Scanning is one of the first phases of hacking (it follows reconnaissance) and
involves the hacker locating target systems or networks.
During scanning, the hacker continues to gather information about the
network and its individual hosts. Data such as IP addresses, operating
system, services, and installed applications help the hacker decide which
type of exploit to use against a system.
Basically, scanning is the process of locating systems that are alive and
responding on the network. Ethical hackers use it to identify target
systems' IP addresses.
In simple words, there are three basic types of scanning:
Port scanning: determines which ports are open and which services listen on them
Network scanning: finds live hosts and their IP addresses
Vulnerability scanning: checks for the presence of known weaknesses
In this tutorial, we will discuss port scanning.
Port scanning :
The aim of port scanning a server is to detect its open ports and the
services listening on them. Once a hacker knows all the services running on
the target server, he can search for vulnerabilities those services may
have and exploit them to take control of the website or system.
Before we proceed, let me clarify the CEH scanning methodology.
CEH scanning methodology:
:=> Check for Live Systems
:=> Check for Open Ports
:=> Service Identification
:=> Banner Grabbing / OS Fingerprinting
:=> Vulnerability Scanning
:=> Draw Network Diagrams of Vulnerable Hosts
:=> Prepare Proxies
:=> Attack
Nmap is a free open source tool that quickly and efficiently performs
ping sweeps, port scanning, service identification, IP address
detection, and operating system detection.
Nmap supports several scan types, for example:
* TCP connect scan (-sT)
* SYN stealth scan (-sS)
* FIN scan (-sF)
* Xmas tree scan (-sX)
* Null scan (-sN)
* Window scan (-sW)
* ACK scan (-sA)
If you want to scan a single system, then you can use a simple command:
nmap 127.0.1.1
If you want to scan the entire subnet, then the command is
nmap 127.0.1.1/24
Now I will explain each scan type:
1. TCP connect or simple scan:
# TCP connect() Scan [-sT]
This is the default scan when Nmap is run without raw-socket privileges
(i.e. not as root). It uses the operating system's connect() call, so it
completes the full three-way handshake: the target service actually accepts
the connection and will usually log it.
Keep in mind that this technique only finds TCP ports, not UDP ports.
nmap -sT 127.0.1.1
# SYN Stealth Scan [-sS]
This is the default scan when Nmap runs as root, and it is also called
half-open scanning: Nmap sends a SYN, decides from the reply (SYN/ACK means
open, RST means closed, no reply means filtered) and then sends a RST itself
instead of completing the TCP handshake, so the service never sees a
connection. It needs raw sockets, which is why it requires root.
nmap -sS 127.0.1.1
2. FIN, Null and Xmas Tree Scans [-sF, -sN, -sX]:
Sometimes a normal TCP SYN scan is not the best choice, because a simple
stateless firewall or packet filter blocks SYN packets to anything but a
few known ports. This is where the FIN scan comes into play.
The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scan
sets the FIN, URG and PSH flags, and the Null scan sends a packet with no
flags set at all.
These scan types work against any system whose TCP/IP implementation
follows RFC 793: a closed port must answer with a RST, and an open port must
drop the packet silently. Because a firewall that drops the probe produces
the same silence, Nmap can only report such ports as open|filtered, never as
definitely open. Microsoft Windows (and many Cisco devices) does not follow
the RFC here and answers every one of these probes with a RST, so all ports
appear closed. This technicality lets you spot a Windows box by running a
SYN scan alongside one of these scans: if the SYN scan shows open ports and
the FIN/Null/Xmas scan reports them all as closed, chances are you're
looking at Windows (though OS fingerprinting with -O is a much more reliable
way of determining the OS running on a target!).
nmap -sF 127.0.1.1
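To make the difference between these scan types concrete, here is an added example (not code from the original post or from the Nmap project) that builds the raw TCP header each probe puts on the wire, with a correct RFC 793 checksum, and then maps the reply, or the lack of one, onto Nmap's port states. The IP addresses, the port list and the simulated "rfc793" versus "windows" stacks are constructed for illustration; the stack simulation is only there to show why the SYN-plus-FIN trick from the text works.

```python
"""Build the raw TCP probes behind Nmap's SYN, FIN, Null and Xmas scans and
turn the reply (or the silence) into a port state.

Added example; this is not code from the original post or from Nmap. The IP
addresses and the simulated replies are constructed for illustration."""
import socket
import struct

# TCP flag bits (byte 13 of the header, RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Which bits each Nmap scan type sets in its probe.
SCAN_FLAGS = {
    "syn": SYN,               # -sS
    "fin": FIN,               # -sF
    "null": 0,                # -sN: no flags at all
    "xmas": FIN | PSH | URG,  # -sX: "lit up like a Christmas tree"
}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (an odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """The IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(src_ip: str, dst_ip: str, sport: int, dport: int,
                    flags: int, seq: int = 0) -> bytes:
    """Return a 20-byte TCP header (no options, no payload) with a valid checksum.

    Sending it takes a raw IPPROTO_TCP socket (the kernel prepends the IP
    header), which is why -sS/-sF/-sN/-sX need root."""
    data_offset = 5 << 4                      # 5 x 32-bit words, reserved bits zero
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         data_offset, flags, 1024, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_flags(header: bytes) -> int:
    """The flags byte of a TCP header."""
    return header[13]


def checksum_ok(src_ip: str, dst_ip: str, header: bytes) -> bool:
    """With a correct checksum in place the one's-complement sum of everything is zero."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(header)) + header) == 0


def classify(scan: str, reply: str) -> str:
    """Map a reply ("syn-ack", "rst", "icmp-unreachable" or "none") to Nmap's port state."""
    if reply == "icmp-unreachable":
        return "filtered"                     # a firewall admitted dropping the probe
    if scan == "syn":
        return {"syn-ack": "open", "rst": "closed", "none": "filtered"}.get(reply, "unexpected")
    # FIN/Null/Xmas: RFC 793 says closed ports answer RST and open ports stay
    # silent, but a firewall that drops the probe is just as silent.
    return {"rst": "closed", "none": "open|filtered"}.get(reply, "unexpected")


def stack_reply(stack: str, port_open: bool, scan: str) -> str:
    """Simulated reply of a target stack: "rfc793" (Linux, BSD) or "windows"."""
    if scan == "syn":
        return "syn-ack" if port_open else "rst"
    if stack == "windows":
        return "rst"                          # Windows answers RST regardless of port state
    return "none" if port_open else "rst"


def scan_host(stack: str, ports: dict, scan: str) -> dict:
    """Run one scan type over {port: is_open} and return {port: state}."""
    return {p: classify(scan, stack_reply(stack, is_open, scan))
            for p, is_open in ports.items()}


def looks_like_windows(syn_result: dict, fin_result: dict) -> bool:
    """The trick from the text: SYN finds open ports, the FIN scan calls all of them closed."""
    open_by_syn = [p for p, s in syn_result.items() if s == "open"]
    return bool(open_by_syn) and all(fin_result[p] == "closed" for p in open_by_syn)
```

The flags byte is the whole difference between these four scans: 0x02 for SYN, 0x01 for FIN, 0x00 for Null and 0x29 for Xmas. Everything else Nmap learns comes from the reply, which is why a FIN/Null/Xmas scan can never promote a port past open|filtered on its own.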
3. Ping Scan [-sP]
It tells you which hosts are online rather than which ports are open. In
current Nmap releases this option is spelled -sn; -sP is still accepted as
a deprecated alias.
nmap -sP 127.0.1.1
4. UDP Scan [-sU]
Sends a UDP packet to each port. An ICMP port unreachable reply means the
port is closed, a UDP reply means it is open, and no reply at all is
reported as open|filtered, because many UDP services simply ignore an empty
probe. UDP scans are slow, since most hosts rate-limit ICMP error messages.
5. IP Protocol Scan [-sO]
Instead of ports, this scan enumerates which IP protocols (ICMP, TCP, UDP,
IGMP, and so on) the target accepts, by sending a packet for each protocol
number in the IP header.
6. Idle Scan [-sI]:
An advanced scan in which the attacker never sends a packet to the target
from his own address. Nmap bounces the probes off a "zombie" host (given as
the argument to -sI) whose IP ID counter increases predictably, and infers
the port state from how much that counter advances, so the target only ever
sees the zombie. It is only as anonymous as the zombie is idle: a busy
zombie, or one with randomized IP IDs, breaks the technique.
7. Version Detection [-sV]:
Version detection probes each open port to find out what software, and
which version of it, is listening there.
This information can be critical in determining an entry point for an
attack.
nmap -sV 127.0.1.1
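The connect() scan from section 1 and the service identification described here are easy to reproduce by hand, which makes clear what Nmap is doing for you. The following is an added example, not code from the original post or from Nmap: a minimal TCP connect scanner that completes the three-way handshake with connect(), reports each port as open, closed or filtered in Nmap's vocabulary, and then reads the first bytes the service sends (the banner that -sV starts from). The listener and its "SSH-2.0-ExampleSSH_1.0" banner are a constructed stand-in for a real service, so the script runs offline on the loopback interface.

```python
"""A minimal TCP connect() scanner with banner grabbing.

Added example; not code from the original post or from Nmap. It does, on a
small scale, what nmap -sT followed by -sV does: complete the three-way
handshake with connect(), record whether each port is open, closed or
filtered, then read the first bytes the service sends. The listener is a
constructed stand-in for a real service so that the script runs offline."""
import socket
import threading

FAKE_BANNER = b"SSH-2.0-ExampleSSH_1.0\r\n"      # constructed banner


def start_fake_service(banner: bytes = FAKE_BANNER):
    """Listen on an ephemeral loopback port and greet every client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                            # listener was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def find_closed_port() -> int:
    """Borrow a free port from the kernel and release it again; nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host: str, port: int, timeout: float = 1.0):
    """Return (state, banner), using Nmap's state names."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))                   # SYN, SYN/ACK, ACK: a full handshake
    except ConnectionRefusedError:
        s.close()
        return "closed", b""                      # the target answered with RST
    except OSError:                               # timeout or unreachable: no answer
        s.close()
        return "filtered", b""
    try:
        banner = s.recv(256)                      # SSH, FTP and SMTP servers talk first
    except OSError:
        banner = b""
    finally:
        s.close()
    return "open", banner.strip()


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan each port in turn; every open port sees a real, loggable connection."""
    return {p: probe_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    open_port, srv = start_fake_service()
    targets = [open_port, find_closed_port()]
    for port, (state, banner) in connect_scan("127.0.0.1", targets).items():
        print(f"{port}/tcp {state} {banner.decode(errors='replace')}")
    srv.close()
```

Because connect() finishes the handshake, the fake service's accept() returns and it sends its banner; a real sshd would also write a log line for that client. A SYN scan resets the connection before accept() ever returns, which is the whole point of "half-open". Banner grabbing only works for services that speak first; for the rest, -sV sends protocol-specific probes and matches the responses against its signature database.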
8. OS Fingerprinting [-O]:
One of the most important features of Nmap is its ability to detect the
remote operating system and software. It is very helpful during a
penetration test to know the operating system and software used by the
remote computer, because you can then look up the known vulnerabilities for
that exact version. OS detection sends raw packets, so it needs root, and
it works best when the target has at least one open and one closed TCP port.
nmap -O 127.0.1.1
Nmap's OS fingerprinting reports:
Device type (router, workstation, and so on)
Running (the operating system family that is running)
OS details (the name and version of the OS)
Network distance (the distance in hops between the target and the
attacker)
9. Typical Scanning Session:
# We can scan our target using a SYN scan [-sS] and -A, which enables OS
fingerprinting, version detection, script scanning and traceroute.
nmap -sS -A 127.0.1.1
Now we'll add -P0 (skip host discovery and scan even if the host does not
answer pings; spelled -Pn in current Nmap) and -v for verbose output:
nmap -sS -P0 -A -v 127.0.1.1
From the output of such a session we might deduce, for example, that the
target is a Linux system running a 2.4 to 2.6 kernel with open ports
21/tcp, 22/tcp, 631/tcp and 6000/tcp (hypothetical results).
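A session like this produces a lot of text, and the "draw network diagrams of vulnerable hosts" step of the methodology needs it reduced to one inventory line per host. The following is an added example, not code from the original post or from Nmap: it parses Nmap's grepable output (what -oG writes) into a per-host record of open ports, services, versions and OS guess. SAMPLE_GNMAP is a constructed -oG file for two hypothetical hosts that mirrors the Linux result described above plus a Windows host; the tab-separated "Key: value" fields and the port/state/protocol/owner/service/rpcinfo/version/ port entries are Nmap's grepable format.

```python
"""Turn Nmap grepable output (-oG) into the per-host inventory that the
scanning methodology ends with: live hosts, open ports, services and OS.

Added example; not code from the original post or from Nmap. SAMPLE_GNMAP is
a constructed -oG file for two hypothetical hosts."""

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -sV -O -oG scan.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//ExampleFTPd 1.0/, "
    "22/open/tcp//ssh//OpenSSH 5.3/, 631/open/tcp//ipp//CUPS 1.4/, "
    "6000/open/tcp//X11///\tIgnored State: closed (996)\tOS: Linux 2.6.X\n"
    "Host: 10.0.0.6 ()\tStatus: Up\n"
    "Host: 10.0.0.6 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///"
    "\tIgnored State: closed (997)\tOS: Microsoft Windows 7\n"
    "# Nmap done: 8 IP addresses (2 hosts up) scanned\n"
)


def parse_gnmap(text: str) -> dict:
    """Parse -oG text into {address: {"up": bool, "os": str | None, "ports": [...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                              # "# Nmap ..." comment lines
        fields = {}
        for chunk in line.split("\t"):            # fields are tab separated
            key, _, value = chunk.partition(": ")
            fields[key] = value
        addr = fields["Host"].split(" ", 1)[0]    # "10.0.0.5 (hostname)"
        entry = hosts.setdefault(addr, {"up": False, "os": None, "ports": []})
        if fields.get("Status") == "Up":
            entry["up"] = True
        if "OS" in fields:
            entry["os"] = fields["OS"]
        for item in filter(None, fields.get("Ports", "").split(", ")):
            # Nmap replaces any "/" inside the service or version text with "|"
            # in -oG output, so a plain split on "/" is safe here.
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            entry["ports"].append({"port": int(port), "state": state,
                                   "proto": proto, "service": service,
                                   "version": version})
    return hosts


def open_ports(hosts: dict, addr: str) -> list:
    """Only the ports Nmap is sure about; filtered ones need a second look."""
    return [p for p in hosts[addr]["ports"] if p["state"] == "open"]


def summarize(hosts: dict) -> list:
    """One line per live host, the shape of the 'network diagram' step."""
    lines = []
    for addr in sorted(hosts, key=lambda a: tuple(int(x) for x in a.split("."))):
        h = hosts[addr]
        if not h["up"]:
            continue
        services = "; ".join(
            f"{p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip()
            for p in open_ports(hosts, addr))
        lines.append(f"{addr} [{h['os'] or 'OS unknown'}]: {services or 'no open ports'}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_gnmap(SAMPLE_GNMAP)):
        print(line)
```

Run against a real file, `parse_gnmap(open("scan.gnmap").read())` gives the same structure. Keep the filtered ports (3389/tcp on the second host here) in the record rather than discarding them: a filtered port is where a firewall rule, not the host, made the decision, and it is often worth re-probing with a different scan type.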