12/08/2018, 17:31

Network reconnaissance: Scanning

When we deploy an application and make it accessible to the world, the first concern that comes to mind is security. We enforce security constraints and often configure the network to provide minimal access to the outside world. Along the way, many different tools accompany us; among them, a very useful one is the network scanner, otherwise known as a port scanner. In this article, we'll briefly go through different network scanning strategies and build a simple network scanner.

Reasons

Network scanning may serve many different purposes. When a network is configured, a scanner can be used to assess its security level. The scanner provides insight into information including, but not limited to:

  • Service port status
  • Host activity
  • Network mapping
  • Service identification
  • OS identification
  • Latency assessment
  • Physical or logical channel fault detection

Not to mention, like any other security tool out there, the network scanner has its equal share of ethical and unethical usage.

Types of scanning

Network scanning is a low-level networking operation that works at the transport layer, using network sockets. The term "port" denotes the external endpoint of a connection, whereas "socket" denotes the internal endpoint.

Port numbers (both for UDP and TCP) are often standardized (e.g. by IANA) for the popular services that run on them. But that is just a suggestion, because a service administrator may choose to use a different port. Scanning can be divided into two categories.

TCP scanning

TCP is a connection-oriented protocol, and all web applications that rely on HTTP or HTTPS use it. Services that require a reliable connection with error recovery are primarily based on TCP. Some notable services that use TCP include FTP (21), SSH (22), NTP (123), Kerberos (464), Telnet (23), MySQL (3306), Redis (6379) and IMAP (143).

UDP scanning

UDP is a faster, connectionless protocol without error recovery support, mostly used by network services that don't require a natively trusted connection (e.g. streaming services, low-level networking services). The primary reason for using this protocol is speed. Some notable UDP services include DNS (53), DHCP (547), OpenVPN (1194) and more.

A service can be assigned any port number. The only ways to determine that you are talking to a specific service are pre-negotiation, meta-analysis (otherwise known as banner grabbing), or a specific handshake pattern. A TCP-based service may also have a UDP counterpart (often in the same suite).

Tools

There are countless network discovery tools and suites that incorporate a network scanner, among which nmap, netcat (also ncat, Nmap's reimplementation of netcat) and Angry IP Scanner have gained wide popularity; Nmap is especially popular among Linux communities.

It would be an understatement to call Nmap just a port scanner. It's a powerful utility with many bells and whistles that make it a good network exploration kit.

Example

Let's go through some basic exploration operations using Nmap. Nmap is a command-line utility, and Linux will be our host OS.

Single host scanning

This is the simplest operation, where the target IP is known. Let's scan our host machine for any open port.

$ nmap 127.0.0.1

Starting Nmap 7.01 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000048s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

The scan indicates that the host is alive (certainly it is
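As an added example, not part of the original article, here is a minimal TCP connect scanner in Python in the spirit of the "simple network scanner" promised above, used from the defender's side: it scans a host you administer and reports any open port that is not on the list of ports you intended to expose. The allowlist and the in-process listener are constructed for the demonstration.

```python
import socket
from typing import Dict, Iterable, List, Tuple


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Full TCP connect scan: the OS completes the three-way handshake,
    so a port is reported 'open' only if something actually accepts the connection.
    A RST (ConnectionRefusedError) means 'closed'; silence means 'filtered'
    (dropped by a firewall, or the host is down), the same states Nmap reports."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:            # socket.timeout is a subclass of OSError
                results[port] = "filtered"
    return results


def unexpected_open_ports(scan: Dict[int, str], allowlist: Iterable[int]) -> List[int]:
    """Ports that accept connections but are not in the set you meant to expose."""
    allowed = set(allowlist)
    return sorted(p for p, state in scan.items() if state == "open" and p not in allowed)


def start_local_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Constructed stand-in for a real service: listen on an OS-chosen free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                # port 0: let the OS pick an ephemeral port
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, listening_port = start_local_listener()
    # Hypothetical allowlist: only MySQL (3306) is supposed to be reachable.
    allowlist = [3306]
    scan = tcp_connect_scan("127.0.0.1", [3306, listening_port])
    for port, state in sorted(scan.items()):
        print(f"{port}/tcp\t{state}")
    for port in unexpected_open_ports(scan, allowlist):
        print(f"WARNING: unexpected open port {port}/tcp")
    srv.close()
```

Note that a connect scan completes a full handshake on every open port, so it shows up in the service's own logs; that visibility is exactly what makes it useful for auditing your own hosts.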