# Strengthening the Attack by Effective “Scanning”

634
• by Vatsal Jain
• 18th Nov, 2020
• Last updated on 11th Mar, 2021

As per the Oxford dictionary, “Scanning” is defined as “to look at all parts of (something) carefully in order to detect some feature”. Scanning is a technique which is very widely used in the cyber security domain. Security engineers, hackers, and researchers often use various kinds of scanning in the course of their work. Network Scanning is a process where an attacker uses tools and techniques to gather information about the target. This information may be as simple as the active hosts within the network, to complex discoveries like gathering the OS of the hosts, open ports and active vulnerabilities on the host. Scanning is not only done on the network; it could also be application scanning, or website scanning, depending on the need. However, in this article, we will focus mainly on network scanning and will only briefly touch upon application and website scanning.

Scanning is an integral part of ethical hacking, and without understanding the basics of ethical hacking, we would not be able to do justice to this topic. Generally, after reconnaissance, scanning is the second step of any hacking attempt. For that purpose, we will look at the basics of ethical hacking and its steps, after which we shall understand scanning and its types, take a deep dive into network scanning and finally look at some tools which are used in the industry for various types of scanning.

## What is hacking and ethical hacking?

Whenever we listen to the word ‘Hacker’, we imagine a guy with black hood, sitting alone in a room, having multiple screens in front of him and typing commands at a blazing speed! In reality, that is not the case. A computer hacker is a person with deep domain expertise in the fields of computers, who explores methods to overcome the defense mechanisms by exploiting vulnerabilities in a computer system or network. A hacker can be financially or politically motivated, or could be working with an organization to help them strengthen their infrastructure. The latter is also referred to an ethical hacker.

If we talk about the English definition of hacker as per the Oxford dictionary , it refers to a person who uses computers to get access to data in somebody else's computer or phone system without permission. An unethical hacker is someone who overcomes the security controls deployed by security teams to protect confidential and sensitive data by exploiting various vulnerabilities present in the system or network, and gains unauthorized access to the system. This is usually done for financial gain by unethical hackers.

Now when the word ‘ethical’ is attached to ‘hacking’, it changes the meaning a bit and also the intent of hacking. In ethical hacking, the hacker exploits the vulnerability, gains access to the data, but never alters, deletes or steals it or uses it for personal, professional or financial gain. The hacker, in this case, will disclose the vulnerability to the owner of the system with a “Proof of Concept” (PoC) and request the owner to get the vulnerability remediated. Generally, the ethical hackers have an explicit permission to exploit the target from the owner. The companies could hire ethical hackers on their payroll and pay them to do such hacking or may allow hackers around the globe to evaluate their websites or applications through bug bounty programs. In this case, the companies offer monetary rewards to hackers who report bugs to the companies.

Now when we have discussed ethical hackers, it would make sense to introduce the term, “White Hat Hacker”. A White Hat Hacker is an individual, generally working with or for a company to help the company strengthen its security posture. The white hat hacker has explicit permission from the system or the information owner to attack the system. The intent here is to fix the issues before the black hat hackers or the bad guys could exploit the vulnerability. Ethical hackers can also be referred to as white hat hackers.

## Steps in Ethical Hacking

To successfully understand scanning, it is very important to understand what the various steps of hacking are. Any successful attack would need these steps to be followed:

1. Reconnaissance or information gathering – As they say in the military, reconnaissance means to gather the information of the area by using foot soldiers, planes, drones, etc. In ethical hacking also, the process is similar. Here we try to gather as much information as we can about our target. The better the reconnaissance, the easier the attack would be. Basically, this step lays the foundation of our attack. Reconnaissance could be of two types, active and passive. In case of active reconnaissance, scanning is widely used for gaining information about the target. Generally, information that is available to the public is gathered in this phase.
2. Scanning – The attacker has gained valuable insights about the target. But this is not enough, as deeper insights are required. Scanning helps in getting more specific information about the target. Web scanners help attackers understand the vulnerabilities in a website, while application scanners look at the application code and the lists of potential vulnerabilities and issues. Network scanners help the attacker to perform host discovery, identify ports and services and gain various details about the network, as we will discuss going forward.
3. Gaining access – Now the attacker is armed with a lot of information on the IP ranges, key people of the organization, OS running on key servers, active hosts and so on. The attacker will now use techniques to deliver a payload (the actual virus or a malicious code) into the network of the target. This is generally done by using social engineering techniques like phishing.
4. Maintaining access – This is the next step when the attacker has the access to the network and the system, and would now make sure that he has a persistent access to the resources. The attacker generally does this by creating a backdoor, which no one else is aware of. A backdoor is just like a secret way in and out of the system. This backdoor will ensure that even if the main gate (exploited vulnerability) has been closed by the target, there is a back gate which he could use to maintain the access to the compromised system.
5. Covering tracks – Any attacker would want to remain anonymous while he is in the system or has left after stealing the information or damaging it. This is a very important step, since if this is not done, the hacker(if he is a black hat hacker) could land in jail. This is generally done by tampering (deleting or corrupting) the log files and/or using a VPN or a Virtual Private Network.

