Scanning is the process of identifying network- and service-related information by communicating with the target. It helps identify IP addresses/hostnames, ports, the services running on those ports, live hosts, and vulnerable services on the target network.
During network scanning, an attacker gathers a list of IP addresses of the computers that are live on the target network. The attacker's job becomes easier once he/she can analyse the network structure and the services running on each machine.
Ports are virtual entry points to any digital device; devices communicate with one another through ports. Every device has 65535 virtual ports, identified by port numbers ranging from 0 to 65535.
Port scanning is a technique in which the attacker sends communication probes to the target and observes how it responds. From the responses the attacker determines which ports are open, along with other port details such as the service running on each port number and the operating system the target is running.
Well known ports
| Application | Port Number(s) |
For details on other port numbers and services, refer to RFC 1700.
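The other side of the port scanning described above is spotting it. The following is an added example, not code from the original page: it runs a simple detector over constructed firewall log lines and flags any source that probes many distinct destination ports within a short window. The log format, the 60-second window and the 10-port threshold are assumptions chosen for this example.

```python
"""Port-sweep detector over constructed firewall log lines.

Added example, not from the original page: a single source that probes many
distinct destination ports within a short window is the classic signature of
a port scan. The log format, the 60-second window and the 10-port threshold
are assumptions chosen for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption: one dropped TCP packet per line, in an iptables-like layout
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=\S+ PROTO=TCP DPT=(?P<dpt>\d+)"
)

def _line(ts, src, dpt):
    """Build one constructed log line."""
    return f"{ts.isoformat()} DROP SRC={src} DST=192.0.2.10 PROTO=TCP DPT={dpt} FLAGS=S"

T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = "\n".join(
    # fast sweep: 12 ports in 12 seconds from 203.0.113.5
    [_line(T0 + timedelta(seconds=i), "203.0.113.5", 20 + i) for i in range(12)]
    # slow sweep: 12 ports spread over 55 minutes from 203.0.113.9
    + [_line(T0 + timedelta(minutes=5 * i), "203.0.113.9", 20 + i) for i in range(12)]
    # ordinary client: two ports, 30 seconds apart
    + [_line(T0, "198.51.100.7", 443), _line(T0 + timedelta(seconds=30), "198.51.100.7", 80)]
)

def parse_log(text):
    """Return (timestamp, source IP, destination port) for every matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in another format are ignored
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])))
    return events

def detect_port_scans(events, window=timedelta(seconds=60), threshold=10):
    """Map each source to the largest number of distinct ports it hit inside one window.

    Only sources that reach `threshold` distinct ports are returned.
    """
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))
    alerts = {}
    for src, probes in by_src.items():
        probes.sort()                 # the sliding window needs time order
        in_window = Counter()         # port -> hits currently inside the window
        left = 0
        for ts, dpt in probes:
            in_window[dpt] += 1
            while ts - probes[left][0] > window:   # expire probes older than the window
                old = probes[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts

if __name__ == "__main__":
    for src, n in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {n} distinct ports within 60 s")
```

With the defaults only the fast sweep is reported; the slow sweep never has more than one port inside a 60-second window, which is exactly the blind spot a longer window or a lower threshold would close (at the cost of more false positives from ordinary clients).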
ICMP stands for Internet Control Message Protocol. It is widely used for troubleshooting internet communication and for reporting errors related to IP operations: it sends packets to the target machine and checks whether they are delivered.
Identifying the computers that are turned on by sending ICMP packets, ARP packets or some other kind of packets is called a Live Host Identification Scan.
The Transmission Control Protocol (TCP) is a widely used protocol for data transmission over a network. It establishes a reliable connection between two hosts before transmitting data, to ensure that the data reaches its destination without fail. TCP is therefore known as a connection-oriented protocol. It provides error- and flow-control mechanisms, which allow orderly transmission of data and retransmission of lost packets.
UDP stands for User Datagram Protocol, a connectionless protocol mostly used for connections that can tolerate data loss. It is used by internet applications that offer voice and video communication, which can suffer some data loss without the quality being adversely affected. UDP provides no error- or flow-control mechanisms and does not require a connection to be established before data is transmitted over the network.
To start a proper TCP conversation, the sender and receiver perform a three-way handshake before exchanging data over the network. It is the process by which two hosts agree on how to start sharing data. The following image represents the three-way handshake.
In a TCP connect scan, Nmap asks the operating system to establish a connection with the target machine and port by issuing the connect system call.
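The connect scan just described is the one scan type a plain unprivileged program can reproduce, because the operating system performs the whole three-way handshake on its behalf. The following is an added example, not code from the original page or from Nmap: it starts its own listener on 127.0.0.1 and then uses `connect_ex()` (the Python wrapper around the connect system call) to tell an open port from a closed one; the open/closed/filtered labels and the 0.5-second timeout are this example's own choices.

```python
"""TCP connect scan against a listener on 127.0.0.1.

Added example, not from the original page or from Nmap: it uses the same
connect() system call the text describes, aimed only at the local host, with a
listener the script starts itself so the expected result is known in advance.
The port-state labels follow the common open/closed/filtered convention.
"""
import errno
import socket

def start_listener():
    """Bind a TCP listener on an ephemeral loopback port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)                      # the kernel completes handshakes into the backlog
    return srv, srv.getsockname()[1]

def reserve_closed_port():
    """Find a loopback port that nothing is listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]      # socket closes on exit, so the port is free again

def connect_scan(host, ports, timeout=0.5):
    """Return {port: state} using one full connect() call per port."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                err = s.connect_ex((host, port))
            except OSError as exc:      # a timeout surfaces as an exception on some platforms
                err = exc.errno or -1
        if err == 0:
            results[port] = "open"       # three-way handshake completed
        elif err == errno.ECONNREFUSED:
            results[port] = "closed"     # the kernel received a RST in answer to its SYN
        else:
            results[port] = "filtered"   # no answer or unreachable: nothing can be concluded
    return results

if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    try:
        print(connect_scan("127.0.0.1", [open_port, closed_port]))
    finally:
        srv.close()
```

Because every probe completes the handshake, each open port shows up as a fully established connection in the target's application and connection logs, which is why this scan is the noisiest of the types discussed here and the easiest for a defender to attribute.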
The SYN scan is the most popular scan option. It can scan thousands of ports in a short time on a fast network that is not hampered by restrictive firewalls.
The ACK scan is different from the scans discussed above: it never determines whether ports are open. It is used to map firewall rules, determine the type of firewall and identify filtered ports.
The Xmas-Tree scan sends a TCP packet with the following flags:
URG — Indicates that the data is urgent and should be processed immediately
PSH — Forces data to a buffer
FIN — Used when finishing a TCP session
The FIN scan attempts to close a connection that is not open. If no service is running on the target port, the operating system replies with an error; if a service is listening, it silently drops the incoming packet. Therefore, no response indicates a listening service on that port.
A NULL scan sends a TCP packet with no flags set to a TCP port (in regular TCP communication at least one flag is set). In TCP connect/SYN scans a response indicates an open port, but in a NULL scan a response indicates a closed port.
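The SYN, ACK, Xmas, FIN and NULL scans above differ only in which TCP flag bits the probe carries and in how a reply (or its absence) is read. The following is an added example, not code from the original page or from Nmap: it classifies probes by their flag bits, the way an intrusion detection rule would, and maps each scan type's reply to a port state. The flag bit values are the standard TCP header bits; the probe list is constructed. One point the example adds beyond the text: for FIN, NULL and Xmas probes, silence is labelled "open|filtered", because a firewall that drops the probe is indistinguishable from a listening service that ignores it.

```python
"""Classify TCP probes by their flag bits and interpret replies per scan type.

Added example, not from the original page or from Nmap: the flag bit values
are the standard TCP header bits, the probe list is constructed, and the
reply interpretation follows the open/closed/filtered convention. For FIN,
NULL and Xmas probes a missing reply is labelled "open|filtered" because a
firewall that drops the probe looks exactly like a listening service.
"""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# Exact flag combinations that identify the probe of each scan type
PROBE_SIGNATURES = {
    0: "NULL",                # no flags at all
    FIN: "FIN",               # FIN alone
    FIN | PSH | URG: "Xmas",  # the three "lit" flags
    SYN: "SYN",               # first packet of a normal handshake
    ACK: "ACK",               # firewall-rule mapping probe
}

def flags_to_str(flags):
    """Render a flags byte as e.g. 'FIN,PSH,URG' ('' for a NULL packet)."""
    return ",".join(name for bit, name in FLAG_NAMES.items() if flags & bit)

def classify_probe(flags):
    """Return the scan type whose probe has exactly these six flag bits, else None."""
    return PROBE_SIGNATURES.get(flags & 0x3F)

def interpret_reply(scan, reply):
    """Map (scan type, reply) to a port state.

    reply is one of 'SYN/ACK', 'RST', 'ICMP-unreach' or None (no answer).
    """
    if scan in ("FIN", "NULL", "Xmas"):
        # an RST means closed; silence means open *or* filtered
        return {"RST": "closed", "ICMP-unreach": "filtered"}.get(reply, "open|filtered")
    if scan == "SYN":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan == "ACK":
        # the ACK scan never reports open: an RST only proves the probe got through
        return "unfiltered" if reply == "RST" else "filtered"
    raise ValueError(f"unknown scan type: {scan}")

# Constructed (flags, reply) pairs, as an IDS might pair a probe with its answer
SAMPLE_PROBES = [
    (FIN | PSH | URG, None),    # Xmas probe, no answer
    (0, "RST"),                 # NULL probe, RST back
    (SYN, "SYN/ACK"),           # SYN probe, port answered
    (ACK, "RST"),               # ACK probe, RST back
    (SYN | ACK, None),          # not a probe: second step of a normal handshake
]

def summarize(probes):
    """Return [(flag string, scan type, inferred state)] for each probe."""
    out = []
    for flags, reply in probes:
        scan = classify_probe(flags)
        state = interpret_reply(scan, reply) if scan else None
        out.append((flags_to_str(flags), scan, state))
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE_PROBES):
        print(row)
```

The flag-based rules fire on single packets, so they catch Xmas, NULL and FIN probes, which no legitimate TCP stack ever sends, with essentially no false positives; a SYN probe, by contrast, looks like the start of any ordinary connection and can only be recognised by volume, as in the sweep detector earlier on this page.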
Importance of Scanning
Scanning provides an exact outline of the target's network structure, which is useful for hacking target servers or individual computers. It yields a blueprint of the entire network: details of the devices running on it, information about the network topology, and help in determining which operating system each target computer is running.