Practical Network Scanning

Ping sweeps and Port scans

Let's try to understand ping before we discuss ping sweep.

  • Ping: Ping is a tool commonly used to check the status of a host on a network. It is based on the ICMP protocol: the ping process sends an ICMP echo request to the target host, which answers with an ICMP echo reply.
  • Ping Sweep: A ping sweep is a technique for finding out which hosts are alive within a defined IP range. Network admins who allow ICMP through leave their hosts exposed to ICMP-based attacks.

Multiple tools are available for ping sweeps, and you can even build your own with a small script. Here is a simple example of running a ping sweep from a Windows machine: a FOR /L loop acts as a counter with the variable %i, which starts at 1, increases by 1 on each iteration and goes up to 255. I want to ping through the /24-sized subnet 192.168.0.0/24 and ping each IP address once (-n 1). The output can be filtered with | find "Reply", which shows only the IPs that actually replied. In my live network, four IPs respond to the ICMP ping, as shown in the following screenshot:

  • Port Scan: First, let's explore what a port is. Any application on a host that communicates with other hosts on the network listens on a valid port, which acts like a small door into the host. There are a total of 65,535 TCP ports and another 65,535 UDP ports. Ports 0 to 1023 are reserved for privileged services and are designated as well-known ports.

A port scan is a process that sends client requests to a range of server port addresses on a targeted host, with the aim of finding active ports and then exploiting a known vulnerability in the service behind them.

  • TCP Port Scan: A plain TCP port scan (also called a connect scan) is the most basic form of TCP scanning. Port scanning tools can scan a target very quickly, at approximately one thousand ports per second or more. They ask the operating system's own network stack to open a connection to each port on the target machine in order to detect which services are available on it. If the port is listening, the initial connection handshake succeeds; otherwise the connection attempt fails.
  • TCP SYN scanning: A TCP SYN scan is based on the TCP three-way handshake and is also known as half-open scanning. The attacker does not open a full TCP connection; it sends a SYN packet and waits for a response. A SYN/ACK from the target indicates that the port is listening, and as soon as the SYN/ACK is received the attacker sends an RST to tear the half-open connection down instead of completing the handshake.
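To make the two exchanges just described concrete from the defender's side, here is an added Python example (not from the book) that replays constructed packet records and labels each flow as a half-open probe, a completed connection, a closed port or a filtered port. The IP addresses, ports and the tuple layout of the records are made up for illustration.

```python
from collections import defaultdict

# Constructed sample capture: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
# 10.0.0.5 is the scanning host, 10.0.0.20 the scanned host (both made up).
CAPTURE = [
    # Half-open (SYN) probe of an open port: SYN, SYN/ACK, then RST from the scanner.
    ("10.0.0.5", 40001, "10.0.0.20", 22, "S"),
    ("10.0.0.20", 22, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "10.0.0.20", 22, "R"),
    # Probe of a closed port: the target answers with RST/ACK.
    ("10.0.0.5", 40002, "10.0.0.20", 23, "S"),
    ("10.0.0.20", 23, "10.0.0.5", 40002, "RA"),
    # Full connect scan of an open port: the handshake completes, then a FIN teardown.
    ("10.0.0.5", 40003, "10.0.0.20", 80, "S"),
    ("10.0.0.20", 80, "10.0.0.5", 40003, "SA"),
    ("10.0.0.5", 40003, "10.0.0.20", 80, "A"),
    ("10.0.0.5", 40003, "10.0.0.20", 80, "FA"),
    # Filtered port: the SYN is dropped and nothing comes back.
    ("10.0.0.5", 40004, "10.0.0.20", 445, "S"),
]


def classify_flows(packets):
    """Return {(client_ip, server_ip, server_port): label}, where label is
    'open/half-open', 'open/connect', 'closed', 'no-response' or 'open/unknown'."""
    flows = defaultdict(list)  # flow key comes from the client's bare SYN
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S" or fwd in flows:
            flows[fwd].append(flags)           # packet from the client
        elif rev in flows:
            flows[rev].append("<" + flags)     # '<' marks a packet from the server
    labels = {}
    for (cip, _cport, sip, sport), seq in flows.items():
        client = [f for f in seq[1:] if not f.startswith("<")]
        server = [f[1:] for f in seq if f.startswith("<")]
        if "SA" not in server:
            label = "closed" if "RA" in server else "no-response"
        elif any("A" in f for f in client):    # client completed the three-way handshake
            label = "open/connect"
        elif "R" in client:                    # client reset the half-open connection
            label = "open/half-open"
        else:
            label = "open/unknown"
        labels[(cip, sip, sport)] = label
    return labels
```

A burst of 'open/half-open' and 'closed' results from a single client IP across many ports is the pattern a network monitor would flag as a SYN scan; a connect scan shows up instead as many short, fully completed connections.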