Vinay Khatri
What is Network Scanning

Gathering information about the target machine or server is one of the crucial steps toward identifying vulnerabilities on the machine or compromising it. There are various methods to gather information on a target, but one of the most effective and commonly used is called Network Scanning. Network scanning itself is divided into multiple types. In this post, I will walk you through what network scanning is, its objectives, how it aids in reconnaissance, and how we can use the popular tool Nmap to perform network scanning with ease.

What is Network Scanning?

Network scanning is an active process to gather information on a target machine by identifying active hosts, their open ports, and the services running on those ports. In the field of ethical hacking, network scanning allows us to scan a particular target for its open ports or scan an entire network to identify active hosts. With the information gathered through network scanning, one can identify present vulnerabilities and exploit them to gain unauthorized access to the system or inject a payload into the network.

Types of Network Scanning:
There are mainly three types of network scanning:

  1. Host Discovery
  2. Port Scanning
  3. Vulnerability Scanning

1. Host Discovery Scanning:

In Host discovery scanning, we aim to identify active hosts over a network. By utilizing this scanning method, we can determine which IPs are active and operational within a network, along with the number of devices connected to the router or network. The primary objective of host discovery is to map out the network and determine which IPs are reachable.

The simplest technique for host discovery is known as a ping sweep, wherein an ICMP echo request is sent to each IP address in turn; every address that sends an echo reply is confirmed to be up. For a single host this can be done with the ping command in the terminal or command prompt.

```
ping 192.168.29.98
Pinging 192.168.29.98 with 32 bytes of data:
Reply from 192.168.29.98: bytes=32 time=272ms TTL=64
Reply from 192.168.29.98: bytes=32 time=200ms TTL=64
Reply from 192.168.29.98: bytes=32 time=112ms TTL=64
Reply from 192.168.29.98: bytes=32 time=25ms TTL=64
Ping statistics for 192.168.29.98:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 25ms, Maximum = 272ms, Average = 152ms
```

To sweep a whole network we can use the nmap -sn command (host discovery only, no port scan), which probes every address in a range given in CIDR notation.

```
┌──(crow㉿kali)-[~]
└─$ nmap -sn 192.168.29.1/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-21 21:20 IST
Nmap scan report for (192.168.29.1)
Host is up (0.010s latency).
Nmap scan report for 192.168.29.12
Host is up (0.0047s latency).
Nmap scan report for 192.168.29.98
Host is up (0.0045s latency).
Nmap scan report for 192.168.29.202
Host is up (0.000081s latency).
Nmap scan report for 192.168.29.212
Host is up (0.048s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.85 seconds
```

In this command, Nmap sends an ICMP echo request to every IP address in the specified network range and reports the ones that answer. Keep in mind that when it is run with root privileges against a local Ethernet segment, Nmap uses ARP requests instead, so hosts that silently drop ICMP still show up.
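The flip side of a ping sweep is spotting one in your own logs: a single source that sends echo requests to many different addresses in a short time. The following detector is an added example written for this post, not code from the original article or from Nmap; it parses constructed iptables-style log lines (the format, field names and addresses are assumptions) and uses a sliding window over each source's probes to flag sweeps while ignoring a host that merely pings one or two neighbours.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified iptables/syslog style (not real log data).
# 192.168.29.202 sends echo requests to twenty different addresses within a few
# seconds, the signature of a ping sweep; 192.168.29.12 just pings two hosts.
SAMPLE_LOG = "\n".join(
    [f"2024-02-21T21:20:{i // 8:02d} IN=eth0 SRC=192.168.29.202 "
     f"DST=192.168.29.{i} PROTO=ICMP TYPE=8" for i in range(1, 21)]
    + [
        "2024-02-21T21:25:00 IN=eth0 SRC=192.168.29.12 DST=192.168.29.98 PROTO=ICMP TYPE=8",
        "2024-02-21T21:25:01 IN=eth0 SRC=192.168.29.12 DST=192.168.29.98 PROTO=ICMP TYPE=8",
        "2024-02-21T21:25:01 IN=eth0 SRC=192.168.29.98 DST=192.168.29.12 PROTO=ICMP TYPE=0",
        "2024-02-21T21:25:03 IN=eth0 SRC=192.168.29.12 DST=192.168.29.99 PROTO=ICMP TYPE=8",
    ]
)

# Assumed line layout: ISO timestamp, then key=value fields as iptables logs them.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+))?"
)


def parse_echo_requests(log_text):
    """Return (timestamp, src, dst) for each ICMP echo request (type 8) line.

    Echo replies (type 0) and non-ICMP lines are ignored, so a host answering
    pings is never mistaken for one sending them.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "ICMP" or m.group("type") != "8":
            continue
        events.append((datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst")))
    return events


def detect_ping_sweeps(events, threshold=10, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_destinations} for every source that probed at
    least `threshold` distinct destinations inside some sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))

    alerts = {}
    for src, probes in by_src.items():
        probes.sort()                      # chronological order
        in_window = Counter()              # distinct destinations currently in the window
        left = 0
        for ts, dst in probes:
            in_window[dst] += 1
            # Slide the left edge forward until every counted probe fits in the window.
            while ts - probes[left][0] > window:
                old = probes[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for src, count in detect_ping_sweeps(parse_echo_requests(SAMPLE_LOG)).items():
        print(f"possible ping sweep from {src}: {count} distinct hosts probed")
```

The threshold and window are tuning knobs: on a /24 a sweep touches up to 254 addresses in a couple of seconds, so ten distinct destinations per minute is a conservative starting point; monitoring systems that legitimately ping many hosts should be allow-listed by source address rather than by raising the threshold.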

2. Port Scanning

Port scanning involves targeting an individual active machine or server and scanning for its open ports. Ports are essential for communication between machines to send and receive data. Ports are associated with specific protocols and services, and through port scanning, we aim to identify open ports that may be using outdated services vulnerable to exploitation.

Various techniques can be used for port scanning, such as TCP connect scanning, SYN scanning, UDP scanning, and ACK scanning, all of which can be performed with Nmap. For example, a TCP connect scan, which is a reliable and straightforward port scanning technique, can be performed with the following command:

```
nmap -sT 192.168.29.12
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-21 21:40 IST
Nmap scan report for 192.168.29.12
Host is up (0.0049s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
```

In this command, Nmap performs a TCP connect scan (a full three-way handshake with each port) against its default set of the 1,000 most common TCP ports: the 23 open ports listed plus the 977 closed ones reported as "Not shown". The SERVICE column comes from Nmap's port-number table, not from talking to the service, which is why 8180/tcp is reported as unknown.
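A scan report like the one above is only useful once someone reads it, so the natural next step is to parse it and pull out the ports that need attention. The following parser and triage routine is an added example written for this post, not code from the original article or from Nmap; it feeds the report shown above (embedded as sample input) through a small regex-based parser of Nmap's normal output and flags open ports whose service name points at cleartext or trust-based protocols, plus any port the table could not name. The RISKY mapping and its reasons are this example's own triage notes, not Nmap output.

```python
import re

# The scan report from the post, embedded verbatim as the sample input.
NMAP_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-21 21:40 IST
Nmap scan report for 192.168.29.12
Host is up (0.0049s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# Service names, as Nmap's port table labels them, that a defender should not
# expect to find reachable: cleartext logins or trust-based remote execution.
# These reasons are this example's own triage notes (an assumption), not Nmap output.
RISKY = {
    "telnet": "cleartext remote shell; replace with ssh",
    "ftp": "cleartext credentials; replace with sftp or ftps",
    "exec": "rexec: cleartext credentials and remote command execution",
    "login": "rlogin: trust-based login without strong authentication",
    "shell": "rsh: trust-based remote shell",
    "vnc": "remote desktop exposed to the network; restrict or tunnel it",
    "X11": "remote display exposed to the network; should not listen on all interfaces",
}


def parse_nmap_report(text):
    """Return {host: [(port, proto, state, service), ...]} from Nmap's normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = h.group("host")
            hosts[current] = []
            continue
        p = PORT_RE.match(line)
        if p and current is not None:
            hosts[current].append(
                (int(p.group("port")), p.group("proto"), p.group("state"), p.group("service"))
            )
    return hosts


def triage(hosts):
    """Return sorted (host, port, service, reason) tuples for open ports needing attention."""
    findings = []
    for host, ports in hosts.items():
        for port, proto, state, service in ports:
            if state != "open":
                continue
            if service in RISKY:
                findings.append((host, port, service, RISKY[service]))
            elif service == "unknown":
                # The port table only maps numbers to names; fingerprint the listener with -sV.
                findings.append((host, port, service, "unidentified service; rerun with nmap -sV"))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, service, reason in triage(parse_nmap_report(NMAP_OUTPUT)):
        print(f"{host}:{port} ({service}) - {reason}")
```

Because the parser keys on "Nmap scan report for" lines, the same code handles a report covering many hosts from one run; for anything beyond a quick triage, Nmap's XML output (-oX) is the format to parse, since the normal output is meant for humans and its layout is not guaranteed to stay stable between versions.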

3. Vulnerability Scanning:

In vulnerability scanning, we take a more active approach to identify the vulnerabilities present on the network or system. This involves scanning for known vulnerabilities in software, configurations, or missing patches. The main objective is to discover weaknesses by identifying services or applications that can be easily exploited. Various tools, such as OpenVAS and Nessus, provide powerful utilities for vulnerability scanning.
