AoC 2022 Day 4: Scanning in Cyber Security
What is Scanning
Identifying live hosts, ports, and services, learning the operating system of the target system, and spotting vulnerabilities and threats in the network are all accomplished through the scanning process. These scans, which are often automated, reveal potential vulnerabilities. For attackers, scanning exposes some of the attack surface and enables the launch of focused attacks to take advantage of the system.
Scanning is classified as either active or passive based on the degree of intrusiveness to gathering information about a target system or network, as explained below:
- Passive Scanning: This method involves scanning a network without directly interacting with the target device (server, computer etc.). Passive scanning is usually carried out through packet capture and analysis tools like Wireshark; however, this technique only provides basic asset information like OS version, network protocol etc., against the target.
- Active Scanning: Active scanning is a scanning method whereby you scan individual endpoints in an IT network to retrieve more detailed information. The active scan involves sending packets or queries directly to specific assets rather than passively collecting that data by “catching” it in transit on the network’s traffic. Active scanning is an immediate deep scan performed on targets to get detailed information. These targets can be a single endpoint or a network of endpoints.
The following standard techniques are employed to scan a target system or network effectively.
A network is often made up of a number of linked hosts or computers that exchange data and resources. A network’s whole topology can be found and mapped using network scanning, including any active hosts or computers, open ports, IP addresses, and services being used by any active hosts using any active operating system. After mapping the network, an attacker uses exploits according to the target system and services identified. For example, a computer in a network with an outdated Apache version enables an attacker to launch an exploit against a vulnerable Apache server.
Port scanning is a conventional method to examine open ports in a network capable of receiving and sending data. First, an attacker maps a complete network with installed devices/ hosts like firewalls, routers, servers etc., then scans open ports on each live host. Port number varies between 0 to 65,536 based on the type of service running on the host. Port scanning results fall into the following three categories:
- Closed Ports: The host is not listening to the specific port.
- Open Ports: The host actively accepts a connection on the specific port.
- Filtered Ports: This indicates that the port is open; however, the host is not accepting connections or accepting connections as per certain criteria like specific source IP address.
The vulnerability scanning helps assess whether the system may be at risk or abused by proactively identifying the network’s weaknesses in an automated manner. There are both free and paid programs that may be used to find security holes in a target system using a built-in database of vulnerabilities. Tools like Nessus and Acunetix are frequently used by pentesters to find vulnerabilities in a system.
Network Mapper (Nmap)
Nmap is a popular tool used to carry out port scanning, discover network protocols, identify running services, and detect operating systems on live hosts. A quick summary of important Nmap options is listed below:
- TCP SYN Scan: Get the list of live hosts and associated ports on the hosts without completing the TCP three-way handshake and making the scan a little stealthier. Usage:
nmap -sS MACHINE_IP.
- Ping Scan: Allows scanning the live hosts in the network without going deeper and checking for ports services etc. Usage:
nmap -sn MACHINE_IP.
- Operating System Scan: Allows scanning of the type of OS running on a live host. Usage:
nmap -O MACHINE_IP.
- Detecting Services: Get a list of running services on a live host. Usage:
nmap -sV MACHINE_IP
Open-source software called Nikto enables for the vulnerability scanning of websites. It makes it possible to search a website for subdomains, out-of-date servers, debug messages, etc. You can access it by typing
nikto -host MACHINE_IP.
~ Source: Tryhackme.