As a red teamer or penetration tester, one of the most important skills you can possess is scanning and enumerating a target network. Network scanning and enumeration discover a network’s hosts, services, and vulnerabilities. It’s crucial to understand the tools and techniques that can be used to accomplish these tasks in a manner that is efficient, accurate, and stealthy.
This article will explore some of the most popular tools and techniques used for network scanning and enumeration. We will cover the basics of scanning and enumeration, discuss different types of scans, and provide examples of how these tools can be used in the real world.
Basics of Network Scanning and Enumeration
The first step in network scanning and enumeration is to identify the IP range that needs to be scanned. Once you have identified the IP range, you can scan for open ports and services. Several techniques can be used for network scanning and enumeration, including ping sweeps, port scanning, and OS fingerprinting.
Ping Sweeps
A ping sweep is a basic scanning technique to identify active network hosts. The method involves sending ICMP echo requests to a range of IP addresses to check whether a host is alive. The output of a ping sweep is a list of active IP addresses on the network. This technique is helpful for quickly identifying live hosts on a network.
Ping sweeps can be performed using tools such as fping, nmap, and hping3. Here’s an example of how to perform a ping sweep using nmap:
nmap -sn 192.168.1.0/24
This command will perform a ping sweep of the IP range 192.168.1.0/24 and return a list of the hosts that answered. Hosts that drop ICMP are missed by a pure echo sweep; when run as root, nmap -sn additionally sends a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request, which catches many of them.
Port Scanning
Port scanning probes a range of TCP or UDP ports on a target host or network to identify which ports are open and what services they expose. This technique helps identify potential attack vectors and vulnerabilities in a target system.
Common port scan types include TCP connect scans, SYN scans, and UDP scans. The most popular tool for port scanning is nmap. Here’s an example of how to perform a SYN scan using nmap:
nmap -sS 192.168.1.1
This command will perform a SYN scan of the target IP address 192.168.1.1 and return a list of open ports. SYN scans need raw-socket privileges; without root, nmap falls back to a TCP connect scan.
OS Fingerprinting
OS fingerprinting identifies the operating system running on a target system by analyzing the details of how its TCP/IP stack responds to a series of probes. This technique helps determine the types of attacks that can be used against a target system.
OS fingerprinting can be performed using tools such as nmap and p0f. Here’s an example of how to perform OS fingerprinting using nmap:
nmap -O 192.168.1.1
This command will perform OS fingerprinting on the target IP address 192.168.1.1 and return information about the operating system running on it.
Types of Scans
Several types of scans can be used for network scanning and enumeration, including:
- TCP Connect Scan
- SYN Scan
- UDP Scan
- ACK Scan
- Null Scan
- Xmas Scan
- FIN Scan
- Idle Scan
TCP Connect Scan
TCP connect scan is the most basic type of port scan. It opens a full TCP connection to each port on the target system to determine whether it is open or closed. This type of scan is easily detectable by intrusion detection systems (IDS) and firewalls, as every completed handshake is visible to the listening service and the scan generates considerably more traffic than the half-open techniques below. Here’s an example of how to perform a TCP connect scan using nmap:
nmap -sT 192.168.1.1
This command will perform a TCP connect scan on the target IP address 192.168.1.1 and return a list of open ports.
SYN Scan
SYN scan, also known as half-open scanning, is a stealthier port scan. This technique sends a SYN packet to each port on the target system and listens for a response. The port is considered open if a SYN/ACK packet is received. If a RST packet is received, the port is considered closed. This technique is harder for the target application to detect, as the handshake is never completed and no connection is handed to the listening service; packet-level IDS sensors still see the probes. Here’s an example of how to perform a SYN scan using nmap:
nmap -sS 192.168.1.1
This command will perform a SYN scan of the target IP address 192.168.1.1 and return a list of open ports.
UDP Scan
UDP scan is used to identify open UDP ports on a target system. This technique sends a UDP packet to each port on the target system and listens for a response. A UDP reply means the port is open; an ICMP port unreachable message means it is closed; no response at all is reported by nmap as open|filtered, since a silently dropped probe and an open service that ignores an empty datagram look identical. This makes UDP scanning slower and less conclusive than TCP scanning, as UDP is connectionless and has no handshake mechanism. Here’s an example of how to perform a UDP scan using nmap:
nmap -sU 192.168.1.1
This command will perform a UDP scan on the target IP address 192.168.1.1 and return a list of open UDP ports.
ACK Scan
ACK scan determines whether a stateful firewall is filtering ports on a target system; it does not reveal whether a port is open. This technique sends an ACK packet to a port on the target system and listens for a response. If a RST packet is received, the port is considered unfiltered. If no response is received, the port is considered filtered. Here’s an example of how to perform an ACK scan using nmap:
nmap -sA 192.168.1.1
This command will perform an ACK scan on the target IP address 192.168.1.1 and return a list of unfiltered ports.
Null Scan
The null scan is another stealthy technique that sends a TCP packet with no flags set to each port on the target system. If a RST packet is received, the port is considered closed. If no response is received, the port is considered open, although nmap reports it as open|filtered because a firewall dropping the probe looks the same as an open port ignoring it. This technique is harder to detect than a connect scan, as a flagless segment never establishes a connection. Note that Windows and many Cisco devices answer every such probe with a RST, so null, FIN, and Xmas scans report all ports closed on those systems. Here’s an example of how to perform a null scan using nmap:
nmap -sN 192.168.1.1
This command will perform a null scan on the target IP address 192.168.1.1, and return a list of open ports.
Xmas Scan
Xmas scan is similar to a null scan but sends a TCP packet with the FIN, PSH, and URG flags set to each port on the target system. If a RST packet is received, the port is considered closed. If no response is received, the port is considered open (reported as open|filtered). This technique is also difficult to detect, as the probes never complete a connection that the listening service would see. Here’s an example of how to perform an Xmas scan using nmap:
nmap -sX 192.168.1.1
This command will perform an Xmas scan on the target IP address 192.168.1.1 and return a list of open ports.
FIN Scan
FIN scan is another stealthy technique that sends a TCP packet with only the FIN flag set to each port on the target system. If a RST packet is received, the port is considered closed. If no response is received, the port is considered open (reported as open|filtered). This technique is also difficult to detect, as the probes never complete a connection that the listening service would see. Here’s an example of how to perform a FIN scan using nmap:
nmap -sF 192.168.1.1
This command will perform a FIN scan on the target IP address 192.168.1.1 and return a list of open ports.
Idle Scan
Idle scan, also known as zombie scanning, uses an idle third-party system (the zombie) so that the target never sees a packet from the attacker’s own address. The attacker first probes the zombie to learn its current IP ID value, then sends a SYN packet to a port on the target system with the source address forged to be the zombie’s. If the port is open, the target sends a SYN/ACK to the zombie, which answers with a RST and thereby increments its IP ID; if the port is closed, the target sends a RST to the zombie, which ignores it. Probing the zombie’s IP ID again shows which happened: an increase of two means the port is open, an increase of one means it is closed. The technique depends on the zombie being truly idle and using a predictable, incrementing IP ID. It is very stealthy from the target’s point of view, as all the traffic it receives appears to come from the zombie. Here’s an example of how to perform an idle scan using nmap:
nmap -sI 192.168.1.2 192.168.1.1
This command will perform an idle scan on the target IP address 192.168.1.1, using the idle system with the IP address 192.168.1.2 as the zombie.
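The scan types above are each defined by the TCP flag combination they send, which is also how a defender recognizes them in traffic. The following added example (not from the original article) classifies unsolicited TCP segments by that flag combination and flags sources that probe many distinct ports with one probe type; the flow records are constructed for the example.

```python
import collections

# TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Label an unsolicited TCP segment by the scan family its flags match."""
    if flags == 0:
        return "null"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == FIN:
        return "fin"
    if flags == SYN:
        return "syn"          # also the first packet of a normal connection
    if flags == ACK:
        return "ack"
    return "other"


def detect_scanners(records, port_threshold=10):
    """records: iterable of (src_ip, dst_ip, dst_port, flags) for inbound
    segments that did not belong to an established connection.
    Returns {src_ip: {scan_type: distinct_port_count}} for sources that hit
    more than port_threshold distinct (host, port) pairs with one probe type."""
    seen = collections.defaultdict(lambda: collections.defaultdict(set))
    for src, dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind != "other":
            seen[src][kind].add((dst, dport))
    return {src: {k: len(v) for k, v in kinds.items() if len(v) > port_threshold}
            for src, kinds in seen.items()
            if any(len(v) > port_threshold for v in kinds.values())}


# Constructed sample: 10.0.0.5 sweeps ports 1-30 with flagless packets (null
# scan), 10.0.0.7 sends bare ACK probes to 15 ports (ACK scan), and 10.0.0.9
# is a normal client retrying one port, which must not be flagged.
SAMPLE = (
    [("10.0.0.5", "10.0.0.20", p, 0) for p in range(1, 31)]
    + [("10.0.0.7", "10.0.0.20", p, ACK) for p in range(80, 95)]
    + [("10.0.0.9", "10.0.0.20", 443, SYN)] * 20
)

if __name__ == "__main__":
    print(detect_scanners(SAMPLE))
```

A real deployment would feed it from a connection-tracking sensor so that the ACK and SYN rules only see segments with no matching state entry.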
nbtscan
While Nmap is one of the most popular network scanning tools, others can also perform network scans and gather information about a target system. One such tool is nbtscan.
Nbtscan is a command-line tool that performs NetBIOS name resolution scans on a target network. NetBIOS is a protocol that Windows systems use to share files, printers, and other resources on a network. By using nbtscan, you can identify the NetBIOS names of the systems on the network and potentially discover available shares and services.
To use nbtscan, you need to specify the IP address range of the target network. Here’s an example:
nbtscan 192.168.1.0/24
This command will perform a NetBIOS name resolution scan on the target network at IP address range 192.168.1.0/24 and return a list of the NetBIOS names of the systems on the network.
MAC address detection
Nbtscan can be used to identify the MAC address of the network adapter on a target system.
nbtscan -m 192.168.1.1
This command will perform a MAC address detection scan on the target system at IP address 192.168.1.1 and return the MAC address of the network adapter on the system.
Enumeration
Once you have identified the open ports and services on a target system, the next step is to enumerate the system to gather more information about its configuration, users, and applications. Enumeration uses various tools and techniques to collect as much information as possible about the target, which can then be used to identify vulnerabilities and weaknesses, build an attack plan, and prioritize which vulnerabilities to exploit.
Enumeration can be performed manually or with the help of automated tools. Manual enumeration involves searching through system files and directories, configuration files, and other resources to gather information about the system. However, this method is time-consuming and impractical for larger networks, so most enumeration tasks are performed using automated tools.
The following are some of the most common enumeration techniques and tools used by penetration testers and red teamers:
Banner Grabbing
Banner grabbing is a technique used to extract information about the system and services running on it. This technique involves connecting to a service, sending a request, and analyzing the response. The response usually contains information about the system, including the version number and the name of the software running the service.
Banner grabbing can be performed using Nmap, Netcat, and Telnet. For example, the following command can be used to perform banner grabbing using Nmap:
nmap -sV -p 22 192.168.1.1
This command will scan the target system at IP address 192.168.1.1 and retrieve the version information of the SSH service running on port 22. Because -sV sends application-layer probes, it is noisier than a plain port scan and typically appears in the service’s own logs.
Service Enumeration
Service enumeration involves identifying the services running on the target system and gathering information about them. This can include determining the name, version, and configuration of the services and any known vulnerabilities or exploits.
Nmap, Metasploit, and Nessus can be used for service enumeration. Nmap can be used to identify the services running on a target system, while Metasploit and Nessus can be used to identify vulnerabilities and potential exploits.
For example, the following command can be used to perform service enumeration using Nmap:
nmap -sV -sT -O 192.168.1.1
This command will scan the target system at IP address 192.168.1.1 and retrieve the version information of its services.
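The banner grabbing and service enumeration commands above both produce nmap’s port table, which is most useful once it is parsed and compared against an earlier scan of the same host. The following added example (not nmap’s code or the article’s) parses that table and reports ports that are open now but were not in a baseline scan; both scan outputs are constructed for the example, and the version strings are illustrative.

```python
import re

# One nmap port row: "<port>/<proto>  <state>  <service>  [<version>]"
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")


def parse_nmap_ports(text):
    """Parse the port table of nmap normal output into dicts.
    Header, host, and banner lines do not match the row pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": version or ""})
    return rows


def open_services(rows):
    """Rows nmap positively saw as open; open|filtered is left for manual follow-up."""
    return {(r["port"], r["proto"]): r for r in rows if r["state"] == "open"}


def new_exposures(baseline_text, current_text):
    """Ports open in the current scan that were not open in the baseline scan."""
    before = open_services(parse_nmap_ports(baseline_text))
    after = open_services(parse_nmap_ports(current_text))
    return sorted((after[k] for k in after.keys() - before.keys()),
                  key=lambda r: (r["proto"], r["port"]))


# Constructed sample outputs in the shape of "nmap -sV" normal output.
BASELINE = """Nmap scan report for 192.168.1.1
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
161/udp  open|filtered snmp
"""
CURRENT = """Nmap scan report for 192.168.1.1
PORT     STATE  SERVICE     VERSION
22/tcp   open   ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http        Apache httpd 2.4.41 ((Ubuntu))
445/tcp  open   netbios-ssn Samba smbd 4.6.2
3306/tcp closed mysql
161/udp  open|filtered snmp
"""

if __name__ == "__main__":
    for row in new_exposures(BASELINE, CURRENT):
        print(f"new: {row['port']}/{row['proto']} {row['service']} {row['version']}")
```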
User Enumeration
User enumeration involves identifying the user accounts on the target system. This information can be used to identify the most privileged users, including the administrator and root accounts. Attackers can use this information to launch password-guessing attacks or try to exploit vulnerabilities in the system.
Nmap, Metasploit, and Hydra can be used for user enumeration. For example, the following command can be used to perform user enumeration using Hydra:
hydra -L users.txt -P passwords.txt 192.168.1.1 ssh
This command will use Hydra to perform a dictionary attack against the SSH service running on the target system at IP address 192.168.1.1, using the usernames and passwords specified in the users.txt and passwords.txt files.
DNS Enumeration
DNS enumeration involves identifying the DNS servers and services running on the target network. This information can be used to identify potential vulnerabilities in the DNS service, such as misconfigured zone files or DNS cache poisoning.
Nmap, Fierce, and DNSRecon can be used for DNS enumeration. For example, the following command can be used to perform DNS enumeration using DNSRecon:
dnsrecon -d target.com -t axfr
This command will use DNSRecon to perform an AXFR (zone transfer) request against the DNS servers for the target.com domain and retrieve a list of all the DNS records in the zone. A correctly configured server only permits zone transfers to its secondaries, so an AXFR that succeeds from an arbitrary host is itself a finding.
SNMP Enumeration
Simple Network Management Protocol (SNMP) enumeration involves identifying SNMP-enabled devices on the target network and gathering information about them. This information can be used to identify potential vulnerabilities in the SNMP service, such as weak community strings or misconfigured access controls.
Nmap, Snmpwalk, and snmp-check can be used for SNMP enumeration. For example, the following command can be used to perform SNMP enumeration using snmp-check:
snmp-check -t 192.168.1.1 -c public
This command will use snmp-check to connect to the SNMP service running on the target system at IP address 192.168.1.1, using the public community string, and retrieve information about the SNMP service and system. Since public is the default read-only community string for SNMPv1 and v2c, a device that still accepts it exposes its configuration to anyone on the network.
SMB Enumeration
Server Message Block (SMB) enumeration involves identifying SMB-enabled devices on the target network and gathering information about them. This information can be used to identify potential vulnerabilities in the SMB service, such as weak passwords or misconfigured access controls.
Nmap, Metasploit, and smbclient can be used for SMB enumeration. For example, the following command can be used to perform SMB enumeration using smbclient:
smbclient -L 192.168.1.1 -N
This command will use smbclient to connect to the SMB service running on the target system at IP address 192.168.1.1 and retrieve a list of the available shares. The -N flag suppresses the password prompt, so the listing only succeeds if the server permits anonymous (null-session) access, which is itself a misconfiguration worth reporting.
Conclusion
In this article, we have covered the basics of network scanning and enumeration, discussed different types of scans, and provided examples of how these tools can be used in the real world. Network scanning and enumeration are critical skills for any red teamer or penetration tester, as they help to identify potential attack vectors and vulnerabilities on a target system. It’s essential to use these tools and techniques in a manner that is efficient, accurate, and stealthy to avoid detection and maximize the effectiveness of the attack.