After the reconnaissance and information-gathering stages comes scanning. It is important that the information-gathering stage be as complete as possible, so that the best locations and targets to scan can be identified. During scanning, the hacker continues to gather information about the network and its individual host systems. Information such as IP addresses, operating system, services, and installed applications helps the hacker determine which type of exploit to use against a system.
Scanning is the process of locating systems that are alive and responding on the network. Ethical hackers use scanning to identify target systems' IP addresses. Scanning is also used to determine whether a system is on the network and available. Scanning tools are used to gather information about a system.
In our hacking track we have three types of scanning:
1. Port scanning: determines open ports and services.
2. Network scanning: identifies IP addresses on a given network or subnet.
3. Vulnerability scanning: identifies weaknesses (security loopholes) on target systems.
Port Scanning: Port scanning is the process of identifying open and available TCP/IP ports on a system. Port-scanning tools enable a hacker to learn about the services available on a target system. Port numbers are divided into three ranges:
1. Well-Known Ports: 0-1023
2. Registered Ports: 1024-49151
3. Dynamic Ports: 49152-65535
Network Scanning: Network scanning is a procedure for identifying active hosts on a network, either to attack them or as part of a network security assessment. Hosts are identified by their individual IP addresses. Network-scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses.
Vulnerability Scanning: Vulnerability scanning is the process of identifying the vulnerabilities of computer systems on a network. Generally, a vulnerability scanner first identifies the operating system and version number, including any service packs that may be installed. Then the scanner identifies weaknesses or vulnerabilities in the operating system. During the later attack phase, a hacker can exploit those weaknesses in order to gain access to the system.
Scanning Methodology
As an Ethical Hacker, you are expected to be familiar with the scanning methodology described below. This methodology is the process by which a hacker scans the network. It ensures that no system or vulnerability is overlooked and that the hacker gathers all the information necessary to perform an attack.
We'll look at the various stages of this scanning methodology, starting with the first three steps:
1. Checking for live systems.
2. Checking for open ports.
3. Identifying services.
Scanning Methodologies:
1. Check for Live Systems
2. Check for Open Ports
3. Service Identification
4. Banner Grabbing / OS Fingerprinting
5. Vulnerability Scanning
6. Draw Network Diagrams of Vulnerable Hosts
7. Prepare Proxies
8. Attack
Identifying live systems using a Windows Ping:
To use the built-in ping command in Windows to test connectivity to another system:
1. Open a command prompt in Windows.
2. Type ping www.microsoft.com.
A timeout indicates that the remote system is not responding or turned off, or that the ping was blocked. A reply indicates that the system is alive and responding to ICMP requests.
Identifying live systems and open ports using Advanced IP Scanner:
Advanced IP Scanner is one of the best tools for scanning a network to find live systems, IP addresses, MAC addresses, and open ports. Here's what it looks like:
Advanced IP Scanner goes a little beyond the typical ping sweep, because it can give us interesting information about the hosts it finds, such as IP address, MAC address, NetBIOS names, and the user names of currently logged-in users.
Identifying live systems and open ports using SuperScan:
SuperScan can be considered one of the most complete tools for scanning, as well as for getting domain information about a target system along with Windows enumeration. It can perform all stages of scanning, and so it is often the best choice for a hacker on a Windows system. In this section we will see how to use SuperScan.
Type the IP address of the target you want to scan in Hostname/IP. To scan a range of IP addresses, type the Start and End IP. If you want to add a list of IP addresses, put each IP/host on a new line in Notepad and import the file via the 'Read IPs from file' option. To start the scan, press the blue arrow button. The scan will start and show its results.
As you can see in the result above, we got nine live hosts in the given range of IP addresses. You can scroll down to view the results, and you can also view the overall results in HTML format by clicking the 'view HTML' option.
Identifying live systems and open ports using Advanced Port Scanner:
Personally, I prefer tools with a graphical interface. One of them is Advanced Port Scanner, which is a sister product of Advanced IP Scanner. Here's what it looks like:
You can see that, for each of the hosts it found, it conducted a closer examination. For example, on host 192.168.1.6 I can see which ports are open: 139, 135, and 445. Because I recognize these as typical Microsoft ports, my guess is that this host probably runs a Microsoft operating system.
You can see different ports open on different systems. For example, the next one has Telnet and HTTP. One really interesting thing about this one is that it appears to be a web server but also has its printer port open. This already gives me a lot of interesting information without even having to attack the system.
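The reasoning above (the Microsoft port trio suggesting Windows, a web server with a printer port open) and the three IANA port ranges listed earlier, applied to a scanner export as an added example; this is not code from the original post or from Advanced Port Scanner. The export format, the second host's address and the choice of 9100 for the unnamed "printer port" are assumptions.

```python
# Added example (not from the post): apply the post's own reasoning to a
# port-scanner export from a defender's inventory-review point of view.
import re

# Service names for the ports the post mentions. 9100 (JetDirect) is an
# assumption for the unnamed "printer port".
SERVICES = {23: "telnet", 80: "http", 135: "msrpc", 139: "netbios-ssn",
            445: "microsoft-ds", 9100: "jetdirect (assumed printer port)"}
WINDOWS_PORTS = {135, 139, 445}

def port_range(port):
    """Classify a port into the three IANA ranges listed in the post."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic"

def guess_os(open_ports):
    """Same heuristic as the text: the Microsoft trio suggests Windows."""
    return "Windows (guess)" if WINDOWS_PORTS & set(open_ports) else "unknown"

def parse_export(text):
    """Parse constructed 'ip<tab>port,port,...' lines into {ip: [ports]}."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([\d,\s]*)$", line)
        if m:
            ports = [int(p) for p in m.group(2).split(",") if p.strip()]
            hosts[m.group(1)] = sorted(ports)
    return hosts

def review_host(ip, open_ports):
    """Summarise one host and note exposures worth a defender's attention."""
    ports = sorted(open_ports)
    findings = []
    if 23 in ports:
        findings.append("cleartext Telnet exposed")
    if 80 in ports and 9100 in ports:
        findings.append("web server also exposes a printer port")
    return {"ip": ip, "os_guess": guess_os(ports), "findings": findings,
            "services": {p: SERVICES.get(p, f"unknown {port_range(p)} port")
                         for p in ports}}

# Constructed sample export mirroring the two hosts described in the post;
# the second host's address is made up.
SAMPLE_EXPORT = "192.168.1.6\t139,135,445\n192.168.1.7\t23,80,9100\n"

if __name__ == "__main__":
    for ip, ports in parse_export(SAMPLE_EXPORT).items():
        print(review_host(ip, ports))
```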
More Scanning Tools:
NetBIOS Enumerator
nmap
Angry IP scanner
NetScanTools
IPSecScan
IP tools
Nscan