CEH

(Jeff_L) #1

What Is Network Scanning?


It is not unknown for an ethical hacker to engage in the network scanning phase and emerge with a better diagram of the network environment than the client has. Why is this possible? Well, with the rapid growth of networks, adoption of technology, large support teams, and personnel turnover, the client's knowledge of their own network may have become obscured somewhat. In some cases the people who designed the network created the initial diagram, but after they left the company or went to new positions the diagram was never updated as new technology was adopted. Therefore, the diagram became outdated and highly inaccurate. As an ethical hacker you should be prepared to encounter this situation as well as be ready to suggest improvements to policy and operating procedures that would prevent this from recurring. Remember that if the client doesn't know what their own environment looks like, they have no idea what should and shouldn't be there.

So what, as a pen tester, should you be looking to uncover and how can you reveal this information? The information you are looking to reveal can be quite varied, but generally you are keeping an eye out for things like:

■ IP addresses and open/closed ports on live hosts
■ Information on the operating system(s) and the system architecture
■ Services or processes running on hosts


Scanning is a set of procedures used to identify hosts, ports, and services on a target network. Scanning is considered part of the intelligence-gathering process an attacker uses to gain information about the targeted environment.

Expect the information that is gathered during this phase to take a good amount of time to analyze, which will vary depending on how good you are at reading the resulting information. If you have performed your initial reconnaissance well, however, this process should not be complicated. Your knowledge will help you not only target your initial scans better, but also better determine how to decipher certain parts of the results, as you will see later.

When you are performing your network scanning process, keep in mind that scanning typically breaks down into one of three types:


Port Scanning Port scanning is when you send carefully crafted messages or packets to a target computer with the intent of learning more about it. These probes are typically associated with well-known port numbers or those less than or equal to 1024. Through the careful application of this technique, you can learn about the services a system offers to the network as a whole. It is even possible that during this process you can tell systems such as mail servers, domain controllers, and web servers from one another. In this book the primary tool we will use in port scanning is Fyodor's Nmap, which is considered by many to be the definitive port scanner.

Network Scanning Network scanning is designed to locate all the live hosts on a network (the hosts that are running). This type of scan will identify those systems that may be attacked later or those that may be scanned a little more closely.
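
As an added example that is not part of the CEH text or the post above: a small Python detector that tells the two scan types described here apart from the defender's side, using constructed connection-log lines. A source that probes many ports on one host is reported as a port scan; a source that probes one port across many hosts is reported as a network scan (host discovery sweep). The log format, the addresses, the time window and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "DENY" firewall format (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:00 DENY src=203.0.113.7 dst=192.0.2.10 dport=21
2024-03-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-03-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2024-03-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=25
2024-03-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=80
2024-03-01T10:00:10 DENY src=198.51.100.5 dst=192.0.2.1 dport=445
2024-03-01T10:00:10 DENY src=198.51.100.5 dst=192.0.2.2 dport=445
2024-03-01T10:00:11 DENY src=198.51.100.5 dst=192.0.2.3 dport=445
2024-03-01T10:00:11 DENY src=198.51.100.5 dst=192.0.2.4 dport=445
2024-03-01T10:00:12 DENY src=198.51.100.5 dst=192.0.2.5 dport=445
2024-03-01T10:00:30 DENY src=192.0.2.50 dst=192.0.2.10 dport=443
"""
LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def classify(log_text, window=timedelta(seconds=10), port_threshold=5, host_threshold=5):
    """Return {src: 'port scan' | 'network scan'} for each source whose denied
    connections, within any sliding window of `window`, exceed a threshold."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        events[src].append((ts, dst, dport))
    verdicts = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            ports_per_host = defaultdict(set)   # dst host -> distinct ports probed
            hosts_per_port = defaultdict(set)   # dport   -> distinct hosts probed
            for _, dst, dport in in_win:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                verdicts[src] = "port scan"     # many ports on one host
                break
            if any(len(h) >= host_threshold for h in hosts_per_port.values()):
                verdicts[src] = "network scan"  # one port across many hosts
                break
    return verdicts
```

A single denied connection from 192.0.2.50 never crosses either threshold, so it is left unflagged; tune the window and thresholds to the noise level of the network being monitored.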
