
Scanning Fundamentals


By: Devansh Bordia

February 25, 2019

 Scanning is the process of actively gathering information about a target in order to determine the services, processes, open ports, live hosts, operating system and software versions running on it. This phase involves sending specially crafted packets to the victim in order to gain insight into the system's environment and configuration. During this process it induces traffic on the network in order to reveal details about the target. The key findings in this process are listed below:
  1. Live Host(Ping Sweep)
  2. Open Ports
  3. OS architecture & Services
  4. Version
  5. Banners
  7. Routing & IP blocks
  7. DNS Enumeration & Firewalls
  8. Network Architecture & VPN Services
  9. Authentication Mechanism & Configuration
  10. Web Server & Subdomain
  • Types of Scan
    • Network Scan
    • Vulnerability Scan
    • Port Scan

  • Scanning Techniques
   1.) Ping: Ping stands for Packet Information Gopher. It is used to determine the presence of a live host on the remote network and helps to verify and troubleshoot connectivity issues. Ping is also called ICMP scanning because it uses ICMP (Internet Control Message Protocol) messages to determine which hosts are on the network. Ping uses an ICMP type 8 (echo request) message for network diagnostics and helps to determine the IP address of a system. To determine whether a system is live, it sends an ICMP echo request to the victim machine; if the server responds with an ICMP echo reply, the host is said to be live, i.e. it is responding to the attacker's request. Ping can be blocked by the server, since ICMP can be disabled or the packets may be dropped by firewalls. Generally we use ping sweeps to determine the live hosts present on a network; the fping utility can also be used to ping sweep a remote network.
   eg) Syntax: ping <ip address or hostname>

   2.) Port Scan: A port is a logical endpoint for two-way communication between two computers; it identifies a network process on the device and can be used to access remote services running on that computer. A port scan is the process of sending specially crafted packets to a remote host and analyzing the responses in order to determine which services are running. There are 65536 ports on a device, and for a port to be open there must be a service listening on it. The concept behind a port scan is that the attacker sends specially crafted packets with different flags set; the flags determine how the connection is handled and how the packet is to be interpreted by the server. There are different types of port scan that enable us to determine the services and OS running on the system:
  1. TCP Connect Scan
  2. Stealth Scan
  3. Xmas Scan
  4. Null Scan
  5. Idle Scan
  6. ACK Scan
  7. FIN Scan
  8. UDP Scan
  • Tools that can be used to determine port status on a remote host are Nmap, Angry IP Scanner, Metasploit and Nessus.
   eg) Nmap TCP Connect Scan: Syntax- nmap -v -sT <ip address or hostname>

   3.) Operating System Detection: Operating system detection is key because it helps to determine the type of exploits to use and the approach the pentester requires in order to compromise a device. OS detection can help us to determine the user list, groups, hidden shares and processes on the remote system. OS detection methods can be active or passive depending on the approach of the pentest. Active scanning involves sending specially crafted packets and comparing the responses against a fingerprint database to determine the OS type and architecture. Passive detection works by analyzing network traffic and comparing values such as the IP ID, IP TTL, TCP window size and HTTP headers. The commonly used tool for this scan is nmap.
   Syntax: nmap -v -O <ip address or hostname>

   4.) Banner Grabbing: Banner grabbing is a method used to determine the type of service, its version and the daemon running on the remote host. It works by connecting to the remote host and analyzing the service by capturing the banner the server sends. Common utilities are telnet, openssl s_client, netcat, ncat, httprint etc. Banner grabbing can be defeated: the server can disable the banner or change the information it sends about a particular service.
   Syntax (HTTP banner grabbing, port 80):
     telnet <ip address or hostname> 80
     GET / HTTP/1.1

   5.) Service Detection: A service is a daemon or system-related background program that runs on the system and waits for input in order to process requests. Service detection lets the attacker know which services are running on the system and helps the pentester to exploit it. The attacker can also analyze the version of each service and gather information about the different ports and system services that are running. Exploitation of a machine depends on the type of service running, so it is necessary for the hacker to gather this information before crafting a payload for the service and gaining access to the system.
   Syntax: nmap -sV <ip address or hostname>

   6.) DNS Enumeration: DNS (Domain Name System) is a hierarchical, decentralized naming system for computers, services or any resource connected to the Internet or a private network. It associates various information with domain names; in particular it translates domain names to IP addresses so that a particular resource can be identified or fetched by the requesting system. DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names and IP addresses of potential target systems. Tools that can be used for this purpose are nslookup (Name Server Lookup), dig etc.
   Syntax (interactive nslookup):
     nslookup
     > set type=<record type>
     > <ip address or hostname>
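On the defending side, the port scan types listed above can be recognized by the TCP flags each probe sets and by a single source touching many ports on one host in a short time. The following Python script is an added example, not code from the original article; the packet records, window size and port threshold are constructed for illustration.

```python
from collections import defaultdict

# Flag sets of the probe types named in the article. A lone SYN also opens
# every normal connection, so only the fan-out check separates a stealth scan.
SCAN_SIGNATURES = {
    frozenset(): "NULL scan",
    frozenset({"FIN"}): "FIN scan",
    frozenset({"FIN", "PSH", "URG"}): "XMAS scan",
    frozenset({"ACK"}): "ACK scan",
    frozenset({"SYN"}): "SYN (stealth) scan",
}

def classify_probe(flags):
    """Name the scan type matching a probe's TCP flag set, or None."""
    return SCAN_SIGNATURES.get(frozenset(flags))

def detect_scans(records, window_seconds=10, port_threshold=5):
    """Alert on (src, dst) pairs where one source probes more than
    port_threshold distinct ports within window_seconds.
    records: iterable of (timestamp, src_ip, dst_ip, dst_port, flags)."""
    flows = defaultdict(list)
    for ts, src, dst, port, flags in records:
        flows[(src, dst)].append((ts, port, frozenset(flags)))
    alerts = {}
    for key, probes in flows.items():
        probes.sort(key=lambda p: p[0])
        start = 0
        for end in range(len(probes)):
            # Advance the window start until the span fits window_seconds.
            while probes[end][0] - probes[start][0] > window_seconds:
                start += 1
            window = probes[start:end + 1]
            ports = {p for _, p, _ in window}
            if len(ports) > port_threshold:
                types = sorted({classify_probe(f) or "other" for _, _, f in window})
                alerts[key] = {"ports": len(ports), "types": types}
                break
    return alerts

# Constructed sample traffic: a SYN scan, an XMAS scan and one normal client.
SAMPLE_RECORDS = (
    [(1.0 + i * 0.5, "10.0.0.5", "10.0.0.10", p, {"SYN"})
     for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    + [(5.0 + i * 0.5, "10.0.0.9", "10.0.0.10", p, {"FIN", "PSH", "URG"})
       for i, p in enumerate([21, 22, 25, 80, 110, 143])]
    + [(4.0, "10.0.0.7", "10.0.0.10", 443, {"SYN"}),
       (4.1, "10.0.0.7", "10.0.0.10", 443, {"ACK"}),
       (4.2, "10.0.0.7", "10.0.0.10", 443, {"PSH", "ACK"})]
)
```

Calling detect_scans(SAMPLE_RECORDS) flags the two scanning sources and leaves the normal client, which completes a handshake on a single port, alone.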