# Module 03 - Scanning Networks

## Types of Scanning

| Term | Description |
| --- | --- |
| Port Scanning | Identifying open ports and the services running on a target system to find potential vulnerabilities. |
| Network Scanning | Discovering active devices and their IP addresses on a network to map the network structure. |
| Vulnerability Scanning | Assessing systems for known vulnerabilities by comparing them against a vulnerability database. |

## TCP/IP Protocol Suite

| Layer | Protocols |
| --- | --- |
| Application Layer | HTTP, FTP, SMTP, DNS |
| Transport Layer | TCP, UDP |
| Network Layer | IP, ICMP |
| Data Link Layer | Ethernet, Wi-Fi |
| Physical Layer | Cables, Hubs, Repeaters |

## TCP Communication Flags

| Flag | Description |
| --- | --- |
| SYN | Initiates a connection between two hosts. |
| ACK | Acknowledges the receipt of a packet. |
| FIN | Indicates the end of a connection. |
| RST | Resets a connection when an error occurs. |
| PSH | Pushes data to the receiving application immediately. |
| URG | Indicates that the data is urgent and should be processed immediately. |

## hping3 Command Options

| Option | Description |
| --- | --- |
| -p | Specify the destination port to scan. |
| -1 | ICMP mode: send ICMP packets. |
| -2 | UDP mode: send UDP packets to perform a UDP scan. |
| -A/--ack | Send ACK packets to perform an ACK scan. |
| -Q | Collect all TCP sequence numbers generated by the target host. |
| --tcp-timestamp | Set the TCP timestamp option, for firewalls that filter based on the presence of timestamps. |
| -8 | Use SYN scan. |
| -F | Set the FIN flag. |
| -P | Set the PSH flag. |
| -U | Set the URG flag. |
| --rand-dest | Select random destination ports for each packet across the whole subnet. |
| -9 | Listen mode: intercept all packets. |
| --flood | Send packets as fast as possible to flood the target. |

## nmap Command Options

| Option | Description | Root Required |
| --- | --- | --- |
| -p \<port> | Specify the destination port(s) to scan (e.g. -p 80, -p 1-1024, -p- for all). | |
| -sT | TCP Connect scan: completes the full 3-way handshake. Slower and more detectable than a SYN scan. | |
| -sS | SYN (stealth) scan: sends SYN and waits for the response without completing the handshake. | |
| -sU | UDP scan: probes UDP ports; slow and unreliable due to the lack of responses. | |
| -sA | ACK scan: determines whether ports are filtered or unfiltered (useful for mapping firewall rules). | |
| -sN | NULL scan: sends a packet with no flags set; open/filtered ports give no response. | |
| -sF | FIN scan: sends a FIN packet; open ports ignore it, closed ports reply with RST. | |
| -sX | Xmas scan: sends FIN, PSH, and URG flags; open/filtered ports give no response. | |
| -sM | Maimon scan: sends a FIN/ACK packet; used to bypass some firewalls. | |
| -sI \<zombie> | Idle (zombie) scan: uses a third-party idle host to perform a covert port scan. | |
| -sW | Window scan: similar to the ACK scan but examines the TCP window field to distinguish open from closed. | |
| -sn | Ping scan (no port scan): discovers live hosts without scanning ports. | |
| -Pn | Skip host discovery; treat all hosts as online. | |
| -PS \<port> | TCP SYN ping: send SYN to the specified port for host discovery. | |
| -PA \<port> | TCP ACK ping: send ACK to the specified port for host discovery. | |
| -PU \<port> | UDP ping for host discovery. | |
| -PE / -PP / -PM | ICMP echo / timestamp / netmask ping for host discovery. | |
| -PO \<protocol> | IP protocol ping: send packets with the specified IP protocol number for host discovery. | |
| -O | OS detection: fingerprints the target OS by analyzing network responses. | |
| -sV | Version detection: identifies services and versions running on open ports. | |
| --version-intensity \<0-9> | Set the aggressiveness of version detection (0 = light, 9 = all probes). | |
| -sC | Run default NSE scripts (equivalent to --script=default). | |
| --script \<name> | Run the specified NSE script(s) for advanced detection or exploitation. | |
| -A | Aggressive mode: enables OS detection, version detection, scripts, and traceroute. | |
| -D \<decoy1,decoy2,...> | Decoy scan: spoofs multiple source IPs to hide the real scanner among decoys. | |
| -S \<IP> | Spoof the source IP address (requires knowing a route back to the real machine). | |
| -e \<interface> | Use a specific network interface. | |
| --source-port \<port> | Spoof the source port (e.g. 53 or 80 to bypass some firewalls). | |
| --traceroute | Perform a traceroute to each discovered host after scanning. | |
| -f | Fragment packets to evade packet inspection and firewalls. | |
| --mtu \<size> | Set a custom MTU for packet fragmentation. | |
| --data-length \<n> | Append random data to packets to avoid signature-based detection. | |
| --randomize-hosts | Randomize the order in which target hosts are scanned. | |
| -T\<0-5> | Timing template: 0=paranoid, 1=sneaky, 2=polite, 3=normal, 4=aggressive, 5=insane. | |
| --min-rate / --max-rate | Control the minimum/maximum number of packets sent per second. | |
| -oN / -oX / -oG / -oA | Output to normal / XML / greppable / all formats. | |
| -v / -vv | Increase verbosity of output. | |
| -d / -dd | Increase the debug level of output. | |
| -n | Disable DNS resolution (faster scans). | |
| -R | Always perform DNS resolution. | |
| --open | Show only open ports in the output. | |
| --reason | Show the reason a port is in a given state. | |
| --top-ports \<n> | Scan the top n most common ports. | |
| -6 | Enable IPv6 scanning. | |
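The flag combinations in the TCP flags table and the nmap scan table above are exactly what a defender looks for in traffic logs. The following added example (not part of these notes or of nmap) classifies constructed tcpdump-style lines into the probe types named in the scan table and reports sources that either touch several ports or send a flag combination no normal client uses (NULL, FIN, Xmas, Maimon); the log lines, source addresses and `min_ports` threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (sample data, not a real capture):
# "<src>.<sport> > <dst>.<dport>: Flags [<flags>]"
SAMPLE_LOG = """\
10.0.0.5.40001 > 10.0.0.9.22: Flags [S]
10.0.0.5.40002 > 10.0.0.9.80: Flags [S]
10.0.0.7.51000 > 10.0.0.9.22: Flags [FPU]
10.0.0.7.51001 > 10.0.0.9.25: Flags [FPU]
10.0.0.8.52000 > 10.0.0.9.139: Flags []
10.0.0.8.52001 > 10.0.0.9.445: Flags [F]
10.0.0.8.52002 > 10.0.0.9.3389: Flags [FA]
10.0.0.11.60000 > 10.0.0.9.80: Flags [.]
"""

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)\.\d+ > [\d.]+\.(?P<dport>\d+): Flags \[(?P<flags>[A-Z.]*)\]")

# Probe flag sets as the scan table describes them. tcpdump letters:
# S=SYN, F=FIN, P=PSH, U=URG, R=RST; ACK is shown as "." (or "A").
PROBE_KIND = {
    frozenset("S"): "SYN",
    frozenset(): "NULL",
    frozenset("F"): "FIN",
    frozenset("FPU"): "Xmas",
    frozenset("FA"): "Maimon (FIN/ACK)",
    frozenset("A"): "ACK",
}
# No normal client opens a conversation with these; a single one is enough.
STATELESS = {"NULL", "FIN", "Xmas", "Maimon (FIN/ACK)"}

def classify_flags(flags):
    """Map a tcpdump flag string to a scan probe type from the table, or None."""
    return PROBE_KIND.get(frozenset(flags.replace(".", "A")))

def detect_scans(log_text, min_ports=2):
    """Flag sources that touch >= min_ports distinct ports, or send any
    stateless probe. Returns {src: {"kinds": [...], "ports": count}}."""
    seen = defaultdict(lambda: {"kinds": set(), "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        kind = classify_flags(m.group("flags")) if m else None
        if kind is None:
            continue  # unparsable line, or a flag mix the table does not name
        seen[m.group("src")]["kinds"].add(kind)
        seen[m.group("src")]["ports"].add(int(m.group("dport")))
    return {src: {"kinds": sorted(e["kinds"]), "ports": len(e["ports"])}
            for src, e in seen.items()
            if len(e["ports"]) >= min_ports or e["kinds"] & STATELESS}
```

A lone ACK to one port (10.0.0.11 in the sample) is normal established-connection traffic and is not reported; an ACK scan only stands out once the same source sends ACKs to many ports.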

## Host Discovery Techniques

| Technique | Description | Advantage | Active Responses | Inactive Responses |
| --- | --- | --- | --- | --- |
| TCP Three-Way Handshake | Sends SYN packets to specified ports and waits for responses. | Can bypass some firewalls that allow TCP traffic. | TCP SYN-ACK | RST |
| ARP Ping Scan | Uses ARP requests to discover hosts on a local network. | Efficient and accurate; scans large networks quickly. | ARP Reply | No response |
| UDP Ping Scan | Sends UDP packets to specified ports to elicit responses. By default Nmap uses port 40125. | Can bypass some TCP-strict firewalls that allow UDP traffic. | UDP Response | Host unreachable / TTL exceeded |
| ICMP Echo Ping Sweep | Sends ICMP echo requests to discover hosts. | Simple and widely supported. | ICMP Echo Reply | No response |
| ICMP Timestamp Ping | Sends ICMP timestamp requests to discover hosts and gather timing information. | Can provide additional information about the target system. | ICMP Timestamp Reply | No response |
| ICMP Address Mask Ping | Sends ICMP address mask requests to discover hosts and gather subnet information. | Can provide information about the network configuration. | ICMP Address Mask Reply | No response |
| TCP SYN Ping | Sends TCP SYN packets to specified hosts to discover hosts. | Can bypass some firewalls that allow TCP traffic. Uses default port 80. | TCP SYN-ACK | RST |
| TCP ACK Ping | Sends TCP ACK packets to specified hosts to discover hosts. | Can bypass some firewalls that allow TCP traffic. Uses default port 80. | TCP RST | No response |
| IP Protocol Ping | Sends packets with specific IP protocol numbers to discover hosts that respond to those protocols. | Can discover hosts that respond to specific protocols (e.g., ICMP, IGMP, IP-in-IP). Change DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h. | Response from the target protocol | No response |

## Ping Sweep Tools

| Tool | Description |
| --- | --- |
| Angry IP Scanner | A fast and user-friendly tool for scanning IP addresses and ports. |
| fping | A command-line tool for performing fast ping sweeps and host discovery. |
| SolarWinds Engineering Toolset | A comprehensive suite of network management tools that includes a ping sweep feature. |
| NetScanTools Pro | A collection of network diagnostic tools, including a ping sweep utility. |
| Advanced IP Scanner | A free and easy-to-use tool for scanning local networks and discovering devices. |
| OpUtils | A collection of network utilities for Windows, including a ping sweep tool. |

## Port and Service Discovery

### List of Commonly Used Ports

| Service | Port | TCP/UDP | Description |
| --- | --- | --- | --- |
| echo | 7 | TCP/UDP | Echo service |
| discard | 9 | TCP/UDP | Discard service |
| systat | 11 | TCP/UDP | System status service |
| daytime | 13 | TCP/UDP | Daytime service |
| netstat | 15 | TCP/UDP | Network status service |
| qotd | 19 | TCP/UDP | Quote of the Day service |
| chargen | 19 | TCP/UDP | Character generator service (obsolete) |
| ftp-data | 20 | TCP | FTP data transfer |
| ftp | 21 | TCP | FTP control |
| ssh | 22 | TCP | Secure Shell |
| telnet | 23 | TCP | Telnet remote login |
| smtp | 25 | TCP | Simple Mail Transfer Protocol |
| time | 37 | TCP/UDP | Time service — synchronizes clocks between network hosts. |
| rlp | 39 | TCP/UDP | Resource Location Protocol — locates resources on a network. |
| domain | 53 | TCP/UDP | Domain Name System — translates domain names to IP addresses. |
| sql\*net | 66 | TCP/UDP | Oracle SQL\*Net — used for Oracle database client-server communication. |
| bootps | 67 | UDP | Bootstrap Protocol Server — provides IP configuration to clients (DHCP predecessor). |
| bootpc | 68 | UDP | Bootstrap Protocol Client — receives IP configuration from a BOOTP/DHCP server. |
| tftp | 69 | UDP | Trivial File Transfer Protocol — simple file transfer with no authentication. |
| gopher | 70 | TCP | Gopher — distributed document retrieval protocol, predecessor of HTTP. |
| finger | 79 | TCP | Finger — retrieves information about users on a remote system. |
| www-http | 80 | TCP/UDP | Hypertext Transfer Protocol — used for unencrypted web traffic. |
| www-https | 443 | TCP | HTTP Secure — encrypted web traffic using TLS/SSL. |
| kerberos | 88 | TCP/UDP | Kerberos — network authentication protocol using tickets. |
| pop2 | 109 | TCP | Post Office Protocol v2 — legacy protocol for retrieving email from a server. |
| pop3 | 110 | TCP | Post Office Protocol v3 — widely used protocol for retrieving email from a server. |
| sunrpc | 111 | TCP/UDP | Sun Remote Procedure Call — used by NFS and other RPC-based services. |
| auth/ident | 113 | TCP/UDP | Authentication/Ident Protocol — identifies the user owning a TCP connection. |
| audionews | 114 | TCP/UDP | Audio News Multicast — used for audio news broadcasting over a network. |
| nntp | 119 | TCP | Network News Transfer Protocol — used for reading and posting Usenet articles. |
| ntp | 123 | UDP | Network Time Protocol — synchronizes clocks of networked computers. |
| netbios-ns | 137 | TCP/UDP | NetBIOS Name Service — resolves NetBIOS names to IP addresses. |
| netbios-dgm | 138 | TCP/UDP | NetBIOS Datagram Service — connectionless NetBIOS communication. |
| netbios-ssn | 139 | TCP/UDP | NetBIOS Session Service — connection-oriented NetBIOS communication (SMB). |
| imap | 143 | TCP/UDP | Internet Message Access Protocol — retrieves and manages email on a server. |
| sql-net | 150 | TCP/UDP | SQL-NET — used for SQL database network communication. |
| sqlsrv | 156 | TCP/UDP | SQL Service — alternative port for SQL database services. |
| snmp | 161 | TCP/UDP | Simple Network Management Protocol — monitors and manages network devices. |
| snmp-trap | 162 | TCP/UDP | SNMP Trap — receives unsolicited alerts from managed network devices. |
| cmip-man | 163 | TCP/UDP | CMIP Manager — used by the Common Management Information Protocol manager. |
| cmip-agent | 164 | TCP/UDP | CMIP Agent — used by the Common Management Information Protocol agent. |
| irc | 194 | TCP/UDP | Internet Relay Chat — real-time text messaging and chat protocol. |
| at-rtmp | 201 | TCP/UDP | AppleTalk Routing Table Maintenance Protocol — manages AppleTalk routing tables. |
| at-nbp | 202 | TCP/UDP | AppleTalk Name Binding Protocol — maps AppleTalk resource names to addresses. |
| at-3 | 203 | TCP/UDP | AppleTalk Zone Information Protocol — manages AppleTalk zones. |
| at-echo | 204 | TCP/UDP | AppleTalk Echo Protocol — verifies connectivity between AppleTalk nodes. |
| at-5 | 205 | TCP/UDP | AppleTalk — reserved AppleTalk protocol port. |
| at-zis | 206 | TCP/UDP | AppleTalk Zone Information Socket — distributes zone information in AppleTalk networks. |
| at-7 | 207 | TCP/UDP | AppleTalk — reserved AppleTalk protocol port. |
| at-8 | 208 | TCP/UDP | AppleTalk — reserved AppleTalk protocol port. |
| ipx | 213 | TCP/UDP | Internetwork Packet Exchange — Novell's network layer protocol. |
| imap3 | 220 | TCP/UDP | IMAP version 3 — deprecated version of the Internet Message Access Protocol. |
| aurp | 387 | TCP/UDP | AppleTalk Update Routing Protocol — used for routing between AppleTalk networks. |
| netware-ip | 396 | TCP/UDP | Novell NetWare over IP — encapsulates IPX/SPX packets within IP datagrams. |
| rmt | 411 | TCP/UDP | Remote Tape — used for remote magnetic tape drive access. |
| kerberos-ds | 445 | TCP/UDP | Kerberos-DS — alternative Kerberos authentication over the SMB/DS port. |
| isakmp | 500 | UDP | Internet Security Association and Key Management Protocol — used in IPsec VPNs for key exchange (IKE). |
| fcp | 510 | TCP | FirstClass Protocol — used by FirstClass collaborative software. |
| exec | 512 | TCP | Remote Process Execution (rexec) — executes commands on a remote host. |
| comsat/biff | 512 | UDP | Comsat/Biff — notifies users of new mail arrival. |
| login | 513 | TCP | Remote Login (rlogin) — provides remote login capability (insecure, replaced by SSH). |
| who | 513 | UDP | Who daemon — provides information about currently logged-in users. |
| shell | 514 | TCP | Remote Shell (rsh) — executes commands on a remote host without a password (insecure). |
| syslog | 514 | UDP | System Logging Protocol — forwards log messages to a centralized log server. |
| printer | 515 | TCP/UDP | Line Printer Daemon — manages print jobs on a network printer. |
| talk | 517 | TCP/UDP | Talk Protocol — allows two users to communicate interactively. |
| ntalk | 518 | UDP | Network Talk — improved version of Talk supporting multiple interfaces. |
| netnews | 532 | TCP/UDP | Readnews — used for accessing Usenet newsgroups. |
| uucp | 540 | TCP/UDP | Unix-to-Unix Copy Protocol — transfers files and executes commands between Unix systems. |
| klogin | 543 | TCP/UDP | Kerberos Login — Kerberos-authenticated remote login (rlogin replacement). |
| kshell | 544 | TCP/UDP | Kerberos Shell — Kerberos-authenticated remote shell (rsh replacement). |
| ekshell | 545 | TCP | Kerberos Encrypted Shell — encrypted Kerberos remote shell. |
| pcserver | 600 | TCP | PC Server — used by ECD (Energy Calculation daemon) and other services. |
| mount | 635 | UDP | NFS Mount Protocol — used to mount remote NFS file systems. |
| pcnfs | 640 | UDP | PC Network File System — lightweight NFS authentication for PC clients. |
| bwnfs | 650 | UDP | BW-NFS — used for NFS-based communication by some BSD systems. |
| flexlm | 744 | TCP/UDP | FlexLM License Manager — manages floating software licenses. |
| kerberos-adm | 749 | TCP/UDP | Kerberos Administration — used for Kerberos KDC administration tasks. |
| kerberos | 750 | TCP/UDP | Kerberos v4 — legacy Kerberos version 4 authentication port. |
| kerberos_master | 751 | TCP/UDP | Kerberos Master — used for Kerberos master database propagation. |
| krb_prop | 754 | TCP | Kerberos Slave Propagation — propagates the Kerberos database to slave KDCs. |
| applix | 999 | UDP | Applix — used by Applix data access services. |
| socks | 1080 | TCP/UDP | SOCKS Proxy — proxy protocol for routing TCP/UDP traffic through a firewall. |
| kpop | 1109 | TCP | Kerberos POP — Kerberos-authenticated Post Office Protocol. |
| ms-sql-s | 1433 | TCP/UDP | Microsoft SQL Server — main port for Microsoft SQL Server database connections. |
| ms-sql-m | 1434 | TCP/UDP | Microsoft SQL Server Monitor — used for the SQL Server Browser service and instance discovery. |
| pptp | 1723 | TCP/UDP | Point-to-Point Tunneling Protocol — VPN tunneling protocol used by Microsoft. |
| nfs | 2049 | TCP/UDP | Network File System — enables file sharing between Unix/Linux hosts over a network. |
| eklogin | 2105 | TCP | Kerberos Encrypted Login — encrypted version of Kerberos rlogin. |
| rkinit | 2108 | TCP | Kerberos Remote Kinit — used for remote Kerberos ticket initialization. |
| kx | 2111 | TCP | Kerberos X — used for Kerberos-authenticated X Window System sessions. |
| kauth | 2120 | TCP | Kerberos Authorization — used for the Kerberos authorization sub-protocol. |
| lyskom | 4894 | TCP | LysKOM — conference system and messaging protocol used by the LysKOM server. |
| sip | 5060 | TCP | Session Initiation Protocol (TCP) — sets up and manages VoIP and multimedia sessions. |
| sip | 5060 | UDP | Session Initiation Protocol (UDP) — sets up and manages VoIP and multimedia sessions. |
| x11 | 6000–6063 | TCP/UDP | X Window System — graphical display protocol for remote desktop rendering on Unix/Linux. |
| irc | 6667 | TCP | Internet Relay Chat (standard) — default port for IRC server communication. |
| raw/JetDirect | 9100 | TCP | Raw printing/JetDirect — used for direct printing to network printers. |

TO DO: page 340