How CyberCNS Discovers Assets and Vulnerabilities

Network scanning and port scanning are processes for learning about a network's structure and behavior. Let's start by defining the terms at their most basic:

  • Network scanning involves detecting all active hosts on a network and mapping them to their IP addresses.

  • Port scanning refers to the process of sending packets to specific ports on a host and analyzing the responses to learn details about its running services or locate potential vulnerabilities.

Methods of Network Scanning for Host Discovery

Host discovery, the process of determining what systems on a network are up and listening, is often the first step in a hostile network scanning action. Two protocols are most commonly used for host discovery: Address Resolution Protocol (ARP) scans and several types of Internet Control Message Protocol (ICMP) scans.

Since individual ARP requests are used to map IP addresses to MAC addresses on a local subnet, ARP requests can be sent out to many IP addresses on a Local Area Network (LAN) to determine which hosts are up based on the ones that respond with an ARP reply.

For network scanning outside of a local subnet, several types of ICMP packets can be used instead, including echo, timestamp, and address mask requests. Echo (or ping) requests are used to detect if another host can be reached, while timestamp messages determine the latency between two hosts. Address mask requests are intended to discover the subnet mask in use on the network.

Host discovery for each ICMP message type depends on receiving a corresponding reply from available hosts. If no response is received, it means either that there is no host listening at that address, that the request packet was blocked by a firewall or packet filter, or that the message type isn't supported by the destination device. ICMP echo requests that originate outside an internal network are commonly blocked by firewalls, but timestamp and address mask requests are less likely to be blocked.

Methods of Port Scanning

Once available hosts on a network have been found via network scanning, port scanning can be used to discover the services in use on specific ports. In general, port scanning attempts to classify ports into one of three designations:

  • Open: the destination responds with a packet indicating it is listening on that port, which also indicates that the transport protocol used for the scan (commonly TCP or UDP) is in use as well

  • Closed: the destination received the request packet but responds with a reply indicating that there is no service listening at the port

  • Filtered: the port might be open, but the packet has been filtered out by a firewall and dropped, so no reply is received

Types of TCP Scans

As previously mentioned, TCP and UDP are frequently the protocols used in port scanning. There are several methods of performing TCP scans:

SYN scans, the most common form of TCP scanning, involve establishing a half-open connection to the target port by sending a SYN packet and evaluating the response. The host replies by sending a SYN/ACK packet if the port is open or a RST response if the port is closed. It is also possible for a closed port to reply with an ICMP port unreachable message instead of a RST packet, though this is less common. A lack of any reply indicates that the port is filtered.

A higher-level method of TCP scanning is the TCP connect scan, in which the scanner tries to connect to a port via TCP using the connect system call and the full TCP handshake process. This method is used less often than SYN scanning, since it requires more overhead in terms of packets and time and is more easily detectable.

NULL, FIN, and Xmas scans are three scan types that involve manipulating TCP header flags. Each of them results in a RST (or ICMP port unreachable) packet from a closed port and no response from an open or filtered port, and they require that the SYN, RST, and ACK bits are not set. NULL scans send packets with no flags set in their headers, while FIN scans have only the FIN bit set.
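
The flag rules above can be read from the defender's side. The following is an added example, not CyberCNS code or code from the original page: it classifies captured TCP headers by their flag byte and reports sources whose probes of one type reach several ports. The function names, the `min_ports` threshold, the FIN+PSH+URG definition of an Xmas probe (the conventional one, not stated on this page), and the sample headers are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(tcp_header: bytes) -> str:
    """Name the scan type a single TCP segment matches, from its flag byte."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    flags = tcp_header[13] & 0x3F   # URG, ACK, PSH, RST, SYN, FIN
    if flags & (SYN | RST | ACK):   # NULL/FIN/Xmas need all three clear
        return "syn" if flags == SYN else "other"
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    return "other"

def find_scanners(segments, min_ports=3):
    """segments: (source IP, raw TCP header) pairs seen at a sensor.
    Returns {source: {probe type: sorted ports}} where one probe type
    reached at least min_ports distinct destination ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, hdr in segments:
        kind = classify_probe(hdr)
        if kind != "other":
            seen[src][kind].add(struct.unpack("!H", hdr[2:4])[0])
    report = {}
    for src, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= min_ports}
        if hits:
            report[src] = hits
    return report

def make_header(dport, flags):
    # Constructed 20-byte TCP header: only the port and flag fields matter here.
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed capture: one host probing with SYN and Xmas, one normal client.
TCP_SAMPLE = [("198.51.100.7", make_header(p, SYN)) for p in (22, 80, 443, 3389)]
TCP_SAMPLE += [("198.51.100.7", make_header(p, FIN | PSH | URG)) for p in (21, 23, 25)]
TCP_SAMPLE += [("192.0.2.15", make_header(443, SYN)), ("192.0.2.15", make_header(443, ACK))]

if __name__ == "__main__":
    print(find_scanners(TCP_SAMPLE))
```

A lone SYN is also how every legitimate connection starts, so SYN probes only stand out by port count, whereas NULL, FIN, and Xmas segments outside an established connection are unusual on their own.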

UDP Scanning

Like TCP scans, UDP scans send a UDP packet to various ports on a target system and evaluate the response to determine availability of the service and the host. Receiving a UDP packet in response indicates that the port is open, while an ICMP port unreachable error response signifies a closed port. If no response is received, the port could either be open or filtered by a firewall or packet filter.

ARP Scanning

The ARP scan network discovery command is designed to map physical (MAC) addresses to logical (IP) addresses. The Address Resolution Protocol uses a simple message format containing one address resolution request or response.

The size of the ARP message depends on the upper layer and lower layer address sizes, which are given by the type of networking protocol (usually IPv4) in use and the type of hardware or virtual link layer that the upper layer protocol is running on. The message header specifies these types, as well as the size of addresses of each.

The message header is completed with the operation code for request (1) and reply (2). The payload of the packet consists of four addresses, the hardware and protocol address of the sender and receiver hosts.

The Arp-scan command uses the Address Resolution Protocol (ARP) to identify all active network assets that may not typically be recognised by network scanning devices.

The main purpose of the ARP scan is to discover all the active devices within an IPv4 range, even those that are protected by a firewall that is configured to hide the device’s presence. Whether using Wi-Fi or Ethernet, the IPv4 devices on your local-area network (LAN) are required to respond or they are unable to communicate.

The ARP Scan (also called ARP Sweep or MAC Scanner) is a very fast ARP packet scanner that shows every active IPv4 device on your subnet. Since ARP is non-routable, this type of scanner only works on the local LAN (local subnet or network segment).

The ARP Scan shows all active devices even if they have firewalls. Devices cannot hide from ARP packets like they can hide from Ping. To find active IP addresses outside your subnet, use the Ping Scan.
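
The ARP message layout described above (hardware and protocol types, the two address sizes, the operation code, then four addresses) can be decoded directly. The following is an added example, not CyberCNS code or code from the original page: it parses ARP messages using the sizes carried in the header and reports senders whose requests cover many distinct target IPs, which is what an ARP sweep looks like on the wire. The function names, the `min_targets` threshold, and the sample messages are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

def parse_arp(msg: bytes) -> dict:
    """Decode one ARP message; address sizes come from the header itself."""
    if len(msg) < 8:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", msg[:8])
    need = 8 + 2 * (hlen + plen)    # header plus two hardware/protocol pairs
    if len(msg) < need:
        raise ValueError("truncated ARP payload")
    body, fields = msg[8:need], {}
    # Payload order: sender hardware, sender protocol, target hardware, target protocol.
    for name, size in (("sha", hlen), ("spa", plen), ("tha", hlen), ("tpa", plen)):
        fields[name], body = body[:size], body[size:]
    return {"htype": htype, "ptype": ptype, "oper": oper, **fields}

def find_sweepers(messages, min_targets=4):
    """Return {sender MAC: sorted target IPs} for senders whose ARP
    requests (operation code 1) cover at least min_targets IPv4 addresses."""
    targets = defaultdict(set)
    for raw in messages:
        arp = parse_arp(raw)
        if arp["oper"] == 1 and arp["ptype"] == 0x0800 and len(arp["tpa"]) == 4:
            targets[arp["sha"].hex(":")].add(IPv4Address(arp["tpa"]))
    return {mac: [str(ip) for ip in sorted(ips)]
            for mac, ips in targets.items() if len(ips) >= min_targets}

def make_request(sha, spa, tpa):
    # Constructed Ethernet/IPv4 ARP request (28 bytes, target MAC zeroed).
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sha,
                       IPv4Address(spa).packed, bytes(6), IPv4Address(tpa).packed)

# Constructed capture: one host sweeping six addresses, one resolving its gateway.
SCANNER = bytes.fromhex("020000000001")
WORKSTATION = bytes.fromhex("020000000002")
ARP_SAMPLE = [make_request(SCANNER, "192.0.2.10", f"192.0.2.{i}") for i in range(1, 7)]
ARP_SAMPLE.append(make_request(WORKSTATION, "192.0.2.20", "192.0.2.1"))

if __name__ == "__main__":
    print(find_sweepers(ARP_SAMPLE))
```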

SMB Discovery

SMB is a protocol commonly found in Microsoft Windows clients that has matured through the years. Despite the newer versions available, SMBv1 can still be found enabled in most systems for compatibility reasons. SMBv1 has an interesting feature that has been abused for years: SMBv1 servers return system information without authentication. The information available includes Windows version, build number, NetBIOS computer name, workgroup, and exact system time. This is useful information as it allows us to fingerprint systems without the noise from an OS detection scan.