Scanning and Enumeration

After the footprinting phase, general information about the target has been gathered. The scanning and enumeration phase digs deeper to collect finer details such as active hosts, open ports, running services, and network topology.

• Scanning: The act of actively interrogating a target (hosts, ports, services) to solicit information.

• Enumeration: The process of compiling lists of items (ports, hosts, users, shares) from gathered data.

Note: Scanning and enumeration apply both externally (perimeter) and internally (after a compromise). The process is typically iterative as new findings inform further scans.

Common objectives of network scanning:

• Identify hosts on a network
• Identify open and closed ports on each host
• Fingerprint operating systems (Windows, Linux, macOS)
• Discover running services and versions
• Enumerate processes and application behavior
• Detect security systems (firewalls, IDS/AV)
• Map system and network architecture
• Identify potential vulnerabilities

Exploring Scanning Techniques

There are many scan types (port scan, host discovery, vulnerability scan). Before port scanning, simple reachability checks like ping and traceroute are commonly used.

Ping and ICMP

ping uses ICMP Echo Request (Type 8) and Echo Reply (Type 0) to test reachability.

ping 192.168.100.54

ping cnn.com

Observables from ping:

• Round-trip time (latency): Helps diagnose communication problems.

• Time To Live (TTL): The remaining hop count. As packets traverse routers, the TTL decrements by one.

TTL Calculation and OS Fingerprinting

Different operating systems use different initial TTL values (Unix typically starts at 64; Windows typically starts at 128). Received TTL to estimate distance and identify the OS.

Formula: $Initial\ TTL - Received\ TTL = Hops$

Unix Example:

• Response: Reply from 4.2.2.1: bytes=32 time=27ms TTL=56
• Calculation: $64 - 56 = 8$. The system is likely a Unix machine ~8 hops away.

Windows Example:

• Response: Reply from 192.3.41.183: bytes=32 time=61ms TTL=112
• Calculation: $128 - 112 = 16$. The system is likely a Windows machine ~16 hops away.

Traceroute

traceroute (Linux/macOS) or tracert (Windows) maps the route packets take to the target by incrementing TTL values and observing intermediate routers. Use it to infer network topology and likely choke points.

Understanding Service Enumeration

After discovering responsive hosts, enumerate services (HTTP, SMTP, SSH, etc.) by performing port scans and version detection.

Ports Overview

• Each host exposes up to 65,535 TCP and 65,535 UDP ports.
• The first 1024 are "well-known ports" (HTTP=80, HTTPS=443, SSH=22, etc.).
• The IANA registry lists official assignments.
• Services can run on non-standard ports, so always investigate unexpected open ports.

Banner Grabbing

A primary method of service enumeration often performed during or after port scanning.

• Technique: Connecting to an open port (e.g., via Telnet or Netcat) and reviewing the initial text "banner" sent by the server.
• Goal: To identify the specific software name and version (e.g., Apache/2.4.41 (Ubuntu)).
• Defense: Administrators often obscure or change default banners to confuse attackers.

How Port Scans Work (TCP Basics)

TCP uses flags and a three-way handshake to establish connections:

1. SYN : Initiate
2. SYN/ACK : Response
3. ACK : Finalize

Other flags and semantics:

• RST (Reset): Means the port does not accept requests (commonly indicates closed port).

• FIN (Finish): Used to gracefully close a session.

• PSH (Push): Tells the system to pass data directly to the application (no buffering).

• URG (Urgent): Process data immediately.

Common TCP Scan Types

• TCP Connect scan (-sT): Completes the full TCP handshake. Reliable but noisy and easily detected. If the port is open and available, it will reply with SYN/ACK; if the port is closed or non-responsive, it will reply with RST/ACK.

• TCP SYN scan (-sS): "Half-open" or stealth scan as it does not complete the TCP handshake. Sends SYN and interprets SYN/ACK (open) or RST (closed) without sending the final ACK. Harder to log.

• TCP FIN scan: Sends a FIN packet, requesting to close a non existing connection at a target port. Useful on some Unix systems (closed ports return RST).

• TCP NULL scan: No flags set in the packets. Illegal packet that can elicit specific responses from different OS stacks.

• TCP ACK scan: Sends packets with the ACK flag to map to trip the firewall rules and ACLs (access control list) response to know if ACL is in place.

• TCP Xmas scan: Sets FIN, PSH, and URG flags (illogical combination "lit up like a Christmas tree"). Closed ports should return RST.

• Idle/Zombie Scan (-sI) : An advanced stealth technique. Allows an attacker to scan a target without sending packets from their own IP.

  • Uses a "Zombie" host (a machine with low traffic and predictable IP ID sequences). The attacker infers port status by monitoring the Zombie's IP ID increments.

UDP Scanning

Unlike TCP, UDP is connectionless.

• Stateless: No handshake is performed.

• Reliability: Open UDP ports often do not respond (empty packet), while closed ports send an ICMP "Port Unreachable" message.

• Speed: UDP scanning is significantly slower because the OS limits the rate of ICMP error messages, and Nmap must wait for timeouts to assume a port is open/filtered.

