
Scanning Networks



    Once the footprinting phase has been completed and you have gathered a good amount of information about your target, it is time to act on this information. At this point you try to ascertain what assets the target has and what is of value.
    The scanning process is possible in part because of the wealth of information you gathered in the footprinting and reconnaissance phase and how well you interpret that data. Using information found on discussion groups, through e-mails, at job posting sites, and by other means, you now have an idea of how to position your scan.
    Network scanning is a methodical process that involves probing a target network with the intent of finding out information about it and using that information for later attack phases. Scanning is the pre-attack phase where you will be looking for specific information based on the information that was gathered earlier.
    If you have the time, an understanding of network and system fundamentals, and thorough reconnaissance behind you, it is possible to build a reasonable picture of the target network; in some cases a better one than the victim has of their own environment. That is possible in part because rapid network growth, adoption of new technology, large support teams, business mergers, insourcing and outsourcing, and personnel turnover all erode an organization's knowledge of its own network. The people who designed the network may have drawn the initial diagram, but after they left the company or moved to new positions it was never updated as new technology was adopted, so the diagram became outdated and inaccurate.

    What should you as a penetration tester be looking to uncover and how can you reveal this information? The information you are looking to reveal can be quite varied, but generally you are keeping an eye out for things like:
    • IP addresses and open, closed or filtered ports on live hosts
    • Information on the operating systems in use and the system architecture
    • Services or processes running on live hosts

    Scanning is a set of procedures used to identify hosts, ports, and services on a target network. Scanning is considered part of the intelligence-gathering process an attacker uses to gain information about the targeted environment. Expect the information gathered during this phase to take a good amount of time to analyze; how long varies greatly with how good you are at reading the results and how many live hosts you targeted. If you performed your initial reconnaissance well, this process should not be complicated. Your knowledge will help you not only target your initial scans better, but also decipher certain parts of the results. Scanning is designed to reveal the layout of the network and the nature of the systems on it, as well as the vulnerabilities present in the environment.

    Scanning typically breaks down into one of three types...

    Port Scanning
    Port scanning is sending carefully crafted messages or packets to a target host with the intent of learning more about it. These probes are typically aimed at the well-known port numbers (0 through 1023), though limiting a scan to that range misses services on registered and high ports, so a scan of all 65535 TCP ports is worth the extra time on important hosts. Through the careful application of this technique you can learn which services a system offers to the network as a whole. By grabbing banners or observing protocol behaviour on the open ports, it is even possible to tell systems such as mail servers, domain controllers, and web servers from one another.

    Network Scanning
    Network scanning is designed to locate all the live hosts on a network. This type of scan identifies the systems that may be attacked later or that may be scanned more closely. ICMP echo (ping) sweeps are the classic approach, but many networks block ICMP at the perimeter, so TCP probes to common ports, or ARP requests when you are on the same segment, are often needed to find hosts that a ping sweep would miss.

    Vulnerability Scanning
    A vulnerability scan is used to identify weaknesses or vulnerabilities on a target system. This type of scan is quite commonly done as a proactive measure with the goal of catching problems internally before an attacker is able to locate those same vulnerabilities and act on them. Scanner output still has to be validated by hand: checks based on reported version strings produce false positives, and aggressive scan policies can disrupt fragile services, so agree the scope and timing with the owner before running one.
    Certified Security Geek