A quick guide to network scanning for ethical hacking
The term “scanning” refers to looking closely at all parts of something to detect some trait. In the world of cyber security, scanning is a very popular technique. In the course of their work, security engineers, hackers, and researchers use various types of scanning. A network scan is a process of gathering information about a target using tools and techniques. It may be as simple as identifying the active hosts within the network, or as complex as identifying the hosts’ operating systems, open ports, and active vulnerabilities.
Network scanning is not the only type of scanning; application or website scanning can also be performed, depending on the need. This article focuses primarily on network scanning and discusses application and website scanning only briefly.
A full understanding of ethical hacking is not possible without understanding scanning, which is an integral part of it. A hacking attempt generally starts with reconnaissance and then moves on to scanning. Accordingly, we will look at ethical hacking and its steps, then scanning and its types, take a deep dive into network scanning, and finally examine some tools used in the industry for scanning.
Ethical hacking: what is it?
In popular imagination, hackers are guys in black hoodies, sitting alone in a room, typing commands at blazing speed with multiple screens in front of them! This isn’t true. Hackers are people with deep expertise in computers who explore ways to exploit vulnerabilities and overcome the defense mechanisms of a system or network. Hackers can have financial or political motivations, or they can work with organizations to improve their infrastructure; the latter are called ethical hackers.
In everyday English, a hacker is a person who uses a computer to access data on another person’s computer or phone without their permission. The term unethical hacker refers to someone who exploits vulnerabilities in systems and networks in order to gain unauthorized access to confidential and sensitive data, usually to make money.
Adding ‘ethical’ to ‘hacking’ changes both its meaning and its intent. During ethical hacking, hackers exploit vulnerabilities and gain access to data, but never alter, delete or steal it. Instead, the hacker discloses the vulnerability to the system owner with a “Proof of Concept” (PoC) and requests that it be remedied. Hackers often have the owner’s explicit permission before exploiting a target. Companies engage ethical hackers either through bug bounty programs, which offer a monetary reward to hackers who report bugs, or by hiring them onto their payroll.
Having discussed ethical hackers, let’s introduce “White Hat Hackers”. A white hat hacker works with or for a company to strengthen its security posture; the system or information owners explicitly authorize white hat hackers to attack their systems. The goal is to fix the issues found before black hat hackers, the bad guys, exploit them. This is also called white hat hacking.
The steps to ethical hacking
Understanding hacking is crucial to understanding scanning. The steps to a successful attack are:
- Reconnaissance – In military terms, reconnaissance means gathering information about an area using foot soldiers, planes, drones and so on. Ethical hacking follows a similar process: this is where we gather information about our target, and the attack starts here. The better the reconnaissance, the easier the attack. Reconnaissance can be active or passive; scanners are widely used in active reconnaissance to gain information about targets. In this phase, publicly available information is gathered.
- Scanning – Reconnaissance has already given the attacker valuable insights, but deeper insight is needed, and the scanning process provides it by identifying the target in detail. Attackers can use web scanners to identify vulnerabilities in websites, and application scanners to identify vulnerabilities and issues in applications. As we will discuss below, network scanners enable attackers to discover hosts, identify ports, and gather various network details.
- Accessing the system – The attacker now knows the key IP ranges, key people, operating systems, and active hosts, and uses techniques to deliver payloads (viruses or malicious code) into the target network. Phishing is generally used for this.
- Maintaining access – Having gained access to a network and system, the attacker must now ensure persistent access to its resources, usually by creating a backdoor. A backdoor is a secret way into and out of a system: even if the target closes the main gate (the exploited vulnerability), the attacker can still reach the compromised system through it.
- Clearing tracks – A hacker wants to remain anonymous while in the system and after leaving it, having stolen or damaged information; black hat hackers who skip this step risk being thrown in jail. The log files are usually tampered with (deleted or corrupted), or a VPN is used.
Scans used in ethical hacking
There are three basic types of scanning:
- A port scan detects open ports and running services on a target
- A network scan identifies IP addresses, operating systems, topologies, etc.
- A vulnerability scan identifies vulnerabilities in a target
There are five types of port scanning:
- Ping – The simplest scan. ICMP packets are sent to the target and the scanner waits for ICMP responses; a response indicates an active, listening target.
- TCP half open – Another very common type of scan, also known as a SYN scan.
- TCP connect – A complete TCP connection is established, in contrast to the TCP half-open scan.
- UDP – UDP is used by very common services such as DNS, SNMP, and DHCP; UDP ports are checked by sending UDP packets to them.
- Stealth – As the name suggests, stealth scanning is quiet; attackers use it to remain undetected while scanning.
In information technology infrastructures, data and resources are shared over networks. Nowadays almost everything is done over the network, so “Network Security” is of critical importance and is the first control to apply. Network scanners scan for details such as active hosts, open ports, TCP and UDP services, open vulnerabilities, and host information such as the operating system. A “ping” is used to check the status of IP (Internet Protocol) hosts: it uses ICMP (Internet Control Message Protocol) to send echo request packets to the target and receives ICMP echo replies.
Organizations also use network scanning for monitoring and management; it is very common for network management tools and network administrators to scan for these purposes. The tools and protocols a network administrator uses to monitor and manage a network are the same ones an attacker uses. In general, attackers obtain the IP addresses of a target network via DNS or whois. As discussed above, once attackers have the IP range, they scan the network for active hosts and their operating systems, and may use this information to breach the target system.
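To make the ping described above concrete, here is an added example (not code from the original article) that works at the packet level: it builds an ICMP echo request, produces the echo reply a live host sends back, and implements the RFC 1071 Internet checksum that both sides use to validate the message. The identifier, sequence number and payload are constructed values; actually transmitting the packet needs a privileged raw socket and is deliberately left out, so the block operates purely on bytes.

```python
import struct

ICMP_ECHO_REQUEST = 8   # type 8, code 0
ICMP_ECHO_REPLY = 0     # type 0, code 0
HEADER_FMT = "!BBHHH"   # type, code, checksum, identifier, sequence (8 bytes, network order)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, then complemented."""
    if len(data) % 2:
        data += b"\x00"           # an odd-length buffer is padded with one zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:            # fold any carry back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Echo request: checksum is computed over header plus payload with the checksum field zeroed."""
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    checksum = internet_checksum(header + payload)
    return struct.pack(HEADER_FMT, ICMP_ECHO_REQUEST, 0, checksum, identifier, sequence) + payload


def build_echo_reply(request: bytes) -> bytes:
    """What a live host answers: same identifier, sequence and payload, type 0, checksum recomputed."""
    _, _, _, identifier, sequence = struct.unpack(HEADER_FMT, request[:8])
    payload = request[8:]
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REPLY, 0, 0, identifier, sequence)
    checksum = internet_checksum(header + payload)
    return struct.pack(HEADER_FMT, ICMP_ECHO_REPLY, 0, checksum, identifier, sequence) + payload


def parse_echo(packet: bytes) -> dict:
    """Decode an echo request or reply; checksum_ok is True when the checksum over the whole packet is zero."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, checksum, identifier, sequence = struct.unpack(HEADER_FMT, packet[:8])
    return {
        "type": icmp_type, "code": code, "checksum": checksum,
        "identifier": identifier, "sequence": sequence, "payload": packet[8:],
        "checksum_ok": internet_checksum(packet) == 0,
    }


def is_reply_to(reply: bytes, request: bytes) -> bool:
    """The matching a ping client performs: reply type 0, valid checksum, same id, sequence and payload."""
    rep, req = parse_echo(reply), parse_echo(request)
    return (rep["type"] == ICMP_ECHO_REPLY and rep["checksum_ok"]
            and (rep["identifier"], rep["sequence"], rep["payload"])
            == (req["identifier"], req["sequence"], req["payload"]))


if __name__ == "__main__":
    # constructed values: a ping client would normally use its process id and a counter
    req = build_echo_request(identifier=0x1234, sequence=1, payload=b"abcdefgh")
    rep = build_echo_reply(req)
    print("request:", req.hex(), parse_echo(req))
    print("reply:  ", rep.hex(), "matches request:", is_reply_to(rep, req))
```

A host that is down, or a firewall that drops ICMP as described later in the article, simply never produces the reply, which is why a ping scan reports "no response" rather than "host down"; a reply whose checksum fails (the corrupted case the test covers) is discarded the same way.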
Some common scanning tools used
These are some industry-wide tools that are widely used:
- OpenVAS is an open source vulnerability assessment tool for monitoring and scanning networks. Scans can be customized and use intelligent scanning; available scans include full scans, web server scans, and WordPress scans.
- Nmap is a network scanner widely used across the industry, with many preconfigured commands available. Network misconfigurations and security issues can be detected using NSE, the Nmap Scripting Engine. Both a command line interface (CLI) and a graphical user interface (GUI) are available.
- Nessus from Tenable is among the most widely used enterprise scanning tools, offering strong scanning capabilities and predefined templates. Pre-configured scans (templates) include PCI compliance, Badlock detection, malware detection, and DROWN detection. It is trusted across the industry. In addition to a free trial version, Nessus also offers student editions (with limited features).
- Acunetix is a widely used web application scanner. It integrates with Jira, GitHub, and Jenkins, enabling enterprises to automate tasks, and streamlines security within the SDLC (Software Development Life Cycle).
- Wireshark is a free and open source packet analyzer. Attackers often use it to “sniff” traffic once they have successfully gained access to a network. Its ability to capture packets in real time, present them in a human-readable format, and provide an interactive GUI makes Wireshark a favorite of network administrators and security researchers (and hackers, too!).
An ethical hacker is unlikely to succeed until they are proficient at scanning. Network scanning not only identifies hosts and their configurations, but also the vulnerabilities present on those hosts; application scanners, on the other hand, report vulnerabilities in an application (usually from an OWASP perspective). Done right, scanning can reveal a lot about an organization. However, almost all organizations have security and network administrators who ensure that scanning attempts are detected almost instantly and corrective action is taken (usually blocking), which makes it much harder for an attacker to scan an organization’s network successfully. The firewall often blocks scanning; the default policy is to block ICMP traffic, except for troubleshooting IPs and subnets.
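The paragraph above says administrators detect scanning attempts almost instantly; as an added example, not part of the original article, here is a small detector that reads netfilter-style firewall log lines and raises an alert when one source probes many distinct ports on a host inside a short window (the footprint the TCP half-open and connect scans described earlier leave on a firewall) or sends ICMP echo requests to many hosts (a ping sweep, the footprint of the ping scan). The log format, the addresses (taken from the documentation ranges), the timestamps and the thresholds are all constructed for the example; a real deployment would tune the window and thresholds to its own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-style netfilter log line (constructed shape for this example), e.g.
#   "Jan 10 12:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<body>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the fields the detector needs, or None for lines that are not netfilter events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    kv = dict(KV_RE.findall(body))
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
        "dpt": kv.get("DPT"), "icmp_type": kv.get("TYPE"),
        "flags": {tok for tok in body.split() if "=" not in tok},   # bare tokens such as SYN, ACK
    }


class ScanDetector:
    """Sliding-window detector: many distinct ports from one source to one host (port scan),
    or ICMP echo requests from one source to many hosts (ping sweep)."""

    def __init__(self, window_seconds=60, port_threshold=10, host_threshold=10):
        self.window = timedelta(seconds=window_seconds)
        self.port_threshold, self.host_threshold = port_threshold, host_threshold
        self.port_hits = defaultdict(deque)   # (src, dst) -> deque of (ts, dpt, syn_only)
        self.echo_hits = defaultdict(deque)   # src -> deque of (ts, dst)
        self.alerts, self._raised = [], set()

    def _trim(self, dq, now):
        while dq and now - dq[0][0] > self.window:   # drop hits older than the window
            dq.popleft()

    def feed(self, ev):
        if ev is None or not ev["src"]:
            return
        now = ev["ts"]
        if ev["proto"] == "TCP" and ev["dpt"]:
            key = (ev["src"], ev["dst"])
            dq = self.port_hits[key]
            dq.append((now, ev["dpt"], ev["flags"] == {"SYN"}))
            self._trim(dq, now)
            ports = {p for _, p, _ in dq}
            if len(ports) >= self.port_threshold and ("port_scan", key) not in self._raised:
                self._raised.add(("port_scan", key))   # alert once per (src, dst) pair
                self.alerts.append({
                    "kind": "port_scan", "src": ev["src"], "dst": ev["dst"],
                    "distinct_ports": len(ports),
                    # every hit a bare SYN: the footprint a half-open (SYN) scan leaves in firewall logs
                    "syn_only": all(s for _, _, s in dq),
                    "first": dq[0][0], "last": now,
                })
        elif ev["proto"] == "ICMP" and ev["icmp_type"] == "8":   # echo request
            dq = self.echo_hits[ev["src"]]
            dq.append((now, ev["dst"]))
            self._trim(dq, now)
            hosts = {d for _, d in dq}
            if len(hosts) >= self.host_threshold and ("ping_sweep", ev["src"]) not in self._raised:
                self._raised.add(("ping_sweep", ev["src"]))
                self.alerts.append({"kind": "ping_sweep", "src": ev["src"],
                                    "distinct_hosts": len(hosts), "first": dq[0][0], "last": now})


def analyze(lines, **kwargs):
    """Run every line through one detector and return the alerts it raised."""
    det = ScanDetector(**kwargs)
    for line in lines:
        det.feed(parse_line(line))
    return det.alerts


_BASE = datetime(2024, 1, 10, 12, 0, 0)   # constructed reference time for the sample lines


def _stamp(seconds):
    return (_BASE + timedelta(seconds=seconds)).strftime("%b %d %H:%M:%S")


# Constructed sample: 12 SYNs to distinct ports within 12 seconds, an echo request to each of
# 12 hosts, and a benign client reaching one port three times.
SAMPLE_LOG = (
    [f"{_stamp(i)} fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT={40000 + i} DPT={20 + i} SYN"
     for i in range(12)]
    + [f"{_stamp(20 + i)} fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.{i + 1} PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ={i}"
       for i in range(12)]
    + [f"{_stamp(30 + i)} fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT={50000 + i} DPT=443 SYN"
       for i in range(3)]
)
# The same 12 ports probed 30 seconds apart: never more than three hits inside a 60 s window.
SLOW_LOG = [f"{_stamp(30 * i)} fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT={40000 + i} DPT={20 + i} SYN"
            for i in range(12)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
    print("slow scan alerts:", analyze(SLOW_LOG))
```

The SLOW_LOG case illustrates the limit of this approach and the point of the "stealth" scans listed earlier: spreading probes out beyond the window defeats a simple rate threshold, so a detector with a longer window, or one that also counts rejected connections per source over hours, is needed to catch them.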