Strengthening the Attack by Effective “Scanning”
As per the Oxford dictionary, “Scanning” is defined as “to look at all parts of (something) carefully in order to detect some feature”. Scanning is a technique which is very widely used in the cyber security domain. Security engineers, hackers, and researchers often use various kinds of scanning in the course of their work. Network Scanning is a process where an attacker uses tools and techniques to gather information about the target. This information may be as simple as the active hosts within the network, to complex discoveries like gathering the OS of the hosts, open ports and active vulnerabilities on the host. Scanning is not only done on the network; it could also be application scanning, or website scanning, depending on the need. However, in this article, we will focus mainly on network scanning and will only briefly touch upon application and website scanning.
Scanning is an integral part of ethical hacking, and without understanding the basics of ethical hacking, we would not be able to do justice to this topic. Generally, after reconnaissance, scanning is the second step of any hacking attempt. For that purpose, we will look at the basics of ethical hacking and its steps, after which we shall understand scanning and its types, take a deep dive into network scanning and finally look at some tools which are used in the industry for various types of scanning.
Whenever we listen to the word ‘Hacker’, we imagine a guy with black hood, sitting alone in a room, having multiple screens in front of him and typing commands at a blazing speed! In reality, that is not the case. A computer hacker is a person with deep domain expertise in the fields of computers, who explores methods to overcome the defense mechanisms by exploiting vulnerabilities in a computer system or network. A hacker can be financially or politically motivated, or could be working with an organization to help them strengthen their infrastructure. The latter is also referred to an ethical hacker.
If we talk about the English definition of hacker as per the Oxford dictionary , it refers to a person who uses computers to get access to data in somebody else’s computer or phone system without permission. An unethical hacker is someone who overcomes the security controls deployed by security teams to protect confidential and sensitive data by exploiting various vulnerabilities present in the system or network, and gains unauthorized access to the system. This is usually done for financial gain by unethical hackers.
Now when the word ‘ethical’ is attached to ‘hacking’, it changes the meaning a bit and also the intent of hacking. In ethical hacking, the hacker exploits the vulnerability, gains access to the data, but never alters, deletes or steals it or uses it for personal, professional or financial gain. The hacker, in this case, will disclose the vulnerability to the owner of the system with a “Proof of Concept” (PoC) and request the owner to get the vulnerability remediated. Generally, the ethical hackers have an explicit permission to exploit the target from the owner. The companies could hire ethical hackers on their payroll and pay them to do such hacking or may allow hackers around the globe to evaluate their websites or applications through bug bounty programs. In this case, the companies offer monetary rewards to hackers who report bugs to the companies.
Now when we have discussed ethical hackers, it would make sense to introduce the term, “White Hat Hacker”. A White Hat Hacker is an individual, generally working with or for a company to help the company strengthen its security posture. The white hat hacker has explicit permission from the system or the information owner to attack the system. The intent here is to fix the issues before the black hat hackers or the bad guys could exploit the vulnerability. Ethical hackers can also be referred to as white hat hackers.
To successfully understand scanning, it is very important to understand what the various steps of hacking are. Any successful attack would need these steps to be followed:
Scanning is the second step in ethical hacking. It helps the attacker get detailed information about the target. Scanning could be basically of three types:
Port scanning could be further divided into 5 types:
Network is the backbone of any information technology infrastructure, over which data and resources are shared. In today’s world, when the network is being used for almost everything, “Network Security” is of critical importance. If the network is not secure, any other control is not worth applying! Network scanning is the process or technique by which we scan the network to gain details such as active hosts, open ports including running TCP and UDP services, open vulnerabilities, details about the host like operating system and much more. For IP (internet protocol) networks, generally “ping” is used for reaching a host and checking its status. Ping is an ICMP (Internet Control Message Protocol) utility and sends packets to the target and receives an ICMP echo reply.
Within an organization, network scanning is used by monitoring and management systems. These are legitimate uses of scanning and are very regularly used by network management tools and network administrators. On the other side, scanning used by an attacker relies on the same tools and protocols as used by network administrators for monitoring and management. The attacker would first obtain the IP address range of the target network generally using DNS or the whois protocol. Once the attacker has the IP range, he would scan the network for active host, their operating systems and related details as discussed above. Finally, with all this information, the attacker may attempt to breach the target systems.
Reconnaissance, as discussed above, is the first step in ethical hacking. In this step, the attacker tries to gather as much information as possible. Reconnaissance could be of two types, active and passive. In passive reconnaissance, the attacker makes absolutely no contact with the target systems or the network. However, in active reconnaissance, the attacker makes direct contact with the target machines and network in order to gain some basic information. This is generally done by scanning and foot-printing.
You might be wondering, why are we talking about scanning in reconnaissance and then also discussing scanning as a different and independent step of ethical hacking? There is a thin line between the two.
As discussed above, during active reconnaissance, there is contact with the target network. However, in the scanning step (2nd step of ethical hacking), the attacker already has basic information about the network and the infrastructure. The aim is to get details like active host names, open ports, operating systems on the active hosts, etc. While they might seem the same, scanning is not possible or rather, would not be successful without an in-depth and detailed reconnaissance. The scanning step further expands reconnaissance and takes it to the next level.
Let us have a look at nmap, a very commonly used network scanning tool and see some examples of its use. You can install nmap (Zenmap is the UI interface for Windows) from nmap [dot] org. Below is what the Zenmap looks like:
We input the target IP or IP range in the “Target” field, choose a profile from the dropdown and input a command which specifies certain parameters. Below are some common parameters you can find in the nmap tool:
Some examples are given below:
You can refer to nmap official website (nmap [dot] org/book/man [dot] html) for more examples and use cases.
With the evolution of sophisticated attacks, the network security industry has evolved a great deal, and there are more than a dozen tools which help companies manage their network and ensure it is secure from all kinds of attacks. Below are some very common and trusted tools which are used across the industry:
Concluding remarks
Scanning is the second step of the ethical hacking process and until an attacker is proficient in this, it is highly unlikely that the attack will be successful. Network scanning not only tells you about the hosts and their basic configurations, it also tells an attacker about various vulnerabilities present in the hosts. On the other side, application scanners tell what vulnerabilities (generally from an OWASP standpoint) are existent in an application. Scanning, if done the right way can reveal a lot of information about the organization. Having said that, the network and security administrators within almost all organizations have tools deployed to ensure that any scanning attempt is detected almost instantaneously and a corrective action (generally blocking) is taken. This makes it even more difficult for any attacker to launch a scan on an organization’s network and come up with successful results. Many a times, scanning is blocked at the firewall level. This means, ICMP traffic is denied by default, except for some IPs and subnets where it is required for trouble-shooting purposes.
a. -sL: List Scan – simply list targets to scan
b. -sn: Ping Scan – disable port scan
c. -Pn: Treat all hosts as online — skip host discovery
a. -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
b. -sU: UDP Scan
c. -sN/sF/sX: TCP Null, FIN, and Xmas scans
d. –scanflags <flags>: Customize TCP scan flags
a. -p <port ranges>: Only scan specified ports
b. –exclude-ports <port ranges>: Exclude the specified ports from scanning
c. -F: Fast mode – Scan fewer ports than the default scan
a. -sV: Probe open ports to determine service/version info
a. -O: Enable OS detection
Research & References of Strengthening the Attack by Effective “Scanning”|A&C Accounting And Tax Services
Source
0 Comments