NST - Network Scanning (Lesson)
Network Scanning
Introduction
In this lesson, you will learn about reconnaissance methods threat actors use to investigate their targets prior to an attack. You will step into the shoes of a cyber sleuth to understand the preliminary moves of online adversaries, discovering how they exploit seemingly innocuous details to orchestrate devastating breaches. You will learn how every click, share, and online interaction can be a potential goldmine for cyber attackers, as we unravel methods used to scout out vulnerabilities in the quest to exploit the unwary.
Network Scanner
A network scanner such as Nmap works by sending crafted packets to a target and interpreting the responses (or the lack of a response). Remember the TCP three-way handshake we discussed in a previous lesson?
- I start a connection with SYN.
- If you want to talk, respond with SYN/ACK.
- I respond with ACK and start sending data.
Quick Vocabulary Review
- TCP stands for Transmission Control Protocol.
- SYN stands for "Synchronize Sequence Numbers." It is used to initiate a TCP connection.
- ACK stands for "Acknowledgment." It is used to acknowledge the receipt of packets.
An Nmap scan sends many packets to the target network and watches for responses, such as a SYN/ACK coming back from a device. It is kind of like poking someone with a stick and waiting to see if they respond, or not! If we hear Ouch! then the person is probably English speaking. If we hear Ay! then the person is probably Spanish speaking. If we hear nothing at all, then the person is possibly asleep!
With Nmap you can select what type of packet to send to a target system and then, based on the response packets, Nmap will provide info about the target.
- Host Discovery Scan: The purpose is to find which hosts are live in a network.
- Port Scan: The purpose is to find which ports are open on a host.
- OS Detection Scan: The purpose is to determine what Operating System is being used by the host.
- Service/Version Scan: The purpose is to determine the software and version behind each open port on a host.
Enumeration: Host Discovery Scan
A basic Nmap host discovery scan is often called a “ping sweep” because it automates what you would otherwise do by hand: send a probe to every IP address in a range and note which ones answer. The probe Nmap uses depends on where the target is. For targets on the same Ethernet segment, a privileged Nmap sends ARP requests instead of ICMP pings. An ARP (Address Resolution Protocol) request is a broadcast on the local network asking which MAC (Media Access Control) address corresponds to a specific IP (Internet Protocol) address. ARP is how IPv4 maps an IP address to a MAC address, which is necessary because Ethernet frames are actually forwarded using MAC addresses, not IP addresses. A host that is up must answer ARP even if its firewall silently drops ICMP pings, which makes ARP the most reliable discovery probe on a local network. For targets beyond the local segment, Nmap falls back to ICMP echo requests plus a few TCP probes to common ports.
“Live” hosts are systems that are on, because they answered the scan packets. For example, a host discovery scan of the 192.168.100.0 network with the 255.255.255.0 subnet mask, written as 192.168.100.0/24 (such as `nmap -sn 192.168.100.0/24`, where -sn tells Nmap to skip port scanning), sends a probe to every address in that range (the “ping sweep”). The computers that send a reply are listed as live.
Here is the problem with scanning a network, though: if someone is monitoring it with a tool like Wireshark, they will definitely notice one host sending ARP requests for every address in the /24, one after another in sequence. That is NOT normal traffic! A normal host only asks for the handful of peers it actually talks to. Nmap has many options that make a scan less obvious, such as slower timing templates and randomized host order, but on a local segment the ARP requests themselves cannot be avoided, because they are the only way to get an answer.
Remember, the scan is part of the reconnaissance that comes before any attempt to exploit the network. If the target notices a scan, they know someone is performing recon and will probably tighten their defenses, which malicious actors do not want. It is also why defenders watch for exactly this kind of unusual activity: a scan is often the earliest warning that an attack is coming.
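The defender's side of the point above, as an added example that is not part of the lesson and is not Nmap or Wireshark code: a small detector that reads one-line ARP request summaries (the constructed sample below imitates the `time  sender-MAC  ARP Who has X? Tell Y` layout of a packet summary; it is not a real capture) and flags any sender that asks for an unusually large number of distinct addresses inside a short window, reporting how sequential those targets were. The window size and threshold are assumptions chosen for the sample, not Nmap or Wireshark settings.

```python
"""Detect an ARP ping sweep in a packet log (added example, not tool code).

A sweep looks like one source asking for many different IP addresses in a
fraction of a second, usually in ascending order. Normal hosts ask for a
handful of peers spread out over time.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed detector settings for the constructed sample below.
WINDOW_SECONDS = 2.0          # how far back we look for one sender
DISTINCT_TARGETS_THRESHOLD = 16

# One summary line per ARP request: "<time> <sender MAC> ARP Who has <ip>? Tell <ip>"
ARP_REQUEST = re.compile(
    r"^(?P<t>\d+\.\d+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"ARP Who has (?P<target>\d+\.\d+\.\d+\.\d+)\? Tell (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def _build_sample_log():
    """Constructed sample: two normal hosts plus a scanner sweeping .1 to .30."""
    lines = [
        "0.000 aa:bb:cc:00:00:01 ARP Who has 192.168.100.1? Tell 192.168.100.50",
        "0.120 aa:bb:cc:00:00:02 ARP Who has 192.168.100.50? Tell 192.168.100.1",
        "0.310 aa:bb:cc:00:00:01 ARP Who has 192.168.100.7? Tell 192.168.100.50",
    ]
    for i in range(1, 31):  # 30 sequential targets, 5 ms apart
        lines.append(
            f"{0.500 + i * 0.005:.3f} de:ad:be:ef:00:01 ARP Who has "
            f"192.168.100.{i}? Tell 192.168.100.200"
        )
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_arp_requests(log_text):
    """Return (time, sender_mac, target_ip) for every ARP request line."""
    requests = []
    for line in log_text.splitlines():
        m = ARP_REQUEST.match(line.strip())
        if m:
            requests.append((float(m["t"]), m["mac"], m["target"]))
    return requests


def sequential_fraction(targets):
    """Share of consecutive requests whose target is exactly the previous target + 1."""
    addrs = [int(ipaddress.ip_address(t)) for t in targets]
    if len(addrs) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(addrs, addrs[1:]) if b - a == 1)
    return steps / (len(addrs) - 1)


def find_arp_sweeps(requests, window=WINDOW_SECONDS, threshold=DISTINCT_TARGETS_THRESHOLD):
    """Sliding-window count of distinct targets per sender; returns alerts keyed by MAC."""
    by_sender = defaultdict(list)
    for t, mac, target in requests:
        by_sender[mac].append((t, target))

    alerts = {}
    for mac, events in by_sender.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({tgt for _, tgt in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[mac] = {
                "distinct_targets": best,
                "sequential_fraction": sequential_fraction([tgt for _, tgt in events]),
            }
    return alerts


if __name__ == "__main__":
    for mac, info in find_arp_sweeps(parse_arp_requests(SAMPLE_LOG)).items():
        print(f"ARP sweep from {mac}: {info['distinct_targets']} targets in "
              f"{WINDOW_SECONDS}s, {info['sequential_fraction']:.0%} sequential")
```

Only the scanner's MAC trips the threshold; the two normal hosts never ask for more than a couple of addresses. The sequential fraction is the tell that separates a default Nmap sweep from, say, a monitoring system that legitimately polls many hosts in random order.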
Enumeration: Port Scan
When people think of Nmap, they most often think of this feature: knocking on ports to see whether they are open. To exploit a system, malicious actors need a way in, and the easiest way in is a service that is exposed to the outside world. A web server is the best example, but there are many other servers that must interact with the public. Think about it: a door used by lots of strangers is easier to sneak through than a private door that requires ID.
Doing a port scan is the way to find those services. However, as we already discussed, completing the full three-way handshake with every port on every system in the network is going to attract attention!
One more definition so the next section makes sense: RST stands for Reset. The RST flag abruptly terminates a TCP connection. A host sends it to signal that the connection the packet belongs to is invalid or no longer exists, for example when something tries to connect to a port with no application listening, or when a host receives packets that do not match any connection it knows about. The recipient must drop the connection immediately and discard any queued data.
Port Scanning Technique: Send TCP and UDP packets to various ports and classify each port by the reply. Examples: TCP 80 (web server), TCP 23 (telnet server), UDP 53 (DNS server). For a TCP SYN probe, an open port replies with SYN/ACK, a closed port replies with RST/ACK, and a port that returns nothing (or an ICMP unreachable error) is reported as filtered, which usually means a firewall dropped the probe. UDP behaves differently: a closed UDP port triggers an ICMP port unreachable message, while an open one often says nothing at all, which is why UDP scans are slow and less certain.
TCP Connect scan (Nmap -sT) completes the whole handshake using the operating system's normal connect() call, so it is the most reliable and needs no special privileges, but it is also the most noticeable: the connection reaches the listening application, which can log it. The alternative that the RST definition above sets up is the SYN (“half-open”) scan, Nmap's default when run with privileges: it sends the SYN, reads the SYN/ACK or RST, and then sends an RST of its own instead of the final ACK, so the connection is never completed and the application never sees it (a firewall or intrusion detection system watching the wire still does).
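A TCP connect scan in working code, as an added example that is not part of the lesson and is not Nmap's code: it relies on the operating system's connect() call exactly as -sT does, and maps the three outcomes the text describes onto Nmap's vocabulary (handshake completed means open, RST comes back as ConnectionRefusedError and means closed, a timeout means filtered). To stay runnable offline it scans 127.0.0.1, where the example itself opens one listening port and releases one unused port; those two ports are assumptions created at run time, not real services.

```python
"""TCP connect scan of a local test target (added example, not Nmap code)."""
import socket


def start_listener(host="127.0.0.1"):
    """Open a listening TCP socket on an ephemeral port; returns (socket, port).

    The kernel completes the three-way handshake for anything in the backlog,
    so no accept() loop is needed for a connect() probe to succeed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_closed_port(host="127.0.0.1"):
    """Bind and immediately release an ephemeral port, so nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host, port, timeout=1.0):
    """One connect() probe. Returns 'open', 'closed' or 'filtered' in Nmap's sense."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # SYN -> SYN/ACK -> ACK completed
            return "open"
        except ConnectionRefusedError:   # the target answered the SYN with RST
            return "closed"
        except OSError:                  # timeout or unreachable: probe dropped
            return "filtered"            # (note: a closing socket also sends RST/FIN)


def connect_scan(host, ports, timeout=1.0):
    """Probe each port in turn and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in sorted(ports)}


def demo():
    """Scan one open and one closed local port; returns the states for inspection."""
    listener, open_port = start_listener()
    closed_port = find_closed_port()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"127.0.0.1:{port}\t{state}")
```

Because connect() hands the completed connection to the listening program, the scan shows up in that program's own logs (a web server will record an empty request, an SSH daemon a connection that sent no banner). That is the noise a SYN scan avoids, at the cost of needing raw-socket privileges.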
Fingerprinting
Being able to gather operating system (OS) and service version information is very important to a malicious actor. Most exploits only work against specific operating systems or specific versions of a service. A hacker who does not know whether the target matches the exploit's requirements could spend a long time throwing an exploit at a system it can never work on. The point of reconnaissance is to gather enough information that you are NOT randomly throwing exploits at hundreds of computers, hoping one of them eventually works.
OS Detection: Operating systems build their TCP/IP packets slightly differently (initial TTL, window size, option ordering, how they react to unusual flag combinations), so the same probes get different responses from different systems. Nmap compares the responses with its fingerprint database and reports a “best guess” as to the OS type and version.
Service/Version Detection: Completes a connection to each open port, reads whatever banner the service sends on its own, and if the service stays quiet sends protocol-specific probes (such as an HTTP request). The responses are matched against a database of known signatures to identify the service software name and version.
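Service/version detection done the way the text describes, as an added example that is not part of the lesson and is not Nmap's code: connect, wait for a banner, send an HTTP request if the service stays silent, then match the response against a signature table. To run offline the example starts two throwaway services on 127.0.0.1 that imitate an SSH daemon and a web server; their banners (`OpenSSH_8.9p1`, `Apache/2.4.57`) and the signature regexes are constructed for this example and are not taken from Nmap's nmap-service-probes database.

```python
"""Banner-grab service/version detection (added example, not Nmap code)."""
import re
import socket
import threading

# Constructed signature table: (regex over the raw response, service name).
# group(1) is what we report as the product/version string.
SIGNATURES = [
    (re.compile(rb"^SSH-\d+\.\d+-(\S+)"), "ssh"),
    (re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: ([^\r\n]+)", re.S), "http"),
    (re.compile(rb"^220[ -](\S+)"), "ftp-or-smtp"),   # both greet with 220; needs a follow-up probe
]


def grab_banner(host, port, timeout=0.5):
    """Nmap-style probing: listen first (many services talk first); if the
    service says nothing, send an HTTP request and read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                data = s.recv(4096)
            except socket.timeout:
                data = b""
    return data


def identify(banner):
    """Return (service, version_string); ('unknown', '') when nothing matches."""
    for regex, service in SIGNATURES:
        m = regex.search(banner)
        if m:
            return service, m.group(1).decode("ascii", errors="replace")
    return "unknown", ""


def version_scan(host, ports):
    """Grab and classify a banner from each port; unreachable ports are skipped."""
    results = {}
    for port in ports:
        try:
            results[port] = identify(grab_banner(host, port))
        except OSError:
            continue
    return results


# --- throwaway local services standing in for real targets (constructed) ---

def serve_once(handler, host="127.0.0.1"):
    """Listen on an ephemeral port, hand exactly one connection to handler, exit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def fake_ssh(conn):
    conn.sendall(b"SSH-2.0-OpenSSH_8.9p1\r\n")          # SSH servers speak first


def fake_http(conn):
    conn.settimeout(2.0)
    try:
        conn.recv(1024)                                  # HTTP servers wait for a request
    except socket.timeout:
        pass
    conn.sendall(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.57\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    ports = [serve_once(fake_ssh), serve_once(fake_http)]
    for port, (service, version) in version_scan("127.0.0.1", ports).items():
        print(f"127.0.0.1:{port}\t{service}\t{version}")
```

The order of probes matters: reading before writing catches the services that announce themselves (SSH, FTP, SMTP), while the HTTP request wakes the ones that wait for the client. Note that the version string comes straight from the target, so it can be wrong or deliberately faked; administrators sometimes change banners for exactly that reason, which is why Nmap also looks at protocol behaviour rather than trusting the banner alone.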
Nmap Warning
Nmap is useful to network administrators as well as malicious actors, so it is NOT in itself a “hacking” tool. For example, a network administrator might run Nmap on their own network to look for rogue devices, or to check whether any devices have services listening on ports that should be closed or placed behind a firewall.
However, it is considered a hostile action to scan someone’s network if you don’t have permission! It would be the same as walking up to someone’s house and trying all the door handles and windows to see if they are open. Even if you do not have any intentions of robbing the house, it is still very rude and most people would take offense. Do not ever scan without permission!
Reflection and Wrap-up
In this lesson, we learned about the crucial role of reconnaissance in cybersecurity, particularly focusing on network scanning techniques used by threat actors to gather information about potential targets. We explored different aspects of network scanning, including enumeration, fingerprinting, and the use of tools like Nmap for identifying live hosts, open ports, operating systems, and service versions within a network. This reconnaissance allows attackers to find vulnerabilities and plan their attacks more effectively. Additionally, we discussed the ethical implications of network scanning, emphasizing the importance of permission before conducting any scans to avoid legal and ethical issues.
CC BY-NC-SA 4.0 unless otherwise noted | Images: licensed and used according to terms of subscription; intended only for use within the lesson.