## Types of scanning in ethical hacking

Scanning is the second step in ethical hacking. It helps the attacker get detailed information about the target. Scanning could be basically of three types:

1. Port Scanning – Detecting open ports and running services on the target host
2. Network Scanning – Discovering IP addresses, operating systems, topology, etc.
3. Vulnerability Scanning – Scanning to gather information about known vulnerabilities in a target

Port scanning could be further divided into 5 types:

1. Ping Scan – This is the simplest scan. Ping scan sends ICMP packets and wait for the response from the target. If there is a response, the target is considered to be active and listening.
2. TCP Half Open – Also, referred to as SYN scan, this is another very common type of scanning method.
3. TCP Connect – TCP connect is similar to TCP half open, except for the fact that a complete TCP connection is established in TCP connect port scanning.
4. UDP – UDP is used by very common services like DNS, SNMP, DHCP. So, sending a UDP packet and waiting for a response helps gather information about UDP ports.
5. Stealth Scanning – As the word says, stealth means a quieter activity. When an attacker wants to be undetected while scanning, a stealth scan is used.

### What is network scanning

Network is the backbone of any information technology infrastructure, over which data and resources are shared. In today’s world, when the network is being used for almost everything, “Network Security”  is of critical importance. If the network is not secure, any other control is not worth applying! Network scanning is the process or technique by which we scan the network to gain details such as active hosts, open ports including running TCP and UDP services, open vulnerabilities, details about the host like operating system and much more. For IP (internet protocol) networks, generally “ping” is used for reaching a host and checking its status. Ping is an ICMP (Internet Control Message Protocol) utility and sends packets to the target and receives an ICMP echo reply.

Within an organization, network scanning is used by monitoring and management systems. These are legitimate uses of scanning and are very regularly used by network management tools and network administrators. On the other side, scanning used by an attacker relies on the same tools and protocols as used by network administrators for monitoring and management. The attacker would first obtain the IP address range of the target network generally using DNS or the whois protocol. Once the attacker has the IP range, he would scan the network for active host, their operating systems and related details as discussed above. Finally, with all this information, the attacker may attempt to breach the target systems.

## How is Network Scanning different from Reconnaissance?

Reconnaissance, as discussed above, is the first step in ethical hacking. In this step, the attacker tries to gather as much information as possible. Reconnaissance could be of two types, active and passive. In passive reconnaissance, the attacker makes absolutely no contact with the target systems or the network. However, in active reconnaissance, the attacker makes direct contact with the target machines and network in order to gain some basic information. This is generally done by scanning and foot-printing.

You might be wondering, why are we talking about scanning in reconnaissance and then also discussing scanning as a different and independent step of ethical hacking? There is a thin line between the two.

As discussed above, during active reconnaissance, there is contact with the target network. However, in the scanning step (2nd step of ethical hacking), the attacker already has basic information about the network and the infrastructure. The aim is to get details like active host names, open ports, operating systems on the active hosts, etc. While they might seem the same, scanning is not possible or rather, would not be successful without an in-depth and detailed reconnaissance. The scanning step further expands reconnaissance and takes it to the next level.

### Network Scanning tool – NMAP with examples

Let us have a look at nmap, a very commonly used network scanning tool and see some examples of its use. You can install nmap (Zenmap is the UI interface for Windows) from nmap [dot] org. Below is what the Zenmap looks like:

We input the target IP or IP range in the “Target” field, choose a profile from the dropdown and input a command which specifies certain parameters. Below are some common parameters you can find in the nmap tool:

1. HOST DISCOVERY:
a. -sL: List Scan - simply list targets to scan
b. -sn: Ping Scan - disable port scan
c. -Pn: Treat all hosts as online -- skip host discovery
2. SCAN TECHNIQUES:
a. -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
b. -sU: UDP Scan
c. -sN/sF/sX: TCP Null, FIN, and Xmas scans
d. --scanflags <flags>: Customize TCP scan flags
3. PORT SPECIFICATION AND SCAN ORDER:
a. -p <port ranges>: Only scan specified ports
b. --exclude-ports <port ranges>: Exclude the specified ports from scanning
c. -F: Fast mode - Scan fewer ports than the default scan
4. SERVICE/VERSION DETECTION
a. -sV: Probe open ports to determine service/version info
5. OS DETECTION:
a. -O: Enable OS detection

Some examples are given below:

1. nmap -v -A knowledgehut.com
2. nmap -v -sn 192.168.0.1-100
3. nmap -v -O 192.168.1.200-210
4. nmap -v -iR 10000 -Pn -p 443

You can refer to nmap official website (nmap [dot] org/book/man [dot] html) for more examples and use cases.

