Scanning
Network scanning penetration testing guide covering host discovery, port scanning, service enumeration, web enumeration, and vulnerability scanning techniques using tools like Nmap, Gobuster, and Nuclei for ethical hacking and security assessments.
Network scanning is a critical phase in penetration testing that involves discovering active hosts, identifying open ports, enumerating services, and gathering information about target systems. This section covers the methodology and tools used for comprehensive network reconnaissance.
Scanning Methodology
The scanning phase typically follows this workflow:
- Host Discovery - Identify active systems on the target network
- Port Scanning - Discover open ports and services on discovered hosts
- Service Enumeration - Gather detailed information about running services
- Web Enumeration - Specialized enumeration for web applications and services
- Vulnerability Scanning - Identify security weaknesses and known vulnerabilities
Best Practice: Always start with host discovery before port scanning to avoid wasting time on non-existent hosts. Use stealth techniques when appropriate to avoid detection.
Setting Environment Variables
Before beginning scanning activities, set environment variables for commonly used targets:
export RHOST=192.168.0.1
export RPORT=80
export RDOMAIN=target.com
These variables can be referenced in commands using $RHOST, $RPORT, and $RDOMAIN.
Quick Reference: Common Scanning Workflows
Basic Network Scan
# 1. Discover hosts
nmap -sn $RHOST/24 -oG - | awk '/Up$/{print $2}' > hosts.txt
# 2. Default scan of the top 1000 TCP ports on each discovered host; -A adds OS detection (needs root), version detection, default NSE scripts and traceroute, and -oA writes .nmap, .gnmap and .xml files
nmap -A -iL hosts.txt -oA scan_results
# 3. Review results
cat scan_results.nmap
Stealth Scan Workflow
# 1. Host discovery with TCP probes
nmap -sn -PS22,80,443 $RHOST/24
# 2. SYN scan slowed to -T2, with packet fragmentation (-f) and 10 random decoys (-D RND:10); all three need raw sockets (root), -f is not supported on every OS, and fragmented probes are often reassembled or dropped before they reach the target
nmap -sS -T2 -f -D RND:10 $RHOST
# 3. Service enumeration: version probes and default scripts against all 65535 ports are loud, so run this only once the quiet phase is done, or narrow -p to the open ports found in step 2 if stealth still matters
nmap -sC -sV -p- $RHOST
Web-Focused Scan
# 1. Port scan for web services
nmap -p 80,443,8000,8080,8443 $RHOST
# 2. Web enumeration
gobuster dir -u http://$RHOST -w /usr/share/wordlists/dirb/common.txt
# 3. Vulnerability scanning
nuclei -u http://$RHOST
Complete Vulnerability Assessment
# 1. Service and version detection
nmap -sV -p- $RHOST -oA service_scan
# 2. Nmap vulnerability scripts (the vuln category includes intrusive checks, so run it only against in-scope hosts)
nmap --script vuln $RHOST
# 3. Search Exploit-DB for the detected service versions, reading the XML that -oA wrote in step 1
searchsploit --nmap service_scan.xml
# 4. Web vulnerability scanning
nikto -h http://$RHOST
nuclei -u http://$RHOST -s critical,high
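The grepable (-oG) files that -oA writes in the workflows above, both the discovery scan in the Basic Network Scan and the service scan in this assessment, can be parsed with POSIX awk to drive the next step instead of reading the .nmap output by eye. The script below is an added example and not code from the original page: it lists open ports per host from a -oG file, builds the -p list for a targeted -sV/-sC follow-up, and turns the version strings of an -sV scan into searchsploit queries. The scan output embedded in write_sample is constructed, not captured from a real scan, and the function names, the sv_<host> output prefix and the major.minor truncation of versions are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page: drive the next scan step from
# nmap grepable (-oG) output using only POSIX awk. The sample scan output
# below is constructed; function names and the sv_<host> prefix are this
# example's own conventions.

write_sample() {
  # Constructed -oG excerpt. Fields are tab-separated as nmap writes them;
  # each port entry is port/state/proto/owner/service/rpc/version/.
  {
    printf '# Nmap 7.94 scan initiated as: nmap -sV -oG sample.gnmap 192.168.0.0/29\n'
    printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)//, 80/open/tcp//http//nginx 1.18.0//, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.0.5 ()\tPorts: 445/open/tcp//netbios-ssn//Samba smbd 4.6.2//, 3389/open/tcp//ms-wbt-server///, 53/open|filtered/udp//domain///\tIgnored State: closed (997)\n'
    printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds\n'
  } > "$1"
}

gnmap_open() {
  # $1: -oG file. One tab-separated row per port in state "open":
  # host, port/proto, service, version. Entries in any other state,
  # including "open|filtered" (typical of UDP), are skipped on purpose.
  awk 'BEGIN { FS = "\t"; OFS = "\t" }
    /^Host:/ && /Ports:/ {
      split($1, h, " ")                        # h[2] is the address
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) ports = substr($i, 8)
      n = split(ports, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] == "open") print h[2], f[1] "/" f[3], f[5], f[7]
      }
    }' "$1"
}

port_list() {
  # $1: -oG file, $2: host. Comma-separated open TCP ports, ready for -p.
  gnmap_open "$1" | awk -v h="$2" 'BEGIN { FS = "\t" }
    $1 == h && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); s = s (s == "" ? "" : ",") $2 }
    END { print s }'
}

targeted_scan_cmd() {
  # $1: -oG file, $2: host. Prints the follow-up command instead of running
  # it, so it can be reviewed (or tested) before being passed to eval.
  ports=$(port_list "$1" "$2")
  [ -n "$ports" ] || return 1
  printf 'nmap -sV -sC -p %s -oA sv_%s %s\n' "$ports" "$2" "$2"
}

searchsploit_queries() {
  # $1: -oG file from an -sV scan. One "product major.minor" query per
  # distinct detected version: the words before the first x.y token are the
  # product, and the version is cut to x.y so the literal title match is not
  # narrowed by a patch suffix ("OpenSSH 8.9p1 Ubuntu ..." -> "OpenSSH 8.9").
  gnmap_open "$1" | awk 'BEGIN { FS = "\t" }
    $4 != "" {
      m = split($4, w, " "); prod = ""; ver = ""
      for (k = 1; k <= m; k++) {
        if (match(w[k], /^[0-9]+\.[0-9]+/)) { ver = substr(w[k], 1, RLENGTH); break }
        prod = prod (prod == "" ? "" : " ") w[k]
      }
      if (prod != "" && ver != "" && !seen[prod " " ver]++) print prod " " ver
    }'
}

# Stand-alone demo on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
gnmap_open "$sample"
targeted_scan_cmd "$sample" 192.168.0.1
searchsploit_queries "$sample"
rm -f "$sample"

# Real use, after `nmap -sS -oG disc.gnmap $RHOST/24`:
#   eval "$(targeted_scan_cmd disc.gnmap 192.168.0.1)"   # writes sv_192.168.0.1.gnmap
#   searchsploit_queries sv_192.168.0.1.gnmap | while IFS= read -r q; do searchsploit $q; done
# ($q is unquoted on purpose: searchsploit takes each word as a separate term.)
```

Filtering on the exact state "open" matters for UDP: nmap reports most unanswered UDP probes as open|filtered, and feeding those into a version or vulnerability scan wastes time on ports that are almost certainly closed. The queries from searchsploit_queries complement rather than replace searchsploit --nmap, which works from the XML and keeps the full version string; trimming to major.minor is the manual follow-up when the exact match returns nothing.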
In this section
- Host Discovery
Host discovery techniques for penetration testing, including ping sweeps, ARP scans, and Nmap host discovery methods to identify active systems and live hosts on target networks during security assessments.
- Port Scanning
Port scanning techniques for penetration testing using Nmap, including TCP SYN scans, UDP scans, firewall evasion, and comprehensive port enumeration methods to identify open services and potential attack vectors.
- Service Enumeration
Service enumeration techniques for penetration testing to gather detailed information about running services, including version detection, banner grabbing, and configuration analysis using Nmap, Netcat, and specialized tools to identify vulnerabilities and attack paths.
- Web Enumeration
Web enumeration techniques for penetration testing using Gobuster, Ffuf, Dirb, and Nuclei to discover directories, files, virtual hosts, API endpoints, and security weaknesses in web applications during security assessments.
- Vulnerability Scanning
Vulnerability scanning guide for penetration testing using Nmap NSE scripts, SearchSploit, OpenVAS, and specialized scanners to identify security weaknesses, misconfigurations, CVEs, and known vulnerabilities in systems and services.