Scanning

Network Scanning

Network scanning is a critical phase in penetration testing that involves discovering active hosts, identifying open ports, enumerating services, and gathering information about target systems. This section covers the methodology and tools used for comprehensive network reconnaissance.

Scanning Methodology

The scanning phase typically follows this workflow:

Host Discovery - Identify active systems on the target network
Port Scanning - Discover open ports and services on discovered hosts
Service Enumeration - Gather detailed information about running services
Web Enumeration - Specialized enumeration for web applications and services
Vulnerability Scanning - Identify security weaknesses and known vulnerabilities

Best Practice: Always start with host discovery before port scanning to avoid wasting time on non-existent hosts. Use stealth techniques when appropriate to avoid detection.

Setting Environment Variables

Before beginning scanning activities, set environment variables for commonly used targets:

export RHOST=192.168.0.1
export RPORT=80
export RDOMAIN=target.com

These variables can be referenced in commands using $RHOST, $RPORT, and $RDOMAIN.

Quick Reference: Common Scanning Workflows

Basic Network Scan

# 1. Discover hosts
nmap -sn $RHOST/24 -oG - | awk '/Up$/{print $2}' > hosts.txt

# 2. Scan common ports on discovered hosts
nmap -A -iL hosts.txt -oA scan_results

# 3. Review results
cat scan_results.nmap

Stealth Scan Workflow

# 1. Host discovery with TCP probes
nmap -sn -PS22,80,443 $RHOST/24

# 2. Stealth port scan
nmap -sS -T2 -f -D RND:10 $RHOST

# 3. Service enumeration
nmap -sC -sV -p- $RHOST

Web-Focused Scan

# 1. Port scan for web services
nmap -p 80,443,8000,8080,8443 $RHOST

# 2. Web enumeration
gobuster dir -u http://$RHOST -w /usr/share/wordlists/dirb/common.txt

# 3. Vulnerability scanning
nuclei -u http://$RHOST

Complete Vulnerability Assessment

# 1. Service and version detection
nmap -sV -p- $RHOST -oA service_scan

# 2. Nmap vulnerability scripts
nmap --script vuln $RHOST

# 3. Search for known exploits
searchsploit $(grep "version" service_scan.nmap | head -1)

# 4. Web vulnerability scanning
nikto -h http://$RHOST
nuclei -u http://$RHOST -s critical,high

In this section

Host Discovery
Techniques for identifying active systems.
Port Scanning
Methods for discovering open ports
Service Enumeration
Service enumeration gathers detailed information about running services, including versions and configurations, to identify weaknesses and viable attack paths.
Web Enumeration
Identifying security weaknesses and CVEs
Vulnerability Scanning
Vulnerability scanning identifies security weaknesses, misconfigurations, and known vulnerabilities in systems and services.

Browse Hacknotes