Ethical Hacking Module 3 – Scanning Networks Tools and Techniques


As far as the notion of scanning network is concerned, it is the phenomenon that relates to set of processes that are used in order to explore hosts, ports and services in a network. It is also assumed as the key aspect of intelligence gathering. During this process, attackers use to develop a profile of target organization.

Do Not Scan These IP Addresses

Do Not Scan These IP Addresses

Objectives of Network Scanning

There are four Objectives of Network Scanning:

  1. The first and foremost purpose of network scanning is to explore live hosts, IP address, and open ports of live hosts
  2. The other objective is to make sure and explore the operating systems along with system architecture
  3. The third objective of network scanning is to identify services that are running on host
  4. Find vulnerabilities in live hosts

Objectives of Network Scanning

Scanning Methodology

The methodology of scanning is composed of following attributes and these are as follows:

  • Check for Live Systems
  • Check for Open Ports
  • Scanning Beyond IDS
  • Banner Grabbing
  • Scan for Vulnerability
  • Draw Network Diagrams
  • Prepare Proxies
  • Scanning Pen Testing

Scanning Methodology

Check for Live Systems

Check for Live Systems

ICMP Scanning

Through the help of this scanning, active devices can be easily located and at the same time if ICMP is passing through firewall then this scan is really necessary.

PING Sweep

As far as the importance of ping sweep is concerned, it is used for the purpose of establishing the live host from a range of IP addresses. This process is done through the help of sending ICMP ECHO requests to multiple hosts. In this process, attackers calculate subnet masks in order to explore the number of hosts present in the subnet. Attackers then use ping sweep to create an inventory of live systems in the subnet.

PING sweep

Ping Sweep Tools

Colasoft ping tool, pocket trap MSP, Visual Ping tester, ping scanner pro, Ping Info View

Check for Open Ports

Three Way Handshake

Three Way Handshake

TCP uses three way handshake in order to make a connection between server and client. This process can be further divided into three more steps. These steps are computer initiating a connection to the server. In the second step, server replies with a packet both the SYN and ACK flag set. In the last step, the clients respond back to the server with a single ACK packet.

TCP Communication Flags

This process consists of reset, synchronize, acknowledgement, push, urgent and finish as well. In this process, a connection is reset and then a connection is initiated between the hosts and then receipt of a packet is acknowledged as well. In the next step, all buffered data is sent immediately and then data contained in the packet should be processed immediately. This is how this process is completed and there will be no more transmissions.

TCP Communication Flags

Scanning Tool :Nmap

This aspect should be taken into consideration that network administrators can use Nmap in order to make network inventory. In this concern, service upgrading schedules can also be managed and at the same time service up time and monitoring can also be done.

Hping2 / Hping3

In this scenario, command line is used as packet crafter for the purpose of TCP/IP protocol. It is a tool through which security auditing can be performed and firewall including other networks can be tested as well. It can be used on both Linux operating systems and windows as well.

Hping Commands

These commands can be considered in the form of ICM ping, ACK scan on port 80. collecting initial sequence number, firewalls and time stamps. The other commands are SYN scan port 50-60. FIN, Push, and URG scan on port 80, scan entire subnet for host.

Hping Commands

Scanning Techniques

Scanning Techniques

TCP Connect/ Full Open Scan

In this concern, tcp connect scan is done through the help of completing three handshake and then a full connection is established.

Stealth Scan (Half Open Scan)

It is also assumed as 4 steps process in which client send a single SYN packet to the server on the appropriate port. if the port is open then the server responds with the SYN / ACK packet. If client responds with RST packet then remote port is closed state. After that client sends RST packet to close the initiation before connection can be established.


In this scan, attackers send a TCP frame to a remote device with URG, ACK, RST, SYN, PSH and FIN as well. FIN scan only with OS /TCP/ IP is developed according to RFC 793. It does not work on any version of Microsoft windows.

Null Scan

In this scan, attackers send a TCP frame to remote host with no flags. It works only when OS /TCP/ IP is developed according to RFC 793. It does not work on any version of Microsoft windows.


In this scan, most servers on port 80 and mail servers on port 25, port is considered open if application is listening on the port. one way to determine whether a port is open is to send a SYN packet to the port. The target machine will send back a SYN ACK packet if the port is open and an RST packet if the port is closed. The machine that receives an unsolicited SYN /ACK packet will respond with an RST. Every IP packet on the internet has a fragment IP no.

UDP Scanning

There is no three way TCP handshake for UDP scanning, the system does not respond a message when port is open. When the UDP port is sent to closed port the system responds with ICMP port unreachable message.

ACK Flag Scanning

Attackers send an ACK probe packet with random sequence number, no response means port is filtered, and RST response means the port is not filtered.

ACK Flag Scanning

Scanning Tools

These tools are PRTG network monitor, Network inventory explorer, soft perfect network scanner, advanced port scanner, and free port scanner.

Scanning Beyond IDS

CEH Scanning Methodology

There are different kinds of steps taken in this phenomenon and these are check for live systems, check for open ports, scanning beyond IDS, Banner grabbing, scan for vulnerability, draw network diagrams, prepare proxies, and scanning pen testing as well.

IDS Evasion Techniques

IDS Evasion Techniques

These IDS evasion techniques are as follows:

  • Use fragmented IP packets
  • Use source routing (if possible)
  • Spoof your IP address when launching attacks and sniff responses from server.
  • connect to proxy servers or compromised trojaned machines to launch attacks

SYN/FIN Scanning using IP fragments

This is not a new scanning methods but this is an advanced version of previous methods. The TCP header is split into several packets so that the packets filters are not able to detect what the packets intend to do.

SYN-FIN Scanning Using IP Fragments

Banner Grabbing

Banner grabbing or OS fingerprinting is the method that is used in order to determine the operating running on a remote target system.

Types of Banner Grabbing

There are two types of banner grabbing one is active grabbing and other is passive grabbing. In active grabbing there are specially crafted packets are sent to remote OS and the response is noted. The responses are compared with database for the purpose of determining the OS. The responses from different operating systems because of differences in TCP/ IP stack implementation.

Passive Banner Grabbing

In passive banner grabbing, this process is usually occurred through the help of error messages in which these errors provide information about servers and types of OS. At the same time SSL tool that are used by target remote system could be identified by these errors as well. The sniffing of the network traffic is also done in passive banner grabbing and banner grabbing from page extensions is also performed n this process.

Banner grabbing tools

Netcat: This tool is helpful for the purpose of writing and reading the data across network configurations in which TCP/IP protocol.

Telnet: This tool supports HTTP servers to determine the server field in the HTTP response header.

Banner Grabbing Countermeasures

  • Display false banners to misguide the attackers.
  • Turn off unnecessary services on the network to reduce the information closure.
  • IIS users can use these tools to disable and change banner information.
  • IIS location tools and server mask can be used in this process.

Vulnerability Scanning

In this process, the issues and problems of computer or system is explored and examined at the same time. This is done so that ways could be identified through which system can be exploited. In this scenario, 4 steps are followed that are as follows:

  • Network Topologies and OS vulnerabilities
  • Application and services vulnerabilities
  • Open ports and running services
  • Application and services configuration errors

Vulnerability Scanning

Vulnerability Scanning Tools

Nessus: It is assumed and regarded as the vulnerability and configuration assessment product, there are many advantages that can be perceived in the form of agent less auditing. The other features are compliance checks, content audits, customized reporting, high speed vulnerability discovery, in depth assessments, mobile device audits, patch management integration, and scan policy design and executions.

GFI LanGuard: This scanning tool helps in different areas such as asset inventory, risk analysis, change management, and at the same time it is also supporting in giving compliance as well. The features of this scanning are custom vulnerability checks, security vulnerabilities, scans and vulnerability tests. The other features are optimum protection, and network device vulnerability checks that should be taken into consideration.

Saint: This is another tool that needs to be evaluated as well and in this process the threats are identified across the network. This includes devices, operating systems, desktop and web applications etc. The advantages can be considered in the form of vulnerabilities identification on network devices along with rectifying issues in network security as well. The prevention of system risks is also possible in this process and compliances are made with current government and industry regulations. The compliances are also made in the form of compliance audits with policies as well

Network Vulnerability Scanning Tools

These scanning tools are as follows:

Open Vas, Core Impact Professional, Security Manager Plus, Shadow Security Scanner

Network Diagrams

Network Diagrams helps attackers to collect valuable information about architecture and it will shows physical to a target as well.

Network Diagrams

Network Discovery Tool

Lan surveyor identifies a network and creates complete and overall diagram that integrates OSI layer 2 and layer 3 topology data. The features are also important to consider and these are auto generate network maps. The other advantages are auto detect changes, export network maps to visio, Inventory management, network regulatory compliance and network topology database.

Network Discovery and Mapping Tools

LanState, Friendly Pinger, Ipsonar

Proxy Servers

A proxy is a network computer that can serve as an intermediary for connecting with other computers. A proxy works as a firewall as it protects the local network from outside access. Proxy servers can be used for the purpose of reduce web surfing risk to some extent. The proxy servers can also be used in order to filter unwanted contents.

Why Attackers use proxy servers

The following reasons are provided as follows:

  • Proxy servers are used for the purpose of hiding the IP address in order to hack without any problems.
  • To mask the actual source of attack
  • To remotely access intranets
  • To interrupt all requests
  • Multiple proxy servers are used in order to avoid detection by the attackers.

Use of Proxies for attacks

Proxies are used for attacking purpose and these could be considered in the form of direct attack/ no proxies, logged proxies in order to attack target by attackers, using proxy chaining by attackers to attack target.

Proxy Chaining

In this process, users use request for resource from the destination, proxy client at the users system connects a proxy server and passes the request to proxy server. The proxy servers strip the user’s identification information and at the same time request are processed to next proxy server. In the last step, unencrypted request is passed to the web server.

Proxy Chaining

Proxy Tools: Socks Chain

In this process, socks chain actually transmits the TCP/IP application by the help of proxy servers.
Proxy Tool: TOR (The Onion Routing)

The routing process can be explained by the help of following points and these are as follows:

  • Privacy
  • Security
  • Encryption
  • Proxy Chain
  • TOR chain

In this process, the privacy of both sender and receipt of a message as well.

Proxy Tools

These tools are as follows:

Burp Suite, CC Proxy Server, Foxy proxy Standard

Free Proxy Servers

Google search engine provides a list of thousands free proxy servers.

HTTP Tunneling Techniques

As far as the importance of HTTP tunneling techniques is concerned, this can be explained as the process in which users are allowed to do different internet tasks or activities despite of restrictions applied by the firewalls.

HTTP Tunneling Techniques

Need of HTTP Tunneling

This is significant because of the fact that organizations firewall all ports except 80 and 443 and at the same time users want to use FTP as well. In this way FTP will be used by the help of HTTP tunneling as FTP will be performed by means of HTTP protocol.

Need of HTTP Tunneling

G Zapper

Google set a cookie on user’s system with a unique identifier that helps in identifying users different sorts of web tasks or activities.

IP Spoofing Detection Techniques

IP Spoofing Detection Techniques

In this process, a probe is sent to the host of suspect spoofed traffic that triggers reply and compares IP ID with suspect traffic. This is also helpful when attacker is present in the same subnet.

TCP Flow Control Method

In this process, attackers sending spoofed TCP packets will not receive the target’s SYN ACK packets.

IP Spoofing Countermeasures

The counter measures can be considered in the form of reducing access so that configuration information on a machine. The users should not depend on IP based authentication and at the same time random initial sequence numbers. The other steps are strict filter use of ICMP, ingress filtering, egress filtering, access control lists and encryption of all network traffic as well.


The process of scanning is performed for the purpose of discovering or identifying live systems, active or running ports. At the same time attacker’s use scanning methods to bypass firewall rules and logging mechanism. In this manner, it can be assumed that scanning of networks involves different tools and other resources such as banner grabbing, proxies, target networks diagrams, and HTTP tunneling techniques as well.

Ethical Hacking Module 3 – Scanning Networks Tools and Techniques
Rate this post

Filed Under: Ethical Hacking

Author bio

Muhammad Haris

If you like Muhammad Haris posts, you can follow Smasheezy on Twitter. Subscribe to Smasheezy feed via RSS or EMAIL to receive instant updates.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.