Introduction
As an ethical hacker, you can use network tracing techniques (also called path tracing) to learn about a network’s logical layout.
You can employ them to see whether any firewalls, intrusion detection systems (IDS), or intrusion prevention systems (IPS) sit between you and your targets and, in some situations, to get around them.
Internally, the same techniques can be used to find new subnets and systems of interest.
Traceroute and tracert are two tools you can use for this; network tracing can also be done with online tools and services.
Traceroute Command
Traceroute is a computer network diagnostic tool that shows the route (path) of packets and measures their transit times across an Internet Protocol (IP) network.
How does traceroute work?
Traceroute discovers the route by sending probes with an increasing IP time-to-live (TTL): the first probe carries a TTL of 1, so the first router decrements it to zero and returns an ICMP Time Exceeded message that reveals its address; the next probe carries a TTL of 2 and is answered by the second router, and so on. The round-trip time (RTT) of each probe is recorded along the way.
Traceroute continues until the destination answers. If all (typically three) probes for a hop go unanswered, that hop is shown as unanswered, and once this happens more than twice in a row the rest of the route cannot be analyzed.
Ping sends an Internet Control Message Protocol (ICMP) Echo Request to a specific network interface and waits for a response.
Traceroute also relies on ICMP replies from routers, but by default on Linux it sends UDP datagrams as probes instead of ICMP Echo Requests.
Because it is useful for basic troubleshooting, traceroute is installed by default not only on Kali Linux but on the vast majority of Linux distributions.
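The TTL mechanism described above, as an added model that is not part of the original article: a constructed path of routers, each decrementing the TTL, one of them silently filtering ICMP Time Exceeded messages so it shows up as an unanswered hop. No packets are sent; the addresses are from documentation ranges and the `forward`, `traceroute` and `render` functions are this example’s own.

```python
"""Added model of traceroute's TTL mechanism: probes are sent with TTL 1, 2, 3 ...
and the router that decrements the TTL to zero answers with ICMP Time Exceeded.
The network below is constructed; nothing is sent on the wire."""

# Constructed path of routers: (address, answers_expired_ttl). A router with
# False models a hop that drops or filters ICMP Time Exceeded messages, which
# real traceroute prints as "* * *". Addresses come from documentation ranges.
PATH = [
    ("192.0.2.1", True),
    ("198.51.100.7", True),
    ("203.0.113.9", False),    # silent hop: filters ICMP errors
    ("203.0.113.10", True),
]
DESTINATION = "192.0.2.80"


def forward(ttl):
    """Forward one probe with the given TTL along PATH.

    Returns ("time-exceeded", router) when the TTL expires at a router that
    replies, ("silent", None) when it expires at a filtering router, and
    ("reached", DESTINATION) when the probe arrives at the destination.
    """
    for address, answers in PATH:
        ttl -= 1                          # every router decrements the TTL
        if ttl == 0:
            return ("time-exceeded", address) if answers else ("silent", None)
    return ("reached", DESTINATION)


def traceroute(max_hops=30, probes_per_hop=3):
    """Return [(hop, address_or_None), ...], stopping at the destination or
    at max_hops, the way the -m option bounds a real traceroute."""
    hops = []
    for hop in range(1, max_hops + 1):
        answer = None
        for _ in range(probes_per_hop):   # typically three probes per hop
            kind, who = forward(hop)
            if kind != "silent":
                answer = who
                break
        hops.append((hop, answer))
        if answer == DESTINATION:
            break
    return hops


def render(hops):
    """Format hops like traceroute output, '* * *' standing in for an unanswered hop."""
    return "\n".join(f"{hop:2d}  {addr or '* * *'}" for hop, addr in hops)


if __name__ == "__main__":
    print(render(traceroute()))
```

Running it prints five hops, with hop 3 shown as asterisks: the filtering router still forwards the probe (hop 4 and the destination are reached), it just refuses to identify itself, which is exactly what a silent hop in real output means.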
Traceroute command options
| Option | Definition |
| --- | --- |
| -4 | Forces IPv4 |
| -6 | Forces IPv6, same as the traceroute6 command |
| -I (capital i) | Uses ICMP Echo Request probes |
| -T | Uses TCP SYN probes for tracerouting |
| -f <first ttl> | Starts from the hop number specified instead of 1 |
| -g <gateway> | Routes packets through the specified gateway instead of the default |
| -m <max ttls> | Specifies the maximum number of hops; default is 30 |
| -n | Does not resolve IP addresses to hostnames |
| -w <wait> | Specifies the wait time, which can be in seconds or relative to the reply time between hops |
| -p <port> | Specifies the destination port |
With its default arguments, the Linux traceroute command sends its probes to a UDP port on the destination system.
Traceroute can also use ICMP or TCP packets; with the ICMP option it sends ICMP Echo Request packets.
Traceroute can be configured to use TCP when you are trying to get past firewalls or other network filtering devices.
TCP has a better chance of passing through a typical firewall, which may block incoming or outgoing ICMP as well as traffic to unknown UDP ports.
An attacker may, for example, run traceroute -n -T -p 443 www.google.com, because a service is likely to respond to packets delivered to TCP port 443.
The client sends SYN packets with increasing TTLs in an attempt to contact the target, comparable to an nmap half-open scan.
Once the target answers with a SYN/ACK, the client sends a RST to abort the connection.
Along the way, “ICMP time exceeded in transit” messages still identify each intermediate hop.
Tracert Command
Tracert is a command-line tool that is used to track the path that a packet takes from its source to its destination. Tracert can be used to troubleshoot network connectivity issues.
Tracert is the Windows equivalent of traceroute, although by default it works a little differently from the Linux version, and it has fewer options.
Tracert command options
| Option | Definition |
| --- | --- |
| -d | Does not resolve IP addresses to hostnames |
| -h max hops | Specifies the maximum number of hops |
| -j host-list | Uses loose source routing along host-list |
| -w timeout | Waits timeout milliseconds for replies; default is 4000 ms (4 seconds) |
| -R | Traces the round-trip path (IPv6 only) |
| -4, -6 | Forces IPv4 or IPv6, respectively |
Tracert output can help you determine where a packet is being dropped or delayed. It shows the IP address of each hop along the path from source to destination, together with the round-trip time for each hop.
After a few hops it may print “Request timed out” and give no information about that router. This can happen for a couple of reasons.
Either tracert did not receive an echo reply before the timeout, or the router in question is filtering or blocking incoming ICMP echo requests or outgoing ICMP echo replies.
Online Tools for Network Scanning
Internet and virtual network mapping tools can be used for a variety of reasons. They can help you figure out whether you are being shunned, and they let you compare the paths seen from different starting points for the traceroute.
When your target organisation blocks your attempts to scan or connect to target devices, this is known as shunning.
If you are being shunned, you may not be able to scan or connect to target devices. This can occur for a variety of reasons, for example because the target organisation has blocked your IP address or because you are trying to connect to a device that does not exist.
Traceroutes can be performed using the website KeyCDN from multiple locations across the world.
The most significant disadvantage of using these online tools is the risk of information leakage.
By using a web-based or other third-party service, you are publicising the fact that you have some level of interest in the target company.
This may not matter if you are only using the service for troubleshooting, but nothing stops the website’s operators from recording everything you do, and they may sell that information to data aggregators.
Some other online network scanning tools you can try are:
- https://www.intruder.io/
- https://www.acunetix.com/vulnerability-scanner/
- https://www.solarwinds.com/network-performance-monitor
Port Scanning Technique
When you combine port scanning with the OSINT data you obtained during the recon phase of testing, you’ll start to get genuine, actionable insight on your targets.
The fundamental purpose of port scanning is to figure out which TCP and/or UDP ports are “listening” on a specific target IP address, so you can obtain a sense of your target organization’s attack surface.
Because the number of packets you send to your targets grows considerably at this stage, this is also the point at which your target has a very good chance of detecting your activity.
By default, nmap scans 1000 ports: the 1000 ports most often found open, not ports 0–999.
Port scanning can be used to find vulnerabilities in a system, or it can be used by attackers to find ways to gain access to a system.
Port scanning can also be used by administrators to find open ports so that they can be closed if they are not needed.
Nmap keeps its own database that records each port and how often it has been found open.
On Kali Linux, this file, nmap-services, is located in /usr/share/nmap by default. The following command lists the 100 most commonly open ports and their default services, ordered by frequency:
grep -v ^# /usr/share/nmap/nmap-services | sort -nr -k 3 | head -n 100
If you want nmap to scan a different number of top ports, use the --top-ports <num> option.
The -p option lets you specify particular ports; if necessary, you can list both UDP and TCP ports.
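The grep/sort/head pipeline and the --top-ports selection above, reimplemented as an added Python example that is not part of the original article or of nmap. The excerpt is constructed in the nmap-services format (name, port/protocol, open frequency, optional comment) with made-up frequencies; `parse_nmap_services`, `top_ports` and `port_spec` are this example’s own names. The last function builds the T:…,U:… form that nmap’s -p option accepts for mixing TCP and UDP ports.

```python
"""Added parser for the nmap-services file format plus a --top-ports style
selection. SAMPLE is a constructed excerpt in that format, not the real file."""

from collections import namedtuple

Service = namedtuple("Service", "name port proto frequency")

# Constructed excerpt: name, port/proto, open-frequency, optional # comment
SAMPLE = """\
# Fields: service name, port/protocol, open frequency, comment
http\t80/tcp\t0.48\t# World Wide Web HTTP
snmp\t161/udp\t0.43
telnet\t23/tcp\t0.22
https\t443/tcp\t0.21
domain\t53/udp\t0.21
ftp\t21/tcp\t0.20
ssh\t22/tcp\t0.18\t# Secure Shell
smtp\t25/tcp\t0.13
ntp\t123/udp\t0.12
krb524\t4444/tcp\t0.001
"""


def parse_nmap_services(text):
    """Parse lines of the form 'name port/proto frequency [# comment]',
    skipping comments and blank lines (the grep -v ^# step)."""
    services = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        port, proto = fields[1].split("/")
        services.append(Service(fields[0], int(port), proto, float(fields[2])))
    return services


def top_ports(services, n, proto=None):
    """Return the n most frequently open ports (the sort -nr -k 3 | head -n step),
    optionally limited to one protocol; ties are broken by port number."""
    chosen = [s for s in services if proto is None or s.proto == proto]
    chosen.sort(key=lambda s: (-s.frequency, s.port))
    return chosen[:n]


def port_spec(services):
    """Build an nmap -p argument mixing TCP and UDP ports, e.g. 'T:23,80,U:161'."""
    tcp = sorted({s.port for s in services if s.proto == "tcp"})
    udp = sorted({s.port for s in services if s.proto == "udp"})
    parts = []
    if tcp:
        parts.append("T:" + ",".join(map(str, tcp)))
    if udp:
        parts.append("U:" + ",".join(map(str, udp)))
    return ",".join(parts)


if __name__ == "__main__":
    services = parse_nmap_services(SAMPLE)
    for s in top_ports(services, 5):
        print(f"{s.port}/{s.proto}\t{s.name}\t{s.frequency}")
    print("nmap -sU -sT -p", port_spec(top_ports(services, 5)))
```

Point the parser at the real /usr/share/nmap/nmap-services file to get the genuine ordering; the output of `port_spec` can be pasted straight into a -p argument, which is useful when you want a custom mixed TCP/UDP port list rather than the fixed --top-ports cut.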
When nmap shows a port as open, it means the target system is actively listening for incoming connections.
When nmap returns a port as closed, it signifies that at the time of the scan, no services were waiting for incoming connections on the target port.
If nmap lists a port as filtered, a device between the client and the target is preventing traffic from reaching the destination port, and nmap is unable to determine the port’s state.
If nmap reports a port as unfiltered, it can reach the target port but cannot tell whether it is open or closed.
If nmap shows a port as open|filtered, the target has not responded to the probe at all. This is most commonly seen with UDP port scanning.
Finally, an IP ID idle scan may report a port as closed|filtered if it cannot tell the difference between those two states.
Remember that port scanning by itself is not a hacking technique and is not illegal. It can, however, be used for malicious purposes, so be aware of the risks involved.
TCP Connect Scan
TCP connect scan is a type of port scan that uses the TCP protocol’s three-way handshake to establish a connection with a remote host before scanning.
When the user running the command does not have raw socket (packet-crafting) privileges, nmap defaults to the TCP connect (or full-connect) scan.
This sort of scan completes the TCP three-way handshake to establish a connection with the target before tearing it down.
A TCP connect scan establishes a connection with the target via operating system calls, resulting in higher overhead and slower scans.
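A connect scan of the kind described above, as an added example that is not part of the original article or of nmap: the operating system performs the whole three-way handshake through `connect_ex`, and the result code is mapped onto nmap’s open, closed and filtered states. The target ports are constructed listeners on localhost so the example runs offline; `start_listener`, `free_port`, `classify` and `connect_scan` are this example’s own names.

```python
"""Added TCP connect scanner in the style of nmap -sT (or nc -z -v): the OS
stack performs the full three-way handshake, then the socket is closed.
Targets are constructed listeners on localhost, so this runs offline."""

import errno
import socket
import threading


def start_listener():
    """Constructed 'open' port: a TCP listener on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed
                return
            conn.close()             # handshake done, drop the client

    threading.Thread(target=serve, daemon=True).start()
    return srv


def free_port():
    """Constructed 'closed' port: an ephemeral port nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def classify(code):
    """Map a connect_ex() result onto nmap's port states."""
    if code == 0:
        return "open"                # handshake completed: something is listening
    if code == errno.ECONNREFUSED:
        return "closed"              # the host answered the SYN with a RST
    return "filtered"                # timeout or unreachable: no answer at all


def connect_scan(host, ports, timeout=1.0):
    """Return {port: state} using full connections made by the OS stack.
    Every probe is a complete handshake, which is why this is slower and
    noisier than a SYN scan and shows up in the target's connection logs."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)        # a silent port is reported after the timeout
        try:
            results[port] = classify(s.connect_ex((host, port)))
        finally:
            s.close()                # tear the connection down right away
    return results


if __name__ == "__main__":
    listener = start_listener()
    open_port = listener.getsockname()[1]
    for port, state in connect_scan("127.0.0.1", [open_port, free_port()]).items():
        print(f"{port}/tcp {state}")
    listener.close()
```

Because each probe is a real connection, the listener’s accept() fires for every open port scanned; that accepted-then-dropped connection is the trace a connect scan leaves in application logs, which a SYN scan does not.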
TCP SYN Scan
A TCP SYN scan probes for open ports by sending packets with only the SYN flag set; if the target replies with a SYN/ACK, the port is considered open.
A SYN scan (or half-open scan) is also known as a stealth scan.
However, that name does not mean perimeter devices cannot detect half-open scans.
Firewalls and intrusion detection systems will spot these scans just as quickly as a full-connect scan.
SYN scans require root or other privileged access, but because they do not rely on the operating system’s TCP stack to complete connections, they have less overhead and are generally faster than full-connect scans.
SYN scans do not complete the three-way handshake. Instead, once the target answers with a SYN/ACK, they send a RST rather than finishing the connection.
TCP connect scan vs. SYN scan
A TCP connect scan is a type of network scanning in which the attacker tries to establish a connection with the target system using the TCP/IP protocol and then attempts to exploit vulnerabilities in the target system.
A SYN scan is a type of network scanning in which the attacker sends a SYN packet to the target system and then waits for a response.
If the target system responds with a SYN/ACK packet, the attacker knows that the target system is open and vulnerable.
More NMAP Scans
| Option | Definition |
| --- | --- |
| -sA | ACK scan, sets the ACK flag only |
| -sF | TCP FIN scan, sets the FIN flag |
| -sN | NULL scan, clears all flags |
| -sX | XMAS scan, sets the FIN, PSH, and URG flags |
| -sM | Maimon scan, sets the FIN and ACK flags |
An ACK scan can be used to determine whether or not a firewall is stateful, and it can also be used in conjunction with other scan types to obtain information that would not be obvious based on the findings of a single scan type.
The TCP FIN scan sets only the FIN bit in an attempt to get around stateless firewalls.
The XMAS scan sets the FIN, PSH, and URG flags, three flags that should never be set together in a legitimate packet, while the NULL scan sets none.
To an IDS the packet “lights up” like a Christmas tree, hence the name.
The Maimon scan is named after its discoverer. While scanning BSD-based systems, this researcher found that they did not behave as expected after receiving a packet with the FIN and ACK flags set.
If the port was open, the operating system dropped the packet instead of responding with a RST.
These kinds of scans are nowhere near as useful as they were decades ago. Not only are they likely to be recognised by IDSs and firewalls, they also do not deliver trustworthy findings about port status.
UDP Scanning
UDP scan is a type of port scan that uses the UDP protocol to probe for open ports on a remote host. If a UDP packet is sent to a closed port, the host will respond with an ICMP port unreachable message.
Compared with TCP, UDP is a much simpler protocol. Keep in mind that TCP has to recover from duplicated or dropped segments.
UDP has no such requirement. UDP is a “best effort” protocol: there is no guarantee that a packet will reach its destination once it has left the sender, and the receiver does not tell the sender whether it arrived.
This one significant difference between the two protocols is what sets scanning UDP ports apart from scanning TCP ports.
The UDP header carries only a source port and a destination port, plus fields for the length and checksum, followed by the data.
Because nmap is less often able to determine whether a UDP port is open or filtered, it has to wait for timeouts and send more packets, which makes UDP port scans dramatically slower.
In some circumstances, nmap will try to “speed up” the process of determining whether a UDP port is open.
For the more common UDP services, nmap by default sends protocol-specific payloads chosen by destination port in an attempt to elicit a reply.
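The three UDP outcomes discussed above, reproduced offline as an added example that is not part of the original article or of nmap: a service that answers gives “open”, an ICMP port unreachable for an unbound port gives “closed”, and a bound socket whose service never replies gives the ambiguous “open|filtered”. The targets are constructed localhost sockets; `PROTOCOL_PROBES`, `start_echo_service`, `start_silent_service`, `free_udp_port` and `udp_probe` are this example’s own names, and the NTP payload in the probe table is the standard client request used to coax a reply from port 123.

```python
"""Added UDP probe that reproduces the three outcomes nmap -sU distinguishes:
a reply (open), an ICMP port unreachable (closed), or silence (open|filtered).
Targets are constructed localhost sockets so the example runs offline."""

import socket
import threading

# Constructed protocol-specific payloads, chosen by destination port the way
# nmap does for common UDP services. The NTP entry is a standard client
# request (version 3, mode 3); any other port gets an empty datagram.
PROTOCOL_PROBES = {
    123: b"\x1b" + 47 * b"\x00",
}


def start_echo_service():
    """Constructed 'open' UDP port whose service answers every datagram."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(1024)
            except OSError:          # socket closed
                return
            srv.sendto(b"echo:" + data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def start_silent_service():
    """Constructed 'open' UDP port whose service never replies: the kernel
    queues the datagram and generates no ICMP error, so the scanner sees nothing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv


def free_udp_port():
    """Constructed 'closed' port: an ephemeral UDP port nothing is bound to."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def udp_probe(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'open|filtered' for one UDP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    # A connected UDP socket is what makes the ICMP port-unreachable error
    # visible to the application, as ConnectionRefusedError on recv().
    s.connect((host, port))
    try:
        s.send(PROTOCOL_PROBES.get(port, b""))
        s.recv(1024)
        return "open"                # a service answered the payload
    except ConnectionRefusedError:
        return "closed"              # ICMP port unreachable came back
    except socket.timeout:
        return "open|filtered"       # silence: listening-but-quiet, or dropped
    finally:
        s.close()


if __name__ == "__main__":
    echo, quiet = start_echo_service(), start_silent_service()
    for port in (echo.getsockname()[1], quiet.getsockname()[1], free_udp_port()):
        print(f"{port}/udp {udp_probe('127.0.0.1', port)}")
    echo.close()
    quiet.close()
```

The silent case is the one that makes UDP scanning slow: the only way to tell it apart from a dropped probe is to wait out the timeout, and the only way to turn “open|filtered” into “open” is a payload the service is willing to answer, which is what the PROTOCOL_PROBES table (and nmap’s own payload database) is for.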
OS Fingerprinting Techniques
TCP/IP fingerprinting is a method of identifying a remote host’s operating system (OS) and/or software version by analyzing the way it responds to certain network traffic. This is usually done by sending specific packets to the host and then analyzing the responses.
There are a number of tools available that can be used for TCP/IP fingerprinting, such as nmap, p0f, and Xprobe2.
Nmap accomplishes this in the same way as it accomplishes version scanning: it sends TCP, UDP, IP, and/or ICMP packets and compares the received packets to a database of known signatures.
To fingerprint an operating system, Nmap will run over two dozen different tests.
TCP/IP fingerprinting is not 100% accurate, but it can often give a good indication of what OS and/or software versions are running on a remote host.
When nmap is unsure about the results, it prints a probability for what it thinks the target operating system is, and it may list more than one vendor and/or version of the operating system.
As with version scanning, determining which operating system the target is running can help attackers narrow down the types of exploits to try.
Occasionally you will see that the operating system on the target is most likely an older version of Windows.
What you do know then is that it is almost certainly a Windows client system, which implies a standard user logging in and running standard applications such as web browsers and other client software.
From there, an attacker can send phishing e-mails to employees in the company, attempting to exploit client software such as Internet Explorer or Adobe Acrobat.
Version Scanning
Nmap can go beyond port scanning to try to figure out what service and version is listening on a specific target port for incoming connections.
You can enable this by using the -sV option.
This is particularly valuable in pentesting because it can help you narrow down a vast number of potential vulnerabilities and exploits to just a few, if not just one.
Nmap accomplishes this by sending specially constructed packets to open ports and comparing the replies against a database of known responses.
The difference from protocol-specific probes is that version scanning probes every open port for many known services, whereas a protocol-specific probe only sends a UDP port the payload for its default service.
For example, you are probably aware that HTTP uses TCP port 80 by default. If you scan a host with version scanning enabled and discover that TCP ports 22, 80, 8080, and 4444 are open, nmap will try to work out which service versions are listening on all of those open ports.
As you would expect, this not only lengthens the scan but also makes it much noisier, because the number of packets sent to your target increases dramatically.
In exchange for that loss of stealth you gain accuracy. Version scanning not only lets you tell whether a UDP port is actually open rather than open|filtered, it also helps you get past some firewall behaviours.
If a firewall sits between the pentester and the target, the tester may in some cases receive a generic “open” result from the firewall rather than from the target host.
That only means traffic on that port is allowed through the firewall, not that the target’s default service is listening there. With version detection enabled, nmap can tell whether a port is really open by identifying the version of the service running on it.
Version scanning can also help you find services that systems administrators are trying to “hide.”
Netcat
Netcat is a network utility that can be used for a variety of purposes, such as port scanning, file transfers, and port forwarding. It is often referred to as the “Swiss army knife” of networking tools.
It’s a very adaptable and simple-to-use programme that works on both Linux and Windows hosts. It can function as a network client or as a server in a standard client-server arrangement, with one end configured as a server, or “listener.”
The netcat client does not need to connect to a netcat listener. It can be used as a port scanner and a version scanner, for example.
| Option | Definition |
| --- | --- |
| -l (lowercase L) | Puts netcat into listen mode. |
| -p <port> | Used together with the listen option, tells netcat which port to listen on. |
| -v | Specifies verbose output. Use -vv for more verbosity. |
| -n | Does not resolve IP addresses to hostnames. |
| -e <filename> | Executes the specified program upon connection. |
| -L | “Listen harder”, a Windows-only option that keeps netcat in listen mode after a client disconnects. |
| -u | Puts netcat into UDP mode. Default is TCP mode. |
| -z | Puts netcat into Zero I/O mode, which can be used for scanning. |
| -w <X> | Sets the timeout to <X> seconds. |
By default, if a connected client disconnects while netcat is in listen mode, the listener exits.
You can use the -L option on Windows to have it “listen harder.”
Even if a client disconnects, netcat will stay in listen mode.
When you’re worried about losing access to a specific target, this becomes crucial. If you don’t know the difference between the two “listen” options, staying persistent will be challenging.
The most important thing to remember when using netcat as a port scanner is to use both the Zero I/O and verbose modes. Netcat can be run in Zero I/O mode to automate the port scanning operation, and the verbose option directs it to return success and error messages.
While netcat is a versatile tool, it is also quite quiet by default, which means it doesn’t give the user much in the way of feedback. As a result, the verbose option gives you the most information available.
By default, netcat lets you send and receive data over the connection. This comes in handy when trying to identify programme versions.
Netcat’s strength comes from the fact that it’s frequently disregarded by system administrators when setting up or installing new Linux servers, and it rarely, if ever, requires root rights to execute.
While it’s doubtful that you’ll find nmap installed by default on your target Linux servers, you may utilise netcat and your scripting skills to rapidly construct a Bash or Python script, or a one-liner, to port-scan internal hosts once you’ve established that initial foothold.
The disadvantage: because netcat isn’t nearly as quick as nmap, you’d better have done your homework. Knowing exactly which ports to target will make this “poor man’s” network scanner run much faster.
There are some circumstances in which netcat requires root capabilities. When setting up netcat listeners, those precise cases will be discussed if necessary.
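The “communicate data to identify programme versions” idea from the netcat section, together with the version-scanning behaviour from the Version Scanning section (a null probe first, then a protocol probe if the service stays quiet), as one added example that is not part of the original article, of netcat or of nmap. Both target services are constructed on localhost: one greets immediately like an SSH daemon, one only answers an HTTP request; `SIGNATURES`, `start_service`, `grab_banner`, `identify` and `version_scan` are this example’s own names, and the signature table is a constructed stand-in for nmap’s far larger database.

```python
"""Added banner grabbing / version identification in the style of nc -v and
nmap -sV: connect, read whatever the service volunteers, and if it stays
quiet send an HTTP probe. Services and signatures are constructed."""

import re
import socket
import threading

# Constructed services: one greets immediately (SSH style), one speaks only
# when spoken to (HTTP style).
SSH_BANNER = b"SSH-2.0-ConstructedSSH_9.9\r\n"
HTTP_REPLY = b"HTTP/1.0 200 OK\r\nServer: ConstructedHTTPd/0.1\r\n\r\n"


def start_service(banner=None, reply=None):
    """Constructed TCP service on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            if banner:
                conn.sendall(banner)         # volunteer a greeting
            if reply:
                conn.settimeout(3)
                try:
                    if conn.recv(1024):      # wait for a request, then answer
                        conn.sendall(reply)
                except OSError:
                    pass

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                  # listener closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


# Constructed signature table: (service name, regex over the bytes received).
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-[\d.]+-(?P<version>\S+)")),
    ("http", re.compile(rb"^HTTP/[\d.]+ \d{3}.*?\r\nServer: (?P<version>[^\r\n]+)", re.S)),
]


def grab_banner(host, port, timeout=1.0):
    """Null probe first (just listen, as nc -v host port would show you);
    if nothing arrives within the timeout, send an HTTP HEAD and read the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        try:
            data = s.recv(1024)
        except socket.timeout:
            pass                             # quiet service: needs a protocol probe
        if not data:
            try:
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                data = s.recv(4096)
            except OSError:
                pass
        return data


def identify(data):
    """Match the received bytes against SIGNATURES -> (service, version)."""
    for name, pattern in SIGNATURES:
        m = pattern.match(data)
        if m:
            return name, m.group("version").decode(errors="replace")
    return "unknown", ""


def version_scan(host, ports):
    """Banner-grab and classify each port, the way -sV follows a port scan."""
    return {port: identify(grab_banner(host, port)) for port in ports}


if __name__ == "__main__":
    ssh, http = start_service(banner=SSH_BANNER), start_service(reply=HTTP_REPLY)
    for port, (svc, ver) in version_scan("127.0.0.1", [ssh.getsockname()[1], http.getsockname()[1]]).items():
        print(f"{port}/tcp {svc} {ver}")
    ssh.close()
    http.close()
```

The two-stage approach is why version scanning is noisy: a chatty service costs one connection, but a quiet one costs a connection plus at least one unsolicited request per probe, and each of those requests is something the service (and anything watching it) gets to log.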
Questions
What is TCP connect scan in Nmap?
A TCP connect scan is a type of network scanning technique that uses the Transmission Control Protocol (TCP) “connect” call to determine which ports on a target host are open.
What is TCP connect full open scan?
A full open scan completes a TCP three-way handshake before reporting on any port of the target system, with the goal of determining whether each port is open or closed.
TCP full open scan vs. TCP full connect scan
A full open scan is an active reconnaissance technique in which an attacker attempts to connect to every port on a target system in order to determine which ones are open.
A full connect scan, on the other hand, is a passive reconnaissance technique in which an attacker simply observes traffic flowing to and from a target system in order to determine which ports are open.
What is the purpose of TCP connect scan?
The purpose of a TCP connect scan is to determine which ports on a target system are open and listening for incoming connections. By establishing a connection with each port, the attacker can determine which ones are open and which ones are closed.
What is the purpose of TCP SYN scan in Nmap?
The purpose of a TCP SYN scan is to determine which ports on a target system are open and listening for incoming connections. By sending a SYN packet to each port, the attacker can determine which ones are open and which ones are closed.
UDP scan vs. TCP scan
There are several key differences between UDP scans and TCP scans.
UDP scans are typically used to find open UDP ports, while TCP scans are used to find open TCP ports. UDP scans are generally less reliable than TCP scans, as UDP is a connectionless protocol and therefore does not guarantee that packets will be delivered.
Additionally, UDP scans can often be blocked by firewalls, while TCP scans can often bypass them.
Why is UDP scanning slow?
UDP scanning is slow because it is a connectionless protocol and therefore does not guarantee that packets will be delivered. Additionally, UDP scans can often be blocked by firewalls.
What is netcat used for?
Netcat is a network utility that can be used for a variety of tasks, such as port scanning, banner grabbing, and buffer overflows.
How do I get netcat on Linux?
Netcat can be installed from most Linux distributions’ package repositories. For example, on Ubuntu, it can be installed with the command sudo apt-get install netcat.
How do I use netcat for port scanning?
To use Netcat for port scanning, simply specify the host and port(s) you wish to scan, like so: nc -v host port1 port2 port3.