In this blog, we will learn about Network Scanning in Computer Networks. I will explain the types and countermeasures of scanning. We will see some Cyber Security Tools that help in Network Scanning. So let’s get started with the blog.
Table of Contents
- Introduction
- Objectives of Network Scanning
- Types of Scanning in Computer Networks
- Stealth Scans
- Types of Stealth Scans
- Countermeasures for Networking Scanning
- Conclusion
- Recent Articles on Computer Networks
- Related Articles on Linux
Introduction
Network Scanning is a method of getting information such as the identification of hosts, port information, and services by scanning networks and ports.
Network scanning is commonly performed by security professionals, system administrators, or attackers for various purposes, such as network inventory, vulnerability assessment, or reconnaissance.
In simple words, Scanning refers to the process of actively probing a network or a specific host to gather information about its devices, services, and vulnerabilities.
Objectives of Network Scanning
Scanning objectives in a computer network can vary depending on the specific goals and context. Here are some common objectives of network scanning:
Network Discovery:
Scanning helps in identifying and mapping the network infrastructure. By scanning, you can determine the IP addresses, active hosts, devices, and configurations. This information is crucial for network administration, troubleshooting, and maintaining an inventory of network resources.
Security Assessment:
Scanning assists in evaluating the security posture of the network and its devices. By conducting vulnerability scans, port scans, or service discovery, security professionals can identify potential vulnerabilities, misconfigurations, or weak points in the network. This information helps strengthen security measures and mitigate potential risks.
Vulnerability Assessment:
Scanning allows for the detection of known vulnerabilities in network devices, applications, or operating systems. Vulnerability scans can provide valuable insights into security weaknesses, outdated software versions, missing patches, or default configurations that could be exploited by attackers. The objective is to identify and remediate vulnerabilities before they can be exploited.
Compliance and Auditing:
Scanning can be used to ensure compliance with industry standards, regulatory requirements, or internal policies. By conducting regular scans and assessments, organizations can demonstrate due diligence in maintaining a secure network infrastructure. Scanning helps identify any non-compliant devices, insecure configurations, or unauthorized services that need to be addressed.
Types of Scanning in Computer Networks
There are several types of scanning techniques used in computer networks. Here are some common types:
Port Scanning:
Port scanning involves scanning a target system or network to identify open ports and the services associated with those ports. It helps to determine which ports are actively listening for incoming connections.
These probes typically correspond to well-known ports or those that are less than or equal to 1024. By carefully using this technique, you can discover the services a system offers to the network as a whole.
Even during this process, it’s possible that you’ll be able to distinguish between systems like mail servers, domain controllers, and web servers.
Port scanning can be done using tools like Nmap, which sends specific network packets to target ports and analyzes the responses to identify their state (open, closed, filtered, etc.).
Vulnerability Scanning:
Vulnerability scanning involves scanning a network or specific hosts to identify known vulnerabilities and weaknesses.
It compares the system’s configuration, software versions, or patch levels against a database of known vulnerabilities.
This kind of scan is typically carried out as a preventative step with the aim of identifying vulnerabilities before an attacker can uncover and exploit them.
As well as locating hosts, access points, and open ports, a vulnerability scan will typically examine service response, categorize risks, and produce reports.
Because they are simple to carry out on their own to assess their systems, vulnerability scans are popular among businesses.
The scan results provide information on potential security issues that need to be addressed. Tools like Nessus and OpenVAS are commonly used for vulnerability scanning.
Network Discovery Scanning:
Finding all of the active/running hosts on a network is the aim of network scanning. This kind of search will identify systems that could be targeted later or that need closer inspection.
This type of scanning focuses on discovering hosts and network devices within a network. It helps identify active IP addresses, network topology, and connectivity.
Network discovery scans use techniques like ping sweeps, Address Resolution Protocol (ARP) scanning, or Internet Control Message Protocol (ICMP) scanning to identify active hosts.
Stealth Scans
A stealth scan, also known as a stealthy or stealthful scan, is a scanning technique used to probe a computer network with minimal or no footprint, aiming to avoid detection by intrusion detection systems (IDS) or other security measures.
In a stealth scan, packet flags cause the target system to reply without a completely established connection.
The objective of a stealth scan is to gather information about network hosts, services, and potential vulnerabilities without triggering alarms or raising suspicion.
Types of Stealth Scans
In ethical hacking, stealth scans are used to gather information about a target system or network while minimizing the risk of detection. These scans are designed to be low-profile and minimize the footprint left behind. Here are some common types of stealth scans:
A) Inverse Mapping Scan:
Inverse Mapping, also known as Inverse TCP Mapping or Inverse TCP Flag Scanning, is a technique used in ethical hacking to identify open ports on a target system.
It relies on sending TCP packets with specific combinations of TCP flags and analyzing the responses to determine port status.
Here’s how the Inverse Mapping scan works:
- The attacker sends TCP packets with specific flag combinations, such as SYN-ACK, FIN-ACK, or RST, to a range of ports on the target system.
- The attacker then analyzes the responses received from the target system. Based on the responses, they can infer the port status:
Condition 1: If the attacker receives an SYN-ACK packet in response, it indicates that the port is closed or filtered, as the target system should not have sent an SYN-ACK in response to an unexpected SYN-ACK packet.
Condition 2: If the attacker receives an RST packet in response, it indicates that the port is open or unfiltered. This means the target system sent an RST packet in response to the unexpected TCP packet, which suggests the port is open and actively rejecting connections.
Condition 3: If no response is received, it can indicate that the port is filtered by a firewall or some other mechanism. The lack of response does not necessarily mean the port is closed; it means that the attacker did not receive any conclusive information about the port status.
B) TCP SYN Scan (Half-Open Scan):
TCP half-open scanning, also known as SYN scanning or stealth scanning, is a technique used in computer network reconnaissance to determine if specific ports on a target system are open, closed, or filtered. It is a type of port-scanning method.
In a TCP half-open scan, the scanner sends an SYN packet to the target system, but instead of sending an ACK packet in response to the SYN-ACK from the target, it simply ignores the response.
By doing this, the scanner does not establish a full connection with the target system, hence the term “half-open.” The purpose of this technique is to avoid fully opening a connection, which can be logged by intrusion detection systems (IDS) or firewalls.
The scanner sends an SYN packet to each port it wants to check, and
- If the target responds with an SYN-ACK packet, it means the port is open.
- If the target responds with an RST (reset) packet, it means the port is closed.
- If the scanner does not receive any response, it indicates that the port is filtered or blocked by a firewall.
C) TCP FIN Scan:
A TCP/FIN scan is a technique used in network scanning to identify open ports on a target system. It leverages the TCP (Transmission Control Protocol) FIN flag to probe a target system’s ports and determine their state.
When a TCP connection is established and data transmission is complete, the FIN (finish) flag is used to signal the end of the connection. A FIN scan takes advantage of this behavior by sending TCP packets with only the FIN flag set, without initiating a full three-way handshake.
Here’s how a TCP FIN scan works:
Target selection:
The attacker selects a target IP address or a range of IP addresses to scan for open ports.
Port scanning:
The attacker sends TCP packets to the target system’s ports, with only the FIN flag set, and without any data payload. The attacker typically sends multiple packets to different ports to scan for open, closed, or filtered ports.
Response analysis: The target system responds to the received packets in different ways depending on the state of the port:
Conditions:
A) If the port is closed: The target system sends a TCP RST (reset) packet in response to the FIN packet, indicating that the port is closed and the service is not listening on that port.
B) If the port is open: The target system does not respond to the FIN packet, or it may send a TCP RST packet if the port is open but does not have an active service listening on it.
C) If the port is filtered: In some cases, firewalls or network filtering devices may be configured to drop incoming packets silently. In such cases, the attacker may not receive any response from the target system, making it difficult to determine the state of the port.
Conclusion:
Based on the responses received from the target system, the attacker can determine the state of each probed port. If a response is received indicating that the port is closed, it implies that the port is not actively listening for connections. If there is no response or an error message is received, it suggests that the port may be open or filtered.
It’s important to note that TCP FIN scanning is considered stealthy because it does not complete the full TCP handshake, making it harder to detect compared to other scanning techniques
D) TCP NULL Scan:
In a TCP Null scan, the attacker sends TCP packets with all the TCP flags set to zero (i.e., no flags are set). This is in contrast to regular TCP packets that have specific flags set for various purposes (e.g., SYN, ACK, RST).
Here’s how a TCP Null scan works:
Target selection:
The attacker selects a target IP address or a range of IP addresses to scan for open ports.
Port scanning:
The attacker sends TCP packets to the target system’s ports with all the TCP flags set to zero and without any data payload. The attacker typically sends multiple packets to different ports to scan for open, closed, or filtered ports.
Response analysis: The target system responds to the received packets in different ways depending on the state of the port:
- If the port is closed: The target system should respond with a TCP RST (reset) packet since a TCP Null packet violates the TCP protocol. The RST packet indicates that the port is closed and not actively listening for connections.
- If the port is open: The target system does not respond to the Null packet because it does not violate any TCP rules. This lack of response indicates that the port is open and not responding with a TCP RST packet.
- If the port is filtered: Similar to the TCP FIN scan, if a firewall or network filtering device is in place and configured to drop packets silently, the attacker may not receive any response, making it difficult to determine the state of the port.
Conclusion:
Based on the responses received (or lack thereof) from the target system, the attacker can determine the state of each probed port.
If a TCP RST packet is received, it indicates that the port is closed. If there is no response, it suggests that the port may be open, while a filtered state makes it challenging to determine the port’s actual state.
