Scanning in Hacking | Scanning tools and techniques
Scanning in Hacking
Scanning plays a very important role in information gathering in hacking. Information gathering itself has four main types: scanning, fingerprinting, enumeration and vulnerability analysis. In this post we'll cover scanning: how to scan a target and get the information we need for exploitation and hacking.
so let's get started with it..
Scanning -
Scanning is a process in which we identify the target's architecture, ports, services, OS, live hosts and much more.
It also finds threats and vulnerabilities in the target network.
Scanning builds a profile of the target, and we can get a great deal of information about the target from scans.
We'll go through it one by one, using Nmap.
NMAP ( The Network Mapper)
Nmap is a widely accepted tool for scanning and enumeration; if you really want to be a good hacker, mastering Nmap should be a priority.
I already wrote an article about how to use Nmap, so check that too.
Port states
Closed – No application on the target machine is listening for connections/packets on the port, though the port can be opened at any time.
Open – An application on the target machine is listening for connections and packets on the port.
Filtered – Nmap cannot tell whether the port is open or closed, because a network obstacle (a firewall or filter) is blocking Nmap's probes.
Basic NMAP options
-O: Enable OS detection
-6: Enable IPv6 scanning
-T1 to -T5: From a really slow port scan to a really fast and noisy one
-V: Print the Nmap version number
-sU: UDP scan (scan UDP ports)
-p: Specify the ports to scan
-p-: Scan all ports
-p 22,8080: Scan ports 22 and 8080
--resume <filename>: Resume an aborted scan
-sV: Service/version detection
-Tx: Set scan speed (timing template)
-S <IP_Address>: Spoof source address
-sS: Stealth (SYN) scan (less detectable and less noisy)
-v: Increase verbosity level (use -vv or more for greater effect)
-A: OS and version detection, script scanning, and traceroute
OS detection, service detection in ports
-A is an all-in-one option that detects the OS and services, runs script scanning and traceroute, and reports port status. There are many vulnerabilities and exploits you can find for system services and use in exploitation.
nmap -A (target IP)
(Image: Nmap OS and service detection output)
Port Scanning Techniques:
There are various port scanning techniques. Well-known tools like Nmap and Nessus have automated the port scanning process. The techniques include:
NMAP ping sweeps
ARP scan (Address Resolution Protocol) :
In this method a series of ARP requests is sent, and the value of the target IP address field is incremented in each broadcast packet to discover active devices on the local network segment. This scan helps us map the whole network.
Use this command in Nmap (ARP ping discovery):
nmap -sn -PR (target IP)
TCP connect scan:
TCP connect scan is the basic scanning technique: it uses the operating system's connect() system call to open a full connection to every port being scanned.
This image shows how it works.
Half-open scan:
Unlike a full TCP connection it never completes the connection with the server, which is why it is a stealthy scan.
As in a TCP connect scan, we send a SYN packet first.
Then the server sends a SYN/ACK packet back to us.
But at the end, instead of an ACK we send the server a RST packet; that is why the half-open scan is called a stealth scan. The server never sees a completed connection, it just resets, which makes the scan hard to detect.
nmap -sS (target Ip)
TCP XMAS Scan
It is used to identify listening ports on the targeted system: closed ports reply with a RST (reset) packet, while open ports do not reply at all.
The scan sets the FIN, URG and PSH flags of the TCP header.
Use this Nmap command:
nmap -sX (target Ip)
TCP FIN Scan
This port scan can stay undetected by most scan detection programs, IDS and firewalls. It sends FIN packets to the targeted system and builds a report from the responses it receives.
With the FIN flag set, closed ports send a RST response, while
TCP packets sent to the victim's open ports get no reply.
nmap -sF (target Ip)
TCP ACK Scan:
Sometimes live hosts do not answer ICMP ping either.
By using a TCP ACK scan the attacker can determine the port state from the response to the ACK packet.
Use this command in Nmap:
nmap -sA (target Ip)
Null Scan:
Works by sending TCP packets with no flags set to the target. Open ports do not reply, while closed ports reply with a RST packet.
nmap -sN (target Ip)
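As an added example (not from the original post) covering the SYN, XMAS, FIN, NULL and ACK techniques above from the defender's side, this Python snippet models the reply each probe gets from an open versus a closed port, and runs a simple port-scan heuristic over constructed firewall log lines (the flag letters and log format are assumptions):

```python
from collections import defaultdict

# Flag letters as tcpdump prints them; "-" stands for no flags (a NULL probe).
# Constructed mapping from flag string to the technique the post describes.
PROBE_KIND = {"S": "SYN", "A": "ACK", "F": "FIN", "FPU": "XMAS", "-": "NULL"}

def probe_type(flags):
    """Name the scan technique a probe's flags match ("other" if none)."""
    return PROBE_KIND.get("".join(sorted(flags)), "other")

def expected_reply(flags, port_open):
    """Reply a plain RFC 793 TCP stack sends, as the post describes per
    technique (None = the probe is silently ignored)."""
    kind = probe_type(flags)
    if kind == "SYN":
        return "SYN/ACK" if port_open else "RST"
    if kind in ("NULL", "XMAS", "FIN"):
        return None if port_open else "RST"
    if kind == "ACK":
        return "RST"  # unfiltered ports answer RST whether open or closed
    return None

# Constructed firewall-style log lines: "<src> <dst_port> <flags>".
LOG = """\
10.0.0.5 22 S
10.0.0.5 80 S
10.0.0.5 443 S
10.0.0.5 8080 S
10.0.0.9 22 FPU
10.0.0.9 25 FPU
10.0.0.9 110 -
192.168.1.3 443 A
"""

def find_scanners(log, min_ports=3):
    """Return {src: (techniques seen, distinct ports probed)} for each source
    that hit at least min_ports distinct ports: a simple port-scan heuristic."""
    seen = defaultdict(lambda: (set(), set()))
    for line in log.splitlines():
        src, port, flags = line.split()
        kinds, ports = seen[src]
        kinds.add(probe_type(flags))
        ports.add(int(port))
    return {s: (k, len(p)) for s, (k, p) in seen.items() if len(p) >= min_ports}
```

Note that the open/closed behaviour modelled here is what FIN, NULL and XMAS scans rely on; stacks that answer every probe with RST make those three techniques report every port as closed.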
Conclusion
This is the kind of scanning used in hacking for information gathering. By using port scanning we can discover information such as which services are running, which users own those services, whether anonymous login is supported, whether certain network services require authentication, and other related details.
Preventions
One approach to limit the knowledge obtained from port scans is to shut down non-essential services on the targeted systems. Another way to restrict the information given to port scanners is to apply TCP Wrappers where appropriate. TCP Wrappers give the administrator the flexibility to allow or deny access based on approved domain names or IP addresses.
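As an added illustration (not from the original post) of the TCP Wrappers approach, the following hosts.deny / hosts.allow pair denies every wrapped service by default and then permits sshd only from an assumed management subnet, 192.168.1.0/24:

```text
# /etc/hosts.deny  (consulted after hosts.allow; this is the default-deny fallback)
ALL: ALL

# /etc/hosts.allow  (first matching rule wins; only these sources get through)
sshd: 192.168.1.0/255.255.255.0
```

Only services linked against libwrap (or started through tcpd) honour these files, and a SYN scan will still report the port as open; what the wrapper prevents is the service answering an unlisted source, so version and banner probes learn nothing.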
Additionally, another way to limit the information disclosed by port scanning is to use PortSentry, offered by Psionic. PortSentry detects connection requests on a chosen set of ports. It is customizable and can be configured to ignore a selected number of attempts. The administrator can choose which ports PortSentry listens on for connection requests and other kinds of unusual requests, and can configure ports that the system is not actually serving.
That's it for scanning. I covered lots of scanning techniques here; they are mainly used in hacking, pen-testing, bug bounty hunting and red teaming.
Further posts on enumeration, fingerprinting and vulnerability assessment are coming soon.
till then.
Happy Hacking..😊