Port Scanning Issues & Cautions

• Network Disruption: Poorly planned scans can cause outages on fragile networks.

• Heavy Traffic/Latency: Large scans introduce network load. Schedule scans during maintenance windows when possible.

  • System Crashes: Some vulnerability scans can crash services; always test on non-production systems first.

  • False Positives: Services using nonstandard ports can be misidentified.

  • False Negatives: Resource exhaustion on the scanning host or target can hide results.

Scanning Countermeasures

• Firewall Policies: Deny-all by default, allow only required traffic.

• IDS/IPS: Detect and block suspicious scanning patterns.

• Network Segmentation: Breaking a network into logical segments makes broad scans more difficult.

• SIEM/Alerting: Detect scanning patterns and raise alerts.

• Endpoint Protection: Detect and block scanning activity on specific hosts.

Nmap : Network Scanning Tool

Nmap (Network Mapper) is a widely used open-source scanner for host discovery, port scanning, OS/service detection, traceroute, and more.

Packet Tracing with Nmap

To display packet-level activity while scanning (viewing headers, TTL, Sequence numbers):

# Show packet trace

sudo nmap -Pn -sS 4.2.2.1 -p 1-1024 --packet-trace

• -Pn: Skip host discovery (treat host as up).
• -sS: TCP SYN scan.
• --packet-trace: Show all packets sent/received.

Controlling Nmap Timing/Speed

Use -T0 to -T5 to adjust general timing templates of scanning modes:

• -T0 (Paranoid): Very slow (every 5 mins) with no parallel packets, serial processing. Evades IDS and SIEMs.

• -T1 (Sneaky): Slow (every 15s) and no parallel packets.

• -T2 (Polite): Gentle (0.4s wait). Good for fragile networks.

• -T3 (Normal): Default. Parallel scanning enabled, gives quick feedback.

• -T4 (Aggressive): Recommended for modern, reliable networks. will never wait more than 1.25 seconds between responses before sending the next packet.

• -T5 (Insane): Fastest (0.3s wait). High risk of packet loss or detection.

Fine-grained Timing Options

For advanced tuning beyond the templates:

• --host_timeout: Max time (ms) spent on a single host.

• --max_rtt_timeout: Max wait time for a probe response (Default: 9,000ms).

• --min_rtt_timeout: Forces Nmap to wait at least this long (helps on variable networks).

• --initial_rtt_timeout: Sets initial timeout before auto-adjustment (Default: 6,000ms).

• --max_parallelism: Limits the number of simultaneous probes.

• --scan_delay: Sets a minimum wait time between sending individual probes.

Output Formats

• -oN: Normal text output.
• -oX: XML output (useful for importing into other tools).
• -oG: Grepable output.
• -oA: Output in all three formats.

Other Useful Switches:

• -v: Increase verbosity.
• --open: Show only open ports.
• --iflist: Show interfaces and routes (debugging).
• --resume: Resume an aborted scan using the log file.

Nmap Scripting Engine (NSE)

NSE extends Nmap with scripts for discovery, version detection, vulnerability scanning, and malware detection.

Invocation Methods:

• -sC: Run default scripts (equivalent to --script=default).

• --script=<category>: Run scripts by category (e.g., safe, vuln, discovery).

• Boolean Logic: sudo nmap --script="(discovery and safe) and not smb*" <target>

Script Categories

• Safe: Minimal impact.
• Intrusive: May crash systems or leave logs.
• Auth: Tests authentication (password guessing).
• Malware: Checks for backdoors/malware.
• Vuln: Checks for known vulnerabilities.
• Discovery: DNS lookups, network info.

Script Locations and Database

• Location (Linux): Typically /usr/share/nmap/scripts.
• Location (Windows): Inside the Nmap installation directory.
• scripts.db: A file in the scripts directory serving as an inventory.
• Finding Scripts: You can use grep to identify scripts in a category:

grep version /usr/share/nmap/scripts/script.db

Zenmap (Nmap GUI)

Zenmap provides a graphical interface with preconfigured profiles.

Common Profiles:

• Intense scan: -T4 -A -v
• Intense scan, no ping: -T4 -A -v -Pn
• Quick scan: -T4 -F
• Slow comprehensive scan: Uses many switches (-sS -sU -PE -PP etc.) for maximum coverage.

Mapping the Network (Topology)

Zenmap includes a Topology tab (Fisheye view) that visually maps the network.

• It creates a graphic showing the localhost connected to discovered targets.
• Controls allow adjusting the "spread factor" and "interest factor" to visualize relationships and distance between nodes.

Enumeration

Using Port scanning tools (such as Nmap) to discover devices and services on a network. The next step in security testing is enumeration, the process of extracting the following information from a network:

• Resources or shares on the network
• Network topology and architecture
• Usernames or groups assigned on the network
• Information about users and recent logon times

Enumeration goes beyond passive scanning of a network to find open ports. For example, sometimes this process entails guessing passwords after determining a username.

NBTscan ("NBT" stands for NetBIOS over TCP/IP), a tool for enumerating Windows OSs that's part of the Kali Linux suite of security tools.