### Some common scanning tools used in the industry

With the evolution of sophisticated attacks, the network security industry has evolved a great deal, and there are more than a dozen tools which help companies manage their network and ensure it is secure from all kinds of attacks. Below are some very common and trusted tools which are used across the industry:

1. OpenVAS – OpenVAS or the Open Vulnerability Assessment System is an open source tool for network scanning and monitoring. OpenVAS allows a high level of customization and provides an option of intelligent scan. It provides three types of scans, namely, full scan, web server scan and WordPress scan.
2. Nmap – As discussed above, nmap is one of the most reliable network scanners used across the industry. It is an open source tool and allows a lot of pre-configured commands. It comes with NSE or the Nmap Scanning Engine, which is very effective in detecting network misconfigurations and security issues. It is available both in graphical user interface (GUI) and command line interface (CLI).
3. Nessus – One of the most widely used enterprise scanning tools, the Tenable owned Nessus provides amazing scanning capabilities, including many predefined templates. It has pre-configured scans (templates) for PCI compliance, Badlock detection, Malware Scan, DROWN Detection to name a few. It is one of the most trusted scanners used across the industry. Nessus provides free trial version and student editions (with limited features of course) for learning and research purposes.
4. Acunetix – Acunetix is one of the most widely used web application scanners. The ability to integrate with trackers like Jira, repositories like GitHub and automation capabilities with Jenkins, makes Acunetix a must-have for enterprises. It also helps the security teams integrate security into their SDLC (Software Development Life Cycle) processes.
5. Wireshark – Wireshark is a free and open source packet analyzer. Very widely used, this tool is often used by attackers when they have successfully entered a network for “sniffing” the traffic. Wireshark’s ability to capture real time packets, convert them to human readable form and a very easy to use and interactive GUI makes it one of the favorite tools of network administrators and security researchers (and hackers, of course!).

#### Concluding remarks

Scanning is the second step of the ethical hacking process and until an attacker is proficient in this, it is highly unlikely that the attack will be successful. Network scanning not only tells you about the hosts and their basic configurations, it also tells an attacker about various vulnerabilities present in the hosts. On the other side, application scanners tell what vulnerabilities (generally from an OWASP standpoint) are existent in an application. Scanning, if done the right way can reveal a lot of information about the organization. Having said that, the network and security administrators within almost all organizations have tools deployed to ensure that any scanning attempt is detected almost instantaneously and a corrective action (generally blocking) is taken. This makes it even more difficult for any attacker to launch a scan on an organization’s network and come up with successful results. Many a times, scanning is blocked at the firewall level. This means, ICMP traffic is denied by default, except for some IPs and subnets where it is required for trouble-shooting purposes.

### Vatsal Jain

Author

Vatsal Jain is an Information Security professional with close to 3 years of experience. He has worked with multiple MNCs and has exposure in Information Security Auditing, creating and maintaining InfoSec Policies and Procedures, Network Security and Risk Management. He has cracked exams like CISA, CISM and CEH. He also holds certifications like ISO 27001 LA, ITIL Foundation, ISO 22301 LI and AZ-900. He has done B.Tech. in CSE with a specialization in Cyber Security and Forensics.

