Detail the process of network scanning using tools like Nmap, including the use of different scan types and their specific applications.
Network scanning is a fundamental step in both attacking and defending a network: it discovers which hosts are up, which ports are open, what services listen on them, and (with scripts) which of those services look vulnerable. Nmap, short for Network Mapper, is the standard open-source tool for this. It sends crafted packets to a target and infers the state of each port from the reply it gets, or from the absence of one. Penetration testers use it to map the attack surface of a target, while administrators use it for inventory, change detection and firewall verification. Much of Nmap's power comes from the range of scan types it offers, each of which trades off speed, accuracy, required privileges and noise differently.
The most common scan types are the TCP SYN scan, the TCP connect scan and the UDP scan, plus a handful of specialized flag-manipulation scans. The TCP SYN scan (-sS), often called a half-open scan, is Nmap's default when it runs with root privileges, because it builds raw packets itself. It sends a SYN (synchronize) packet to each target port as if starting a TCP handshake. An open port answers with SYN-ACK; a closed port answers with RST; no answer at all, or an ICMP unreachable error, is reported as filtered, which usually means a firewall dropped the probe. When a SYN-ACK arrives, a RST (reset) is sent straight back so the handshake never completes, hence "half-open". Because no connection is ever established, the listening application never sees it and does not log it, which is why the SYN scan is faster and quieter than a full connect; it is still perfectly visible to a packet-level IDS or firewall, so its "stealth" is relative. It is usually the first scan run against a target to find out which services are listening. For example, to quickly identify open TCP ports on a server, run "nmap -sS target_ip" as root.
The TCP connect scan (-sT) completes the full three-way handshake. Instead of crafting packets, Nmap asks the operating system for a normal connection with the connect() call: the OS sends SYN, receives SYN-ACK, replies with the final ACK, and Nmap then closes the socket, which sends a RST or FIN. This needs no special privileges, so it is what Nmap falls back to when run as an unprivileged user. Because the connection fully completes, the service on the other end accepts it and will often log it (an SSH daemon or web server records a connection that sends nothing and disconnects), so it is noisier and slightly slower than a SYN scan. It is used when raw-socket privileges are unavailable, or when you deliberately want the results a real client would get rather than half-open inference. For example, as a non-root user, "nmap -sT target_ip" is what "nmap target_ip" runs anyway.
UDP scans (-sU) discover open UDP ports, which carry services such as DNS, SNMP and DHCP that TCP scans miss entirely. UDP has no handshake, so there is no SYN-ACK to confirm that a port is open. Nmap sends a datagram to each port, empty for most ports but carrying a protocol-specific payload for well-known services such as DNS (53) and SNMP (161) so that a real service is more likely to answer. The replies are interpreted as follows: a UDP response means open; an ICMP port unreachable error (type 3, code 3) means closed; other ICMP unreachable errors mean filtered; and no reply at all is reported as open|filtered, because a listening service that ignores an unexpected datagram and a firewall that silently drops it look identical from the outside. Most operating systems also rate-limit ICMP errors (Linux defaults to roughly one per second), so scanning all 65535 UDP ports on a closed-down host can take hours; scan only the ports you care about and add -sV so that open|filtered ports are probed with service-specific payloads. For example, to check whether a host is running a reachable DNS server, use "nmap -sU -p 53 target_ip".
In addition to these basic scans, Nmap provides the FIN (-sF), NULL (-sN) and Xmas (-sX) scans, which send TCP packets with unusual flag combinations: FIN only, no flags at all, or FIN, PSH and URG together. They rely on RFC 793 behaviour to elicit a response: a closed port must answer such a packet with RST, while an open port silently discards it. RST therefore means closed and silence means open|filtered. These scans can slip past stateless packet filters and older IDS rules that only watch for SYN packets, but they fail against Windows and some other TCP stacks that answer every such probe with RST, which makes every port look closed. Beyond port states, Nmap offers version detection (-sV), which sends protocol probes to each open port to identify the service and, where possible, its exact software and version, and OS detection (-O), which fingerprints the target's operating system from its responses to a series of crafted TCP, UDP and ICMP probes; -A turns on both along with script scanning and traceroute.
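The classification rules in the preceding paragraphs are easiest to see as the exchange between scanner and target. The following is an added illustration, not Nmap code: a constructed Target class stands in for a remote host and its firewall, and the four scan functions apply the same decision logic Nmap uses for SYN, connect, UDP and FIN probes. No packets are sent; the port sets, the filtered port and the Windows flag are all assumptions made up for the demonstration.

```python
"""Constructed model of what each Nmap scan type sends and how it classifies
the reply. Added illustration, not Nmap's code: Target stands in for a remote
host plus firewall, and nothing leaves the machine."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Reply:
    """One reply to a probe. kind is 'syn-ack', 'rst', 'udp-data',
    'icmp-unreach', or None when nothing came back (timeout)."""
    kind: Optional[str]
    icmp_code: Optional[int] = None  # for icmp-unreach: 3 = port unreachable


class Target:
    """Simulated host (constructed). Ports in `filtered` are dropped silently,
    as a stateful firewall would. `windows=True` models stacks that answer
    FIN/NULL/Xmas probes on open ports with RST instead of ignoring them."""

    def __init__(self, tcp_open, udp_open, filtered=(), windows=False):
        self.tcp_open, self.udp_open = set(tcp_open), set(udp_open)
        self.filtered, self.windows = set(filtered), windows
        self.seen = []  # (port, flags) for every packet that reached the host

    def tcp(self, port, flags):
        self.seen.append((port, flags))
        if port in self.filtered:
            return Reply(None)
        if flags == "S":
            return Reply("syn-ack") if port in self.tcp_open else Reply("rst")
        if flags in ("F", "", "FPU"):  # FIN, NULL, Xmas probes
            if port in self.tcp_open and not self.windows:
                return Reply(None)  # RFC 793: an open port discards the segment
            return Reply("rst")
        return Reply(None)  # ACK/RST segments get no reply in this model

    def udp(self, port):
        self.seen.append((port, "udp"))
        if port in self.filtered:
            return Reply(None)
        if port not in self.udp_open:
            return Reply("icmp-unreach", icmp_code=3)
        # A listening service usually ignores an empty datagram; DNS on 53
        # answers Nmap's protocol-specific payload, so model a reply there.
        return Reply("udp-data") if port == 53 else Reply(None)


def syn_scan(t, port):
    r = t.tcp(port, "S")
    if r.kind == "syn-ack":
        t.tcp(port, "R")  # tear down before the handshake completes
        return "open"
    return "closed" if r.kind == "rst" else "filtered"


def connect_scan(t, port):
    r = t.tcp(port, "S")
    if r.kind == "syn-ack":
        t.tcp(port, "A")  # final ACK: the service now sees a real connection
        t.tcp(port, "R")
        return "open"
    return "closed" if r.kind == "rst" else "filtered"


def udp_scan(t, port):
    r = t.udp(port)
    if r.kind == "udp-data":
        return "open"
    if r.kind == "icmp-unreach":
        return "closed" if r.icmp_code == 3 else "filtered"
    return "open|filtered"  # silence: open-but-quiet or dropped by a firewall


def fin_scan(t, port):
    r = t.tcp(port, "F")
    return "closed" if r.kind == "rst" else "open|filtered"


def packets_seen(scan, port):
    """How many packets a fresh target with `port` open receives from `scan`."""
    t = Target(tcp_open={port}, udp_open=())
    scan(t, port)
    return len(t.seen)


if __name__ == "__main__":
    host = Target(tcp_open={22, 80}, udp_open={53, 161}, filtered={443})
    for p in (80, 81, 443):
        print(f"tcp/{p}: syn={syn_scan(host, p)} fin={fin_scan(host, p)}")
    for p in (53, 161, 9):
        print(f"udp/{p}: {udp_scan(host, p)}")
    print("packets to an open port: syn", packets_seen(syn_scan, 80),
          "connect", packets_seen(connect_scan, 80))
```

Two things fall out of running it. The open port receives two packets from the SYN scan and three from the connect scan, and only the third one (the ACK) makes the connection visible to the listening service. And the filtered port 443 is reported as "filtered" by the SYN scan but as "open|filtered" by the FIN scan, because for a FIN probe silence is also what an open port produces; SNMP on udp/161 shows the same ambiguity for UDP.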
In practice, Nmap usage means combining a scan type with options that select ports, targets and output. For example, a SYN scan of a range of addresses restricted to the common web ports 80 and 443 is "nmap -sS -p 80,443 192.168.1.1-100". Common additions are -Pn to skip host discovery when ICMP is blocked (otherwise hosts that do not answer a ping are never port-scanned), -sV to identify what is actually listening, -T4 to speed up the scan on a reliable network, and -oX or -oA to save machine-readable output for later comparison. Understanding the nuances of each scan type, what each port state actually means, and which scan is appropriate for the privileges and network in front of you is what turns a list of open ports into an effective security assessment.
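Once a scan such as the one above is saved with -oX, the next practical step is to read the results programmatically rather than eyeball them. The following parser is an added example, not Nmap's own code. The SAMPLE_XML it reads is hand-written to mirror the element layout Nmap writes (nmaprun, host, status, address, ports, port, state, service); the hosts, addresses and software versions in it are invented, and only the elements this parser uses are included.

```python
"""Parse Nmap XML output (-oX) into per-host port lists. Added example, not
Nmap's own code. SAMPLE_XML is constructed to mirror the element layout Nmap
emits for a scan like `nmap -sS -sV -p 80,443 -oX scan.xml 192.168.1.1-100`;
the hosts are invented and only the elements read below are present."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p 80,443 -oX scan.xml 192.168.1.1-100">
  <host>
    <status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="closed" reason="reset"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="Apache httpd" version="2.4.57"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ipv4: [port dicts]} for every host Nmap reported as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data worth keeping
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")  # present only when -sV identified one
            product = None
            if svc is not None:
                product = " ".join(
                    filter(None, (svc.get("product"), svc.get("version")))) or None
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),  # syn-ack, reset, no-response ...
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        hosts[addr] = ports
    return hosts


def open_ports(hosts):
    """{ipv4: sorted open port numbers}; hosts with nothing open are omitted."""
    out = {}
    for addr, ports in hosts.items():
        opened = sorted(p["port"] for p in ports if p["state"] == "open")
        if opened:
            out[addr] = opened
    return out


def filtered_hosts(hosts):
    """Hosts where at least one probed port was silently dropped, which points
    to a firewall between scanner and target and is worth a closer look."""
    return sorted(addr for addr, ports in hosts.items()
                  if any(p["state"] == "filtered" for p in ports))


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for addr, ports in open_ports(parsed).items():
        print(addr, ports)
    print("filtered somewhere:", filtered_hosts(parsed))
```

The "reason" field is worth keeping: it records which reply led Nmap to each state (syn-ack, reset, no-response), which is exactly the evidence described in the scan-type discussion above and is what you would quote when a port state is disputed. For a real scan, replace SAMPLE_XML with the contents of the file written by -oX.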