCP/UDP | NetBIOS Session Service — connection-oriented NetBIOS communication (SMB). |
| imap | 143 | TCP/UDP | Internet Message Access Protocol — retrieves and manages email on a server. |
| sql-net | 150 | TCP/UDP | SQL-NET — used for SQL database network communication. |
| sqlsrv | 156 | TCP/UDP | SQL Service — alternative port for SQL database services. |
| snmp | 161 | TCP/UDP | Simple Network Management Protocol — monitors and manages network devices. |
| snmp-trap | 162 | TCP/UDP | SNMP Trap — receives unsolicited alerts from managed network devices. |
| cmip-man | 163 | TCP/UDP | CMIP Manager — used by the Common Management Information Protocol manager. |
| cmip-agent | 164 | TCP/UDP | CMIP Agent — used by the Common Management Information Protocol agent. |
| irc | 194 | TCP/UDP | Internet Relay Chat — real-time text messaging and chat protocol. |
| at-rtmp | 201 | TCP/UDP | AppleTalk Routing Table Maintenance Protocol — manages AppleTalk routing tables. |
| at-nbp | 202 | TCP/UDP | AppleTalk Name Binding Protocol — maps AppleTalk resource names to addresses. |
| at-3 | 203 | TCP/UDP | AppleTalk Zone Information Protocol — manages AppleTalk zones. |
| at-echo | 204 | TCP/UDP | AppleTalk Echo Protocol — verifies connectivity between AppleTalk nodes. |
| at-5 | 205 | TCP/UDP | AppleTalk — reserved AppleTalk protocol port. |
| at-zis | 206 | TCP/UDP | AppleTalk Zone Information Socket — distributes zone information in AppleTalk networks. |
| at-7 | 207 | TCP/UDP | AppleTalk — reserved AppleTalk protocol port. |
| at-8 | 208 | TCP/UDP | AppleTalk — reserved AppleTalk protocol port. |
| ipx | 213 | TCP/UDP | Internetwork Packet Exchange — Novell's network layer protocol. |
| imap3 | 220 | TCP/UDP | IMAP version 3 — deprecated version of the Internet Message Access Protocol. |
| aurp | 387 | TCP/UDP | AppleTalk Update Routing Protocol — used for routing between AppleTalk networks. |
| netware-ip | 396 | TCP/UDP | Novell NetWare over IP — encapsulates IPX/SPX packets within IP datagrams. |
| rmt | 411 | TCP/UDP | Remote Tape — used for remote magnetic tape drive access. |
| kerberos-ds | 445 | TCP/UDP | Kerberos-DS — alternative Kerberos authentication over SMB/DS port. |
| isakmp | 500 | UDP | Internet Security Association and Key Management Protocol — used in IPsec VPNs for key exchange (IKE). |
| fcp | 510 | TCP | FirstClass Protocol — used by FirstClass collaborative software. |
| exec | 512 | TCP | Remote Process Execution (rexec) — executes commands on a remote host. |
| comsat/biff | 512 | UDP | Comsat/Biff — notifies users of new mail arrival. |
| login | 513 | TCP | Remote Login (rlogin) — provides remote login capability (insecure, replaced by SSH). |
| who | 513 | UDP | Who daemon — provides information about currently logged-in users. |
| shell | 514 | TCP | Remote Shell (rsh) — executes commands on a remote host without password (insecure). |
| syslog | 514 | UDP | System Logging Protocol — forwards log messages to a centralized log server. |
| printer | 515 | TCP/UDP | Line Printer Daemon — manages print jobs on a network printer. |
| talk | 517 | TCP/UDP | Talk Protocol — allows two users to communicate interactively. |
| ntalk | 518 | UDP | Network Talk — improved version of Talk supporting multiple interfaces. |
| netnews | 532 | TCP/UDP | Readnews — used for accessing Usenet newsgroups. |
| uucp | 540 | TCP/UDP | Unix-to-Unix Copy Protocol — transfers files and executes commands between Unix systems. |
| klogin | 543 | TCP/UDP | Kerberos Login — Kerberos-authenticated remote login (rlogin replacement). |
| kshell | 544 | TCP/UDP | Kerberos Shell — Kerberos-authenticated remote shell (rsh replacement). |
| ekshell | 545 | TCP | Kerberos Encrypted Shell — encrypted Kerberos remote shell. |
| pcserver | 600 | TCP | PC Server — used by ECD (Energy Calculation daemon) and other services. |
| mount | 635 | UDP | NFS Mount Protocol — used to mount remote NFS file systems. |
| pcnfs | 640 | UDP | PC Network File System — lightweight NFS authentication for PC clients. |
| bwnfs | 650 | UDP | BW-NFS — used for NFS-based communication by some BSD systems. |
| flexlm | 744 | TCP/UDP | FlexLM License Manager — manages floating software licenses. |
| kerberos-adm | 749 | TCP/UDP | Kerberos Administration — used for Kerberos KDC administration tasks. |
| kerberos | 750 | TCP/UDP | Kerberos v4 — legacy Kerberos version 4 authentication port. |
| kerberos_master | 751 | TCP/UDP | Kerberos Master — used for Kerberos master database propagation. |
| krb_prop | 754 | TCP | Kerberos Slave Propagation — propagates Kerberos database to slave KDCs. |
| applix | 999 | UDP | Applix — used by Applix data access services. |
| socks | 1080 | TCP/UDP | SOCKS Proxy — proxy protocol for routing TCP/UDP traffic through a firewall. |
| kpop | 1109 | TCP | Kerberos POP — Kerberos-authenticated Post Office Protocol. |
| ms-sql-s | 1433 | TCP/UDP | Microsoft SQL Server — main port for Microsoft SQL Server database connections. |
| ms-sql-m | 1434 | TCP/UDP | Microsoft SQL Server Monitor — used for SQL Server Browser service and instance discovery. |
| pptp | 1723 | TCP/UDP | Point-to-Point Tunneling Protocol — VPN tunneling protocol used by Microsoft. |
| nfs | 2049 | TCP/UDP | Network File System — enables file sharing between Unix/Linux hosts over a network. |
| eklogin | 2105 | TCP | Kerberos Encrypted Login — encrypted version of Kerberos rlogin. |
| rkinit | 2108 | TCP | Kerberos Remote Kinit — used for remote Kerberos ticket initialization. |
| kx | 2111 | TCP | Kerberos X — used for Kerberos-authenticated X Window System sessions. |
| kauth | 2120 | TCP | Kerberos Authorization — used for Kerberos authorization sub-protocol. |
| lyskom | 4894 | TCP | LysKOM — conference system and messaging protocol used by the LysKOM server. |
| sip | 5060 | TCP | Session Initiation Protocol (TCP) — sets up and manages VoIP and multimedia sessions. |
| sip | 5060 | UDP | Session Initiation Protocol (UDP) — sets up and manages VoIP and multimedia sessions. |
| x11 | 6000–6063 | TCP/UDP | X Window System — graphical display protocol for remote desktop rendering on Unix/Linux. |
| irc | 6667 | TCP | Internet Relay Chat (standard) — default port for IRC server communication. |
| raw/JetDirect | 9100 | TCP | Raw printing/JetDirect — used for direct printing to network printers. |
TCP Scanning¶
| Scan Type | Description | Advantages | Disadvantages | Open port Response | Closed port Response |
|---|---|---|---|---|---|
| TCP Connect Scan | Completes the full TCP three-way handshake to determine if a port is open. | Works on all systems, no special privileges required. | Easily detected by firewalls and intrusion detection systems (IDS). | TCP SYN-ACK | TCP RST |
| SYN (Stealth) Scan or Half-Open Scan | Sends a SYN packet and waits for a response without completing the handshake. Sends an RST after receiving a SYN-ACK to avoid completing the connection. | Faster and less detectable than a full connect scan. | May be blocked by firewalls that filter SYN packets. | TCP SYN-ACK | TCP RST |
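From the defender's side, the two scans in the table leave different traces: a half-open scan produces SYN, SYN-ACK, RST with no bare ACK from the scanner, while a connect scan completes the handshake on port after port. The following is an added example, not code from the notes or from any tool they mention: a detector that groups per-flow flags sent by each source and classifies it by how many ports show each pattern. The packet summaries and IP addresses are constructed; the `threshold` parameter and the verdict names are this example's own choices.

```python
"""Detect half-open (SYN) and connect scans from per-packet flag summaries.

Added example, not part of the original notes. Input records are
constructed: (src_ip, dst_ip, dst_port, tcp_flags_sent_by_src), where the
flag string uses single-letter names matching the flags table (S=SYN,
A=ACK, R=RST, F=FIN, P=PSH). Only packets sent *by* the source are needed.
"""
from collections import defaultdict

SAMPLE_PACKETS = [
    # 10.0.0.99: SYN then RST on five ports, never a bare ACK -> half-open probes
    *[("10.0.0.99", "10.0.0.5", port, fl) for port in range(21, 26) for fl in ("S", "R")],
    # 10.0.0.7: one normal session, full handshake, data, graceful close
    ("10.0.0.7", "10.0.0.5", 443, "S"),
    ("10.0.0.7", "10.0.0.5", 443, "A"),
    ("10.0.0.7", "10.0.0.5", 443, "PA"),
    ("10.0.0.7", "10.0.0.5", 443, "FA"),
    # 10.0.0.42: completes the handshake on six ports and tears each down at once
    *[("10.0.0.42", "10.0.0.5", port, fl)
      for port in (22, 80, 443, 8080, 3306, 5432) for fl in ("S", "A", "RA")],
]


def classify_sources(packets, threshold=5):
    """Return {src: (verdict, half_open_ports, completed_ports)}.

    half_open: SYN was sent but the bare ACK that completes the handshake
    never was (the -sS pattern: SYN, SYN-ACK, RST).
    completed: SYN followed by a bare ACK (the -sT pattern when fanned out
    over many ports; a single one is ordinary traffic).
    """
    flags_by_flow = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in packets:
        flags_by_flow[src][(dst, dport)].add(flags)

    verdicts = {}
    for src, flows in flags_by_flow.items():
        half_open = sum(1 for fl in flows.values() if "S" in fl and "A" not in fl)
        completed = sum(1 for fl in flows.values() if "S" in fl and "A" in fl)
        if half_open >= threshold:
            verdict = "syn-scan"
        elif completed >= threshold:
            verdict = "connect-scan"
        else:
            verdict = "normal"
        verdicts[src] = (verdict, half_open, completed)
    return verdicts


if __name__ == "__main__":
    for src, (verdict, ho, comp) in classify_sources(SAMPLE_PACKETS).items():
        print(f"{src:12} {verdict:13} half-open={ho} completed={comp}")
```

The threshold is the tuning knob: set it above the number of distinct ports a legitimate client touches on one host in the observation window, and add a time window in production so that a day's worth of normal connections does not accumulate into a false "connect-scan".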
TCP Inverse Scanning¶
| Scan Type | Description | Advantages | Disadvantages | Open port Response | Closed port Response |
|---|---|---|---|---|---|
| Inverse TCP Flag Scans (FIN, URG, PSH) | Sends packets with specific TCP flags (e.g., FIN, URG, PSH) to elicit responses based on RFC 793 behavior. | Can bypass some firewalls and IDS that only monitor SYN packets. | Less reliable, as some systems may not respond according to RFC 793. Requires super-user privileges. | No response (open/filtered) | TCP RST |
| NULL Scan | Sends a packet with no flags set to elicit responses based on RFC 793 behavior. | Can bypass some firewalls and IDS that only monitor SYN packets. | Less reliable, as some systems may not respond according to RFC 793. Requires super-user privileges. | No response (open/filtered) | TCP RST |
| Xmas Scan | Type of inverse TCP scan. Sends a packet with FIN, PSH, and URG flags set to elicit responses based on RFC 793 behavior. | Can bypass some firewalls and IDS that only monitor SYN packets. | Less reliable, as some systems may not respond according to RFC 793. Requires super-user privileges. | No response (open/filtered) | TCP RST |
| Maimon Scan | Type of inverse TCP scan. Sends a packet with FIN and ACK flags set to elicit responses based on RFC 793 behavior. | Can bypass some firewalls and IDS that only monitor SYN packets. | Less reliable, as some systems may not respond according to RFC 793. Requires super-user privileges. | No response (open/filtered) | TCP RST |
TCP ACK Flag Probe Scan¶
It analyzes header information (TTL, window size) in the replies to determine whether ports are open or closed.
| Scan Type | Description | Advantages | Disadvantages | Open port Response | Closed port Response |
|---|---|---|---|---|---|
| TTL-Based ACK Flag Probe Scan | Sends TCP ACK packets to elicit responses based on TTL values. Open ports may respond with a TTL value lower than 64, while closed ports may respond with a TTL value greater than 64. | Can provide additional information about the target system's operating system based on TTL values. | Less reliable, as some systems may not respond according to expected TTL values. Requires super-user privileges. | TCP ACK with TTL <= 64 (open) | TCP ACK with TTL > 64 (closed) |
| Window-Based ACK Flag Probe Scan | Sends TCP ACK packets to elicit responses based on TCP window size. Open ports may respond with a non-zero window size, while closed ports may respond with a zero window size. | Can provide additional information about the target system's operating system based on window size. | Less reliable, as some systems may not respond according to expected window sizes. Requires super-user privileges. | TCP ACK with non-zero window size (open) | TCP ACK with zero window size (closed). No response / ICMP unreachable error = filtered port |
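The flags table, the inverse-scan table and the ACK-probe table above are all rules over the same few header fields. The following is an added example, not code from the notes: it decodes the TCP flag byte into the names from the flags table, maps a probe's flag combination to the scan name (NULL, FIN, Xmas, Maimon, SYN, ACK), and applies the reply rules from the scan tables to say what a given response means. The 20-byte headers are constructed with `struct` and nothing is sent; the TTL and window thresholds reproduce the ACK-probe table and are heuristics that many modern stacks do not honour, which is the "less reliable" caveat in that table.

```python
"""Decode TCP flags, name the probe, and infer the port state.

Added example, not from the original notes. It reads the flag bits of the
TCP flags table, maps flag combinations to the scan names of the inverse
and ACK-probe tables, and applies those tables' reply rules. The 20-byte
headers are constructed with struct; nothing is sent. The TTL and window
rules reproduce the ACK-probe table and are heuristics.
"""
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_HEADER = "!HHIIBBHHH"  # sport, dport, seq, ack, data offset, flags, window, csum, urgptr
PROBE_NAMES = {
    frozenset(): "NULL",
    frozenset({"FIN"}): "FIN",
    frozenset({"FIN", "PSH", "URG"}): "Xmas",
    frozenset({"FIN", "ACK"}): "Maimon",
    frozenset({"SYN"}): "SYN",
    frozenset({"ACK"}): "ACK",
}


def decode_flags(flag_byte):
    """0x12 -> {'SYN', 'ACK'}."""
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}


def encode_flags(names):
    return sum(FLAG_BITS[n] for n in names)


def build_tcp_header(sport, dport, flags, window):
    """Constructed fixed-size header: data offset 5, zero seq/ack/checksum."""
    return struct.pack(TCP_HEADER, sport, dport, 0, 0, 5 << 4,
                       encode_flags(flags), window, 0, 0)


def parse_tcp_header(raw, ttl=None):
    """Return the fields the scan tables look at; TTL comes from the IP header, passed in."""
    sport, dport, _seq, _ack, _off, flags, window, _csum, _urg = struct.unpack(TCP_HEADER, raw[:20])
    return {"sport": sport, "dport": dport, "flags": decode_flags(flags),
            "window": window, "ttl": ttl}


def classify_probe(flags):
    """Name of the scan a probe's flag combination belongs to ('other' if none)."""
    return PROBE_NAMES.get(frozenset(flags), "other")


def infer_port_state(probe, reply):
    """reply is None (no answer) or a dict from parse_tcp_header()."""
    if probe == "SYN":                                  # connect / half-open scan rows
        if reply is None:
            return "filtered"
        return "open" if {"SYN", "ACK"} <= reply["flags"] else "closed"
    if probe in ("NULL", "FIN", "Xmas", "Maimon"):     # inverse flag scan rows
        if reply is None:
            return "open|filtered"
        return "closed" if "RST" in reply["flags"] else "open|filtered"
    if probe == "ACK":                                  # window / TTL ACK-probe rows
        if reply is None:
            return "filtered"
        if reply["window"] != 0:
            return "open"
        if reply["ttl"] is not None and reply["ttl"] <= 64:
            return "open"
        return "closed"
    return "unknown"
```

Note that `classify_probe` is also a detection primitive: a SYN-ACK (0x12) or a bare ACK is ordinary traffic, but NULL, FIN-only, FIN/PSH/URG or FIN/ACK arriving as the first packet of a flow corresponds to no legitimate TCP state and is worth alerting on.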
Other Scanning Techniques¶
| Scan Type | Description | Advantages | Disadvantages | Open port Response | Closed port Response |
|---|---|---|---|---|---|
| BSD Networking Code | Some BSD-based systems (e.g., FreeBSD, OpenBSD) do not respond to FIN, NULL, or Xmas scans according to RFC 793, making these scans less effective against such systems. | Can bypass some firewalls and IDS that only monitor SYN packets. | Less reliable against BSD-based systems that do not respond according to RFC 793. Requires super-user privileges. | No response (open/filtered) | No response (closed) |
IDLE/IPID Scan¶
This scan uses a "zombie" system to perform the scan and analyzes the IPID field in the IP header to determine whether ports are open or closed. These are the steps:
1. Choose a zombie and probe its IPID to get a baseline value using a SYN/ACK; it replies with an RST carrying IPID X.
2. Send a SYN, with the source IP address spoofed to the zombie's IP, to the port being scanned on the target system.
    1. If the port is open, the target replies with a SYN/ACK to the zombie, which replies with an RST and increments its IPID to X+1.
    2. If the port is closed, the target replies with an RST to the zombie, which sends nothing, so its IPID remains at X.
3. Probe the zombie's IPID again to determine whether it has incremented, which indicates whether the target port is open or closed:
    - If the IPID is X+2, the port is open (one increment for the RST the zombie sent in reply to the target's SYN/ACK, one for the RST answering this probe).
    - If the IPID is X+1, the port is closed (only the RST answering this probe incremented it).
    - If the IPID remains at X, the port may be filtered, or the zombie is not responding to probes.
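The whole inference in step 3 is arithmetic on two IPID readings, and the one thing the text glosses over is that the IPID is a 16-bit counter that wraps. The following is an added example, not code from the notes: the step-3 decision with wrap-around handled, plus the check that a host's IPID is globally incremental, which is exactly the property a defender should look for on their own hosts, since randomised or per-destination IPIDs (the usual mitigation) make a host unusable as a zombie. All values are constructed; nothing is sent.

```python
"""Idle-scan IPID arithmetic from the steps above, with 16-bit wrap-around.

Added example, not from the original notes. Values are constructed; nothing
is sent. ipid_is_incremental() is the property check a defender can run on
captured traffic from their own hosts.
"""


def ipid_delta(before, after):
    """Increments between two IPID readings, accounting for the 16-bit wrap."""
    return (after - before) & 0xFFFF


def ipid_is_incremental(samples):
    """True when every consecutive reading is exactly +1 (the zombie property).

    Randomised or per-destination IPIDs fail this test, which is the
    mitigation: a host that fails it cannot be used as a zombie.
    """
    return len(samples) >= 2 and all(ipid_delta(a, b) == 1
                                     for a, b in zip(samples, samples[1:]))


def infer_idle_scan(baseline, final_probe):
    """Step 3 of the procedure: compare the zombie's IPID before and after.

    +2: target sent SYN/ACK, zombie answered RST (+1), final probe reply (+1) -> open
    +1: target sent RST, zombie stayed quiet; only the final probe reply counted -> closed
    +0: no reply even to the final probe -> filtered / zombie not responding
    anything else: other traffic hit the zombie meanwhile; the result is unreliable
    """
    delta = ipid_delta(baseline, final_probe)
    return {2: "open", 1: "closed", 0: "filtered-or-unresponsive"}.get(delta, "unreliable")
```

The "unreliable" branch matters in practice: a zombie that talks to anyone else during the scan produces deltas larger than 2, which is why the technique needs a truly idle host and why a busy host is safe from being used this way even if its IPID is sequential.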
UDP Scanning¶
| Scan Type | Description | Advantages | Disadvantages | Open port Response | Closed port Response |
|---|---|---|---|---|---|
| UDP Scan | Sends UDP packets to specified ports to elicit responses. Open ports may respond with an application-specific response or no response, while closed ports typically respond with an ICMP "Port Unreachable" message. | Can bypass some firewalls that allow UDP traffic. | Slower and less reliable than TCP scans due to lack of responses from open ports. Requires super-user privileges for raw socket access. | Application-specific response or no response | ICMP "Port Unreachable" message |
| UDP RECVFROM() and WRITE() Scanning | Uses the recvfrom() and write() system calls to send UDP packets and analyze responses. Open ports may respond with application-specific responses, while closed ports typically result in no response or an ICMP "Port Unreachable" message. | Can provide more detailed information about open UDP services based on application-specific responses. Works better when targeting Windows. | Slower and less reliable than TCP scans due to lack of responses from open ports. Requires super-user privileges for raw socket access. | Application-specific response | No response or ICMP "Port Unreachable" message |
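Both the ICMP rows of the host discovery table and the UDP scan table come down to building and reading ICMP messages: an echo request needs a correct RFC 1071 checksum to be answered at all, and a closed UDP port is recognised only because the ICMP "port unreachable" reply quotes the original IP and UDP headers, from which the probed port is recovered. The following is an added example, not code from the notes or from Nmap: the checksum, an echo request/reply builder, a parser for the destination-unreachable message, and the UDP-table mapping from reply to port state. Every packet is constructed in memory; nothing is sent. The destination port 40125 in the sample matches the default the host discovery table cites; the IP addresses are made up.

```python
"""ICMP echo construction and ICMP error parsing.

Added example, not from the original notes. Shows an echo request with a
valid RFC 1071 checksum (ICMP Echo Ping Sweep row) and recovery of the
original UDP destination port from a port-unreachable reply, which is what
marks a UDP port closed. All packets are constructed in-line; nothing is sent.
"""
import socket
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                 9: "net-admin-prohibited", 10: "host-admin-prohibited",
                 13: "admin-prohibited"}


def rfc1071_checksum(data):
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident, seq, payload=b"", reply=False):
    """Echo request (type 8) or reply (type 0) with the checksum filled in."""
    icmp_type = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_port_unreachable(src_ip, dst_ip, sport, dport):
    """Constructed ICMP type 3 / code 3 quoting the offending IP + UDP headers."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                           socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    inner_udp = struct.pack("!HHHH", sport, dport, 8, 0)
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0) + inner_ip + inner_udp
    return body[:2] + struct.pack("!H", rfc1071_checksum(body)) + body[4:]


def parse_icmp(packet):
    """Describe an ICMP message; a wrong checksum raises ValueError."""
    if rfc1071_checksum(packet) != 0:      # a valid packet sums to zero
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    if icmp_type == ICMP_DEST_UNREACH:
        inner = packet[8:]                 # quoted IP header + first 8 bytes of L4
        ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        orig_dst = socket.inet_ntoa(inner[16:20])
        orig_sport, orig_dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        return {"type": "dest-unreachable", "code": UNREACH_CODES.get(code, str(code)),
                "orig_dst": orig_dst, "orig_proto": proto,
                "orig_sport": orig_sport, "orig_dport": orig_dport}
    if icmp_type == ICMP_ECHO_REPLY:
        ident, seq = struct.unpack("!HH", packet[4:8])
        return {"type": "echo-reply", "id": ident, "seq": seq}
    return {"type": str(icmp_type), "code": code}


def udp_port_state(icmp_reply):
    """UDP table: no answer -> open|filtered, port unreachable -> closed, other ICMP -> filtered."""
    if icmp_reply is None:
        return "open|filtered"
    if icmp_reply["type"] == "dest-unreachable" and icmp_reply["code"] == "port":
        return "closed"
    return "filtered"
```

The `orig_dport` field is what a detector should key on: a burst of port-unreachable messages leaving a host, each quoting a different destination port from the same remote source, is the UDP scan seen from the target's side, and rate-limiting those replies (which most stacks already do) is what makes the scan slow.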
SCTP INIT Scan¶
Stream Control Transmission Protocol (SCTP) is a transport layer protocol that provides features such as multi-homing and multi-streaming. The SCTP INIT scan sends SCTP INIT packets to elicit responses based on SCTP behavior. Open ports may respond with an SCTP INIT ACK, while closed ports may respond with an SCTP ABORT or no response.
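The three outcomes above are distinguished by the chunk type in the SCTP reply. The following is an added example, not code from the notes or from Nmap: it packs and parses the 12-byte SCTP common header and the chunk headers that follow it, and maps the reply to the port state the paragraph describes (INIT ACK open, ABORT closed, nothing filtered). Packets are constructed in memory; the CRC32c checksum field is carried but not verified, an assumption made to keep the example short.

```python
"""Classify an SCTP INIT scan response from the chunk type.

Added example, not from the original notes. The 12-byte common header and
the chunk headers are packed with struct from constructed values; the
CRC32c checksum field is carried but not verified here (assumption).
"""
import struct

SCTP_COMMON = "!HHII"   # source port, destination port, verification tag, checksum
SCTP_CHUNK = "!BBH"     # chunk type, chunk flags, chunk length (header included)
CHUNK_TYPES = {1: "INIT", 2: "INIT ACK", 6: "ABORT"}


def build_sctp(sport, dport, vtag, chunk_type, chunk_payload=b""):
    """Common header followed by one chunk; payload is padded to 4 bytes."""
    length = 4 + len(chunk_payload)
    pad = b"\x00" * (-len(chunk_payload) % 4)
    return (struct.pack(SCTP_COMMON, sport, dport, vtag, 0)
            + struct.pack(SCTP_CHUNK, chunk_type, 0, length) + chunk_payload + pad)


def parse_sctp(packet):
    """Return (sport, dport, vtag, [chunk type names...])."""
    sport, dport, vtag, _csum = struct.unpack(SCTP_COMMON, packet[:12])
    chunks, off = [], 12
    while off + 4 <= len(packet):
        ctype, _flags, clen = struct.unpack(SCTP_CHUNK, packet[off:off + 4])
        if clen < 4:
            raise ValueError("bad chunk length")
        chunks.append(CHUNK_TYPES.get(ctype, f"type-{ctype}"))
        off += (clen + 3) & ~3          # chunks are padded to 4-byte boundaries
    return sport, dport, vtag, chunks


def sctp_port_state(reply):
    """INIT ACK -> open, ABORT -> closed, no reply -> filtered (as in the text)."""
    if reply is None:
        return "filtered"
    _, _, _, chunks = parse_sctp(reply)
    if "INIT ACK" in chunks:
        return "open"
    if "ABORT" in chunks:
        return "closed"
    return "unknown"
```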