
Module03 Scanning Networks

Thursday, February 29, 2024


Section 01: Network Scanning Concepts

Cover the fundamentals of key issues in the information security world, including the basics of ethical hacking, information security controls, relevant laws, and standard procedures. Hands-On Lab Exercises: over 10 hands-on exercises with real-life simulated targets to build skills on how to:

> Perform host, port, service, and OS discovery on the target network

> Perform scanning on the target network beyond IDS and firewall


Transmission Control Protocol (TCP):

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP).

TCP segment flags:

1. SYN: Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags and fields change meaning based on this flag, and some are only valid when it is set, and others when it is clear.

2. ACK: Indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.

3. FIN: No more data from the sender; starts an orderly close of that direction of the connection.

4. RST: Reset the connection

TCP is connection-oriented: a connection between client and server is established before data can be sent. The server must be listening (passive open) for connection requests before a connection can be established. The three-way handshake (active open: SYN, SYN/ACK, ACK), retransmission, and error detection add reliability but lengthen latency. Port scanners lean on exactly this behaviour: a listening port answers a SYN with SYN/ACK, a closed port answers with RST, and a port behind a filter typically answers nothing at all.
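The handshake and flag semantics above, as an added example that is not part of the original post: it packs and parses the 20-byte TCP header, checks the sequence/acknowledgement arithmetic of a three-way handshake, and classifies the reply to a single SYN probe the way an nmap SYN scan reports it. All segments are constructed in memory; nothing is sent on the wire, and the port numbers and sequence numbers are arbitrary sample values.

```python
"""Decode TCP header flags and interpret the reply to a SYN probe.

Added example (not from the original post). Segments are built in memory
with zero checksums; nothing is transmitted.
"""
import struct

# Flag bits in the 13th byte of the TCP header.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp(src_port, dst_port, seq, ack, flags, window=65535):
    """Minimal 20-byte TCP header: no options, checksum left at 0."""
    bits = 0
    for name in flags:
        bits |= FLAGS[name]
    data_offset = 5 << 4  # header is 5 x 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, bits, window, 0, 0)


def parse_tcp(segment):
    """Fixed header fields as a dict; flags as a set of names."""
    sport, dport, seq, ack, off, bits, win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off >> 4, "window": win,
            "flags": {n for n, b in FLAGS.items() if bits & b}}


def handshake_is_valid(syn, synack, ack):
    """True if the three segments form a consistent SYN, SYN/ACK, ACK exchange."""
    s, sa, a = parse_tcp(syn), parse_tcp(synack), parse_tcp(ack)
    return (s["flags"] == {"SYN"}
            and sa["flags"] == {"SYN", "ACK"} and sa["ack"] == (s["seq"] + 1) & 0xFFFFFFFF
            and a["flags"] == {"ACK"} and a["ack"] == (sa["seq"] + 1) & 0xFFFFFFFF
            and a["seq"] == sa["ack"])


def classify_syn_probe(reply):
    """Port state for one SYN probe, as a SYN (half-open) scan would report it.

    reply is the raw TCP header that came back, or None when nothing arrived
    before the timeout. (nmap also maps ICMP unreachable errors to filtered;
    that path is not modelled here.)
    """
    if reply is None:
        return "filtered"
    flags = parse_tcp(reply)["flags"]
    if {"SYN", "ACK"} <= flags:
        return "open"      # a half-open scan now sends RST instead of completing the handshake
    if "RST" in flags:
        return "closed"
    return "filtered"


# Constructed sample exchange: client port 40000 -> server port 22 (open) and 23 (closed).
CLIENT_ISN, SERVER_ISN = 1000, 5000
SYN = build_tcp(40000, 22, CLIENT_ISN, 0, ["SYN"])
SYNACK = build_tcp(22, 40000, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"])
ACK = build_tcp(40000, 22, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"])
RST = build_tcp(23, 40000, 0, CLIENT_ISN + 1, ["RST", "ACK"])

if __name__ == "__main__":
    print("handshake valid:", handshake_is_valid(SYN, SYNACK, ACK))
    print("port 22:", classify_syn_probe(SYNACK))
    print("port 23:", classify_syn_probe(RST))
    print("port 80:", classify_syn_probe(None))
```

The ACK check is the part worth noticing: the client must acknowledge the server's ISN plus one, which is why a scanner that only wants the port state can stop after the SYN/ACK and send RST; the handshake is never completed and many hosts never log the attempt.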



Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.


hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols.


Knowledge is power, especially when it’s shared. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.

Section 02: Host Discovery


Address Resolution Protocol (ARP):

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.
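ARP-based host discovery (what nmap does with -PR on a local subnet) as an added example, not code from the original post: it builds RFC 826 "who-has" requests for every address in a subnet, parses the replies, and keeps only replies that actually answer the request sent. The LAN, MAC addresses and subnet are constructed for the example and the "network" is a callable standing in for the wire; nothing is transmitted.

```python
"""Build and parse ARP packets (RFC 826) and sweep a subnet with them.

Added example, not from the original post. Frames are built in memory and
answered by a fake network function; the addresses are made up.
"""
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP payload: htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA."""
    return struct.pack("!HHBBH6s4s6s4s", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


def who_has(our_mac, our_ip, target_ip):
    """ARP request: the target hardware address is unknown, so it is all zeros."""
    return build_arp(ARP_REQUEST, our_mac, our_ip, "00:00:00:00:00:00", target_ip)


def arp_sweep(our_mac, our_ip, subnet, answer):
    """Send a who-has for every host address and collect {ip: mac} of responders.

    `answer` stands in for the network: it takes a request payload and returns
    the reply payload, or None when nobody answers.
    """
    alive = {}
    for host in ipaddress.IPv4Network(subnet).hosts():
        ip = str(host)
        if ip == our_ip:
            continue
        reply = answer(who_has(our_mac, our_ip, ip))
        if reply is None:
            continue
        r = parse_arp(reply)
        # Only accept a reply that answers *this* request; stray or spoofed
        # replies for other addresses are ignored.
        if r["op"] == ARP_REPLY and r["spa"] == ip and r["tpa"] == our_ip:
            alive[ip] = r["sha"]
    return alive


# Constructed LAN: two hosts exist; the rest of 192.168.1.0/29 is empty.
LAN = {"192.168.1.1": "52:54:00:aa:bb:01", "192.168.1.4": "52:54:00:aa:bb:04"}
SCANNER_MAC, SCANNER_IP = "52:54:00:de:ad:01", "192.168.1.2"


def fake_network(request):
    """Answer like the hosts in LAN would; silence for everything else."""
    req = parse_arp(request)
    if req["op"] != ARP_REQUEST or req["tpa"] not in LAN:
        return None
    return build_arp(ARP_REPLY, LAN[req["tpa"]], req["tpa"], req["sha"], req["spa"])


if __name__ == "__main__":
    for ip, mac in arp_sweep(SCANNER_MAC, SCANNER_IP, "192.168.1.0/29", fake_network).items():
        print(f"{ip} is up ({mac})")
```

ARP has no authentication, so the check on the sender/target addresses is the only sanity test available; it filters out unsolicited or forged replies, which is also why ARP sweeps only work on the scanner's own broadcast domain.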

Section 03: Port and Service Discovery

TCP Scanning:

Scanning can be roughly divided into:

1. Open TCP scanning (full connect scan, nmap -sT, which completes the three-way handshake)

2. Stealth TCP scanning (half-open SYN scan, nmap -sS, which never sends the final ACK; also the NULL, FIN and Xmas scans -sN, -sF and -sX)

3. UDP scanning (nmap -sU)

4. SCTP scanning (nmap -sY INIT scan)

5. IPv6 scanning (nmap -6 combined with any of the above)

UDP Scan:

A UDP scan can be done using nmap by running the command below. UDP scans are slow: a closed port is only recognisable by an ICMP port-unreachable reply, and most hosts rate-limit those replies, so scan a small port set first.

command: nmap -sU
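How the UDP scan interprets what comes back, and why it is slow, as an added example that is not part of the original post. The classification rules are nmap's documented ones (UDP reply: open; ICMP type 3 code 3: closed; other ICMP unreachable codes: filtered; silence: open|filtered). The target host is simulated in memory and, like a default Linux host, emits at most one ICMP error per second; the DNS probe payload, port list and replies are constructed for the example.

```python
"""Interpret replies to UDP probes the way a UDP port scan does, including the
effect of ICMP rate limiting on scan time.

Added example, not from the original post. Everything here runs in memory.
"""
import struct

ICMP_DEST_UNREACH, PORT_UNREACH = 3, 3
FILTERED_CODES = {1, 2, 9, 10, 13}   # host/protocol unreachable, admin prohibited, ...

# Protocol-shaped probe payloads, as nmap sends to ports likely to answer:
# port 53 gets a minimal DNS query (root NS set); other ports an empty datagram.
DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x00" + struct.pack("!HH", 2, 1)
PROBES = {53: DNS_QUERY}


def parse_icmp(pkt):
    """(type, code) from the first bytes of an ICMP message."""
    t, c, _csum = struct.unpack("!BBH", pkt[:4])
    return t, c


def classify_udp_probe(reply):
    """reply is ('udp', payload), ('icmp', raw_icmp) or None for silence."""
    if reply is None:
        return "open|filtered"      # a listening UDP service may simply say nothing
    kind, data = reply
    if kind == "udp":
        return "open"
    t, c = parse_icmp(data)
    if t == ICMP_DEST_UNREACH and c == PORT_UNREACH:
        return "closed"
    if t == ICMP_DEST_UNREACH and c in FILTERED_CODES:
        return "filtered"
    return "open|filtered"


class RateLimitedTarget:
    """Fake host. `listening` maps port -> reply payload, or None for a service
    that listens but stays silent (SNMP without a valid community does this).
    Every other port gets ICMP port-unreachable, but at most one per second."""

    def __init__(self, listening):
        self.listening = listening
        self.last_icmp = float("-inf")

    def probe(self, port, payload, now):
        if port in self.listening:
            answer = self.listening[port]
            return ("udp", answer) if answer is not None else None
        if now - self.last_icmp >= 1.0:
            self.last_icmp = now
            return ("icmp", struct.pack("!BBH", ICMP_DEST_UNREACH, PORT_UNREACH, 0))
        return None                  # rate limit hit: the closed port looks silent


def udp_scan(target, ports, retries=2, wait=0.5):
    """Probe each port, retransmitting up to `retries` times on silence.
    Returns ({port: state}, simulated seconds spent waiting)."""
    clock, results = 0.0, {}
    for port in ports:
        state = "open|filtered"
        for _ in range(retries + 1):
            reply = target.probe(port, PROBES.get(port, b""), clock)
            clock += wait            # time spent waiting for an answer
            if reply is not None:
                state = classify_udp_probe(reply)
                break
        results[port] = state
    return results, clock


# Constructed target: DNS answers, SNMP listens silently, everything else is closed.
TARGET = RateLimitedTarget({53: b"\x12\x34\x81\x80" + b"\x00" * 8, 161: None})
PORTS = [53, 123, 137, 161, 500]

if __name__ == "__main__":
    states, secs = udp_scan(TARGET, PORTS)
    for p in PORTS:
        print(f"{p}/udp {states[p]}")
    print(f"{secs:.1f}s of simulated waiting for {len(PORTS)} ports")
```

Port 137 is the instructive case: its first probe hits the rate limit and gets no answer, so without retransmission it would be reported as open|filtered rather than closed. That retry budget, multiplied by thousands of ports, is where the time goes; pairing -sU with -sV lets nmap send service-specific payloads that coax silent listeners into answering.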

Service Version Discovery:

Every open port is served by some application, and that application has a version. nmap -sV connects to each open port, sends protocol probes, and matches the replies against its probe database to name the service and its version, which is what turns a list of open ports into a list of candidate vulnerabilities.

Version detection using nmap

command: nmap -sV

nmap Reduction Techniques

Method 1

Below we list several techniques for reducing nmap scanning time.

1. Limit the number of ports scanned. By default nmap probes the 1000 most common ports; -F cuts that to 100, and --top-ports <n> or -p <list> narrows it further.

2. Skip the port scan entirely with -sn when only the liveness of hosts needs to be checked.

3. Avoid expensive extras such as --traceroute, -O, -sV and NSE scripts unless their results are needed.

Method 2

Optimizing timing parameters. Consider the -T option for nmap: -T4 is the usual choice on a fast, reliable network; -T5 trades accuracy for speed; -T0 and -T1 are slow enough to stay under IDS thresholds but can take hours per host.

command: -T<0-5>: Set timing template (higher is faster)

Method 3

Separate TCP and UDP scanning into different scans, so that the slow UDP scan does not hold back the TCP results.

Section 04: OS Discovery


Banner Grabbing:

Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. However, an intruder can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits.

An example of banner grabbing is provided below
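An added banner-grabbing example, not code from the original post. To stay self-contained it starts a throw-away server on 127.0.0.1 that returns a constructed banner, then connects to it the way nc, telnet or nmap -sV would and parses product and version out of the reply. Two shapes are covered: services where the server speaks first (SSH, SMTP, FTP) and HTTP, where the client must send a request before the Server header comes back. The banners and the HEAD request are sample values.

```python
"""Grab and parse service banners over TCP.

Added example, not from the original post. A local one-shot server supplies
a constructed banner so the example runs offline.
"""
import re
import socket
import threading

SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"            # constructed sample
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\n"
                 b"Content-Length: 0\r\nConnection: close\r\n\r\n")    # constructed sample


def serve_once(payload, expect_request=False):
    """Start a one-shot TCP server on an ephemeral port; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            if expect_request:
                conn.recv(1024)        # HTTP: wait for the client's request line
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, request=None, timeout=3.0):
    """Connect, optionally send a request, return the first bytes received.

    The timeout matters: a service that never speaks first (or a tarpit)
    would otherwise hang the scanner. On timeout an empty string is returned.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if request:
            s.sendall(request)
        try:
            return s.recv(1024).decode("latin-1", "replace")
        except socket.timeout:
            return ""


def parse_banner(banner):
    """Pull product and version out of the two common banner shapes."""
    m = re.match(r"SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)_(?P<version>[\w.]+)", banner)
    if m:
        return {"product": m["product"], "version": m["version"], "protocol": "ssh"}
    m = re.search(r"^Server:\s*(?P<product>[^/\r\n]+)/(?P<version>\S+)", banner, re.M)
    if m:
        return {"product": m["product"], "version": m["version"], "protocol": "http"}
    return {"product": None, "version": None, "protocol": None}


def grab_and_parse(port, request=None):
    return parse_banner(grab_banner("127.0.0.1", port, request))


if __name__ == "__main__":
    ssh_port = serve_once(SSH_BANNER)
    print(grab_and_parse(ssh_port))
    http_port = serve_once(HTTP_RESPONSE, expect_request=True)
    print(grab_and_parse(http_port, b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"))
```

Note what the parser returns for an SSH banner: "OpenSSH" and "8.9p1" are exactly the strings an attacker feeds into a vulnerability database, which is the reason the countermeasures section recommends stripping vendor and version details from banners.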



Identifying Target OS


Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.

Discovery using nmap

command: nmap -O
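The passive check a Wireshark user applies to a captured SYN/ACK, as an added example that is not part of the original post: operating systems start the IP TTL at a characteristic value (64 for Linux and most Unix, 128 for Windows, 255 for many network devices) and every router decrements it, so the smallest of those values that is still at least the observed TTL gives the initial TTL and the hop distance; the TCP window size of the SYN/ACK is a second hint. The window table is an assumed, simplified list and not nmap -O's fingerprint database (which also compares TCP options, IP ID behaviour and replies to malformed probes), and middleboxes can rewrite both fields, so treat the output as a hint to confirm with -O. The captured packets are constructed in memory.

```python
"""Rough OS guess from the IP TTL and TCP window size of a captured reply.

Added example, not from the original post. The fingerprint tables are
simplified assumptions; the packets are built in memory with zero checksums.
"""
import struct

INITIAL_TTLS = (64, 128, 255)
TTL_FAMILY = {64: "Linux/Unix", 128: "Windows", 255: "Network device / Solaris"}   # assumed
WINDOW_HINTS = {                                                                    # assumed
    64240: "Linux (recent defaults)",
    29200: "Linux (older defaults)",
    8192: "Windows (classic default)",
    65535: "BSD/macOS, or a window-scaling stack",
    4128: "Cisco IOS",
}


def build_reply(ttl, window, proto=6):
    """Constructed IPv4 header followed by a TCP SYN/ACK header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, proto, 0,
                     b"\xc0\xa8\x01\x0a", b"\x0a\x00\x00\x05")
    tcp = struct.pack("!HHIIBBHHH", 22, 40000, 5000, 1001, 0x50, 0x12, window, 0, 0)
    return ip + tcp


def parse_ipv4(pkt):
    """(header length in bytes, ttl, protocol) from an IPv4 header."""
    ver_ihl, _tos, _len, _id, _frag, ttl, proto, _csum, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (ver_ihl & 0x0F) * 4, ttl, proto


def guess_os(pkt):
    ihl, ttl, proto = parse_ipv4(pkt)
    initial = next(t for t in INITIAL_TTLS if ttl <= t)   # ttl is at most 255, so this always finds one
    window = None
    if proto == 6:                                          # TCP window is bytes 14-15 of the TCP header
        (window,) = struct.unpack_from("!H", pkt, ihl + 14)
    return {"initial_ttl": initial, "hops": initial - ttl, "family": TTL_FAMILY[initial],
            "window": window, "hint": WINDOW_HINTS.get(window)}


# Constructed captures: three SYN/ACKs as Wireshark might show them.
LINUX_REPLY = build_reply(ttl=51, window=64240)
WINDOWS_REPLY = build_reply(ttl=115, window=8192)
CISCO_REPLY = build_reply(ttl=250, window=4128)

if __name__ == "__main__":
    for name, pkt in (("linux", LINUX_REPLY), ("windows", WINDOWS_REPLY), ("cisco", CISCO_REPLY)):
        g = guess_os(pkt)
        print(f"{name}: initial ttl {g['initial_ttl']}, {g['hops']} hops -> {g['family']}; "
              f"window {g['window']} ({g['hint']})")
```

The TTL guess breaks down when a host is further away than the gap between two initial values (a Windows host 70 hops away would look like a Linux host 6 hops away), and a rewritten window gives no hint at all; that is why the active probes of nmap -O remain the reference, with this as a quick cross-check from a capture.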

nmap script engine:

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

nmap IPv6

command: nmap -6 -O

Section 05: Scanning Beyond IDS and Firewall

Evasion Techniques (Routing)

Intrusion detection system (IDS)

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations and raises alerts; an intrusion prevention system (IPS) sits inline and can also block the traffic it flags.

Techniques to evade IDS/firewalls include:

1. Proxy servers

2. IP address spoofing

3. MAC address spoofing

4. Packet fragmentation

Packet fragmentation:

IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host.
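Fragmentation as an evasion technique, as an added example that is not part of the original post. nmap -f splits the TCP header across 8-byte IP fragments (-ff uses 16). The code fragments an IPv4 packet, reassembles it in any arrival order, and runs a deliberately naive per-packet filter rule ("drop SYN to port 23") against the whole packet and against each fragment: with 8-byte fragments the destination port and the flags never appear in the same fragment, so the rule cannot match anything until the receiving host reassembles. Addresses, the IP ID and the TCP segment are constructed sample values; checksums are left at zero since nothing is sent.

```python
"""Fragment an IPv4 packet into tiny pieces and show what a non-reassembling
filter sees before and after reassembly.

Added example, not from the original post. Packets are built in memory.
"""
import struct

MF = 0x2000  # "More Fragments" bit in the IPv4 flags/offset field


def build_ipv4(payload, ident, flags_offset=0, ttl=64, proto=6,
               src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x09"):
    """20-byte IPv4 header (no options, checksum 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_offset, ttl, proto, 0, src, dst) + payload


def parse_ipv4(pkt):
    ver_ihl, _tos, total, ident, flags_off, _ttl, proto, _c, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "more": bool(flags_off & MF), "offset": (flags_off & 0x1FFF) * 8,
            "proto": proto, "payload": pkt[ihl:total]}


def fragment(packet, frag_size=8):
    """Split the IP payload into frag_size pieces (offsets are in 8-byte units)."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    hdr = parse_ipv4(packet)
    data, frags = hdr["payload"], []
    for off in range(0, len(data), frag_size):
        chunk = data[off:off + frag_size]
        more = MF if off + frag_size < len(data) else 0
        frags.append(build_ipv4(chunk, hdr["id"], more | (off // 8), proto=hdr["proto"]))
    return frags


def reassemble(frags):
    """Rebuild the packet from fragments in any order; None if gaps, overlaps or
    a missing last fragment (TTL is not preserved, which does not matter here)."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    data = b""
    for p in parts:
        if p["offset"] != len(data):
            return None
        data += p["payload"]
    if parts[-1]["more"]:
        return None
    return build_ipv4(data, parts[0]["id"], proto=parts[0]["proto"])


def stateless_filter(pkt):
    """Naive rule, judged on one IP packet in isolation: drop TCP SYN to port 23."""
    h = parse_ipv4(pkt)
    if h["proto"] != 6 or h["offset"] != 0 or len(h["payload"]) < 14:
        return "pass"              # cannot see destination port and flags together
    dport = struct.unpack_from("!H", h["payload"], 2)[0]
    flags = h["payload"][13]
    return "drop" if dport == 23 and flags & 0x02 else "pass"


# Constructed sample: a TCP SYN from port 40000 to port 23, wrapped in IPv4.
TCP_SYN_TO_23 = struct.pack("!HHIIBBHHH", 40000, 23, 1000, 0, 0x50, 0x02, 65535, 0, 0)
PKT = build_ipv4(TCP_SYN_TO_23, ident=0x1234)
NMAP_F = fragment(PKT, 8)          # what -f produces
NMAP_FF = fragment(PKT, 16)        # what -ff produces

if __name__ == "__main__":
    print("whole packet:", stateless_filter(PKT))
    print("8-byte fragments:", [stateless_filter(f) for f in NMAP_F])
    print("16-byte fragments:", [stateless_filter(f) for f in NMAP_FF])
    print("reassembled == original:", reassemble(list(reversed(NMAP_F))) == PKT)
```

The 16-byte case shows the limit of the trick: the first fragment then carries ports, sequence number, flags and window together, and the rule matches again. Real defences go further than this filter: they drop first fragments smaller than a minimum size, or reassemble before inspecting, which is what a modern IDS does.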

Source routing:

In computer networking, source routing, also called path addressing, allows a sender of a packet to partially or completely specify the route the packet takes through the network.

Evasion Techniques (Spoofing)

Internet protocol (IP) address spoofing:

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system. Note that replies go to the spoofed address, not to the scanner, so a scan run with a forged source sees no results; spoofed sources are mainly useful as decoys sent alongside the real one.

Media access control (MAC) address spoofing:

MAC spoofing is a technique for changing the factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The address burned into the network interface controller (NIC) itself cannot be changed, but most drivers let software override the address the interface actually uses on the wire.

Evasion Techniques (Other)

Randomizing host order. From the nmap man page for --randomize-hosts:

--randomize-hosts (Randomize target host order)

   Tells Nmap to shuffle each group of up to 16384 hosts before it scans them. This can make the scans less obvious to various network monitoring systems, especially when you combine it with slow timing options. If you want to randomize over larger group sizes, increase PING_GROUP_SZ in nmap.h and recompile. An alternative solution is to generate the target IP list with a list scan (-sL -n -oN filename), randomize it with a Perl script, then provide the whole list to Nmap with -iL.

Proxy server:

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.

Section 06: Network Scanning Countermeasures

Ping Sweeping Countermeasures:

1. Rate-limit ICMP ECHO requests so that no single source can send more than a small number in a given period.

2. Use IDS and IPS to detect ping sweeps

3. Limit ICMP traffic with access control lists (ACLs)

Port Sweeping Countermeasures:

1. Use IDS and IPS to detect port scans.

2. Ensure all routers, firewalls, etc. are running the latest version of their software.

3. Block unwanted ports at the firewall so that only the services that are needed are reachable.
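The IDS/IPS side of the ping-sweep and port-scan countermeasures above, as an added example that is not part of the original post: a detector that runs over firewall log lines and flags one source that ICMP-echoes many distinct hosts (a ping sweep) or touches many distinct ports on one host (a port scan) within a sliding time window. The log format is a constructed, simplified iptables-like line (timestamp, verdict, PROTO, SRC, DST, optional DPT), and the thresholds and window are assumptions to be tuned per network.

```python
"""Spot ping sweeps and port scans in firewall log lines.

Added example, not from the original post. Log lines, thresholds and the
time window are constructed/assumed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE = re.compile(r"^(?P<ts>\S+) (?P<verdict>DROP|ACCEPT) PROTO=(?P<proto>\w+) "
                  r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)(?: DPT=(?P<dpt>\d+))?$")


def parse_line(line):
    """One log line -> dict, or None for lines in another format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dpt"] = int(e["dpt"]) if e["dpt"] else None
    return e


def _trim(bucket, now, window):
    """Forget entries that fell out of the sliding window."""
    while bucket and now - bucket[0][0] > window:
        bucket.pop(0)


def detect(lines, window_seconds=60, sweep_hosts=8, scan_ports=10):
    """Return sorted (kind, offender, distinct_count) alerts, one per offender."""
    window = timedelta(seconds=window_seconds)
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    icmp = defaultdict(list)    # src -> [(ts, dst)]
    ports = defaultdict(list)   # (src, dst) -> [(ts, dpt)]
    alerts = {}
    for e in events:
        if e["proto"] == "ICMP":
            bucket = icmp[e["src"]]
            bucket.append((e["ts"], e["dst"]))
            _trim(bucket, e["ts"], window)
            seen = len({d for _, d in bucket})
            if seen >= sweep_hosts:
                key = ("ping_sweep", e["src"])
                alerts[key] = max(alerts.get(key, 0), seen)
        elif e["proto"] in ("TCP", "UDP") and e["dpt"] is not None:
            bucket = ports[(e["src"], e["dst"])]
            bucket.append((e["ts"], e["dpt"]))
            _trim(bucket, e["ts"], window)
            seen = len({p for _, p in bucket})
            if seen >= scan_ports:
                key = ("port_scan", f"{e['src']}->{e['dst']}")
                alerts[key] = max(alerts.get(key, 0), seen)
    return sorted((k[0], k[1], n) for k, n in alerts.items())


# Constructed log: 10.0.0.7 pings twelve hosts, then walks twelve ports on one
# of them; 10.0.0.9 is ordinary traffic; one line is in an unrelated format.
SAMPLE_LOG = (
    [f"2024-02-29T10:00:{i:02d} DROP PROTO=ICMP SRC=10.0.0.7 DST=192.168.1.{i}" for i in range(1, 13)]
    + [f"2024-02-29T10:01:{i:02d} DROP PROTO=TCP SRC=10.0.0.7 DST=192.168.1.10 DPT={p}"
       for i, p in enumerate((21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389))]
    + ["2024-02-29T10:02:00 ACCEPT PROTO=TCP SRC=10.0.0.9 DST=192.168.1.10 DPT=443",
       "2024-02-29T10:02:05 ACCEPT PROTO=TCP SRC=10.0.0.9 DST=192.168.1.10 DPT=443",
       "2024-02-29T10:30:00 DROP PROTO=ICMP SRC=10.0.0.9 DST=192.168.1.3",
       "Feb 29 10:31:00 kernel: unrelated line"]
)

if __name__ == "__main__":
    for kind, who, n in detect(SAMPLE_LOG):
        print(f"{kind}: {who} ({n} distinct targets)")
```

The window is the weak point, and it is exactly what the slow timing templates (-T0, -T1) and --randomize-hosts from the evasion section exploit: the same twelve probes spread over minutes fall below the threshold in any single window, so a production detector keeps longer-lived per-source state or correlates across sensors.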

Banner Grabbing countermeasures:

1. Display false banners to mislead attackers.

2. Turn off unnecessary services on hosts to limit information disclosure.

3. Disable details of vendors and version in banners.

IP Spoofing Countermeasures

Internet protocol security (IPSec):

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

1. Avoid authentication based on IP address alone; a source address is trivially forged.

2. Use firewalls and ACLs, in particular ingress filtering that drops packets arriving from outside with internal source addresses, and egress filtering of the reverse.

3. Use encryption and authentication. IPsec can greatly reduce the risk of IP spoofing because a packet with a forged source fails the integrity check and is discarded.

Scanning Detection Tools


Splunk is the data platform that powers enterprise observability, unified security and limitless custom applications in hybrid environments.