E) TCP Xmas Scan:
In a TCP XMAS scan, the attacker sends TCP packets with the URG (urgent), PSH (push), and FIN (finish) flags set to 1 and all other flags set to 0. This combination of flags resembles a “lit-up” or “XMAS tree” packet, hence the name XMAS scan.
Here’s how a TCP XMAS scan works:
Target selection:
The attacker selects a target IP address or a range of IP addresses to scan for open ports.
Port scanning:
The attacker sends TCP packets to the target system’s ports with the URG, PSH, and FIN flags set to 1 and all other flags set to 0. These packets are sent without any data payload. The attacker typically sends multiple packets to different ports to scan for open, closed, or filtered ports.
Response analysis: The target system responds to the received packets in different ways depending on the state of the port:
A) If the port is closed:
The target system should respond with a TCP RST (reset) packet since the combination of URG, PSH, and FIN flags violates the TCP protocol. The RST packet indicates that the port is closed and not actively listening for connections.
B) If the port is open:
The target system does not respond to the XMAS packet because it does not recognize the combination of flags as a valid TCP packet. This lack of response suggests that the port is open and not responding with a TCP RST packet.
C) If the port is filtered:
Similar to other scan techniques, if a firewall or network filtering device is in place and configured to drop packets silently, the attacker may not receive any response, making it difficult to determine the state of the port.
It’s important to note that TCP XMAS scans are considered stealthy because the combination of URG, PSH, and FIN flags is unusual and unlikely to occur in regular TCP traffic.
It’s important to note that while stealth scans are useful for minimizing detection, the use of such techniques should always comply with legal and ethical boundaries. Conducting any form of scanning or testing without proper authorization is illegal.
Countermeasures for Networking Scanning
To mitigate the risks associated with network scanning and protect your network infrastructure, you can implement various countermeasures. Here are some effective countermeasures for network scanning:
Firewall Configuration:
Configure firewalls to filter and block unauthorized scanning attempts. Ensure that only necessary ports are open and that access is restricted to trusted IP addresses or networks. Regularly review and update firewall rules to maintain an effective defense.
Intrusion Detection/Prevention Systems (IDS/IPS):
Implement IDS/IPS solutions to monitor network traffic and detect suspicious or unauthorized scanning activities. These systems can help identify and respond to scanning attempts in real time, providing alerts or automatically blocking the source of the scans.
Network Segmentation:
Segment your network into separate subnets or VLANs to limit the impact of scanning activities. By separating critical assets from the rest of the network, you can contain potential vulnerabilities and reduce the potential damage caused by successful scans.
Network Monitoring and Log Analysis:
Deploy network monitoring tools to continuously monitor network traffic and log events. Analyzing network logs can help identify scanning attempts, anomalies, or suspicious activities. Monitoring can provide valuable insights into potential security risks and help in responding promptly.
Network Access Controls:
Implement strong access controls, including strong passwords, multi-factor authentication, and least privilege principles. Restrict administrative access to critical network devices and regularly review and update access privileges.
Threat Intelligence:
Stay informed about emerging threats and vulnerabilities by leveraging threat intelligence sources. Regularly update your knowledge of known scanning techniques and common vulnerabilities, allowing you to proactively address potential risks.
By implementing these countermeasures, you can significantly reduce the risk posed by network scanning and enhance the security posture of your network infrastructure.
Conclusion
It is important to note that while network scanning can be used for legitimate purposes like network administration and security assessments, unauthorized or malicious scanning can violate laws and regulations. It is crucial to obtain proper authorization before conducting any scanning activities on a network you don’t own or manage.
Recent Articles on Computer Networks
- Introduction to Computer Networking | What is Computer Network
- What are Topology & Types of Topology in Computer Network
- What is FootPrinting in Cyber Security and its Types, Purpose
- Introduction to Cloud Computing | What is Cloud Computing
- Distributed Shared Memory and its advantages and Disadvantages
- What is VPN? How doe VPN Work? What VPN should I use?
- What is an Internet and How the Internet Works
- What is a Website and How Does a Website or web work?
- Introduction to Virus and different types of Viruses in Computer
- What is TCP and its Types and What is TCP three-way Handshake
- What is UDP Protocol? How does it work and what are its advantages?
- What is an IP and its Functions, What is IPv4 and IPv6 Address
- What is MAC Address and its Types and Difference MAC vs IP
- What is ARP and its Types? How Does it Work and ARP Format
- Sessions and Cookies and the Difference Between Them
- What is ICMP Protocol and its Message Format?
Related Articles on Linux
- What is Linux Operating System | Introduction to Linux
- Directory in Linux Define | Linux Directory & its Commands
- Explain the chmod command in Linux | Linux chmod command
- Linux User Management || User Management in Linux
- Linux Computer Network Advanced Command | Network Command
- Redirection in Linux I/O| Linux I/O Redirection
