Network Scanning Techniques

Network scanning is the process of gathering additional information and performing more detailed reconnaissance, building on the information collected during the footprinting phase.

In this phase, a number of different procedures are used with the objective of identifying hosts, ports, and services in the target network. The overall purpose is to identify vulnerabilities in the communication channels and then create an attack plan.

Types of Network Scanning

There are three types of scanning:

  • Port scanning - used to list open ports and services
  • Network scanning - used to list IP addresses
  • Vulnerability scanning - used to discover the presence of known vulnerabilities

Scanning Techniques

Port scanning techniques are extremely useful for identifying open ports. Scanning techniques are grouped by the protocol they use, into three categories:

  • Scanning ICMP network services
  • Scanning TCP network services
  • Scanning UDP network services

Scanning ICMP Network Services

ICMP Scanning

ICMP scanning is used for identifying active devices and determining whether ICMP can pass through a firewall.

Ping Sweep

Ping sweep is used to determine the range of IP addresses that is mapped to active devices. It allows hackers to calculate subnet masks and identify the number of hosts present in the subnet. This in turn enables them to create an inventory of active devices in the subnet.

ICMP Echo Scanning

ICMP Echo Scanning is used to determine which hosts are active in a target network by pinging all the machines in the network.
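Both techniques above produce the same traffic pattern on the wire: one source sending ICMP echo requests to many distinct hosts in a short span. The following is an added example, not code from the original page, showing how a defender can pick that pattern out of flow records and recover the address range that was being enumerated. The flow records, the source and target addresses, and the thresholds are all constructed for the example.

```python
"""Detecting ICMP echo sweeps from flow records.

Added example (not from the original page): flags any source that sends ICMP
echo requests to many distinct hosts within a short sliding window, which is
the pattern a ping sweep produces. Flow records are constructed below as
(timestamp_seconds, src_ip, dst_ip, icmp_type) tuples.
"""
from collections import defaultdict, deque
import ipaddress

ICMP_ECHO_REQUEST = 8  # ICMP type 8; type 0 is the echo reply

# Constructed sample: a fast sweep of 192.0.2.1-12, a very slow sweep of
# 192.0.2.1-9 spaced 5 s apart, and one ordinary ping together with its reply.
SAMPLE_FLOWS = (
    [(0.1 * i, "203.0.113.5", f"192.0.2.{i}", ICMP_ECHO_REQUEST) for i in range(1, 13)]
    + [(5.0 * i, "198.51.100.9", f"192.0.2.{i}", ICMP_ECHO_REQUEST) for i in range(1, 10)]
    + [(0.5, "192.0.2.50", "192.0.2.1", ICMP_ECHO_REQUEST),
       (0.6, "192.0.2.1", "192.0.2.50", 0)]
)


def detect_ping_sweeps(flows, min_hosts=8, window=2.0):
    """Return {src: sorted distinct destinations} for every source that sent
    echo requests to at least `min_hosts` distinct hosts within any
    `window`-second span. Only echo requests are counted; replies are ignored."""
    per_src = defaultdict(list)
    for ts, src, dst, icmp_type in sorted(flows):
        if icmp_type == ICMP_ECHO_REQUEST:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        recent = deque()              # (ts, dst) pairs inside the sliding window
        in_window = defaultdict(int)  # dst -> number of requests inside the window
        for ts, dst in events:
            recent.append((ts, dst))
            in_window[dst] += 1
            # Expire requests that fell out of the window.
            while ts - recent[0][0] > window:
                _, old_dst = recent.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            if len(in_window) >= min_hosts:
                hits[src] = sorted({d for _, d in events}, key=ipaddress.ip_address)
                break
    return hits


def covering_network(addresses):
    """Smallest CIDR block containing every swept address: the range the scanner
    was enumerating, which is what to compare against your own allocation when
    triaging the alert."""
    hosts = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(str(hosts[0]))
    while not all(h in net for h in hosts):
        net = net.supernet()
    return net


if __name__ == "__main__":
    for src, targets in detect_ping_sweeps(SAMPLE_FLOWS).items():
        print(f"ping sweep from {src}: {len(targets)} hosts in {covering_network(targets)}")
```

With the defaults only the fast sweep is reported; widening the window to a minute also catches the slow one, which is the usual trade-off between catching throttled sweeps and alerting on monitoring systems that legitimately ping many hosts.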

Scanning TCP Network Services

TCP Connect

TCP connect scan detects open ports by completing the three-way handshake. It establishes a full connection and then tears it down by sending an RST packet.

Stealth Scan

Stealth scan is used to evade firewalls and logging mechanisms. It works by resetting the TCP connection before the three-way handshake is completed, which leaves the connection half open.

Inverse TCP Flag Scanning

Inverse TCP flag scanning works by sending TCP probe packets with certain TCP flags set or with no flags set at all. Based on the response, it is possible to determine whether the port is open or closed. If there is no response, then the port is open. If the response is RST, then the port is closed.

Xmas Scan

Xmas scan works by sending a TCP segment with the FIN, URG, and PUSH flags set to the target device. Based on the response, it is possible to determine whether the port is open or closed. If there is no response, then the port is open. If the response is RST, then the port is closed. It is important to note that this scan works only for UNIX hosts.

ACK Flag Probe Scanning

ACK flag probe scanning works by sending TCP probe packets with the ACK flag set in order to determine whether the port is open or closed. This is done by analyzing the TTL and WINDOW fields of the received RST packet’s header. The port is open if the TTL value is less than 64.

Similarly, the port is also considered to be open if the WINDOW value is not 0 (zero). Otherwise, the port is considered to be closed.

ACK flag probe is also used to determine the filtering rules of the target network. If there is no response, a stateful firewall is present. If the response is RST, then the port is not filtered.
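Every TCP technique in this section is identified by the flag combination of an unsolicited inbound segment, and every one of them decides open, closed or filtered from the reply using the rules just stated. The following added example, which is not code from the original page, puts both halves into code: a classifier that names the probe type from the flags (the same test an IDS signature performs), the scanner-side decision rules from the text, and a detector that runs the classifier over tcpdump-style lines and flags a source probing many ports on one host. The tcpdump lines, addresses and the port threshold are constructed for the example; the TTL/WINDOW rule is implemented exactly as the text states it.

```python
"""Classifying TCP probe segments and applying the text's decision rules.

Added example (not from the original page). The sample tcpdump-style lines
below are constructed; no traffic is captured or sent.
"""
import re
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# tcpdump flag letters; '.' denotes ACK and 'none' a segment with no flags.
_TCPDUMP_FLAG = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG}
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

# Constructed capture: one scanner trying five techniques against 192.0.2.10,
# plus a normal client (192.0.2.50) completing a handshake to port 443.
SAMPLE_LINES = [
    "10:00:00.000001 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0",
    "10:00:00.000002 IP 192.0.2.10.22 > 203.0.113.5.40001: Flags [S.], seq 100, ack 2, win 64240, length 0",
    "10:00:00.000003 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [R], seq 2, win 0, length 0",
    "10:00:00.000100 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [FPU], seq 1, win 1024, length 0",
    "10:00:00.000200 IP 203.0.113.5.40003 > 192.0.2.10.443: Flags [none], seq 1, win 1024, length 0",
    "10:00:00.000300 IP 203.0.113.5.40004 > 192.0.2.10.25: Flags [F], seq 1, win 1024, length 0",
    "10:00:00.000400 IP 203.0.113.5.40005 > 192.0.2.10.3389: Flags [.], ack 1, win 1024, length 0",
    "10:00:00.000500 IP 192.0.2.10.3389 > 203.0.113.5.40005: Flags [R], seq 1, win 0, length 0",
    "10:00:01.000000 IP 192.0.2.50.51000 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0",
    "10:00:01.000010 IP 192.0.2.10.443 > 192.0.2.50.51000: Flags [S.], seq 5, ack 2, win 64240, length 0",
    "10:00:01.000020 IP 192.0.2.50.51000 > 192.0.2.10.443: Flags [.], ack 6, win 64240, length 0",
]


def parse_flags(text):
    """Convert tcpdump's flag string ('S', 'S.', 'FPU', 'none') to a bitmask."""
    return 0 if text == "none" else sum(_TCPDUMP_FLAG.get(ch, 0) for ch in text)


def parse_tcpdump_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "flags": parse_flags(m["flags"])}


def classify_probe(flags):
    """Name the technique by the exact flag combination of an unsolicited segment;
    replies and data segments fall through to 'other'."""
    return {0: "null",                 # inverse flag probe with no flags set
            FIN: "fin",                # inverse flag probe with FIN
            FIN | URG | PSH: "xmas",   # FIN, URG, PUSH
            SYN: "syn",                # start of a connect or half-open (stealth) scan
            ACK: "ack-probe"}.get(flags, "other")


def infer_from_response(probe, response):
    """Scanner-side rules as stated in the text; `response` is None (no reply) or
    a dict with the reply's 'flags', 'ttl' and 'window'. Silence is reported as
    'open|filtered' rather than the text's 'open', since a probe dropped by a
    filter is indistinguishable from an open port that stays quiet."""
    if probe in ("null", "fin", "xmas"):
        if response is None:
            return "open|filtered"
        return "closed" if response["flags"] & RST else "unknown"
    if probe == "ack-probe":
        if response is None:
            return "filtered"          # text: no reply means a stateful firewall
        if response["flags"] & RST:    # TTL/WINDOW heuristic exactly as the text gives it
            return "open" if response["ttl"] < 64 or response["window"] != 0 else "closed"
        return "unknown"
    if probe == "syn":
        if response is None:
            return "filtered"
        if response["flags"] & SYN and response["flags"] & ACK:
            return "open"
        return "closed" if response["flags"] & RST else "unknown"
    return "unknown"


def summarize_probes(lines):
    """Group probe segments by (src, dst). An ACK-only segment counts as a probe
    only if no SYN from the same 4-tuple preceded it, so the third segment of a
    normal handshake is not mistaken for an ACK probe."""
    seen_syn, summary = set(), defaultdict(lambda: {"ports": set(), "techniques": set()})
    for seg in filter(None, map(parse_tcpdump_line, lines)):
        kind = classify_probe(seg["flags"])
        flow = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        if kind == "syn":
            seen_syn.add(flow)
        if kind == "other" or (kind == "ack-probe" and flow in seen_syn):
            continue
        summary[(seg["src"], seg["dst"])]["ports"].add(seg["dport"])
        summary[(seg["src"], seg["dst"])]["techniques"].add(kind)
    return summary


def detect_port_scans(lines, min_ports=4):
    """Flag (src, dst) pairs probed on at least `min_ports` distinct ports."""
    return {pair: info for pair, info in summarize_probes(lines).items()
            if len(info["ports"]) >= min_ports}
```

Run on the sample, the detector reports only the scanner, with all five probe types listed against it, while the legitimate client's handshake is left alone; the SYN-counting half of the rule will also fire on a client that opens many short connections, so the threshold has to be tuned for the host's normal traffic.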

Scanning UDP Network Services

IDLE/IPID Header Scan

IDLE/IPID header scan works by sending packets with a spoofed source address to the target to determine which services are available. In this scan, hackers use the IP address of a zombie machine for sending out the packets. Based on the IPID of the packet (fragment identification number), it is possible to determine whether the port is open or closed.

UDP Scanning

UDP scanning uses the UDP protocol to test whether a port is open or closed. There is no flag manipulation in this scan; instead, ICMP is used to determine whether the port is open. If a packet is sent to a port and an ICMP port unreachable message is returned, then the port is closed. If, however, there is no response, then the port is open.
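The ICMP port unreachable message the scanned host returns (type 3, code 3) carries the IP header and the first eight bytes of the datagram that triggered it, so whoever sees that message can recover exactly which UDP port was probed. The following added example, not code from the original page, parses those messages with checksum validation, applies the decision rule from the paragraph above on the scanner's side, and on the defender's side counts unreachable messages per peer to spot a host being UDP-scanned. The messages, addresses and the port threshold are constructed for the example; the only departure from the text is that a silent port is labelled "open|filtered", since a dropped probe and an open, silent service produce the same absence of a reply.

```python
"""Decoding ICMP port-unreachable messages seen during a UDP scan.

Added example (not from the original page). The sample messages are built
in-process by build_port_unreachable(); nothing is sent on the network.
"""
import ipaddress
import struct
from collections import defaultdict

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3
IPPROTO_UDP = 17


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_port_unreachable(probe_src, probe_dst, probed_port, sport=40000):
    """Construct the message a host emits for a closed UDP port: 8-byte ICMP
    header, then the IP header and first 8 bytes (the UDP header) of the probe."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, IPPROTO_UDP, 0,
                           ipaddress.IPv4Address(probe_src).packed,
                           ipaddress.IPv4Address(probe_dst).packed)
    inner_udp = struct.pack("!HHHH", sport, probed_port, 8, 0)
    body = inner_ip + inner_udp
    csum = inet_checksum(struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, 0, 0) + body)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, csum, 0, 0) + body


def parse_port_unreachable(msg):
    """Return (probe_src, probe_dst, probed_udp_port) for a valid type-3/code-3
    message whose embedded datagram is UDP, otherwise None."""
    if len(msg) < 8 + 20 + 8 or msg[0] != ICMP_DEST_UNREACH or msg[1] != CODE_PORT_UNREACH:
        return None
    if inet_checksum(msg) != 0:  # a valid message sums to zero including its checksum field
        return None
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8 or inner[9] != IPPROTO_UDP:
        return None
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return src, dst, dport


def infer_udp_states(probed_ports, replies):
    """Scanner-side rule from the text: port unreachable -> closed. No reply is
    reported as 'open|filtered' (the text says 'open') because a probe dropped
    by a filter and a silent open service look identical to the scanner."""
    closed = {parsed[2] for parsed in map(parse_port_unreachable, replies) if parsed}
    return {p: ("closed" if p in closed else "open|filtered") for p in probed_ports}


def detect_udp_scan(replies, min_ports=5):
    """Defender-side rule: a host answering the same peer with port unreachable
    for many distinct ports is being UDP-scanned by that peer.
    Returns {(scanner, target): sorted probed ports}."""
    probed = defaultdict(set)
    for parsed in filter(None, map(parse_port_unreachable, replies)):
        scanner, target, port = parsed
        probed[(scanner, target)].add(port)
    return {k: sorted(v) for k, v in probed.items() if len(v) >= min_ports}


# Constructed sample: 198.51.100.7 probed 192.0.2.10 on seven ports and 161 (SNMP)
# went unanswered; 192.0.2.50 sent one stray DNS query to a closed port, which a
# detector must not flag.
PROBED_PORTS = [53, 69, 111, 123, 137, 161, 500]
SAMPLE_REPLIES = [build_port_unreachable("198.51.100.7", "192.0.2.10", p)
                  for p in (53, 69, 111, 123, 137, 500)]
SAMPLE_REPLIES.append(build_port_unreachable("192.0.2.50", "192.0.2.10", 53))
```

The checksum check matters on the defender's side: counting malformed or forged unreachable messages would let noise inflate the per-peer count, and validating the embedded protocol field keeps TCP or ICMP unreachables from being mistaken for UDP probe results.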

SSDP and List Scanning

The SSDP (Simple Service Discovery Protocol) service responds to queries sent to IPv4 and IPv6 broadcast addresses. Attackers use this scan to exploit UPnP vulnerabilities and carry out buffer overflow or DoS attacks.

List scanning discovers hosts indirectly. It works by listing IP addresses and names without pinging the hosts, while performing a reverse DNS resolution to identify the hosts' names.