January 18th, 2005 12:19 AM
This is very closely related to my ‘footprinting’ tutorial which should be read first, and should accompany this quite well. You can find the first tutorial here:
I will split scanning into two parts: a brief explanation of ping sweeping (which, whilst slightly outdated nowadays, is still useful to learn), and then a closer look at port scanning.
1) Ping Sweeping
An ICMP Echo Request, or ‘ping’ as it is usually called, is used to determine whether a host is alive and reachable on an IP network. Note that ping is ICMP, not TCP, so it tells you nothing about which ports are open. It is done from the command prompt by simply typing: ping www.target.com
Generally, if the target computer is alive it will answer with an ICMP Echo Reply message. Unfortunately nowadays most companies block ping at the perimeter, so failure to receive a reply does not mean the host is down; most probably the request or the reply has been dropped by a firewall or router, and the host should still be port scanned. Ping sweeping is still useful to know for a networked environment with no internet connection, such as an internal LAN with no firewall in the way (even if such environments are few and far between nowadays).
If you are using Windows there is a free tool called Pinger, written by Rhino9, which can also resolve host names and output the results to a text file. You can get it from this address:
2) Port Scanning
Port scanning is the art of connecting to each port on a system and seeing whether it responds. It is similar to how a burglar would case a building, seeing where the doors and windows are and whether any are open. The basis of it all is the TCP three-way handshake. A sends B a SYN segment directed at a specific port; it carries the initial sequence number (ISN) A will use. If B is listening on that port, it answers with a SYN/ACK: an acknowledgment of A’s SYN together with the ISN B will use. If B is not listening on that port it answers with a RST instead, to indicate that no connection is possible. A then sends B an ACK for the SYN/ACK, and only once B receives that ACK is the connection established. In summary:
A -> B: SYN (to port P, seq = ISN_A)
B -> A: SYN/ACK (seq = ISN_B, ack = ISN_A + 1) if P is open, or RST if P is closed
A -> B: ACK (ack = ISN_B + 1), connection established
There are a number of techniques used to survey which ports are listening on a machine. I will briefly describe the three main types, but for a better understanding of all the possible types, please read Fyodor’s paper entitled “The Art of Port Scanning”, as it is a great article. You can find it here: http://www.insecure.org/nmap/nmap_doc.html
1) TCP connect() scanning: the scanner completes the full three-way handshake with each port using the operating system’s normal connect() call. It needs no special privileges, but every connection shows up in the target’s logs like any other.
2) SYN scanning (also called half-open scanning): the scanner sends a SYN and looks at the answer, a SYN/ACK meaning open and a RST meaning closed, then tears the connection down with a RST rather than completing the handshake. It needs raw-socket (root or administrator) privileges, and because the connection is never completed, the application behind the port usually does not log it.
3) TCP FIN scanning: the scanner sends a bare FIN to a port. According to the TCP specification a closed port answers with a RST while an open port ignores it, so this can slip past filters that only watch for SYN packets. Windows does not follow the specification here and answers every port with a RST, so a FIN scan tells you nothing about a Windows host.
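To make the handshake and the connect() scan concrete, here is a small TCP connect() scanner written for this tutorial (added example code, not from the original post and not Nmap’s code). It assumes only Python 3’s standard library. Its target is a throwaway listener it starts itself on 127.0.0.1, so it runs offline, and the port numbers it uses are whatever the operating system hands out rather than anything fixed. Each port is classified by how the target answers the handshake: open when connect() completes, closed when a RST comes back (seen as “connection refused”), and filtered when nothing comes back before the timeout, which is what a firewall silently dropping the SYN looks like. The unexpected_open() check at the end is the “no ports open that shouldn’t be” audit from the last section: the scan results are compared against an allow-list of the services the host is supposed to offer.

```python
"""TCP connect() port scanner (added example for this tutorial, not the original's code).

Each probe completes the full three-way handshake via the OS connect() call and
classifies the port by the outcome:
    open     - SYN -> SYN/ACK -> ACK completed
    closed   - the target answered the SYN with a RST (connection refused)
    filtered - no answer before the timeout (typical of a firewall silently dropping)
The demo target is a listener this script starts on 127.0.0.1, so it needs no network.
"""
import errno
import socket
import threading


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))          # full handshake; the target sees and may log this
        return "open"
    except ConnectionRefusedError:
        return "closed"                  # a RST came back
    except socket.timeout:
        return "filtered"                # nothing came back in time
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"            # ICMP unreachable: treat like a drop
        raise
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Scan the given ports one after another; returns {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def unexpected_open(results, allowed):
    """Audit helper: open ports that are not on the allow-list of expected services."""
    return sorted(p for p, state in results.items() if state == "open" and p not in allowed)


def start_listener():
    """Start a throwaway TCP service on loopback. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)                  # so the accept loop can notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()             # the kernel already completed the handshake
            except socket.timeout:
                continue
            except OSError:
                break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def demo():
    """Scan one open and one closed loopback port.

    Returns (open_port, closed_port, results, unexpected_open_ports)."""
    open_port, stop = start_listener()
    # Reserve and immediately release a second port so we know it is closed right now.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
        # The allow-list models the services this host is supposed to offer (here: none),
        # so the listener we started shows up as an unexpected open port.
        return open_port, closed_port, results, unexpected_open(results, allowed=set())
    finally:
        stop()


if __name__ == "__main__":
    op, cp, res, extra = demo()
    for port, state in sorted(res.items()):
        print(f"127.0.0.1:{port:<5} {state}")
    print("unexpected open ports:", extra)
```

Two things this toy leaves out that Nmap does for you: it probes ports one at a time, so a class C with a one-second timeout on filtered ports takes a very long time, and it can only do connect() scans, because SYN and FIN scans need to build their own packets on a raw socket, which requires root or administrator rights.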
There are numerous port scanning tools available. A very good one is NetScanTools Pro 2004, although it does come at a cost ($199). It has loads of different utilities under one interface, so if you can get your hands on it, it comes highly recommended.
If however you are on a tight budget, the best scanners I can recommend are SuperScan, Blue’s Port Scanner and, the best of all, Nmap.
Nmap is a free security scanner that can be used for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts.
Nmap has many features: it can identify which services a host is running (and often their versions), which OS it is running, whether a firewall or packet filter is sitting in front of a port (Nmap reports such ports as “filtered” rather than open or closed), and, the most common use, which ports are open. Nmap runs on Windows as well as Linux and there are two user interfaces; the first (and best) is the command line version, and the second is a GUI which I would not recommend, but some people prefer something to look at!
I’m not going to write a tutorial on how to use Nmap, as there are many out there. Here are the best few that I can come up with:
If you read all the information in these posts you will realise how powerful Nmap really can be.
3) What to do after scanning?
Well, it really depends on why you are using this information. Ping sweeping and port scanning are very effective as a security check of your own network, helping you ensure there are no ports open that shouldn’t be: compare what the scan finds against the list of services each host is supposed to offer, and investigate anything extra. Scanning goes hand in hand with footprinting (I have written a tutorial on this too) as the basis of any attack on a network. After footprinting has turned up the softer details like email addresses and phone numbers, scanning identifies the open ports on the remote computers and the service listening behind each one. If a person still wants to get in, they can then look for a Trojan or an exploit for the particular service (and version) behind an open port via Google or security sites such as Bugtraq and SecurityFocus. It is the service, not the port number itself, that is exploited, which is why identifying what is listening matters as much as finding the port.
As always, I hope you learnt something new, and remember to use the information sensibly, as I will not be held responsible for any illegal acts you do! You can find me at: