Join Lisa Bock as she covers the second step of penetration testing, Port Scanning, which helps develop a profile of target organization. Discover how port scanning attempts to connect with open ports on a system, maps a network, learns the type of devices, checks for listening services, and determines the operating systems. Learn what ports to scan, and what ports to avoid.
- [Voiceover] Structured ethical hacking typically has five phases: reconnaissance, scanning, gaining access, maintaining access, and covering tracks. After conducting a thorough footprinting and reconnaissance exercise, the ethical hacker is then armed with more information on the target and has a better idea of how to get deeper into the system. Once reconnaissance is complete and enough information is available, such as the IP address range or what data or services might be of value, the second step of penetration testing involves scanning or port scanning.
The ethical hacker outlines a plan before beginning, including how and what to scan. The process of scanning the network devices begins by attempting to connect with open TCP and UDP ports on the system, then continues by mapping the network. We learn what type of devices are on the network, check for listening services, determine the operating systems, and monitor for evidence of data being sent in clear text.
Enumeration is closely related, in that after scanning is complete, enumeration activity actively connects to a target machine and gathers more detailed information. Scanning can use may different types of tools and techniques in order to see what defense mechanisms might be in place, such as firewalls and intrusion detection systems, and then builds a general topology or physical layout of the network. One objective of scanning is to identify live or responding hosts on the network.
A tool such as Nmap will send TCP, UDP, and ICMP packets to various ports of a target machine. The packets are specifically crafted in order to obtain responses and gather attributes. Some ports are more exposed than others, in that the nature of what the port represents is a juicier target. Scanning techniques vary, but one of our goals is to detect open ports and services that are running. The ports we're mostly concerned with are the well-known ports.
These are in the range of one through 1023. You should become familiar with these. Other ports can be scanned as well. Ports 1024 through 49151 are registered ports, meaning vendors use these for applications, such as port 3389, Remote Desktop Protocol. You should also scan those ports associated with Trojans, such as port 1001, Silencer.
Network scanning helps develop a profile of a target organization. When properly done, it is a valuable tool for the security analyst. However, an important rule to keep in mind is that certain IP addresses must never be scanned, and include mostly government and military networks. If you do a keyword search on "do not scan "certain IP address ranges", you'll find an updated list. But here is just a sampling of them.
These IP address ranges are protected from scans, even pings. If I open a command line prompt and ping any of those IP addresses, the request will timeout due to packet filtering or a silent discard to the bit bucket.
This course investigates the scanning tools and techniques used to obtain information from a target system, including specially crafted packets, TCP flags, UDP scans, and ping sweeps. Lisa Bock discusses how hackers can identify live systems via protocols, blueprint a network, and perform a vulnerability scan to find weaknesses. She also introduces some of the tools and techniques that hackers use to counter detection via evasion, concealment, and spoofing. In addition, learn how to reduce the threat of tunneling, a method hackers use to circumvent network security.
Note: Our Ethical Hacking series maps to the 18 parts of the EC-Council Certified Ethical Hacker (CEH) exam (312_50). This course maps to the 03 Scanning Networks domain.
- Scanning overview
- Port scanning countermeasures
- Scanning and querying DNS
- Scanning with ICMP
- Mapping (or blueprinting) a network
- Scanning for vulnerabilities
- Using tools such as hping and NetScan
- Evading detection
- Concealing your network traffic
- Preventing tunneling