Scanning Networks

30 Sep 2019

  1. Foot Printing and Recon
  2. Scanning Networks
  3. Gaining Access
  4. Maintaining Access
  5. Covering Tracks

Phase 2: Scanning

  • Learn the types of devices on the network.
  • Check for listening services and open ports.
  • Determine the operating systems on the network.
  • Monitor for data being sent over the network in clear text.

Network Scanning

  • Develops a profile of a target organisation.
  • Can be a valuable tool for an analyst.

Scanning Techniques

  • Ping Sweep
  • Port Scan
  • Network Mapping
  • OS Fingerprinting

Vulnerability Scan

First stage of testing; can be run by anyone, normally an in-house security specialist. Generates a comprehensive report. These scans should be performed on a regular basis.

Penetration Tester

Requires the expertise of a skilled tester, normally an outside consultant, who produces a report with methodologies and possible solutions to problems for an executive audience. Should be performed once a year; costs can range into the thousands.

Regulation Requirements

  • PCI
  • GLBA
  • Sarbanes-Oxley

Scanning on IPv6 Networks

  • Manual - Pattern recognition.
  • SLAAC - Addresses built from the interface MAC (EUI-64 format) contain FFFE in the middle, and the vendor part of the MAC is commonly shared across NICs from the same vendor.
  • DHCPv6 - Predictable patterns.
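The SLAAC pattern above can be checked on your own address inventory. This is an added example, not code from the original notes: it recovers the MAC (and so the vendor OUI) from any EUI-64 interface identifier and reports which addresses leak it. The sample addresses are constructed.

```python
import ipaddress

# Constructed sample addresses (not from the page): one SLAAC/EUI-64 address,
# one privacy-extension (RFC 4941) address and one sequential DHCPv6-style address.
SAMPLE_ADDRESSES = [
    "2001:db8:1::21a:2bff:fe3c:4d5e",   # EUI-64 built from MAC 00:1a:2b:3c:4d:5e
    "2001:db8:1::8d2e:1f4a:9c0b:77e1",  # random temporary address, nothing to recover
    "2001:db8:1::1000",                 # predictable DHCPv6-style suffix
]

def eui64_to_mac(addr: str):
    """Return the MAC embedded in an EUI-64 IPv6 address, or None if not EUI-64.

    The interface identifier (low 64 bits) is the 48-bit MAC with 0xFFFE inserted
    between the OUI and the device part, and the universal/local bit (bit 1 of
    the first byte) flipped.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                      # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each EUI-64 address to the MAC and vendor OUI it exposes."""
    findings = {}
    for a in addresses:
        mac = eui64_to_mac(a)
        if mac is not None:
            findings[a] = {"mac": mac, "oui": mac[:8]}
    return findings

if __name__ == "__main__":
    for addr, info in audit(SAMPLE_ADDRESSES).items():
        print(f"{addr} leaks MAC {info['mac']} (OUI {info['oui']})")
```

Hosts that show up here are candidates for enabling privacy extensions or static addressing so the hardware vendor is not advertised in every packet.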

Port Scanning

Identifies which ports and services are open and records information based on the responses to the queries.

A precursor to an attack, so measures need to be taken to protect devices.

Firewall Responses

  • Open and Listening
  • Closed and Denying
  • No reply - in stealth mode

Firewalls and IPS can use adaptive firewall responses if port scanning is detected.

Scanning Methods: Detection Avoidance

  • Strobe mode - quietly checks a few ports at a time.
  • Stealth mode - uses scans designed to avoid detection.


DNS security weaknesses:

  • Modifying records at the domain.
  • DDoS against DNS infrastructure.
  • Cache Poisoning.
  • WHOIS directory information.

Good Practice

  • Restrict Zone Transfers
  • Deny inbound connections to TCP port 53
  • Consider using DNSSec
  • Conceal information at the registrars on file
  • Use split horizon or split DNS
  • Don’t provide recursive services to the public
  • Monitor your DNS infrastructure.


In ethical hacking, ICMP packets are used to discover live hosts and network topology, detect firewalls and fingerprint operating systems.

Best Practice

  • ICMP Type 3 and Type 4 are required; the rest are optional.

Banner grabbing is used to find out more information about the target host, such as the operating system, open ports and services.

Prevent banner grabbing by:

  • Mask or disable the webserver information.
  • Hide file extensions.
  • Disable unnecessary services.

Passive operating system discovery

  • BROWSER protocol - shares information about devices and services.
  • HTTP Headers - can provide information about the server.

Internet of Everything IoT

A self-configuring network that allows devices to join, leave and learn about other devices.

Universal plug and play (UPnP)

  • Provides discovery and advertisements
  • Awareness of services and devices on the network

Simple Service Discovery Protocol (SSDP)

Drafted in late 1999

  • Enables clients to discover network services
  • Little or no static configuration required
  • Used for passive discovery of network devices

Best Practices

  • Configure the registry to disable discovery messages
  • Disable SSDP in the group policy object
  • Create firewall rules to allow only trusted hosts on inbound port 1900/UDP

Vulnerability Scanning

Probes targets on the network:

  • Detect open ports
  • Determines software, OSs, and versions
  • Identifies known vulnerabilities

Information Systems

The software side; drives business processes and decision making. Includes:

  • DBMS,
  • DSS,
  • MIS

Information Technology

The hardware side:

  • Computers
  • Networking Devices

Both work together in an organisation and both should be tested.

Two types of scanning:

Unauthenticated Scan

  • Find basic configuration issues
  • Uses no username or passwords
  • Simple to run
  • Will miss many vulnerabilities

Authenticated Scan

  • Uses a valid username and password
  • Mimic a user on the system or website
  • More aggressive - can see inside a system
    • Closer look at software, versions
    • Netstat
  • Some use of brute force techniques
    • Can cause crashes
  • More thorough and provides a comprehensive report.

Evading Detection

Intrusion Detection Systems

  • Intrusion Detection or Prevention System
  • Monitors the network for unusual or suspicious activity.
  • Stand-alone or integrated within an ASA or router.
  • Detection - Works out of band to identify malicious activity.
  • Prevention - Works in line to block attacks.

When scanning you can hide your host IP address by using the -D option; this is called “Cloaking with Decoys” but doesn’t work with all types of scans.

Total stealth mode uses an IDLE scan, which relies on a bystander or zombie host.

Spoof your MAC or IP address.

A Christmas Tree attack sends a large number of packets with the FIN, PSH and URG flags set. This could be avoided by older systems.

IP Fragmentation Scan

Splits an IP packet into fragments to avoid detection, as the target would need to fully reassemble the packet to identify the host.

  • Used to avoid detection
  • Can overwhelm and crash a device

Tiny fragmented IP packets split the TCP header over several packets.

nmap -f <IP addr>

IP fragmentation can only occur on devices that allow this type of packet.

Staying Anonymous

  • Use private browsing
  • Use Browser extensions
    • Privacy Badger
  • Use password manager
  • Use DuckDuckgo

  • Information stored in Cookies, some can be dangerous
  • HTTP doesn’t keep a record of past visits (stateless protocol)
  • Personal VPN
  • Temp email addresses (10MinuteEmail)

  • Mobile Users
    • Don’t use your phone (burner phones for use case)
    • Don’t use Google
    • Disable GPS
    • Think about the apps installed

Concealing and Spoofing

Hiding with Onion Routing (TOR)

  • Encrypts and moves traffic within the TOR network.
  • Enables anonymous browsing.
  • Nodes know their neighbours but nothing else.
  • Ensure safe browsing
    • Don’t torrent.
    • Don’t install or enable plugins (Flash, Quicktime).
    • Only use HTTPS (HTTPS Everywhere plugin).
    • Don’t open documents while online.

TOR Flow Map

Proxifier and SocksChain

A proxy is something that acts on your behalf. Proxy chaining is where you use multiple proxy servers to conceal where the traffic came from.

SOCKS (Socket Secure)

  • SOCKS5 offers more choices for authentication plus IPv6 and UDP support.

IP address spoofing countermeasures

Conceals the identity of the hacker: the header is modified with a fake source IP address so that the packet appears to have come from another machine.

IP Spoofing has the source address modified and is normally used when no reply is required such as DDoS.

ARP Spoofing is sending counterfeit ARP messages so that the attacker’s MAC is linked with a legitimate IP address, reply packets will be returned.

Use Case:

  • Man-in-the-Middle Attack
    • SSL Strip - Eavesdrop
  • Denial-of-Service Attack
    • Spoofing strengthens the attack.
    • Server is not sure if requests are legitimate.

Best Practices:

  • Use cryptographic authentication methods (IPSec).
  • Use bogon filters.
  • Deny private IP addresses from coming into the network.

IP spoofing detection techniques

  • Direct TTL Probe - Only useful when the attacker is on a different segment; send a probe to the claimed source and check that the TTL of its reply matches the TTL of the suspect packet.
  • IP Identification Number - Check the IP ID numbers to ensure they are consistent with what the claimed source would send.
  • TCP Flow Control Method - An attacker cannot receive the reply to a spoofed packet, so if you send a SYN packet to the claimed source you will not receive a SYN-ACK back from the attacker.
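Two of the countermeasures above, bogon filtering and the direct TTL probe, can be combined into one ingress check. This is an added example rather than code from the notes: the probe TTL table and the sample packets are constructed, and a real deployment would fill the table from actual probe replies.

```python
import ipaddress

# Ranges that must never appear as a source on the public-facing interface:
# RFC 1918 private space plus common bogon/special-use blocks.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # private (RFC 1918)
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # this-net, loopback, link-local
    "100.64.0.0/10", "224.0.0.0/4", "240.0.0.0/4",     # CGNAT, multicast, reserved
)]

# Constructed table of TTLs measured by actively probing each claimed source
# (the "direct TTL probe" from the list above).
PROBE_TTL = {
    "198.51.100.7": 57,
    "203.0.113.9": 243,
}

def check_source(src_ip: str, observed_ttl: int, probe_ttl=PROBE_TTL):
    """Return the reasons a packet's source looks spoofed (empty list = clean)."""
    reasons = []
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in BOGON_NETS):
        reasons.append("bogon/private source on external interface")
    expected = probe_ttl.get(src_ip)
    # Tolerate a small wobble from route changes; a large gap means the packet
    # did not travel the path the claimed source actually uses.
    if expected is not None and abs(expected - observed_ttl) > 3:
        reasons.append(f"ttl {observed_ttl} differs from probed ttl {expected}")
    return reasons

# Constructed sample of inbound packets: (source address, TTL seen at the edge).
SAMPLE_PACKETS = [
    ("198.51.100.7", 57),    # matches the probe: clean
    ("192.168.1.20", 64),    # private source arriving from outside
    ("203.0.113.9", 118),    # claims a host that normally arrives with TTL 243
]

def triage(packets):
    """Map each flagged source to its list of reasons."""
    flagged = {}
    for src, ttl in packets:
        reasons = check_source(src, ttl)
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    for src, reasons in triage(SAMPLE_PACKETS).items():
        print(src, "->", "; ".join(reasons))
```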


Types of Tunneling:

  • Teredo or 6to4 tunneling for dual stack
  • IPSec, L2TP, SSL for encryption

HTTP Tunnel

  • Access programs without being monitored
  • Not a true tunnel
  • Doesn’t encapsulate within the HTTP protocol
  • Plain text
  • Sends content over port 80
  • Reverse HTTP tunnel - a dangerous application
    • Sends a CONNECT packet to a proxy
  • All traffic is tunneled inside normal GET and POST
  • This works with most proxies and firewalls

SSH Tunnel

  • Encrypted
  • Host-based authentication

Defend against tunneling

  • Allow only preapproved software
  • Close unnecessary ports and services
  • Use of anti-virus and anti-malware programs

Detecting HTTP Tunnel

HTTP connections are not persistent and have small packet sizes. Monitor for lengthy connections using port 80.

Use of an intrusion detection system (IDS):

  • Catch and mine data destined for port 80 using WireShark or NetworkMiner.
  • Inspect log files regularly.
  • Collect and analyse statistics.
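The detection advice above (long-lived or high-volume connections on port 80) can be expressed as a flow-record check. This is an added example, not code from the original notes; the flow records and thresholds are constructed and would need tuning for your own traffic.

```python
# Constructed flow records (not from the page): src, dst, dst port, duration in
# seconds, bytes sent by the client, and the number of HTTP requests observed.
SAMPLE_FLOWS = [
    #  src          dst              port  secs   bytes_out    requests
    ("10.0.0.5",   "203.0.113.10",   80,   12,    4_200,       6),      # normal browsing
    ("10.0.0.5",   "203.0.113.10",   443,  40,    9_000,       0),      # TLS, not inspected here
    ("10.0.0.8",   "198.51.100.20",  80,   3_600, 52_000_000,  1),      # one request, an hour long
    ("10.0.0.9",   "198.51.100.21",  80,   900,   1_500_000,   2_400),  # steady stream of POSTs
]

MAX_SECONDS = 300          # a normal HTTP exchange rarely stays open this long
MAX_BYTES_OUT = 5_000_000  # clients mostly download; large uploads stand out
MAX_REQ_RATE = 1.0         # sustained requests per second over the whole flow

def classify(flow):
    """Return the reasons a port-80 flow looks like a tunnel, or None if clean."""
    src, dst, port, secs, bytes_out, requests = flow
    if port != 80:
        return None
    reasons = []
    if secs > MAX_SECONDS:
        reasons.append("long-lived port-80 connection")
    if bytes_out > MAX_BYTES_OUT:
        reasons.append("large client upload over HTTP")
    if secs > 0 and requests / secs > MAX_REQ_RATE:
        reasons.append("sustained request rate looks like tunneled traffic")
    return reasons or None

def suspicious_flows(flows):
    """Map (src, dst) of each flagged flow to its reasons."""
    flagged = {}
    for flow in flows:
        reasons = classify(flow)
        if reasons:
            flagged[(flow[0], flow[1])] = reasons
    return flagged

if __name__ == "__main__":
    for pair, reasons in suspicious_flows(SAMPLE_FLOWS).items():
        print(pair, "->", "; ".join(reasons))
```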

Application Proxy Firewall

Actively Filter

  • Post Request
  • HTML Scripts
  • Host or URL “filter url http 0 0 0 0”
  • MIME and file extensions

Additional Precautions

  • Set a connection timeout (prevents lengthy connections)
  • Proxies with authentication
  • Prevent HTTP-CONNECT queries
  • Disable SSH port forwarding.

Tools

  • Nmap
  • Netcat
  • DMitry (Deepmagic Information Gathering Tool)
  • Curl
  • Armitage
  • netstat
  • Proxy Switcher
  • Proxifier
  • Proxy Workbench
  • ProxyChains
  • Acunetix - Web Vulnerability Scanner
  • Nessus
  • hPing
    • Command-line packet crafting tool (ICMP, UDP or TCP).
    • Specific flags and options can be set.
  • Nikto - Web Server Scanner
  • NetScan Tools - Paid-for suite of tools.
  • Microsoft Baseline Security Analyzer
  • Qualys Browser Check
  • Cloud Shark
  • ManageEngine OpManager
  • Solarwinds Network Topology Mapper
  • The Dude (Mikrotik)
  • Spiceworks Network Monitor
  • NetworkMiner
  • Mobile Devices
    • Fing - Network Tools
    • Net Scan
    • IP Tools: Wifi Analyzer
