Thursday, December 26, 2019

Scanning in Hacking | Scanning tools and techniques

Scanning in Hacking

Scanning plays a very important role in the information-gathering phase of hacking. Information gathering itself has four main parts: scanning, fingerprinting, enumeration and vulnerability analysis. In this post we cover scanning: how to scan a target and collect the information needed for exploitation.

So let's get started.

Scanning - 

Scanning is the process of identifying a target's architecture: open ports, running services, operating system, live hosts and much more.
It also reveals threats and weaknesses in the target network.
Scanning builds a profile of the target, and a great deal of information about it can be gathered from scans.

We'll go through the techniques one by one, using Nmap for all of them.

NMAP ( The Network Mapper)

Nmap is a widely accepted tool for scanning and enumeration; if you really want to be a good hacker, mastering Nmap should be a priority.
I already wrote an article about how to use Nmap, so check that as well.

Port states

Closed: no application on the target machine is listening for connections or packets on the port, though the port may be opened at any time.

Open: an application on the target machine is listening for connections and packets on the port.

Filtered: Nmap cannot tell whether the port is open or closed, because a network obstacle (typically a firewall) is blocking its probes, so no usable response comes back.

Basic NMAP options

-O: Enable OS detection
-6: Enable IPv6 scanning
-T1 to -T5: Timing template, from a really slow scan to a really fast and noisy one
-V: Print the Nmap version number
-sU: UDP scan (scan UDP ports)
-p: Ports to scan
-p-: Scan all ports
-p 22,8080: Scan ports 22 and 8080
--resume <filename>: Resume an aborted scan
-sV: Service and version detection
-S <IP_Address>: Spoof the source address
-sS: SYN (stealth) scan, less detectable and less noisy than a full connect
-v: Increase verbosity level (use -vv or more for greater effect)
-A: OS and version detection, script scanning, and traceroute


OS detection and service detection on ports

-A is the all-in-one option: it detects the OS and service versions, runs script scanning and a traceroute, and reports port status.
Many vulnerabilities and exploits exist for specific system services, so the service versions it reports are the starting point for exploitation.

nmap -A (target IP)

(Screenshot: Nmap OS and service detection output)

Port Scanning Techniques:

Various port scanning techniques are available. Well-known tools like Nmap and Nessus have automated the port scanning process. The techniques include:

NMAP ping sweeps

An Nmap ping sweep sends ICMP echo requests to every IP address in a given range; a host that is alive and answers pings sends back an ICMP echo reply, which tells us it is up.

(Screenshot: Nmap ping sweep)

ARP scan (Address Resolution Protocol) :

In this method a series of ARP requests is broadcast, with the target IP address field incremented in each broadcast packet, to find active devices on the local network segment. This scan helps us map the whole local network.
Use this command in Nmap (-PR selects ARP ping; it only works against hosts on the same segment):

nmap -sn -PR (target IP)

(Screenshot: ARP scan)

 TCP connect scan:

The TCP connect scan is the basic scanning technique: it uses the operating system's connect() system call to open a full connection to every port being scanned.

The image below shows how it works.
(Screenshot: working of the TCP handshake)

To scan TCP ports with a connect scan, use:

nmap -sT (IP address)

(Screenshot: TCP connect scan in Nmap)

Half-open scan:

In a half-open scan the TCP connection is never completed with the server, which is what makes it a stealthy scan.

As in the connect scan, we send a SYN packet first.

The server replies with a SYN/ACK packet.
But instead of finishing the handshake with an ACK, we send the server an RST packet; that is why it is called a stealth scan. The server never sees a completed connection, it just resets, which makes the scan harder to detect.

nmap -sS (target IP)


Xmas scan:

This scan is used to identify listening ports on the targeted system. A closed port answers with an RST, while an open port does not reply at all.
The scan sets the FIN, URG and PSH flags of the TCP header (lighting the packet up like a Christmas tree, hence the name).

Use this Nmap command:

nmap -sX (target IP)


FIN scan:

This scan can stay undetected by most scan-detection programs, IDSs and firewalls. It sends packets with only the FIN flag set to the targeted system and builds a report from the responses it gets.

With the FIN flag, closed ports send an RST response, and

open ports on the victim do not reply to the transmitted TCP packets at all.

nmap -sF (target IP)


TCP ACK scan:

Sometimes live hosts do not answer ICMP pings at all.

With a TCP ACK scan the attacker can still work out the port's situation from the acknowledgment (RST) that comes back, which tells whether a firewall is filtering the port.

Use this command in Nmap:
nmap -sA (target IP)

Null Scan: 

Works by sending TCP packets with no flags set to the target. Open ports do not reply, while closed ports reply with an RST packet.

nmap -sN (target IP)
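The way Nmap turns the reply to each probe into a port state, as an added example that is not part of the original post; it follows the rules described above for the connect, SYN, ACK, FIN, Xmas and Null scans, with the option names used in the post as keys and the response kinds as assumed string labels.

```python
# Added example (not from the original post): how Nmap turns the reply to each
# probe into a port state, following the rules given above for each scan type.
# Simplified: real Nmap also handles retransmissions and some OS quirks.

# Flags each scan sets on its probe, keyed by the Nmap option used in the post
PROBE_FLAGS = {
    "-sT": "SYN",          # connect scan: full handshake via connect()
    "-sS": "SYN",          # half-open scan: SYN, then RST instead of ACK
    "-sA": "ACK",          # ACK scan: reveals firewall filtering, not open ports
    "-sF": "FIN",          # FIN scan
    "-sX": "FIN,PSH,URG",  # Xmas scan
    "-sN": "",             # NULL scan: no flags at all
}

def infer_port_state(scan, response):
    """Nmap's verdict for one port, given the scan option and the reply seen.

    response is "SYN/ACK", "RST", "ICMP-unreachable" or None (no reply at all).
    """
    if scan not in PROBE_FLAGS:
        raise ValueError("unknown scan option %r" % scan)
    if scan in ("-sT", "-sS"):
        # SYN probes get a definite answer from the handshake
        if response == "SYN/ACK":
            return "open"
        if response == "RST":
            return "closed"
        return "filtered"  # dropped by a firewall or answered with ICMP unreachable
    if scan == "-sA":
        # An RST only proves the port is reachable; it says nothing about open/closed
        return "unfiltered" if response == "RST" else "filtered"
    # FIN / Xmas / NULL: closed ports answer RST, open ports stay silent, so
    # silence cannot be told apart from a firewall quietly dropping the probe
    if response == "RST":
        return "closed"
    if response == "ICMP-unreachable":
        return "filtered"
    return "open|filtered"

def scan_verdicts(scan, replies):
    """Apply infer_port_state to {port: response} and return {port: state}."""
    return {port: infer_port_state(scan, resp) for port, resp in replies.items()}

if __name__ == "__main__":
    # Constructed replies for three ports as a SYN scan and a NULL scan would see them
    print(scan_verdicts("-sS", {22: "SYN/ACK", 23: "RST", 80: None}))
    print(scan_verdicts("-sN", {22: None, 23: "RST", 80: "ICMP-unreachable"}))
```

Note how the same silence that means "open" for a Null scan means "filtered" for a SYN scan, which is why Nmap reports open|filtered for the flag-based scans.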


This is the type of scanning used for information gathering in hacking. Port scanning lets us learn things such as which services are running, which users own those services, whether anonymous login is supported, whether certain network services require authentication, and other related details.


One way to limit what can be learned from port scans is to shut down nonessential services on the targeted systems. Another way to restrict the information given to port scanners is to apply TCP Wrappers where appropriate; TCP Wrappers give the administrator the flexibility to allow or deny access based on approved domain names or IP addresses.

Another way to limit the information lost to port scanning is to use PortSentry, offered by Psionic. PortSentry detects connection requests on a chosen set of ports. It is customizable and can be configured to ignore a selected number of attempts. The administrator decides which ports PortSentry listens on for connection requests and other unusual requests, typically ports that their system is not serving.
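A small detector for the probe types covered in this post, run over constructed firewall log lines, as an added example that is not part of the original post (PortSentry and TCP Wrappers do their own thing; this just shows the logic a defender looks for). The log line format, the IP addresses and the port threshold are all assumptions.

```python
# Added example (not from the original post): a small detector for the probe
# types described above, run over constructed firewall log lines. The log
# format is assumed: "<time> src=<ip> dst=<ip> dport=<port> flags=<TCP flags>".
import re
from collections import defaultdict

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) flags=(\S*)")
# Flag combinations a legitimate TCP stack never sends as the first packet
ANOMALOUS_FLAGS = {
    frozenset(): "NULL scan",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan",
    frozenset({"FIN"}): "FIN scan",
}

def parse_line(line):
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dport, flags = m.groups()
    return src, dst, int(dport), frozenset(f for f in flags.split(",") if f)

def detect_scans(lines, port_threshold=3):
    """Map each suspicious source IP to the set of scan findings against it."""
    findings = defaultdict(set)
    syn_ports = defaultdict(set)  # (src, dst) -> distinct ports hit with a bare SYN
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        if flags in ANOMALOUS_FLAGS:
            findings[src].add(ANOMALOUS_FLAGS[flags])
        elif flags == frozenset({"SYN"}):
            syn_ports[(src, dst)].add(dport)
    # Many distinct ports from one source in the window looks like a -sS/-sT sweep
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= port_threshold:
            findings[src].add("SYN sweep of %d ports on %s" % (len(ports), dst))
    return dict(findings)

# Constructed sample: 192.0.2.10 is scanning, 203.0.113.7 is a normal client
SAMPLE_LOG = [
    "10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=21 flags=SYN",
    "10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=22 flags=SYN",
    "10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=23 flags=SYN",
    "10:00:02 src=192.0.2.10 dst=198.51.100.5 dport=443 flags=",
    "10:00:02 src=192.0.2.10 dst=198.51.100.5 dport=8080 flags=FIN,PSH,URG",
    "10:00:03 src=203.0.113.7 dst=198.51.100.5 dport=443 flags=SYN",
]
```

Calling detect_scans(SAMPLE_LOG) flags only 192.0.2.10, with a NULL scan, an Xmas scan and a three-port SYN sweep; the single legitimate SYN from 203.0.113.7 stays below the threshold.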

That's it for scanning. I covered lots of scanning techniques here; they are mainly used in hacking, pen-testing, bug bounty hunting and red teaming.

Further posts on enumeration, fingerprinting and vulnerability assessment are coming soon.
Till then,

Happy Hacking..😊

