Timothy Imanuel

Ethical Hacking Week 4: Target Discovery & OS Fingerprinting 🎯🔍

In Week 4 of Ethical Hacking and Penetration Testing, we officially started mapping out our targets. Before you can exploit a system, you have to find it and figure out exactly what it’s running. This phase is all about Target Discovery and OS Fingerprinting.

Finding the Target (Discovery)

We looked at the command-line tools used to identify live machines on a network. The classic ping sweep is great, but we also explored arping, fping, hping, and nbtscan for mapping out local networks. For modern setups, we even touched on IPv6 discovery tools like alive6.

OS Fingerprinting (Who are we talking to?)

Once we know a machine is alive, we need to know what operating system it’s running so we can look up vulnerabilities. There are two ways to do this:

  • Active Fingerprinting: We send carefully crafted packets to the target and analyze the unique ways its TCP/IP stack responds. Nmap is the classic tool for this. It's fast, but very noisy: the probes are unusual enough that firewalls and IDS sensors will see and log them.
  • Passive Fingerprinting: We quietly sniff the network traffic without sending anything. Tools like p0f let us figure out the OS just by observing how the target naturally communicates (TTL, window size, TCP options). It's slower, and we only learn about hosts that happen to be talking, but it's stealthy because we never send a packet of our own.

TCP vs. UDP (The Delivery Methods)

To understand port scanning, you have to understand how data moves across the network.

  • TCP (Transmission Control Protocol): Connection-oriented and highly reliable. It uses a strict 3-way handshake (SYN ➔ SYN-ACK ➔ ACK) before sending data, and will automatically retransmit lost packets and reorder them at the destination.
  • UDP (User Datagram Protocol): Connectionless and fast. It just fires datagrams at the target without checking if they arrive. It's up to the application (like DNS or SNMP) to handle lost data.

We also learned the layout of the port neighborhood:

  • 0 - 1,023: Well-Known Ports
  • 1,024 - 49,151: Registered Ports
  • 49,152 - 65,535: Dynamic/Private Ports

Reading Port Scans like a Pro

When we use a network scanner like Nmap, Unicornscan, or Amap, the target's response tells us exactly what state the port is in.

Decoding a TCP Scan:

  • Gets a SYN+ACK? The port is open and listening.
  • Gets an RST+ACK? The target explicitly rejected you (Port Closed).
  • Gets an ICMP Unreachable or absolutely nothing? The port is Filtered by a firewall.

Decoding a UDP Scan:

  • Gets a UDP response? The port is open.
  • Gets an ICMP Port Unreachable? The port is closed.
  • Gets nothing? Ambiguous: either a firewall dropped the probe, or the service is open but simply doesn't answer an empty datagram. Nmap reports this as open|filtered.
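The two decoding tables above boil down to a small decision procedure. Here is an added example (not code from the original post, and not Nmap's own code) that takes whatever IPv4 packet came back from a SYN probe or an empty UDP probe (or `None` when nothing came back) and returns the Nmap-style port state. It also covers the ICMP destination-unreachable codes (type 3, codes 1, 2, 3, 9, 10, 13) that Nmap treats as "filtered", which the bullet list only summarises as "ICMP Unreachable". All reply packets are constructed inline; no probes are sent.

```python
"""Decode captured scan replies into Nmap-style port states (added example)."""
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
SYN, RST, ACK = 0x02, 0x04, 0x10
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3
# Destination-unreachable codes that come from a filtering device rather than
# the target's own stack: host, protocol, port, net-admin, host-admin, admin-prohibited.
FILTER_CODES = {1, 2, 3, 9, 10, 13}


def l4_header(packet: bytes):
    """Split an IPv4 packet into (protocol number, layer-4 header bytes)."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[9], packet[ihl:]


def decode_syn_scan(reply):
    """State of a port probed with a TCP SYN, given the reply packet (or None)."""
    if reply is None:
        return "filtered"                     # probe or answer silently dropped
    proto, hdr = l4_header(reply)
    if proto == IPPROTO_TCP:
        flags = hdr[13]
        if flags & SYN and flags & ACK:
            return "open"                     # stack is listening
        if flags & RST:
            return "closed"                   # stack explicitly refused
        return "unexpected"
    if proto == IPPROTO_ICMP and hdr[0] == ICMP_DEST_UNREACH and hdr[1] in FILTER_CODES:
        return "filtered"
    return "unexpected"


def decode_udp_scan(reply):
    """State of a port probed with an empty UDP datagram, given the reply (or None)."""
    if reply is None:
        return "open|filtered"                # silent service or a dropping firewall
    proto, hdr = l4_header(reply)
    if proto == IPPROTO_UDP:
        return "open"
    if proto == IPPROTO_ICMP and hdr[0] == ICMP_DEST_UNREACH:
        if hdr[1] == ICMP_PORT_UNREACH:
            return "closed"
        if hdr[1] in FILTER_CODES:
            return "filtered"
    return "unexpected"


def scan_report(results):
    """Map {(proto, port): reply} to {(proto, port): state} for a whole scan."""
    decoders = {"tcp": decode_syn_scan, "udp": decode_udp_scan}
    return {(p, port): decoders[p](reply) for (p, port), reply in results.items()}


# --- constructed sample replies (not real captures) -------------------------
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 5])) + payload


def tcp_reply(flags: int) -> bytes:
    return ipv4(IPPROTO_TCP, struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 5 << 4, flags, 65535, 0, 0))


def icmp_reply(icmp_type: int, code: int) -> bytes:
    # Header only; a real ICMP error would also quote the original datagram.
    return ipv4(IPPROTO_ICMP, struct.pack("!BBHI", icmp_type, code, 0, 0))


def udp_reply() -> bytes:
    return ipv4(IPPROTO_UDP, struct.pack("!HHHH", 53, 40000, 8, 0))


if __name__ == "__main__":
    sample = {
        ("tcp", 80): tcp_reply(SYN | ACK),
        ("tcp", 23): tcp_reply(RST | ACK),
        ("tcp", 445): icmp_reply(3, 13),
        ("tcp", 3389): None,
        ("udp", 53): udp_reply(),
        ("udp", 161): icmp_reply(3, 3),
        ("udp", 69): None,
    }
    for key, state in scan_report(sample).items():
        print(key, state)
```

Note the asymmetry the post is getting at: for TCP, silence means "filtered"; for UDP, silence cannot be told apart from an open-but-quiet service, which is why UDP scans are slow and why Nmap hedges with open|filtered.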

Wrapping Up

We are officially mapping networks! Understanding how TCP and UDP respond to our probes is the difference between guessing and knowing. Stay tuned for the next phase. Keep hacking!

#cybersecurity #infosec #ethicalhacking #nmap #networking