Scanning is the phase in which additional information is gathered about a target host or network. Network scanning means identifying the live hosts on the network, the ports they expose and the services listening on those ports, and then looking for vulnerabilities in the services that are reachable. How a scan is carried out differs from network to network: it depends on the network configuration, on whether a firewall sits between the scanner and the target, and on whether the organisation itself scans its network as a defensive measure.

Types of Scanning

1. Port Scanning : Port scanning identifies which ports on a target are open and which services are listening on them. It works by sending a series of probe packets to the target's ports and interpreting the replies. Port scanning covers both TCP and UDP ports.

2. Network Scanning : Network scanning is the process of identifying the live hosts on a network, either by pinging them or, when firewall rules block ICMP, by more advanced probing techniques.

3. Vulnerability Scanning : As the name suggests, vulnerability scanning is the process of finding known vulnerabilities or weaknesses in the hosts and services discovered on the network or system.




Before you dive into network scanning techniques you should understand TCP/IP and the TCP flags; the previous blog post explains the TCP flags.

Network And Port Scanning

ICMP Scanning : ICMP (Internet Control Message Protocol) scanning, better known as ping, sends an ICMP Echo Request to a host and treats an Echo Reply as proof that the host is live. Network devices such as routers, switches and firewalls, and every computer connected to a network, use ICMP through the ping command for connectivity tests. To ping a host from Windows or Linux, type the following command into the command prompt or terminal:

ping 192.168.0.1      (replace with the target IP address or domain name)
ping www.google.com

ICMP Echo Scanning : A single ping checks one particular host. An ICMP echo scan (ping sweep) sends an Echo Request to every address in a subnet and records which ones reply, producing a list of the live hosts in that network. Sending one request to the subnet's broadcast address is the older variant, but most modern hosts ignore broadcast echo requests, so sweep tools probe each address individually. An ICMP echo sweep can be done with Nmap (host discovery, -sn -PE), Angry IP Scanner or hping3.
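The sweep described above, written out as an added example (this is not code from the original post): every address in a CIDR block is probed in parallel with the operating system's ping binary, so no raw-socket privileges are needed. The network 192.168.0.0/24, the ping flags (iputils ping on Linux: -c count, -W timeout in seconds; -n/-w on Windows; macOS takes -W in milliseconds and is not handled) and the `probe` parameter, which lets a different probe function be swapped in for the real ping, are assumptions of this example.

```python
import ipaddress
import platform
import subprocess
from concurrent.futures import ThreadPoolExecutor


def hosts_in(network: str):
    """Every usable host address in a CIDR block (network and broadcast addresses excluded)."""
    return [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]


def ping_host(ip: str, timeout_s: int = 1) -> bool:
    """Send one ICMP Echo Request via the system ping; True if an Echo Reply came back.
    Assumes Linux iputils flags (-c/-W) or Windows flags (-n/-w, timeout in ms)."""
    if platform.system().lower() == "windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), ip]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), ip]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return done.returncode == 0          # ping exits 0 only when a reply was received
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False                         # hung probe or no ping binary: treat as down


def sweep(network: str, probe=ping_host, workers: int = 64):
    """Ping sweep: probe every host in the block concurrently and return the live ones,
    sorted numerically. `probe` is injectable so the logic can be exercised offline."""
    hosts = hosts_in(network)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = list(pool.map(probe, hosts))
    return sorted((h for h, up in zip(hosts, alive) if up), key=ipaddress.ip_address)


if __name__ == "__main__":
    for ip in sweep("192.168.0.0/24"):      # assumed target subnet
        print("live host:", ip)
```

Hosts that drop ICMP (a common firewall policy) simply never appear in the list, which is why the page's later TCP-based techniques exist.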



TCP Connect/Full Open Scan : TCP connect is the most reliable TCP scanning technique because it uses the operating system's ordinary connect() call. The scanner attempts a complete TCP three-way handshake with the target on each port in the list (if no ports are specified, a scanner such as Nmap falls back to its default list of common ports).

                                 




If the port is open the target replies to the SYN with SYN/ACK and the scanner completes the handshake with an ACK; as soon as the connection is established the scanner tears it down, typically by sending an RST packet.


If the port is closed, the target replies to the SYN with an RST packet. The drawback of the full open scan is that it is easily detected: because the handshake completes, the listening application receives a real connection, and the target's logs record that connection and therefore the scan.

Stealth Scan/Half Open Scan : The half open (SYN) scan never completes the TCP connection. The attacker sends a SYN packet to the target port; if the port is open, the target replies with SYN/ACK exactly as in a normal handshake. The attacker is now supposed to send the ACK that completes the handshake, but instead sends an RST packet to abort the connection, so the handshake is never finished.


If the port is closed, the target replies to the SYN with an RST packet.



Attackers use the SYN scan because the connection never completes: the listening application is never handed a connection, so it logs nothing, and the scan produces less unusual traffic than a full connect scan. A stateful firewall or an IDS can still see the SYN and the half-open attempt, so "stealth" is relative.



Xmas Scanning : An Xmas scan sends a TCP packet with the FIN, URG and PSH flags set to the target port. If the port is open, the target does not respond at all.



If the port is closed, the target responds with an RST packet. Because silence can also mean that a firewall dropped the probe, a non-responding port is really "open or filtered", not simply open.

The advantage of the Xmas scan is that it never attempts a three-way handshake, so simple IDS rules that watch for SYN probes can miss it. It only works against TCP stacks that follow RFC 793 (most Unix/Linux systems). Windows, and some other stacks, reply with RST from every port regardless of its state, so every port appears closed and the scan reveals nothing.




ACK Probe Scanning : The attacker sends packets with only the ACK flag set to the target ports and inspects the replies. An ACK probe does not by itself tell whether a port is open or closed; its purpose is to map firewall rules. If a stateful firewall sits in front of the target it drops the unsolicited ACK (no connection it knows of matches the packet), so the attacker receives no response and the port is reported as filtered.




If there is no firewall (or the firewall is stateless and passes ACK packets), the target replies with an RST packet whether the port is open or closed, and the port is reported as unfiltered.

ACK scan when firewall is not present

A variant, the window scan, goes one step further: when the RST comes back, the attacker examines the TCP window field in the RST header. On some older operating systems the window is non-zero for open ports and zero for closed ports, so open and closed can be told apart. ACK probes evade IDS detection in many cases but not always, and the window-size trick works only against those older stacks.
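The SYN, Xmas, ACK and window scans above all differ only in which flags the probe carries and how the reply (or silence) is interpreted. The block below is an added example, not code from the original post, that builds the raw 20-byte TCP header for each probe, parses the flag and window fields of the reply, and applies the classification rules from the text; `target_reply` is a constructed model of how a host answers, standing in for a live network, with switches for a Windows-style non-RFC 793 stack and for a stateful firewall dropping ACKs. The source port 40000, the window value 1024 used for the "older stack" RST, and the zero checksum (a raw-socket sender such as hping3 or scapy would compute it over the IP pseudo-header) are assumptions of the example.

```python
import struct
from typing import Optional

# TCP flag bits in the low byte of the header's offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBES = {"syn": SYN, "xmas": FIN | PSH | URG, "ack": ACK, "window": ACK}


def build_tcp_header(sport: int, dport: int, flags: int, window: int = 1024) -> bytes:
    """Minimal 20-byte TCP header, no options. Checksum left at zero (assumption): a raw
    sender fills it in using the IP pseudo-header."""
    offset_and_flags = (5 << 12) | flags         # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_and_flags, window, 0, 0)


def tcp_flags(header: bytes) -> int:
    """Six flag bits from octets 12-13 of a raw TCP header."""
    return struct.unpack("!H", header[12:14])[0] & 0x3F


def tcp_window(header: bytes) -> int:
    """Advertised window from octets 14-15."""
    return struct.unpack("!H", header[14:16])[0]


def target_reply(probe: bytes, port_open: bool, rfc793: bool = True,
                 stateful_fw: bool = False) -> Optional[bytes]:
    """Constructed model of the target: rfc793=False imitates Windows-style stacks that RST
    every FIN/Xmas probe; stateful_fw=True drops unsolicited ACKs. For the window scan the
    RST window is non-zero on open ports, as on the older stacks the text refers to."""
    sport, dport = struct.unpack("!HH", probe[:4])
    flags = tcp_flags(probe)
    rst = build_tcp_header(dport, sport, RST | ACK, window=0)
    if flags & SYN and not flags & ACK:                      # connection request
        return build_tcp_header(dport, sport, SYN | ACK) if port_open else rst
    if flags & ACK:                                          # unsolicited ACK probe
        if stateful_fw:
            return None
        return build_tcp_header(dport, sport, RST, window=1024 if port_open else 0)
    if port_open and rfc793:                                 # FIN/PSH/URG to an open port
        return None
    return rst


def classify(scan: str, reply: Optional[bytes]) -> str:
    """Map a reply (or its absence) to the state each scan type can actually infer."""
    if reply is None:
        return {"syn": "filtered", "xmas": "open|filtered",
                "ack": "filtered", "window": "filtered"}[scan]
    flags = tcp_flags(reply)
    if scan == "syn":
        if flags & SYN and flags & ACK:
            return "open"
        return "closed" if flags & RST else "unexpected"
    if scan == "xmas":
        return "closed" if flags & RST else "unexpected"
    if scan == "ack":                                        # RST only proves the probe got through
        return "unfiltered" if flags & RST else "unexpected"
    if scan == "window":                                     # older stacks only
        if not flags & RST:
            return "unexpected"
        return "open" if tcp_window(reply) > 0 else "closed"
    raise ValueError(f"unknown scan type {scan!r}")


def scan_port(scan: str, dport: int, **target) -> str:
    """Build the probe for `scan`, hand it to the modelled target, classify the answer."""
    probe = build_tcp_header(40000, dport, PROBES[scan])     # assumed source port
    return classify(scan, target_reply(probe, **target))


if __name__ == "__main__":
    for scan in PROBES:
        print(scan, "open port on Linux:", scan_port(scan, 22, port_open=True),
              "| open port on Windows:", scan_port(scan, 22, port_open=True, rfc793=False),
              "| behind stateful fw:", scan_port(scan, 22, port_open=True, stateful_fw=True))
```

Running it shows the two caveats from the text in one table: the Xmas probe reports "closed" for an open port on a Windows-style stack, and the ACK probe returns "unfiltered" for open and closed ports alike unless a stateful firewall swallows it.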
