Scanning

The document outlines the scanning phase in penetration testing, emphasizing its importance in identifying live hosts, open ports, and vulnerabilities. It details various scanning techniques, tools, and best practices, including network sweeping, port scanning, and vulnerability scanning using tools like Nmap and Masscan. Additionally, it covers TCP and UDP scanning behaviors, evasion techniques, and the use of sniffing tools like Wireshark and tcpdump for analyzing network traffic.

Uploaded by Mohamed Mossad
Copyright © All Rights Reserved

Scanning

Eng. Hazem & Ziad
Goal of the Scanning Phase
Why is Scanning Important in Pentesting?
Identifies live hosts, open ports, and running services.
Determines attack vectors for further exploitation.
Maps the network topology to understand infrastructure.
Helps in firewall and IDS evasion by using stealth scanning.
Detects OS versions and software versions to find vulnerabilities.
Reduces false positives by verifying findings from reconnaissance.
Helps assess security posture by simulating real-world attacks.
Overview of Scanning Techniques

Types of Scanning in Penetration Testing:


Network Sweeping – Identifying active hosts in a network.
Traceroute & Path Discovery – Mapping the path to the target.
Port Scanning – Finding open ports and services.
OS Fingerprinting – Identifying the operating system.
Version Scanning – Determining service and software versions.
Vulnerability Scanning – Detecting security flaws in services.

Key Tools Used: nmap, hping3, traceroute, masscan, Nessus


Scanning Types
Network Sweeping
Definition:
Identifies active hosts within a target network.
Uses ARP requests on the local subnet, and ICMP echo/timestamp or TCP SYN/ACK probes for remote targets. As root, nmap -sn sends ARP when the target is on-link and otherwise ICMP echo, TCP SYN to 443, TCP ACK to 80 and an ICMP timestamp request; unprivileged it falls back to TCP connect() to ports 80 and 443.
Common Tools:
nmap -sn <target> (Ping Scan: host discovery only, no port scan)
ping, hping3
Traceroute & Path Discovery
Purpose:
Maps the path packets take to the target.
Identifies firewalls, routers, and potential choke points.
Common Tools:
traceroute (Linux) / tracert (Windows)
Port Scanning
Why It Matters?
Detects open ports and services.
Determines entry points for exploitation.
Types of Port Scanning:
TCP SYN Scan (nmap -sS) – Half-open scan: never completes the handshake, so the service itself never sees a connection; the default as root, needs raw-socket privileges
TCP Connect Scan (nmap -sT) – Full connection through the OS connect() call; the default without root, and the service sees (and may log) a real connection
UDP Scan (nmap -sU) – Finds UDP-based services (DNS, SNMP, NTP); slow because open ports often stay silent
Tools:
nmap, masscan
OS Fingerprinting
Goal: Identify the target’s operating system.
Tool: (nmap -O)
Version Scanning
Why It’s Important?
Identifies software versions running on open ports.
Helps in finding specific exploits for known versions.
Common Tools:
nmap -sV (Service Version Detection).
whatweb.
Vulnerability Scanning
Objective:
Detect security flaws in running services.
Automated Tools:
Nessus, Nmap NSE Scripts, Nikto.
Example Command:
nmap --script vuln <target>
Scanning Tip #1 - Always Scan IP Addresses, Not Domains

Why?
DNS Records Change: A domain can resolve to a different IP on every lookup (CDN, round-robin DNS, load balancing), so two scans of the same name may hit two different machines. Nmap resolves a name once and scans only that one address.
Subdomains May Differ: A domain can have multiple subdomains with different security settings; each resolves to its own address and must be scanned on its own.
Avoiding DNS Logging: Some security solutions log DNS queries, so repeatedly resolving the name from the scanning host ties every scan to you; resolve it once, then scan by IP.

Best Practice:
Use nslookup or dig to resolve the IP before scanning:
nslookup [Link]
dig [Link] +short
Scan the IP instead of the domain name to avoid inconsistencies, and record which IP you scanned in the report.
Caveat: if the name sits behind a CDN or reverse proxy, the IP you get belongs to the edge, not to the origin server, and web-layer testing still needs the hostname (virtual hosts, TLS SNI). Confirm the resolved IP is inside the authorized scope before scanning it.
Scanning Tip #2 - Handling Large-Scale Scans Efficiently

Challenges with Large Scans:


Scanning thousands/millions of IPs can be time-consuming.
Risk of overloading the network or triggering security alerts.
Solutions:
Split the target list into smaller batches.
Use parallel scanning with controlled timeouts.
Optimize nmap with these flags:
nmap -T4 --min-rate 1000 --max-retries 2 -iL [Link] -oN [Link]
Scanning Tip #3 - Speeding Up Scans with Masscan

Why Use Masscan?


Extremely fast (millions of packets per second).
Uses its own network stack, making it much quicker than nmap.
Ideal for Internet-wide or large-scale scans.
Basic Masscan Command:
masscan -p 80,443,22 --rate 100000 -iL [Link] -oG masscan_results.txt
Best Practices:
Lower the rate (--rate) to avoid getting blocked or causing network issues; 100,000 packets per second saturates many links and trips rate limiters, so start low and raise it only where the path can take it.
Combine masscan with nmap for deeper analysis: masscan only reports which ports answered, so feed its open host/port pairs to nmap -sV instead of re-scanning whole ranges.
Understanding the TCP 3-Way Handshake
What is a TCP 3-Way Handshake?
Before communication happens between a client and a server, they establish a connection using a
3-step process:
SYN (Synchronize) → The client sends a SYN packet to initiate a connection.
SYN-ACK (Synchronize-Acknowledge) → The server responds with a SYN-ACK to acknowledge.
ACK (Acknowledge) → The client sends an ACK, and the connection is established.
Example of a successful handshake:
Client → Server: SYN
Server → Client: SYN-ACK
Client → Server: ACK
(Connection Established)
Why is This Important for Scanning?
A SYN scan (-sS) stops after the SYN-ACK and answers with RST, so the connection is never handed to the listening application and does not appear in its logs; a network firewall or IDS still sees the half-open attempt, so "stealth" is relative.
A Connect scan (-sT) completes the handshake through the OS, so the service sees a real connection (and may log it) before Nmap closes it.
Four Possible TCP Behaviors During Scanning
When a scanner sends a SYN or another probe to a target, the target's response determines whether a port is open, closed, filtered, or unfiltered.

1- Open Port (SYN-ACK Response)
Target responds with SYN-ACK, meaning the port is listening.
Example: A running web server on port 80.
Nmap behavior: With a SYN scan (-sS) the scanning host answers with RST, so the handshake is never completed; with -sT the OS completes it and Nmap closes the connection.
2- Closed Port (RST Response)
Target responds with RST (Reset), meaning the port is reachable but no service is listening.
Example: Port 23 (Telnet) is not running.
Nmap behavior: Marks the port as closed and moves on.

3- Filtered Port (No Response or ICMP Error)
No reply (packet dropped) OR a firewall sends ICMP unreachable (type 3, code 0, 1, 2, 3, 9, 10 or 13).
Example: A firewall is blocking scans on port 22 (SSH).
Nmap behavior: Retransmits, then marks the port filtered, meaning it cannot tell whether the port is open.
4- Unfiltered Port (Reachable, but Open/Closed Unknown)
Only the ACK scan (-sA) reports this state: the target answers an unsolicited ACK with RST, which proves the port is not blocked by a stateless filter but says nothing about whether a service is listening, because open and closed ports both reply RST to a bare ACK.
Example: A rule set that filters SYN to most ports but lets ACK packets through.
Nmap behavior: Marks the port unfiltered; follow up with -sS or -sV on those ports to learn the real state.
UDP Scanning
How UDP Scanning Works
Unlike TCP, UDP is connectionless, meaning there is no handshake.
UDP packets are sent to a port, and the response determines its state.
Challenges of UDP Scanning:
Slower than TCP scans.
Many services don’t respond even if the port is open.
Firewalls and rate-limiting often block UDP probes.
Basic Nmap UDP Scan Command:
nmap -sU [Link]
Three Possible UDP Responses
1- Open Port (Confirmed Response)
If any UDP datagram comes back, the port is open.
Example: A DNS server on UDP port 53 replies to a query.
Nmap behavior: Marks the port "open". Many services only answer a correctly formed request, so Nmap sends protocol-specific payloads (DNS, SNMP, NTP, ...) to the well-known ports and empty datagrams elsewhere; -sV adds more probes.
2- Closed (ICMP Port Unreachable Response)
If the target replies with ICMP Port Unreachable (Type 3, Code 3), the port is closed.
Example: Port 161 (SNMP) is not running.
Nmap behavior: Confirms the port is closed. Linux rate-limits these ICMP errors (about one per second by default), which is the main reason a full -sU scan takes so long.
3- Open|Filtered (No Reply) or Filtered (Other ICMP Error)
If nothing at all comes back after retransmissions, Nmap reports open|filtered: either the service is silent or a firewall dropped the probe, and the probe cannot tell which.
If the reply is an ICMP unreachable other than Code 3 (Type 3, code 0, 1, 2, 9, 10 or 13), the port is reported filtered.
Example: A firewall that silently drops probes to UDP port 123 (NTP) gives open|filtered; one that answers "administratively prohibited" (Type 3, Code 13) gives filtered.
Nmap behavior: Retries, then reports open|filtered or filtered; add --reason to see which response produced the verdict and -sV to coax a reply out of silent services.
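The TCP and UDP decision logic from the two sections above, as an added example (not from the original slides, and not Nmap's code): a minimal connect-style TCP prober and a UDP prober in Python that map what the kernel reports for each response onto Nmap's state names. It runs only against listeners it creates itself on 127.0.0.1 (a constructed target: one TCP listener, one UDP responder, and one freshly released port of each kind), so no external host is touched and the port numbers are whatever the OS hands out. A real SYN scan needs raw sockets; this uses connect(), so it corresponds to -sT and -sU, not -sS.

```python
import socket
import threading

# Each probe returns one of Nmap's state names for the evidence that probe can give.

def tcp_connect_probe(host, port, timeout=1.0):
    """Full-handshake probe, the equivalent of nmap -sT for one port.

    open     : connect() succeeded, so the target answered our SYN with SYN-ACK.
    closed   : the kernel reported ECONNREFUSED, so the target answered with RST.
    filtered : no answer before the timeout (dropped), or an ICMP unreachable error.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:          # EHOSTUNREACH / ENETUNREACH etc.: ICMP errors, also "filtered"
        return "filtered"
    finally:
        s.close()


def udp_probe(host, port, payload=b"", timeout=1.0):
    """Connectionless probe, the equivalent of nmap -sU for one port.

    open          : any datagram came back.
    closed        : ICMP port unreachable (type 3, code 3). On a *connected* UDP socket
                    the kernel delivers that ICMP error as ECONNREFUSED on recv()/send().
    open|filtered : silence, which is either a silent service or a dropped probe.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # "connect" the UDP socket so ICMP errors are routed to it
        s.send(payload)
        s.recv(4096)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def _released_port(kind):
    """Bind to port 0, read the port the OS chose, release it: a port nothing listens on."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe constructed local targets: a TCP listener, a UDP responder, one closed port of each kind."""
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind(("127.0.0.1", 0))
    tcp_srv.listen(1)
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind(("127.0.0.1", 0))
    udp_srv.settimeout(5.0)

    def udp_responder():      # answers exactly one datagram, like a service that replies to probes
        try:
            data, peer = udp_srv.recvfrom(4096)
            udp_srv.sendto(b"pong:" + data, peer)
        except socket.timeout:
            pass

    t = threading.Thread(target=udp_responder, daemon=True)
    t.start()
    results = {
        "tcp_open": tcp_connect_probe("127.0.0.1", tcp_srv.getsockname()[1]),
        "tcp_closed": tcp_connect_probe("127.0.0.1", _released_port(socket.SOCK_STREAM)),
        "udp_open": udp_probe("127.0.0.1", udp_srv.getsockname()[1], b"ping"),
        "udp_closed": udp_probe("127.0.0.1", _released_port(socket.SOCK_DGRAM), b"ping"),
    }
    t.join()
    tcp_srv.close()
    udp_srv.close()
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:11s} -> {state}")
```

The UDP "closed" verdict depends on the ICMP port-unreachable error actually being delivered to the socket; on a host that rate-limits or suppresses those errors the same port shows up as open|filtered, which is exactly the ambiguity Nmap reports.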
Introduction to Port Scanning with Nmap
Why Use Nmap for Port Scanning?
Finds open, closed, and filtered ports.
Identifies running services and potential vulnerabilities.
Provides stealth and evasion techniques to bypass security measures.
Basic Nmap Syntax:
nmap [options] <target>
Example:
nmap -sS -p 80,443 [Link]
(Performs a half-open SYN scan (-sS) on ports 80 & 443 of target [Link]; -sS needs root or CAP_NET_RAW.)
Nmap Scan Types
Different Scanning Methods in Nmap:

1- TCP Connect Scan (-sT)
Completes the full 3-way handshake through the OS connect() call.
The service sees a real connection, so it is logged by the application and easily noticed by firewalls and IDS.
Used when SYN scan is not possible (e.g., no root privileges); it is Nmap's default for unprivileged users.
Exp: nmap -sT [Link]

2- SYN Scan (-sS) (Half-Open or "Stealth" Scan)
Sends SYN, reads the SYN-ACK or RST, and tears down with RST instead of completing the handshake.
Faster, and invisible to the application (though not to a network IDS); the default for root.
Exp: nmap -sS [Link]
3- UDP Scan (-sU)
Scans UDP ports (DNS, SNMP, DHCP, NTP, etc.).
Slower than TCP scans because silent ports need retransmissions and closed ports are rate-limited by ICMP.
Exp: nmap -sU [Link]
4- FIN, NULL, Xmas Scans (-sF, -sN, -sX)
Send unusual flag combinations (FIN only, no flags, FIN+PSH+URG) to slip past stateless packet filters that only match SYN.
Rely on RFC 793 behaviour: a closed port answers RST, an open port stays silent, so the result is open|filtered, never a confirmed open.
Work against most Unix-like stacks but not against Windows (and some other stacks), which reply RST from every port, so every port looks closed.
Exp: nmap -sF [Link]

5- Aggressive Scan (-A)
Combines OS detection (-O), version scanning (-sV), the default NSE scripts (-sC), and traceroute (--traceroute). Noisy: use it only when stealth is not a concern.
Exp: nmap -A [Link]
Key Nmap Options
Specifying Ports in Nmap
By Default, Nmap Scans 1000 Common Ports
Use -p to specify custom ports.
When to use?
If you're targeting specific services instead of scanning all ports.
If you need a thorough scan beyond the 1,000 default ports.
Scan a specific port => nmap -p 443 [Link]
Scan a range of ports => nmap -p 20-100 [Link]
Scan multiple ports => nmap -p 80,443 [Link]
Scan all 65,535 ports => nmap -p- [Link]
Understanding -Pn, -PS, and -PA (Host Discovery Options)
Before scanning ports, Nmap checks if the target is online.
The -P options control how Nmap discovers live hosts (-PN is the old spelling of -Pn and is still accepted).
1) -Pn (No Ping – Assume Host is Up)
Nmap skips host discovery and port-scans every target as if it were up.
Useful when firewalls block ICMP (ping) requests.
When to use? If Nmap reports "Host seems down" but you know the target is online. On large ranges it costs time, because dead addresses get port-scanned too.
Example: nmap -Pn [Link]
2) -PS (SYN Ping – TCP SYN Probe on Specific Ports)
Sends a TCP SYN packet to the listed ports; either a SYN-ACK or an RST proves the host is up.
When to use? If ICMP is blocked but TCP ports (like 80/443) are allowed.
Example: nmap -PS80,443 [Link]
3) -PA (ACK Ping – TCP ACK Probe)
Sends bare ACK packets (port 80 by default); a live host answers RST because no such connection exists.
When to use? Against stateless filters that block SYN but pass ACK. A stateful firewall drops unsolicited ACKs, so -PA then sees nothing; combine it with -PS.
Example: nmap -PA [Link]
The -n Option (Skip DNS Resolution)
By default, Nmap resolves IP addresses to hostnames, which slows down scans.
The -n option disables DNS resolution, making scans faster.
Example: Scanning a subnet without DNS resolution
nmap -n [Link]/24
Example: Faster full scan without DNS resolution.
nmap -n -p- [Link]
When to use?
When scanning large networks to speed up scans.
If DNS resolution is unnecessary or blocked.
Detecting Services and Versions
Why Scan for Service Versions?
Helps identify software vulnerabilities.
Can reveal outdated or unpatched services.
Nmap Command for Service and Version Detection:
nmap -sV [Link]
(Detects running services and versions.)
Combine with OS Detection:
nmap -sV -O [Link]
(Finds OS type and services running on the host.)
Firewall and IDS Evasion Techniques
Bypass Firewalls & IDS with These Tricks:
1) Slow Down the Scan (-T0 to -T5 Timing Templates)
nmap -sS -T2 [Link]
(Lower T values space probes further apart, so threshold-based IDS rules see fewer events per second; -T0 and -T1 take hours for a single host. The templates change timing only; --randomize-hosts changes the order.)
2) Use Decoys (-D)
nmap -sS -D RND:10 [Link]
(Mixes your probes with the same probes sent from 10 random spoofed IPs, so the target sees 11 scanners. Your real address is still among them; the decoys hide the source in logs, they do not remove it. Pick decoys that are up, or the target's replies SYN-flood real hosts.)
3) Scan from Spoofed Source (-S)
nmap -sS -S [Link] [Link]
(Stamps every packet with another source IP. Replies go to that address, not to you, so Nmap sees nothing unless you can sniff them on the spoofed host's path; on its own this tests firewall rules, it does not discover ports. You usually need -e to pick the interface and -Pn, since host discovery cannot work either.)
4) Fragment Packets (-f)
nmap -sS -f [Link]
(Splits the TCP header across 8-byte IP fragments so a filter that inspects only the first fragment cannot match on ports. Modern firewalls and IDS reassemble fragments before inspection, and some hosts drop them outright.)
Saving Scan Results

Exporting Nmap Results for Further Analysis


1) Save in Normal Format:
nmap -oN scan_results.txt [Link]
2) Save in Grepable Format (For Filtering Later):
nmap -oG scan_results.grep [Link]
3) Save in XML Format (For Automated Parsing):
nmap -oX scan_results.xml [Link]
Use These for Further Analysis with Tools Like grep, awk, and xmlstarlet. -oA <basename> writes all three formats at once, and the XML is what other tools (Metasploit db_import, Nessus import) read.
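A parser for the grepable and XML formats described above, as an added example (not part of the original slides, and not Nmap's or masscan's own code). It also covers the masscan-to-nmap handoff recommended in Scanning Tip #3: masscan's -oG lines use the same Host:/Ports: layout, so one parser reads both, and the open ports it finds become per-host nmap -sV command lines. The scan output embedded below is constructed to match the shape of -oG and -oX output; it is not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the shape of nmap -oG, masscan -oG and nmap -oX output (not real scans).
NMAP_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.5\n"
    "Host: 10.0.0.5 (web01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "# Nmap done\n"
)
MASSCAN_GREPABLE = (
    "# Masscan 1.3.2 scan initiated\n"
    "Host: 10.0.0.7 ()\tPorts: 445/open/tcp////\n"
    "Host: 10.0.0.7 ()\tPorts: 3389/open/tcp////\n"
)
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_grepable(text, into=None):
    """Parse nmap -oG or masscan -oG text into {host: [(port, proto, state, service)]}.

    Each 'Ports:' entry is port/state/proto/owner/service/rpc/version/; masscan leaves every
    field after proto empty and prints one Host: line per port, so entries are merged per host.
    """
    results = {} if into is None else into
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # "# ..." comment lines and blanks
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]               # drop the "(hostname)" part
        entries = results.setdefault(host, [])
        for item in fields.get("Ports", "").split(", "):
            if item:
                p = item.split("/")
                entries.append((int(p[0]), p[2], p[1], p[4]))
    return results


def parse_xml(text):
    """Parse nmap -oX output into the same {host: [(port, proto, state, service)]} shape."""
    results = {}
    for host in ET.fromstring(text).iter("host"):
        entries = results.setdefault(host.find("address").get("addr"), [])
        for port in host.iter("port"):
            svc = port.find("service")
            entries.append((int(port.get("portid")), port.get("protocol"),
                            port.find("state").get("state"),
                            svc.get("name", "") if svc is not None else ""))
    return results


def open_ports(results):
    """{host: sorted open ports}, dropping hosts where nothing is open."""
    out = {}
    for host, entries in results.items():
        ports = sorted(port for port, _proto, state, _svc in entries if state == "open")
        if ports:
            out[host] = ports
    return out


def nmap_followup(results):
    """The masscan -> nmap handoff: one nmap -sV argv per host, limited to its open ports.
    -Pn is safe here because masscan already saw these hosts answer."""
    return [["nmap", "-sV", "-Pn", "-p", ",".join(map(str, ports)), host]
            for host, ports in sorted(open_ports(results).items())]


def demo():
    merged = parse_grepable(NMAP_GREPABLE)
    parse_grepable(MASSCAN_GREPABLE, into=merged)      # fold masscan's findings into the same table
    return {"open": open_ports(merged), "followup": nmap_followup(merged), "xml": parse_xml(NMAP_XML)}


if __name__ == "__main__":
    for argv in demo()["followup"]:
        print(" ".join(argv))
```

Version strings in real -oG output have "/" replaced by "|" by Nmap precisely so that the field split above stays valid; the XML format needs no such care, which is why it is the better input for automation.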
Vulnerability Scanning with Nmap
What is Vulnerability Scanning?
A method to detect known security weaknesses in a system.
Helps identify misconfigurations, outdated software, and exploitable services.
Used in penetration testing and security auditing.
Why Use Nmap for Vulnerability Scanning?
Nmap includes NSE (Nmap Scripting Engine), which has scripts for detecting vulnerabilities.
Can automate security checks and report the evidence behind each finding.
Lightweight and fast, but its coverage is a few hundred community-written checks, not the plugin feed of a commercial scanner; treat NSE as triage, not as a replacement for Nessus.
Example: Basic Vulnerability Scan
nmap --script vuln [Link]
(Runs every script in the vuln category against the target; some of these checks send intrusive probes, so have authorization before running it.)
Advanced Vulnerability Scanning with Nmap Scripts
Using Specific Vulnerability Scripts
Nmap has hundreds of scripts in categories like vuln, exploit, malware, and auth.
You can run targeted vulnerability checks with specific scripts.
Example: Scan for SMB Vulnerabilities
nmap --script "smb-vuln*" -p 445 [Link]
(Quote the wildcard so the shell does not expand it against files in the current directory. Checks for SMB-related vulnerabilities, e.g. smb-vuln-ms17-010 for EternalBlue.)
Example: Scan for Heartbleed (OpenSSL) Vulnerability
nmap --script ssl-heartbleed -p 443 [Link]
(Detects if a server is vulnerable to Heartbleed.)
Finding More Vulnerability Scripts
ls /usr/share/nmap/scripts | grep vuln
(Lists all available vulnerability scripts in Nmap.)
Final Tip: Keep the script database current:
nmap --script-updatedb
(Rebuilds the script.db index after you add or edit scripts in the scripts directory. It does not download new scripts; for those, update Nmap itself.)
Introduction to Sniffing
What is Sniffing?
Sniffing is capturing and analyzing network traffic to monitor or inspect data
packets.
Used for network troubleshooting, security analysis, and penetration testing.
Can be active (MITM attack) or passive (packet capture only).
Common Use Cases:
Diagnosing network issues.
Identifying malicious activity (e.g., detecting malware traffic).
Capturing sensitive data (e.g., plaintext passwords in unencrypted traffic).
Monitoring protocol-specific vulnerabilities.
Popular Sniffing Tools:
Wireshark (GUI-based, powerful filtering and analysis).
tcpdump (CLI-based, lightweight, good for automation).
Packet Sniffing with Wireshark

What is Wireshark?
A GUI-based packet analyzer for real-time and saved captures.
Allows deep packet inspection with filtering options.
Supports live capture from network interfaces.
Basic Steps to Use Wireshark:
1️⃣ Start Wireshark and select the network interface.
2️⃣ Click Start Capture to collect packets.
3️⃣ Use display filters (e.g., http, tcp, ip.addr == [Link]) to focus on relevant data.
4️⃣ Analyze packets (check source, destination, payloads).
5️⃣ Stop capture and save results for later analysis.
Example Filter: Show only HTTP traffic => http
Example Filter: Show only traffic to/from [Link] => ip.addr == [Link]
(These are display filters, applied after capture. To limit what is written to disk in the first place, set a capture filter in tcpdump/BPF syntax before starting, e.g. host [Link].)
Packet Sniffing with tcpdump
What is tcpdump?
A command-line packet capture tool.
Faster and more lightweight than Wireshark; no GUI needed, so it runs on servers and jump hosts.
Can be used for remote packet capture over SSH: run tcpdump with -w - on the remote host and pipe its output to a local file or straight into Wireshark.
Basic Commands:
Capture all packets on an interface (e.g., eth0)
tcpdump -i eth0
Capture only TCP packets
tcpdump -i eth0 tcp
Save captured packets to a file for later analysis
tcpdump -i eth0 -w [Link]
Read a saved capture file with Wireshark
wireshark [Link]
Advanced tcpdump Options

Capture packets from a specific host


tcpdump -i eth0 host [Link]
(Filters packets to/from [Link] only.)

Filter traffic by network


tcpdump -i eth0 net 192.168.1.0/24
(Captures packets to or from any address in the 192.168.1.x subnet.)

Filter by specific port (e.g., HTTP traffic on port 80)


tcpdump -i eth0 port 80

Filter by protocol
tcpdump -i eth0 tcp
tcpdump -i eth0 udp
tcpdump -i eth0 icmp
(Captures only TCP, UDP, or ICMP traffic.)

Use logical operators for complex filters


tcpdump -i eth0 src [Link] and dst port 443
(Captures packets where [Link] is the source and the destination is port
443.)
Save packets to a file for later analysis
tcpdump -i eth0 -w [Link]
(Stores packets in [Link], which can be opened in Wireshark.)

Read a saved packet capture file


tcpdump -r [Link]
(Reads and decodes the saved packets from the file; nothing is re-sent on the wire. The same filter expressions work here, so you can narrow a large capture without re-capturing.)

Show packet timestamps for analysis


tcpdump -i eth0 -tttt
(Displays human-readable timestamps for easier log correlation.)

View packets in hexadecimal and ASCII format (for payload inspection)


tcpdump -i eth0 -X
(Displays both hex and ASCII representations of the packet data.)
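The capture-file and filter mechanics behind the tcpdump and Wireshark commands above, as an added example (not from the original slides, and not tcpdump's or libpcap's code): it builds a constructed three-way handshake plus one unrelated SYN as Ethernet/IPv4/TCP frames, writes them in the classic libpcap format that -w produces, reads them back the way -r does, and applies host / src / dst port style matching in Python. The addresses 10.0.0.5, 10.0.0.6 and 10.0.0.9 and the MAC addresses are made up for the example.

```python
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4            # written little-endian by write_pcap(); readers sniff byte order from it
LINKTYPE_ETHERNET = 1
TCP_FLAG_BITS = (("F", 1), ("S", 2), ("R", 4), ("P", 8), ("A", 16))


def checksum(data):
    """RFC 1071 one's-complement sum shared by the IPv4 and TCP headers; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags="S", payload=b""):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums (MAC addresses are dummies)."""
    flag_byte = sum(bit for name, bit in TCP_FLAG_BITS if name in flags)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flag_byte, 8192, 0, 0) + payload
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + b"\x00\x06" + struct.pack("!H", len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip + tcp


def write_pcap(path, frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header before each frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)


def decode_frame(frame, ts=0.0):
    """Extract what tcpdump prints for a frame: addresses, ports, TCP flags, payload."""
    pkt = {"ts": ts, "proto": None}
    if frame[12:14] != b"\x08\x00":                    # only IPv4 is decoded here
        return pkt
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    pkt.update(src=socket.inet_ntoa(frame[26:30]), dst=socket.inet_ntoa(frame[30:34]),
               proto={1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto)))
    l4 = frame[14 + ihl:]
    if proto in (6, 17):
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6:
        pkt["flags"] = "".join(name for name, bit in TCP_FLAG_BITS if l4[13] & bit)
        pkt["payload"] = l4[(l4[12] >> 4) * 4:]
    return pkt


def read_pcap(path):
    """What `tcpdump -r file` does: decode the saved records; nothing is put on the wire."""
    with open(path, "rb") as f:
        data = f.read()
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        pkts.append(decode_frame(data[off + 16:off + 16 + incl], ts_sec + ts_usec / 1e6))
        off += 16 + incl
    return pkts


def match(pkt, **want):
    """BPF-style primitives AND-ed together: host/src/dst (IPs), port/dst_port, proto."""
    checks = {
        "host": lambda v: v in (pkt.get("src"), pkt.get("dst")),
        "src": lambda v: pkt.get("src") == v,
        "dst": lambda v: pkt.get("dst") == v,
        "port": lambda v: v in (pkt.get("sport"), pkt.get("dport")),
        "dst_port": lambda v: pkt.get("dport") == v,
        "proto": lambda v: pkt.get("proto") == v,
    }
    return all(checks[key](value) for key, value in want.items())


def demo():
    """Constructed capture: a full handshake to 10.0.0.9:443 plus an unrelated SYN to port 80."""
    frames = [
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 443, "S"),
        build_tcp_frame("10.0.0.9", "10.0.0.5", 443, 40000, "SA"),
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 443, "A"),
        build_tcp_frame("10.0.0.6", "10.0.0.9", 51000, 80, "S"),
    ]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, frames)
        pkts = read_pcap(path)
    finally:
        os.remove(path)
    return {
        "total": len(pkts),
        # tcpdump -r file 'src 10.0.0.5 and dst port 443'  -> the client's SYN and ACK
        "src_and_dst_port": [p["flags"] for p in pkts if match(p, src="10.0.0.5", dst_port=443)],
        # tcpdump -r file 'host 10.0.0.6'                   -> the unrelated SYN only
        "host_10_0_0_6": sum(match(p, host="10.0.0.6") for p in pkts),
        "ip_checksum_ok": all(checksum(f[14:34]) == 0 for f in frames),
    }
```

The file this writes opens in Wireshark or with tcpdump -r like any real capture, which is a handy way to check that a display or BPF filter matches what you think it matches before using it on a large live capture.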
