Ethical Hacking Course
Chapter 5: Scanning
presentation slides to accompany
CEHv12 Certified Ethical Hacker Exam Study Guide
author: Ric Messier; © 2023 John Wiley & Sons
Agenda
• Port scanning
• Vulnerability scanning
Conducting Ping Sweeps
• Ping sweeps
• Identify which IP addresses belong to active hosts
• Ping a range of IP addresses to see what type of response is returned
• Problems
• Computers might be shut down at the time of the sweep
• The sweep then indicates that the IP address does not belong to a live host
• Many network administrators configure nodes to not respond to an ICMP Echo Request (type
8) with an ICMP Echo Reply (type 0)
• Firewalls may filter out ICMP traffic
Simpson, Antill, Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition. © 2023 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Fping (1 of 4)
• With the Fping tool, you can ping multiple IP addresses simultaneously
• Included with Kali Linux
• Accepts a range of IP addresses
• Entered at a command prompt
• You can create a file containing multiple IP addresses
• Use it as input for the Fping command
• Input file
• Usually created with a shell-scripting language so that you don't need to type the thousands of IP addresses needed for a ping sweep
Fping (2 of 4)
[Figure 5-6 Fping parameters (source: GNU Public License)]
Fping (3 of 4)
• To ping sweep a range of IP addresses without using an input file, use the command:
• fping -g BeginningIPaddress EndingIPaddress
• The -g parameter is used when no input file is available
• Example:
• fping -g [Link] [Link]; this command returns the results shown in Figure 5-6
Fping (4 of 4)
[Figure 5-7 Results of fping commands (source: GNU General Public License)]
Hping3
• Used to:
• Perform ping sweeps
• Bypass filtering devices
• Allows users to inject modified IP packets
• Advanced port-scanning tool
• All security testers must be familiar with this tool
• Offers a variety of features
MetaPing
MetaPing is a lightweight, GUI-based tool designed for network monitoring and ping sweeps. It helps users visually track the availability and responsiveness of devices in a network. By continuously pinging devices, it can monitor their uptime and provide real-time feedback about network connectivity.
Key Features of MetaPing
• Continuous Monitoring: allows for constant tracking of device status and response times.
• Graphical Interface: provides a simple, user-friendly interface for visualizing device availability.
• Customizable Device List: users can input specific IP addresses or hostnames for monitoring.
• Real-Time Updates: displays current status and response times for each monitored device.
• Alerts: can notify users of downtime or unresponsive devices.
Introduction to Port Scanning
• Port scanning
• Method of finding which services are offered by a host computer
• Identifies vulnerabilities
• Port-scanning tools
• Identify vulnerable open ports and launch an exploit to attack the system
• Security testers must scan all ports when testing
• Not just well-known ports
Introduction to Port Scanning
[Figure 5-1 Angry IP port scanner interface (source: Angry IP Scanner)]
Introduction to Port Scanning
• Port-scanning programs report:
• Open ports
• Allow access to applications and can be vulnerable to an attack
• Closed ports
• Don’t allow entry or access to a service
• Filtered ports
• Might indicate that a firewall is being used to allow specified traffic into or out of the network
Ports
• TCP and UDP both support 65,536 ports, numbered 0-65,535 (two bytes)
• Ports 0-1023 are considered administrative and require administrator-level privilege to listen on those ports
• Network services 'bind to' a port to listen on it
• Open ports indicate an application listening
Using Port-Scanning Tools
• Port-scanning tools
• Hundreds are available
• Not all are accurate
• Be familiar with a variety of tools
• Practice often to gain proficiency
• Do not use one tool exclusively
• Some tools include:
• Nmap
• Nessus and OpenVAS
Nmap
• De facto port scanner is nmap
• Supports multiple scan types
• TCP scan types include SYN, Full connect, FIN, XMAS
• UDP scans supported
• Default scan is about 1000 well-known ports
• Port scans often require administrative privileges
SYN Scan
• Takes advantage of the three-way handshake
• nmap sends a SYN segment to the target host
• If the port is closed, the protocol definition says to respond with a segment that has the RST flag set
• If the port is open, the protocol definition says to respond with a SYN/ACK segment
• If the port is open, nmap sends an RST message in response to the SYN/ACK to cancel the connection attempt
Full Connect Scan
• Same, essentially, as the SYN scan
• Difference is that nmap completes the three-way handshake to establish a connection
• Once the connection is established, nmap tears the connection down
• More overhead with this and slightly more time consuming
• A lot of half-open connections from a SYN scan may be more noticeable
• In reality, all port scans are easily identified by modern networks and security devices
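The last two bullets are the defender's side of the SYN and full-connect scans. The following is an added example (not from the course or from the textbook) showing how a network monitor could spot both: a SYN scan leaves half-open flows (the client never sends its ACK), while a full-connect scan completes handshakes but still touches many distinct ports in a short window. The flow records, hosts and thresholds below are constructed for the illustration.

```python
"""Port-scan detection over constructed flow records (added example).

Each record is (time_s, src, dst, dport, client_flags), where client_flags is
the set of TCP flags the client sent during that flow. A SYN-scan probe shows
SYN (closed port: target answered RST) or SYN+RST (open port: target answered
SYN/ACK and the scanner reset); a completed handshake always includes ACK.
"""
from collections import defaultdict

# Constructed sample data: one SYN scanner, one full-connect scanner, one
# ordinary client, all talking to the same server 10.0.0.20.
FLOWS = [
    (0.00, "10.0.0.5", "10.0.0.20", 21,   {"SYN"}),
    (0.01, "10.0.0.5", "10.0.0.20", 22,   {"SYN", "RST"}),
    (0.02, "10.0.0.5", "10.0.0.20", 23,   {"SYN"}),
    (0.03, "10.0.0.5", "10.0.0.20", 25,   {"SYN"}),
    (0.04, "10.0.0.5", "10.0.0.20", 80,   {"SYN", "RST"}),
    (0.05, "10.0.0.5", "10.0.0.20", 110,  {"SYN"}),
    (0.06, "10.0.0.5", "10.0.0.20", 443,  {"SYN", "RST"}),
    (0.07, "10.0.0.5", "10.0.0.20", 3389, {"SYN"}),
    # Full-connect scanner: handshakes completed, then torn down at once
    (2.00, "10.0.0.7", "10.0.0.20", 22,   {"SYN", "ACK", "RST"}),
    (2.05, "10.0.0.7", "10.0.0.20", 80,   {"SYN", "ACK", "RST"}),
    (2.10, "10.0.0.7", "10.0.0.20", 443,  {"SYN", "ACK", "RST"}),
    (2.15, "10.0.0.7", "10.0.0.20", 8080, {"SYN", "ACK", "RST"}),
    (2.20, "10.0.0.7", "10.0.0.20", 8443, {"SYN", "ACK", "RST"}),
    # Ordinary client: a few real sessions spread over minutes
    (1.00, "10.0.0.9", "10.0.0.20", 443,  {"SYN", "ACK", "FIN"}),
    (45.0, "10.0.0.9", "10.0.0.20", 443,  {"SYN", "ACK", "FIN"}),
    (90.0, "10.0.0.9", "10.0.0.20", 80,   {"SYN", "ACK", "FIN"}),
]


def classify_flow(client_flags):
    """A flow whose client never sent ACK never completed the handshake."""
    return "completed" if "ACK" in client_flags else "half_open"


def detect_scanners(flows, window_s=1.0, min_ports=5):
    """Return {src: summary} for sources that touch at least min_ports
    distinct ports on one destination within window_s seconds. The summary
    records how many of those flows were half-open, which separates a SYN
    scan from a full-connect scan (the threshold values are assumptions)."""
    by_pair = defaultdict(list)
    for t, src, dst, dport, flags in flows:
        by_pair[(src, dst)].append((t, dport, classify_flow(flags)))

    alerts = {}
    for (src, dst), records in by_pair.items():
        records.sort()
        for i, (t0, _, _) in enumerate(records):
            window = [r for r in records[i:] if r[0] - t0 <= window_s]
            ports = {dport for _, dport, _ in window}
            if len(ports) >= min_ports:
                alerts[src] = {
                    "dst": dst,
                    "distinct_ports": len(ports),
                    "half_open": sum(1 for r in window if r[2] == "half_open"),
                    "completed": sum(1 for r in window if r[2] == "completed"),
                }
                break  # one alert per source is enough for this sketch
    return alerts


if __name__ == "__main__":
    for src, summary in detect_scanners(FLOWS).items():
        kind = "SYN scan" if summary["half_open"] > summary["completed"] else "full-connect scan"
        print(f"{src}: {summary['distinct_ports']} ports on {summary['dst']} -> likely {kind}")
```

The half-open count is what makes the SYN scanner stand out even at a small port threshold; the full-connect scanner is caught only by the distinct-port count, which is why the slide's point that both are easily identified holds in practice.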
FIN Scan
• nmap sends out a FIN message, which is unnatural where there is no connection
• Protocol definition says respond with a RST if the port is closed
• If the port is open, the packet is dropped
• nmap will flag open ports as open|filtered
• A firewall dropping a packet for any reason will result in no response, so nmap can't tell if the port is open or the packet was just dropped
XMAS Scan
• Same response as the FIN scan because the target host responds in the same way
• Flags FIN, PSH and URG are all set, making it appear as though the packet is lit up like a Christmas tree (Xmas)
• It was thought that an unnatural combination of flags would be missed by firewalls and intrusion detection systems, so it might get through where more standard scans wouldn't
• This technique has been around so long, it won't evade anything
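The SYN, full-connect, FIN and XMAS slides all describe the same small decision table: what the target's TCP stack sends back for a given probe and port state, and what the scanner can therefore conclude. The following added example (not from the course or the textbook) writes that table out as code so the open|filtered ambiguity of the FIN and XMAS scans can be seen directly. The probe names, port states and helper functions are assumptions made for the illustration.

```python
"""Model of TCP stack responses to port-scan probes (added example).

Encodes the RFC 793 behaviour the slides describe: a closed port answers RST
to anything, an open port answers SYN/ACK to a SYN and silently drops a
segment that has no SYN or ACK, and a firewall that filters the port drops
everything without a reply.
"""
from enum import Enum

SYN = frozenset({"SYN"})
FIN = frozenset({"FIN"})
XMAS = frozenset({"FIN", "PSH", "URG"})   # "lit up like a Christmas tree"


class PortState(Enum):
    OPEN = "open"            # a service is listening
    CLOSED = "closed"        # nothing listening, stack answers RST
    FILTERED = "filtered"    # firewall drops the probe silently


def stack_response(probe, state):
    """Flags the target sends back for a probe, or None for no reply."""
    if state is PortState.FILTERED:
        return None                                   # dropped by the firewall
    if probe == SYN:
        return frozenset({"SYN", "ACK"}) if state is PortState.OPEN else frozenset({"RST"})
    if "SYN" not in probe and "ACK" not in probe:     # FIN, XMAS and similar
        return None if state is PortState.OPEN else frozenset({"RST"})
    raise ValueError(f"probe {sorted(probe)} is not modelled")


def scanner_conclusion(probe, response):
    """What a scanner can infer from the (probe, response) pair."""
    if response == frozenset({"RST"}):
        return "closed"
    if response == frozenset({"SYN", "ACK"}):
        return "open"
    if response is None:
        # A SYN that gets nothing back can only be filtered; a FIN/XMAS that
        # gets nothing back is either open or filtered and looks identical.
        return "filtered" if probe == SYN else "open|filtered"
    raise ValueError("unexpected response")


def scanner_followup(scan_type, response):
    """Segments the scanner sends after a SYN/ACK: a SYN scan resets at once
    (half-open), a full-connect scan finishes the handshake before tearing down."""
    if response != frozenset({"SYN", "ACK"}):
        return []
    return ["RST"] if scan_type == "syn" else ["ACK", "RST"]


def scan_table():
    """Every (probe, true state) pair with the scanner's conclusion."""
    table = {}
    for name, probe in (("SYN", SYN), ("FIN", FIN), ("XMAS", XMAS)):
        for state in PortState:
            table[(name, state.value)] = scanner_conclusion(probe, stack_response(probe, state))
    return table


if __name__ == "__main__":
    for (probe_name, true_state), reported in sorted(scan_table().items()):
        print(f"{probe_name:4} probe, port {true_state:8} -> scanner reports {reported}")
```

Reading the table shows why the slides say a FIN or XMAS scan reports open ports as open|filtered: the open and filtered rows produce the same silence. One caveat for the lab: the model assumes a stack that follows RFC 793; a stack that answers RST to a FIN or XMAS probe regardless of port state (Microsoft Windows is the usual example in the Nmap documentation) makes every port look closed to those scans.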
Idle Scan
• Avoiding detection can be important: your IP may be blocked, so game over
• Idle scan spoofs the source IP address
• A zombie host is used; the zombie should be idle (not getting network traffic)
• nmap uses the spoofed source address of the zombie host
• The zombie host OS increments its initial sequence number based on traffic inbound
• nmap can determine whether the port is open based on the number of packets the zombie receives (the amount the initial sequence number increments when nmap checks)
UDP Scanning
• UDP is connectionless, so there is no defined way of interacting with a UDP port
• nmap sends a UDP message to the port
• The application may not respond but still be listening; if the right message isn't received, the application may simply ignore the message
• Because there is no defined response, nmap can't tell if the message was ignored or dropped in the network, so it retransmits
• UDP scanning can be slow because of the number of retransmits
Understanding NMAP Scripting Engine (NSE)
• Some tools might need to be modified to better suit your needs as a security tester
• Customized scripts
• Automate tasks
• Time-saving
• Require basic programming skills
Understanding NMAP Scripting Engine (NSE)
Wildcard Script Selection:
• Nmap can run multiple scripts using wildcards, selecting all scripts matching a specified pattern.
• Example: use smb2* to run all scripts related to the SMB protocol version 2.
Triggering Script Execution:
• Nmap identifies open ports, such as port 445 (used for SMBv2 and CIFS), and runs the relevant scripts automatically.
Service Information Gathering:
• Nmap scripts provide detailed information about services running on open ports.
Script Repository Size:
• Nmap includes over 600 scripts for various tasks, including service identification, vulnerability assessment, and exploitation.
Vulnerability Detection:
• More than 30 scripts specifically identify servers vulnerable to known CVEs.
• Example: scripts exist to detect vulnerabilities like DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) in SSLv2 servers.
Flexibility and Customization:
• Nmap's scripting engine allows targeted assessments of protocols, vulnerabilities, and services.
Scripting Basics
• Similar to DOS batch programming
• A script or batch file
• Text file that contains multiple commands that are usually entered manually at the command prompt
• If you find that you are using repetitive commands to perform the same task, that task is a good candidate for scripting
• Best way to learn how to create a script
• Create a script by doing it
Zenmap
nmap's GUI overlay
- Provides an alternative to nmap's command-line interface (CLI).
- Users select scan types from a dropdown menu rather than inputting commands manually.
- Automatically adjusts the command line in response to selected scan types.
Nmap not alone
• Other scanners are available for port scanning
• masscan can be used for high-speed scanning, and its parameters are the same as for nmap
• hping provides the ability to manually craft packets and send them to a target
• hping can also be used to scan a network
• Megaping is a scanner that runs on Windows systems and does many types of scans
• Metasploit is not generally known for port scanning, but it can be used as a port scanner
masscan
• Masscan is a high-performance network port scanner designed for speed.
• It is capable of scanning the entire internet in a short amount of time, making it an essential tool for large-scale reconnaissance.
• Unlike traditional scanners, it is highly optimized for raw packet handling and operates similarly to nmap but with a focus on rapid scanning.
Vulnerability Scanners
• Commonly, vulnerability scanners use a database of signatures to identify vulnerabilities in target systems
• This may be from application banners and matching version numbers
• Vulnerability scanners do not generally attempt to exploit any vulnerability
• Vulnerability scanners do not identify previously unknown vulnerabilities
Common Vulnerabilities and Exposures (CVE) project
• Managed by MITRE, a defense contractor
• Vulnerability scanners will commonly scan for CVEs, i.e. published vulnerabilities
• They can also scan for misconfigurations, which are not necessarily CVEs
• The CVE database includes well-defined details in a standard format, regardless of vendor
[Link] Vulnerabilities
[Link]
Positive vs. Negative
• False Positive: the scanner identified a vulnerability that doesn't exist
• True Positive: the scanner identified a vulnerability that does exist
• False Negative: the scanner didn't identify a vulnerability where one exists
• True Negative: the scanner didn't identify a vulnerability where no vulnerability exists
• The false negative is the scariest, since you have no awareness of the existing vulnerability
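The four outcomes above are easiest to keep straight when a scan report is actually scored against verified results. The following added example (not from the course or the textbook) does that with set arithmetic: scanner findings, manually confirmed vulnerabilities, and the list of checks the scanner ran. The hosts and check names are constructed placeholders, not real CVE identifiers, and the helper names are assumptions.

```python
"""Scoring vulnerability-scanner output against verified ground truth
(added example). Each finding is a (host, check) pair."""

# Constructed scanner report: what the scanner claimed.
SCANNER_FINDINGS = {
    ("10.0.0.20", "CHECK-A"),
    ("10.0.0.20", "CHECK-B"),
    ("10.0.0.21", "CHECK-A"),
}

# Constructed ground truth: what manual verification confirmed.
CONFIRMED_VULNS = {
    ("10.0.0.20", "CHECK-A"),
    ("10.0.0.21", "CHECK-C"),   # the scanner never reported this one
}

# Every (host, check) pair the scanner evaluated; true negatives can only be
# counted relative to checks that were actually run.
CHECKS_RUN = {
    (host, check)
    for host in ("10.0.0.20", "10.0.0.21")
    for check in ("CHECK-A", "CHECK-B", "CHECK-C")
}


def score(findings, confirmed, checks_run):
    """Split the checks into the four outcomes defined on the slide."""
    if not findings <= checks_run or not confirmed <= checks_run:
        raise ValueError("findings and ground truth must be subsets of checks_run")
    return {
        "true_positive": findings & confirmed,      # reported and real
        "false_positive": findings - confirmed,     # reported but not real
        "false_negative": confirmed - findings,     # real but not reported
        "true_negative": checks_run - findings - confirmed,
    }


def rates(result):
    """Precision (how much of the report to trust) and recall (how much of
    the real exposure the scanner saw). Recall is the number that false
    negatives drag down, which is why they are the scary outcome."""
    tp = len(result["true_positive"])
    fp = len(result["false_positive"])
    fn = len(result["false_negative"])
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def blind_spots(result):
    """The false negatives, sorted: the findings a second scanner or manual
    testing must cover because the first scanner gives no warning at all."""
    return sorted(result["false_negative"])


if __name__ == "__main__":
    outcome = score(SCANNER_FINDINGS, CONFIRMED_VULNS, CHECKS_RUN)
    for name, pairs in outcome.items():
        print(f"{name:15} {len(pairs)}  {sorted(pairs)}")
    precision, recall = rates(outcome)
    print(f"precision={precision:.2f} recall={recall:.2f} blind spots={blind_spots(outcome)}")
```

Note that true negatives are only countable against the checks the scanner actually ran; a vulnerability class the scanner has no signature for (the "previously unknown vulnerabilities" of the earlier slide) never appears in any of the four buckets.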
Common Vulnerability Scanners
• OpenVAS: open source, forked from the last open source version of Nessus, but now entirely its own product
• Nessus: one of the early vulnerability scanners, has a Home/Essentials version available for personal use
• Nexpose: from Rapid7, which also maintains Metasploit; a free version of this is available
• Qualys: commercial scanner
Packet Crafting and Manipulation
• Creating, altering, or mangling network packets to test and analyze systems and applications.
• This process bypasses traditional operating system behaviors, enabling security professionals to simulate unusual or malicious traffic, identify vulnerabilities, and assess system responses to unexpected inputs.
• Tools like hping, packETH, and fragroute provide robust capabilities for crafting and manipulating packets at various layers of the network stack.
Evasion
• Methods used to bypass network security mechanisms such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).
• Aim to prevent detection, avoid blocking, or obscure the origin of malicious or testing activity.
• Nmap can create decoys as it's scanning, to hide the scanning activity
• Nmap can also perform fragmentation, which may get by some network security devices since the device may not bother to reassemble
Summary
• Port scanning is used to identify listening applications/services
• Multiple types of TCP scans: SYN, Full connect, FIN, XMAS, etc.
• Vulnerability scanners are used to identify known vulnerabilities
• Generally, vulnerability scanners do not exploit vulnerabilities
• Vulnerability scanners may refer to the CVE database of known and published vulnerabilities
Lab / Research Assignment
• Research the nmap tool and discuss its capabilities and limitations
• Use nmap to scan a target (Metasploitable is a good target to use)
• Identify all open TCP ports using at least two scanning techniques
• Identify all open UDP ports
• Use a second scanner to confirm nmap results
• Identify and explain any differences in any of the scan results
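The last two assignment steps, confirming nmap's results with a second scanner and explaining the differences, are a parsing and set-comparison job. The following added example (not from the course or the textbook) parses nmap's grepable output (`-oG`) and masscan's list output (`-oL`) and reports which open ports the two agree on and how to account for the rest. The scan output embedded below is constructed, not a real capture, and the parsers assume only the two documented line formats shown in it.

```python
"""Comparing open-port results from two scanners (added example).

nmap -oG prints one "Host:" line per host with a tab-separated "Ports:" field
of port/state/proto/... entries; masscan -oL prints "open tcp PORT HOST TS"
lines with '#' comment lines around them. Both samples below are constructed.
"""

NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample) as: nmap -sS -oG - 10.0.0.20
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.0.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (996)
# Nmap done (constructed sample)
"""

MASSCAN_LIST = """\
#masscan
open tcp 22 10.0.0.20 1700000000
open tcp 80 10.0.0.20 1700000000
open tcp 8443 10.0.0.20 1700000001
# end
"""


def parse_nmap_grepable(text):
    """Return {(host, proto, port): state} from nmap -oG output."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            port, state, proto = entry.split("/")[:3]
            result[(host, proto, int(port))] = state
    return result


def parse_masscan_list(text):
    """Return {(host, proto, port): state} from masscan -oL output."""
    result = {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        state, proto, port, host = line.split()[:4]
        result[(host, proto, int(port))] = state
    return result


def open_ports(scan):
    return {key for key, state in scan.items() if state == "open"}


def compare(first, second):
    """Open ports both scanners agree on, plus each side's exclusives."""
    a, b = open_ports(first), open_ports(second)
    return {"agreed": a & b, "only_in_first": a - b, "only_in_second": b - a}


def explain_differences(first, second, first_name="nmap", second_name="masscan"):
    """For each port only one scanner called open, show what the other scanner
    recorded for it. 'not scanned' usually means different port ranges; a
    'filtered' answer points at a firewall rather than a scanner error."""
    notes = []
    for key in sorted(open_ports(first) ^ open_ports(second)):
        notes.append((key,
                      f"{first_name}={first.get(key, 'not scanned')}",
                      f"{second_name}={second.get(key, 'not scanned')}"))
    return notes


if __name__ == "__main__":
    nm, ms = parse_nmap_grepable(NMAP_GREPABLE), parse_masscan_list(MASSCAN_LIST)
    for label, keys in compare(nm, ms).items():
        print(label, sorted(keys))
    for key, a, b in explain_differences(nm, ms):
        print("difference:", key, a, b)
```

In the constructed sample the only disagreement is port 8443, which nmap never scanned (it is outside the port list that run used), so the "difference" is a coverage gap rather than a false result; rerunning nmap with that port included is the natural next step in the write-up.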