As a red teamer or penetration tester, one of the most important skills you can possess is the ability to scan and enumerate a target network. Network scanning and enumeration are the processes of discovering hosts, services, and vulnerabilities in a network. It’s crucial to understand the tools and techniques that can be used to accomplish these tasks in a manner that is efficient, accurate, and stealthy.

In this article, we will explore some of the most popular tools and techniques used for network scanning and enumeration. We will cover the basics of scanning and enumeration, discuss different types of scans, and provide examples of how these tools can be used in the real world.

Basics of Network Scanning and Enumeration

The first step in network scanning and enumeration is to identify the IP range that needs to be scanned. Once you have identified the IP range, you can start scanning for open ports and services. There are several techniques that can be used for network scanning and enumeration, including ping sweeps, port scanning, and OS fingerprinting.

Ping Sweeps

A ping sweep is a basic scanning technique used to identify active hosts on a network. The technique involves sending ICMP echo requests to a range of IP addresses to check if a host is alive or not. The output of a ping sweep is a list of active IP addresses on the network. This technique is useful for quickly identifying live hosts on a network.

Ping sweeps can be performed using tools such as fping, nmap, and hping3. Here’s an example of how to perform a ping sweep using nmap:

nmap -sn 192.168.1.0/24

This command will perform a ping sweep on the IP range 192.168.1.0/24, and return a list of active IP addresses.

Port Scanning

Port scanning is the process of scanning a range of TCP or UDP ports on a target host or network to identify open ports and the services running on them. This technique is useful for identifying potential attack vectors and vulnerabilities on a target system.

There are several types of port scans, including TCP connect scans, SYN scans, and UDP scans. The most popular tool for port scanning is nmap. Here’s an example of how to perform a SYN scan using nmap:

nmap -sS 192.168.1.1

This command will perform a SYN scan on the target IP address 192.168.1.1, and return a list of open ports.

OS Fingerprinting

OS fingerprinting is the process of identifying the operating system running on a target system by analyzing its network traffic. This technique is useful for determining the types of attacks that can be used against a target system.

OS fingerprinting can be performed using tools such as nmap and p0f. Here’s an example of how to perform OS fingerprinting using nmap:

nmap -O 192.168.1.1

This command will perform OS fingerprinting on the target IP address 192.168.1.1, and return information about the operating system running on the system.

Types of Scans

There are several types of scans that can be used for network scanning and enumeration, including:

  1. TCP Connect Scan
  2. SYN Scan
  3. UDP Scan
  4. ACK Scan
  5. Null Scan
  6. Xmas Scan
  7. FIN Scan
  8. Idle Scan

TCP Connect Scan

TCP connect scan is the most basic type of port scan. It involves opening a full TCP connection to each port on the target system to determine whether the port is open or closed. This type of scan is easily detectable by intrusion detection systems (IDS) and firewalls, as it generates a lot of network traffic. Here’s an example of how to perform a TCP connect scan using nmap:

nmap -sT 192.168.1.1

This command will perform a TCP connect scan on the target IP address 192.168.1.1, and return a list of open ports.

SYN Scan

SYN scan, also known as half-open scanning, is a more stealthy type of port scan. This technique involves sending a SYN packet to each port on the target system, and listening for a response. If a SYN/ACK packet is received, the port is considered open. If a RST packet is received, the port is considered closed. This technique is difficult to detect, as it doesn’t complete the full TCP handshake. Here’s an example of how to perform a SYN scan using nmap:

nmap -sS 192.168.1.1

This command will perform a SYN scan on the target IP address 192.168.1.1, and return a list of open ports.

UDP Scan

UDP scan is used to identify open UDP ports on a target system. This technique involves sending a UDP packet to each port on the target system and listening for a response. If a response is received, the port is considered open. This technique is more difficult than TCP scanning, as UDP is connectionless and doesn’t have a handshake mechanism. Here’s an example of how to perform a UDP scan using nmap:

nmap -sU 192.168.1.1

This command will perform a UDP scan on the target IP address 192.168.1.1, and return a list of open UDP ports.

ACK Scan

ACK scan is used to determine whether a firewall is filtering ports on a target system. This technique involves sending an ACK packet to a port on the target system, and listening for a response. If a RST packet is received, the port is considered unfiltered. If no response is received, the port is considered filtered. Here’s an example of how to perform an ACK scan using nmap:

nmap -sA 192.168.1.1

This command will perform an ACK scan on the target IP address 192.168.1.1, and return a list of unfiltered ports.

Null Scan

Null scan is another stealthy technique that involves sending a TCP packet with no flags set to each port on the target system. If a RST packet is received, the port is considered closed. If no response is received, the port is considered open. This technique is difficult to detect, as it doesn’t generate any network traffic. Here’s an example of how to perform a null scan using nmap:

nmap -sN 192.168.1.1

This command will perform a null scan on the target IP address 192.168.1.1, and return a list of open ports.

Xmas Scan

Xmas scan is similar to null scan, but involves sending a TCP packet with the FIN, PSH, and URG flags set to each port on the target system. If a RST packet is received, the port is considered closed. If no response is received, the port is considered open. This technique is also difficult to detect, as it doesn’t generate any network traffic. Here’s an example of how to perform an Xmas scan using nmap:

nmap -sX 192.168.1.1

This command will perform an Xmas scan on the target IP address 192.168.1.1, and return a list of open ports.

FIN Scan

FIN scan is another stealthy technique that involves sending a TCP packet with only the FIN flag set to each port on the target system. If a RST packet is received, the port is considered closed. If no response is received, the port is considered open. This technique is also difficult to detect, as it doesn’t generate any network traffic. Here’s an example of how to perform a FIN scan using nmap:

nmap -sF 192.168.1.1

This command will perform a FIN scan on the target IP address 192.168.1.1, and return a list of open ports.
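Seen from the network defender's side, the scan types above differ only in the TCP flag combination of the probe. The following added example (not code from the original article) classifies packets by those flag patterns and reports sources that sweep many ports; the packet tuples, the 0.0.0.0-style sample addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations carried by the probe types described above
# (nmap -sN, -sX, -sF, -sS and -sA respectively).
PROBE_SIGNATURES = {0: "null", FIN | PSH | URG: "xmas", FIN: "fin",
                    SYN: "syn", ACK: "ack"}

# One null/Xmas/FIN packet never belongs to a normal connection, so a single one
# is worth reporting; lone SYN and ACK packets are everyday traffic, so those are
# reported only once a source has touched many distinct ports (assumed values).
DEFAULT_THRESHOLDS = {"null": 1, "xmas": 1, "fin": 1, "syn": 10, "ack": 10}

def classify_flags(flags):
    """Return the probe type a packet with these TCP flags resembles, or 'normal'."""
    return PROBE_SIGNATURES.get(flags & 0x3F, "normal")

def detect_scans(packets, thresholds=DEFAULT_THRESHOLDS):
    """Group suspect packets by (source IP, probe type) and report port sweeps.

    packets: iterable of (src_ip, dst_ip, dst_port, tcp_flags) tuples, as one
    would extract from a capture or firewall log. Returns
    {(src_ip, probe_type): sorted distinct dst ports} for sources over threshold.
    """
    touched = defaultdict(set)
    for src, _dst, dport, flags in packets:
        kind = classify_flags(flags)
        if kind != "normal":
            touched[(src, kind)].add(dport)
    return {key: sorted(ports) for key, ports in touched.items()
            if len(ports) >= thresholds[key[1]]}

# Constructed sample traffic: a SYN sweep of twelve ports from 10.0.0.5, an
# Xmas probe of two ports from 10.0.0.9, and one legitimate handshake on 443.
SAMPLE_PACKETS = (
    [("10.0.0.5", "192.168.1.1", port, SYN) for port in range(20, 32)]
    + [("10.0.0.9", "192.168.1.1", 22, FIN | PSH | URG),
       ("10.0.0.9", "192.168.1.1", 80, FIN | PSH | URG)]
    + [("10.0.0.7", "192.168.1.1", 443, SYN),
       ("192.168.1.1", "10.0.0.7", 443, SYN | ACK),
       ("10.0.0.7", "192.168.1.1", 443, ACK)]
)

if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src}: {kind} probes against {len(ports)} ports, e.g. {ports[:5]}")
```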

Idle Scan

Idle scan, also known as zombie scanning, is a technique that involves using an idle system as a proxy to scan a target system. This technique involves sending a SYN packet to a port on the target system, and then sending a SYN/ACK packet to the idle system with a forged source IP address. If the idle system responds with a RST packet, the port is considered closed. If the idle system responds with a SYN/ACK packet, the port is considered open. This technique is very stealthy, as it doesn’t generate any network traffic from the attacker’s system. Here’s an example of how to perform an idle scan using nmap:

nmap -sI 192.168.1.2 192.168.1.1

This command will perform an idle scan on the target IP address 192.168.1.1, using the idle system with the IP address 192.168.1.2 as a proxy.

nbtscan

While Nmap is one of the most popular network scanning tools, there are other tools that can also be used to perform network scans and gather information about a target system. One such tool is nbtscan.

Nbtscan is a command-line tool that can be used to perform NetBIOS name resolution scans on a target network. NetBIOS is a protocol used by Windows systems for sharing files, printers, and other resources on a network. By using nbtscan, you can identify the NetBIOS names of the systems on the network, and potentially discover shares and services that are available.

To use nbtscan, you simply need to specify the IP address range of the target network. Here’s an example:

nbtscan 192.168.1.0/24

This command will perform a NetBIOS name resolution scan on the 192.168.1.0/24 range, and return a list of the NetBIOS names of the systems on the network.

MAC address detection

Nbtscan can be used to identify the MAC address of the network adapter on a target system.

nbtscan -m 192.168.1.1

This command will perform a MAC address detection scan on the target system at IP address 192.168.1.1, and return the MAC address of the network adapter on the system.

Enumeration

Once you have identified the open ports and services on a target system, the next step is to enumerate the system to gather more information about its configuration, users, and applications. Enumeration involves using various tools and techniques to gather information about the target system. The purpose of enumeration is to gather as much information as possible about the target, which can be used to identify vulnerabilities and weaknesses in the target system. This information can also be used to create an attack plan and to prioritize the vulnerabilities to exploit.

Enumeration can be performed manually or with the help of automated tools. Manual enumeration involves searching through system files and directories, configuration files, and other resources to gather information about the system. However, this method can be time-consuming and is not practical for larger networks. Therefore, most enumeration tasks are performed using automated tools.

The following are some of the most common enumeration techniques and tools used by penetration testers and red teamers:

Banner Grabbing

Banner grabbing is a technique used to extract information about the system and services running on it. This technique involves connecting to a service, sending a request, and analyzing the response. The response usually contains information about the system, including the version number and the name of the software running the service.

Banner grabbing can be performed using tools such as Nmap, Netcat, and Telnet. For example, the following command can be used to perform banner grabbing using Nmap:

nmap -sV -p 22 192.168.1.1

This command will scan the target system at IP address 192.168.1.1, and retrieve the version information of the SSH service running on port 22.

Service Enumeration

Service enumeration involves identifying the services running on the target system and gathering information about them. This can include identifying the name, version, and configuration of the services, and any known vulnerabilities or exploits.

Tools such as Nmap, Metasploit, and Nessus can be used for service enumeration. Nmap can be used to identify the services running on a target system, while Metasploit and Nessus can be used to identify vulnerabilities and potential exploits.

For example, the following command can be used to perform service enumeration using Nmap:

nmap -sV -sT -O 192.168.1.1

This command will scan the target system at IP address 192.168.1.1, and retrieve the version information of the services running on it.

User Enumeration

User enumeration involves identifying the user accounts on the target system. This information can be used to identify the most privileged users, including the administrator and root accounts. Attackers can use this information to launch password-guessing attacks or try to exploit vulnerabilities in the system.

Tools such as Nmap, Metasploit, and Hydra can be used for user enumeration. For example, the following command can be used to perform user enumeration using Hydra:

hydra -L users.txt -P passwords.txt 192.168.1.1 ssh

This command will use Hydra to perform a dictionary attack against the SSH service running on the target system at IP address 192.168.1.1, using the usernames and passwords specified in the users.txt and passwords.txt files.
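From the defender's side, a run like the one above leaves a dense trail of failures in sshd's auth log. The following added example (not code from the original article) flags sources whose failed logins are spread across several usernames, which is what a -L/-P dictionary run looks like; the log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in the default sshd syslog format.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 host sshd[2211]: Failed password for invalid user admin from 192.168.1.50 port 50120 ssh2
Mar  3 10:14:02 host sshd[2213]: Failed password for invalid user test from 192.168.1.50 port 50121 ssh2
Mar  3 10:14:02 host sshd[2215]: Failed password for root from 192.168.1.50 port 50122 ssh2
Mar  3 10:14:03 host sshd[2217]: Failed password for invalid user oracle from 192.168.1.50 port 50123 ssh2
Mar  3 10:14:04 host sshd[2219]: Failed password for alice from 192.168.1.50 port 50124 ssh2
Mar  3 10:15:10 host sshd[2301]: Failed password for alice from 192.168.1.20 port 41002 ssh2
Mar  3 10:15:15 host sshd[2301]: Accepted password for alice from 192.168.1.20 port 41002 ssh2
"""

# "invalid user" is present when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")

def failed_logins_by_source(log_text):
    """Map source IP -> [failure count, set of usernames tried]."""
    stats = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if not match:
            continue  # accepted logins and unrelated lines are ignored
        entry = stats[match.group("ip")]
        entry[0] += 1
        entry[1].add(match.group("user"))
    return stats

def suspected_dictionary_attacks(log_text, min_failures=5, min_users=3):
    """Sources with many failures over several usernames; a single user
    mistyping a password (192.168.1.20 above) stays below both thresholds."""
    stats = failed_logins_by_source(log_text)
    return sorted(ip for ip, (count, users) in stats.items()
                  if count >= min_failures and len(users) >= min_users)
```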

DNS Enumeration

DNS enumeration involves identifying the DNS servers and services running on the target network. This information can be used to identify potential vulnerabilities in the DNS service, such as misconfigured zone files or DNS cache poisoning.

Tools such as Nmap, Fierce, and DNSRecon can be used for DNS enumeration. For example, the following command can be used to perform DNS enumeration using DNSRecon:

dnsrecon -d target.com -t axfr

This command will use DNSRecon to perform an AXFR (zone transfer) request against the DNS server for the target.com domain, and retrieve a list of all the DNS records in the zone.

SNMP Enumeration

Simple Network Management Protocol (SNMP) enumeration involves identifying SNMP-enabled devices on the target network and gathering information about them. This information can be used to identify potential vulnerabilities in the SNMP service, such as weak community strings or misconfigured access controls.

Tools such as Nmap, Snmpwalk, and snmp-check can be used for SNMP enumeration. For example, the following command can be used to perform SNMP enumeration using snmp-check:

snmp-check -t 192.168.1.1 -c public

This command will use snmp-check to connect to the SNMP service running on the target system at IP address 192.168.1.1, using the public community string, and retrieve information about the SNMP service and system.

SMB Enumeration

Server Message Block (SMB) enumeration involves identifying SMB-enabled devices on the target network and gathering information about them. This information can be used to identify potential vulnerabilities in the SMB service, such as weak passwords or misconfigured access controls.

Tools such as Nmap, Metasploit, and smbclient can be used for SMB enumeration. For example, the following command can be used to perform SMB enumeration using smbclient:

smbclient -L 192.168.1.1 -N

This command will use smbclient to connect to the SMB service running on the target system at IP address 192.168.1.1, and retrieve a list of shares available on the system.

Conclusion

In this article, we have covered the basics of network scanning and enumeration, discussed different types of scans, and provided examples of how these tools can be used in the real world. Network scanning and enumeration are critical skills for any red teamer or penetration tester, as they help to identify potential attack vectors and vulnerabilities on a target system. It’s important to use these tools and techniques in a manner that is efficient, accurate, and stealthy, to avoid detection and maximize the effectiveness of the attack.