From the course: Penetration Testing and Ethical Hacking

Scanning networks

- [Instructor] Scanning networks. In this part of the lesson, we're going to look at scanning networks. This is the next step after fingerprinting. In scanning networks, we're going to actively begin probing the network, looking for hosts. So let's go ahead and get started. After the footprinting phase, you may have enough information about the target. The scanning phase requires some of this information to proceed further. Network scanning is the method of obtaining network information about the hosts on the network, the ports those hosts are using, the different services running on those hosts, the operating system types, and the different versions they're running. This is all information that you'll gather by scanning networks. Now, the main objectives of scanning the network, or network scanning, are as follows. You want to identify what's on the network: what live hosts are on the network, and what ports are open or closed on those hosts. You want to find out what operating system is running on each host, whether it's Windows, Linux, or another operating system. You want to know the services running on the network: is an FTP server running on that host, or a web server, or another service, which you identify by the port that's open. You want to identify the processes running on the network. You also want to identify the presence of security devices, like a firewall, as well as switches and other network devices. You want to identify the system architecture, the running services, and the vulnerabilities. That's the main key. You want to find out what vulnerabilities are on that network. So, as an overview of scanning networks, it includes probing the target to get information. In-depth identification of network ports and running services helps to create a picture of the network architecture.
And the attacker gets a clear picture of the target by, again, identifying what's running on that system. So before we jump into scanning networks, let's learn some basics here: TCP and UDP communication basics. There are two types of internet protocol traffic, or IP traffic. There's TCP, the Transmission Control Protocol, and there's UDP, the User Datagram Protocol. You may be familiar with TCP/IP and UDP types of traffic from other classes, but again, this is a brief overview just to bring you up to speed. TCP is connection-oriented: bidirectional communication takes place after the establishment of a successful connection. When you establish a TCP connection, there's a three-way handshake. We'll get to that in a moment, but again, it's a connection-oriented protocol, and a successful connection is based on a three-way handshake. Three parts have to happen in order for that connection to be successful. UDP, on the other hand, is a simpler, connectionless internet protocol. Multiple messages are sent as packets in chunks using UDP, so it's not connection-oriented. So TCP, again, is connection-oriented, bidirectional communication that takes place after the establishment of a successful connection. Now, because TCP is more complex, the header is larger, and flags are used to establish and terminate connections. These are some of the flags that we're going to be talking about and looking over, and you'll see them more as the course goes on. First there is the SYN flag. It initiates a connection between two hosts to facilitate communication. Then you have ACK, which acknowledges the receipt of a packet. Then you have something called URG, or urgent, which indicates that the data contained in the packet is urgent and should be processed immediately. Then you have what's called the push flag, or PSH, which instructs the sending system to send all buffered data immediately.
Then you have something called FIN, which basically informs the remote system when communication ends, to do a graceful close. So when you're finished sending your information, you use that. Then you have something called RST, which resets the connection. So again, those are the different flags that are used when TCP communication is started. Over on the right-hand side, we have a TCP header, and in that header you have the flags we just talked about. So we mentioned the three-way handshake. There's a three-way handshake in establishing a TCP connection between hosts. This handshake ensures a successful, reliable, connection-oriented session between the hosts. So if I had a computer and you had a computer and I wanted to communicate with you, I would send out a SYN packet. You, being the computer on the other end, or the server, receive that SYN packet, and you send back a SYN-ACK packet, or SYN and acknowledgement. Then I get your SYN-ACK and I send back an ACK, or acknowledgement. At that point, the TCP connection is established and we can begin sending information over it. So it's like a three-way validation type of handshake. That's what the three-way handshake is: a successful handshake results in the establishment of a TCP connection. We're going to come back to the three-way handshake later in this course, and in other courses as well. Now let's talk about the scanning methodology. Again, when you're scanning a network, you want to check for live systems, look for open ports, and also scan beyond an IDS, or intrusion detection system. There are ways that you can craft a packet and scan beyond the IDS. Also, you can do something called banner grabbing. Banner grabbing is gathering information that may be displayed when you connect to a host. You're also going to be scanning for vulnerabilities, and you want to create a network diagram, a diagram of the network.
And you also want to look for proxies: any type of device on the network that may be substituting for another device, or sending information on behalf of another device. That's what a proxy is. So in host discovery, initially you must know about the hosts that live on the target network. There are different ways you can do that. ICMP, or ping packets, carry out the process of finding live hosts on the network, and a lot of you may have used the ping command before. The target replies to an ICMP echo packet with an ICMP echo reply. So if you send a ping out to an IP address, it'll reply, letting you know that that IP address is alive. It'll give you the time-to-live value and the time in milliseconds as well. So this response, again, verifies that the host is up and alive. The target does not respond to ICMP packets when the host is down. So there's a method of scanning called ICMP scanning. It's a method for identifying live hosts by sending ICMP echo requests to a host. When an ICMP echo reply packet is received from a host, it verifies that the host is up and live. That's one of the basic ways of testing to see if a device is alive. If you have the IP address, you can ping it, P-I-N-G, space, and the IP address, and if it's alive, it will send you an echo reply back. Ping scanning is a useful tool not only for identifying live hosts, but also for determining which ICMP packets are passing through firewalls, and for the TTL value. Now there's also something called a ping sweep. A ping sweep determines live hosts on a large scale. So what if you had an application or a way to ping from the lowest IP address value in a range to the highest? That would be a ping sweep. You can ping that entire range, and it sends ICMP echo request packets to a range of IP addresses, instead of sending to one host, and observes the responses. Live hosts respond with ICMP echo reply packets.
So instead of just probing individually, again, you're probing the entire range. Now, there are a lot of tools that you can use to do this. Some are listed here, and again, these are tools that you want to write down in your notes: the Angry IP Scanner is one tool, SolarWinds Ping Sweep, nmap, fping, and PingPlotter Pro. Those are some tools that can do that ping sweep for you. Alright, in this lesson we learned just the beginnings of scanning networks. We had an overview of scanning networks, and we also talked about the scanning methodology, as well as host discovery. Alright, I'll see you in the future lessons, and we'll learn more about scanning networks.
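The TCP flags and three-way handshake described in the lesson, and the ICMP echo request/reply exchange behind a ping sweep, as an added worked example in Python. This is not code from the course or from any of the tools it names; the packet bytes, port and sequence numbers are constructed for illustration, and the raw-socket `ping_sweep` helper at the end is a hypothetical driver that needs root or CAP_NET_RAW and is not exercised offline.

```python
"""Added example (not from the course): decode TCP flags, check a three-way
handshake, and build/verify ICMP echo packets for a ping sweep."""
import os
import socket
import struct

# The six classic TCP flag bits (RFC 793), all in byte 13 of the header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_HDR = "!HHIIBBHHH"  # src, dst, seq, ack, offset, flags, window, checksum, urgent
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def decode_tcp_flags(tcp_header: bytes) -> list:
    """Return the names of the flags set in a 20-byte TCP header."""
    return [name for name, bit in TCP_FLAGS.items() if tcp_header[13] & bit]


def build_tcp_header(src_port, dst_port, seq, ack, flags: str) -> bytes:
    """Build a 20-byte TCP header (no options, checksum left zero) with flags like "SYN|ACK"."""
    flag_bits = 0
    for name in filter(None, flags.split("|")):
        flag_bits |= TCP_FLAGS[name]
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, 5 << 4, flag_bits, 65535, 0, 0)


def is_three_way_handshake(headers) -> bool:
    """True if three TCP headers are SYN, SYN-ACK, ACK and each ACK covers the peer's ISN + 1."""
    if len(headers) != 3:
        return False
    parsed = [struct.unpack(TCP_HDR, h[:20]) for h in headers]
    flags = [set(decode_tcp_flags(h)) for h in headers]
    if flags != [{"SYN"}, {"SYN", "ACK"}, {"ACK"}]:
        return False
    client_isn, server_isn = parsed[0][2], parsed[1][2]
    return parsed[1][3] == client_isn + 1 and parsed[2][3] == server_isn + 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a packet with a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"scan") -> bytes:
    """Build an ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp_echo_reply(packet: bytes):
    """Return (ident, seq) for a well-formed echo reply, or None if the type or checksum is wrong."""
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REPLY or code != 0:
        return None
    return ident, seq


def ping_sweep(network: str, timeout: float = 0.5) -> list:
    """Hypothetical driver: echo-request every host in `network` (e.g. "192.0.2.0/28")
    and return the addresses that replied. Needs a raw socket (root / CAP_NET_RAW)."""
    import ipaddress
    live, ident = [], os.getpid() & 0xFFFF
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as sock:
        sock.settimeout(timeout)
        for seq, host in enumerate(ipaddress.ip_network(network).hosts(), start=1):
            sock.sendto(build_icmp_echo(ICMP_ECHO_REQUEST, ident, seq), (str(host), 0))
            try:
                data, (addr, _) = sock.recvfrom(1024)
            except socket.timeout:
                continue  # no reply: host down, or a firewall drops ICMP
            ihl = (data[0] & 0x0F) * 4  # raw ICMP sockets return the IPv4 header first
            if parse_icmp_echo_reply(data[ihl:]) == (ident, seq):
                live.append(addr)
    return live


if __name__ == "__main__":
    # Constructed handshake: client ISN 1000, server ISN 5000.
    syn = build_tcp_header(40000, 80, 1000, 0, "SYN")
    synack = build_tcp_header(80, 40000, 5000, 1001, "SYN|ACK")
    ack = build_tcp_header(40000, 80, 1001, 5001, "ACK")
    print([decode_tcp_flags(h) for h in (syn, synack, ack)], is_three_way_handshake([syn, synack, ack]))
    print(build_icmp_echo(ICMP_ECHO_REQUEST, 0x1234, 1).hex())
```

The handshake check insists on exact flag sets, so a SYN answered by RST-ACK (closed port) or an ACK that does not cover the server's ISN + 1 is rejected, which is the same distinction a port scanner draws between open and closed ports. The checksum verification in `parse_icmp_echo_reply` is what keeps a sweep from counting a corrupted or unrelated ICMP message as a live host.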