## Learning Ethical Hacking Can Be A Disaster If You Neglect These 7 Rules

21673
Learning Ethical Hacking Can Be A Disaster If You ...

Attacking one’s own self defence systems to chec... Read More

## How To Get Knowledge About The Certified Ethical Hacker

Technology has flourished at break neck speed in the past decade. Inventions and innovations have transformed the way we live and work. We live in an interconnected world where everything is online. While this has made our lives easier, it has also made us vulnerable to sophisticated cyber criminals, who at their malicious best attack not just an individual but even a company, and in more brazen attacks even a nation's security and financial health.According to the latest report by Verizon, 70% of cybercrimes were caused by malicious hackers and outsiders. With a lot of sensitive data now being present online, the perception threat has steadily grown over the years.One of the foremost methods to prevent cybercrime is to reinforce the security of IT systems. Moreover, adding a dedicated team of ethical hackers to the workforce can help fix loopholes and prevent malicious attacks. With the surge in cybercrime, the need for cybersecurity has increased. This in turn has led to a rise in the demand for skilled ethical hackers and information security professionals.What is the CEH certification?The CEH(Certified Ethical Hacking) credential from EC-Council demonstrates that you have hands-on knowledge of niche techniques used by security professionals and hackers to prevent cyber-attacks. CEH also provides skills to assess the security aspects, scan the infrastructure, and detect vulnerabilities in the organizations. With the CEH course, you can:Enter into the industry as a security professionalLearn the hacker mentality to get a step ahead of cybercriminalsBoost your career in IT securityImprove your skills and knowledge which is a primary requirement for career advancementThe demand for Ethical HackersAccording to Forbes, "in this current year of 2020-21, the Global security market is worth $173 billion and within the next 5 years this will grow to around$270 billion." Statistics by the Australian Cyber Security Growth Network show that organizations across the globe are expected to raise their security budget by 8% annually.Source: austcyber.comMalicious cyber activities are increasing around the world, as cybercriminals are using sophisticated strategies for infiltration of systems and networks. Therefore, the demand for cybersecurity experts or ethical hackers will continue to increase.Opportunities for an ethical hackerIn India alone, more than 20,000 websites faced defacement, DDoS, or ransomware attacks just in 2019 as per the report of CERT(Indian Computer Emergency Response Team).Therefore, from private organizations to government entities, everyone needs an ethical hacker or security professional to counter unauthorized hacking and strengthen their security needs. As per the NASSCOM report, there will be 72000 security professionals in the coming years.Types of roles and responsibilities of an Ethical HackerCybersecurity experts will get various types of work opportunities from small scale organizations to giant tech corporations, government agencies, research organizations, and many others.The work of ethical hackers will differ and is not limited to the size and requirement of the organization, but also the skills and experience of hackers. However, here are some overall responsibilities expected from ethical hackers.To protect IT infrastructures, networks, devices, and data from cybercriminalsMonitor application and network performanceTo perform security tests to validate the strength of application, devices, and networkImplement information security management system to be followed by the entire organizationTo set detection and prevention facilities and make a barrier from outer /unauthorized accessTo stay connected with top management with updated risk management and business continuity plans.To perform all the above tasks and operations there are multiple designations hired by organizations, ranging from entry-level security personnel to CISO (Chief Information Security Officer). This pyramid shows the various levels of roles for cyber security professionals.Job roles and salariesEthical hackers can take on a variety of roles.Consulting - As explained earlier, almost all organizations require security professionals to secure their network,  data, devices, etc. Some organizations prefer to outsource the security solution rather than hire on their own.  In this case, the organization expects customized security solutions and suggestions and advice on protection of their assets against cyber-attacks.Bug bounty - Many organizations and tech giants organize bounty programs for hackers to find out vulnerabilities in their applications or websites and offer attractive cash prices.Training - Ethical hackers can provide training to professionals and students for advancement in their careers. These types of training also help to spread awareness in the society against cybercrime and to keep them secure from any potential fraud.Events - Tech giants like Tesla invites hackers to hack their cars. There are similar events for hackers to perform their skills and earn prizes, or in some cases jobs with handsome packages.The salary range for ethical hackersLucrative salaries are the most attractive part of this profession. Salaries in this field vary based on location, designation, skill, and experience. As we have seen in the pyramid earlier, there are multiple roles in the security field, with packages increasing from bottom to top. All organizations value their security, and are ready to pay top dollar for qualified candidates.As per a survey, the average salary of an ethical hacker or information security officer is INR 12,00,000 per annum with 3-5 years of experience. This is just an average figure. In some cases in New Delhi & Mumbai, suitable candidates got paid as much as up to INR 18,00,000 p.a. even without work experience.The package information mentioned above was just for India. Let's have a look at the below table to understand the worldwide salary ratio based on designation and experience.Do you have the skills for it?Before you decide to pursue ethical hacking as a profession, here are some skills you have to master:FocusPatienceStrategy making abilityGood CommunicationCuriosityDisciplineZest for learningThinking out of the boxPositive attitudeTop 10 technical skills:-Excellent computer skills  LinuxNetworking & InfrastructureProgramming skillsDatabase management systemsCryptographyCloud technologiesWeb applicationWireless technologiesPenetration TestingImportance of ethicsHave you heard the term 'Royal Guards'?  It refers to an elite group of highly skilled warriors who act as a monarch’s personal security guards. The monarch and the kingdom trust them and feel safe while surrounded by royal guards.In this field as well, an ethical hacker or a team of security professionals act as royal guards of the organization. Organizations trust the security professionals expecting security and implicit loyalty. Security professionals must be highly ethical, as they can have access to the most vital information systems, data, or any other assets. An ethical hacker must follow ethical /genuine practices during the entire employment term (and even after leaving a company) and uphold the trust of the management.EC-Council has written 19 steps of  'Code - of - Ethics' which must be followed by all ethical hackers to maintain the dignity of the profession.Below is a sample:As an ethical hacker, you must keep private and confidential information gained in your professional work (in particular as it pertains to client lists and client personal information). You should not collect, give, sell, or transfer any personal information (such as name, e-mail address, Social Security number, or another unique identifier) to a third party without the client's prior consent.ConclusionHighly skilled hackers will always be in demand because in the digital age, all organizations need to stay protected from hackers at any cost. This is a career that is surely future-proof!