Nov 20, 2020

Scanning Network

Mapping a Network

Sometimes, instead of receiving full information about target machines, penetration tester gets just address block. Later on, pentester needs to discover what kind of hosts with what kind of configuration, exist in particular network.

There are several different ways to reveal network configuration.

PING sweeping

Ping works by sending one or more special ICMP packets (type 8 - echo request) to a host. If the host replies with ICMP echo reply packets, it means that host is alive. RFC792 describes protocol used to carry diagnostic messages. ICMP is a part of the Internet Protocol.


fping is a Linux tool, improved version of standard ping. It can be run against IP range:

fping -a -g <ip_range> 2>/dev/null # -a -- show alive; -g -- generate list, redirect to /dev/null to surpress noise.


Recommended tool for penetration testing is nmap. It is very powerful tool, which allows for detection hosts, its systems and more. To attempt port sweeping (ping scan), one can use -sn option:

nmap -sn <ip_range>

OS Fingerprinting

After finishing nmap run, we end up having list of live hosts, responding to ping. Next, we need to understand what kind of operating system is used by a host. Based on differences in network stack implementation of the various operating systems, automated programs can analyze response, and recognize OS version, creating host signatures.

During a penetration test, person needs to perform reconnaissance step on every network node:

  • routers
  • firewalls
  • hosts
  • servers
  • printers
  • etc

The goal is to create table of nodes, with appropriate information about systems.

Offline fingerprinting (p0f)

For offline fingerprinting, one can use p0f tool to analyze dump of network traffic.

Online fingerprinting (nmap)

In a case of online, to go tool is again nmap. To perform OS fingerprinting with it, you have to use -O option and specify target. In a case of known targets, you can add -Pn to skip rediscovering them again.

nmap -Pn -O <targets>

This option can be additionally fine-tuned, to prevent from too aggressive way of discovering hosts:

  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively

Port Scanning

After recognizing nodes and detecting operating systems, we can continue with port scanning. It allows to discover the daemons and services running on those nodes.

Port scanning is a process used to determine what TCP and UDP ports are open on target hosts. It, also usually helps detect which software and version is listening on a specific port.

TCP Three-Way Handshake

Default usage:

nmap -sT <target>

Description of process.

Client --- SYN ---> Server
Client <- SYN+ACK - Server
Client --- ACK ---> Server

Client wants to connect to a server, it first sends a packet with the SYN flag enabled. The server then responds by sending a packet with both SYN and ACK flags enabled. Finally, the client replies back by sending a packet with the ACK flag enabled and the actual data transmission can start.

In a case of closed port, it looks slightly differently.

Client --- SYN ---> Server
Client <- RST+ACK - Server

The server will reply with a packet that has the reset RST and ACK flags set. This behavior tells the client that the port is closed.

The simplest way to perform a port scan is trying to connect to every port.

  • if the scanner receives a RST packet, then the port is closed.
  • if the scanner can complete 3-way handshake, then the port is open. After connecting, the scanner sends an RST packet to the target host to abruptly close the connection.

The culprit here is, that every TCP connect is recorded in the daemon logs. Even scans, which often should be stealth. That is because, from the application point of view, the scan probe is legitimate connection. It allows system administrators to easily detect the scan.

TCP-SYN scan

Default usage:

nmap -sS <targets>

To mitigate possibility of being detected (in the case of 3-way handshake), there is more stealthy solution, called TCP-SYN scan. During a SYN scan, the scanner does not perform a full handshake. It just sends a SYN packet and analyzes the response coming from the target machine.

  • if it receives a RST packet, then port is closed.
  • if it receives an ACK packet, then port is open. After marking the port as open, the scanner sends a RST packet to the target host to stop the handshake.

As there is no full connection to the destination daemon, a SYN scan cannot be detected by looking at daemon logs. It is important to remember, that even TCP-SYN scan can be detected with well-configured IDS (Intrusion Detection System).

Version detection scan

Default usage:

namp -sV <targets>

This scan is recorded in logs, however it is very useful. It mixes a TCP connect scan with some probes, which are used to detect what application is listening on a particular port.

Client --- SYN ---> Server
Client <- SYN+ACK - Server
Client --- ACK ---> Server
Client <- Banner -- Server
Client -- RST+ACK > Server

If the daemon doesn't send a banner, nmap sends some probes to understand what the listening application is. It later tries to guess the application based on its behavior.

Network Discovery with port scanning

Sometimes, firewall can block pings. In this kind of scenario, typical usage of ping is insufficient. Even if host is not responding to ICMP requests, it oftentimes has some TCP and UDP port opens. nmap can be forced to scan host which is not responding to ping with -Pn. The scan for common ports like 22 (ssh), 80,443 (http/https server), 445 (samba service) or 53 (DNS) can reveal that the host is actually "alive" however not responding to ICMP.

Detecting firewall

Large networks very often are protected from intrusion by firewalls. It might be difficult to detect firewall, but based on partial or incomplete results of scan, one can identify, that it could be it. nmap scan with fingerprinting -sV should not have any problems to return full information. Sometimes, however, default information about VERSION could be not present or unrecognized (tcpwrapped means that TCP handshake was completed, but the remote host closed the connection without receiving any data). To try and see what happened, you might want to use nmap with --reason that will show an explanation of why a port is marked open or closed.


Masscan was designed to deal with large networks and to scan thousands of IP addresses at once. It is similar to nmap but a lot faster.

Vulnerability Assessment

Vulnerability assessment is a scan of the vulnerabilities found on networks and applications. It is faseter and lighter on the infrastructure. As opposed to a penetration test, during a vulnerability assessment, you don't proceed to the exploitation phase. It means, that after discovering vulnerability, you won't be able to confirm it by testing and giving a proof of exploitation.


Scanners perform their probes on:

  • daemons listening on TCP and UDP ports
  • configuration files of operating systems, software suites, network devices, etc.
  • windows registry entries.

The purpose is to find vulnerabilities and misconfigurations. The better and more up-to-date database of vulnerabilities, the better result of scan.

However, in a case of custom application, a vulnerability scanner may not be enough. In that case, manual test needs to be performed.