Scanning

Scanning is a process used to identify active hosts and open

services/ports on a target system, often with the goal of assessing
security vulnerabilities. This process is essential for penetration testing,
security assessments, or ethical hacking, as it helps uncover potential
weaknesses in a network or system.

Types of Scanning:

1. Port Scanning

2. Vulnerability Scanning

Port Scanning Techniques (TCP and UDP):

TCP Scanning Techniques:

Port scanning in TCP can be conducted using different methods to probe

the system and understand which services are running. Some common
TCP port scanning techniques are:

1. TCP Connect Scan:

o This method involves completing the full three-way handshake

to establish a connection. It is easy to detect because it
involves establishing a complete connection to the target port.

2. TCP FIN Scan:

o This scan sends a FIN (Finish) flag to the target port, which is
used to terminate a connection. Normally, no response should
be received if the port is closed, but a reset (RST) signal is
sent for open ports, which can help in identifying open ports.

3. TCP SYN Scan:

o This is one of the most popular scanning techniques. It only

sends the SYN (synchronize) flag, initiating the handshake
process. If the port is open, a SYN-ACK response is received.
The scan doesn't complete the handshake, making it
stealthier than a full TCP connection scan.

4. TCP XMAS Scan:

o This scan sends a packet with the FIN, URG, and PSH flags set.
These flags are not typically used together, which can confuse
the target system. It is stealthier but can be detected by
modern firewalls and intrusion detection systems (IDS).
 o

5. TCP NULL Scan:

o In this method, no flags are set in the packet, which can

confuse the target system because there is no flag indicating
the purpose of the packet. The response behaviour helps
determine whether the port is open or closed, though it is less
commonly used due to detection issues.

UDP Scanning:

While UDP scanning is generally less reliable than TCP scanning due to the
nature of UDP's connectionless protocol, it can still be important for
discovering open services on a network.

 UDP Scan: This scan sends a packet to a target port and waits for a
response. If there is no response, it is assumed the port is open (or
filtered by a firewall). If a response is received (such as an ICMP port
unreachable message), it is considered closed.

Each scanning technique has different levels of effectiveness and stealth,

making it suitable for different scenarios depending on the target and the
assessment’s objectives.

Network Sniffing

Network sniffing is the process of capturing and analyzing data packets

that travel through a network. It is a critical technique used in network
monitoring, security assessments, and troubleshooting. It involves using a
tool (known as a packet sniffer) to intercept and log the network traffic
in real-time, allowing users to inspect the contents of data packets sent
over the network.

Network sniffing can be performed for legitimate purposes, such as

network management and security monitoring, but it can also be used for
malicious purposes, such as intercepting sensitive information like
passwords, usernames, and other confidential data.

How Network Sniffing Works

1. Packet Capture:

o When data is transmitted across a network, it is divided into

packets that contain the data being sent, along with various
metadata (such as source and destination IP addresses,
protocol types, etc.).
 o A packet sniffer intercepts these packets and stores them for
analysis.

2. Promiscuous Mode:

o For sniffing to be effective, the network interface card (NIC) of

the system running the sniffer must be set to promiscuous
mode. This mode allows the NIC to capture all network traffic,
even traffic that is not addressed to the system itself.

3. Analysis of Captured Data:

o After packets are captured, they can be analyzed using

various protocols and filters. This allows an administrator or
attacker to examine the data for useful information such as:

 IP addresses, MAC addresses

 Communication protocols (TCP, UDP, HTTP, etc.)

 Application-level data (web traffic, emails, etc.)

Common Uses of Network Sniffing

1. Network Monitoring:

o Administrators use sniffers to monitor traffic on the network to

identify bottlenecks, unusual traffic patterns, or performance
issues.

2. Security Auditing:

o Security professionals use sniffers to detect suspicious

activity, such as the presence of malware or unauthorized
data exfiltration.

3. Troubleshooting:

o Sniffing helps diagnose network problems such as connectivity

issues, latency, or packet loss by analyzing packet flow and
identifying where the breakdown occurs.

4. Packet Reconstruction:

o Sniffers can be used to reconstruct sessions (like web

browsing or file transfers) by collecting and reassembling the
captured packets.

5. Malicious Purposes:

o Eavesdropping: Attackers may use sniffers to capture

sensitive information like usernames, passwords, credit card
 numbers, etc., especially in unsecured networks (e.g., open
Wi-Fi).

o Man-in-the-Middle Attacks (MITM): An attacker could

intercept communications between two parties, potentially
altering or injecting malicious data into the communication.

Popular Network Sniffing Tools

1. Wireshark:

o One of the most popular and powerful packet analyzers. It

supports various protocols and offers detailed filtering options
to examine traffic closely.

2. Tcpdump:

o A command-line-based sniffer that is widely used in Unix/Linux

systems. It is powerful and flexible but requires knowledge of
command-line operations.

3. EtherApe:

o A graphical tool that visualizes network traffic in real-time,

showing how devices are communicating and identifying high-
traffic patterns.

4. WiFi Pineapple:

o A device designed for penetration testers, commonly used for

sniffing and performing man-in-the-middle attacks on wireless
networks.

Ethical Considerations

While network sniffing is an essential tool for network administration and

security testing, it can be illegal and unethical when performed without
authorization. Unauthorized sniffing is a violation of privacy, can lead to
theft of sensitive data, and can result in legal consequences.

 Ethical Hacking: When performed as part of a security assessment

or penetration test (with proper consent), sniffing helps identify
vulnerabilities.

 Legal Use: Network sniffing should only be performed within the

boundaries of authorized networks and for legitimate purposes.

Prevention of Malicious Sniffing

1. Encryption:
 o Use encrypted communication protocols (e.g., HTTPS,
SSL/TLS) to protect data in transit from being easily
intercepted.

2. VPN (Virtual Private Network):

o Encrypt network traffic between devices, especially when

using public or unsecured networks like Wi-Fi.

3. Secure Network Design:

o Use techniques like VLANs (Virtual Local Area Networks) to

segment sensitive traffic and minimize exposure to sniffing
attacks.

4. Port Security:

o Disable unused network ports and use port-based

authentication to limit unauthorized access to the network.

5. Intrusion Detection Systems (IDS):

o Deploy IDS/IPS systems that can detect sniffing activity by

monitoring unusual network traffic patterns.

2. Tcpdump

 Overview: Tcpdump is a command-line packet analyzer, widely

used for capturing and analyzing network traffic. It's ideal for users
who prefer a lightweight, terminal-based approach.

 Features:

o Command-line interface (CLI), suitable for remote or server

environments.

o Detailed packet capture with filtering options.

o Supports various network interfaces.

o Allows packet capture based on IP, port, and other protocols.

 Platform: Linux, Unix, macOS, Windows (via WinDump)

 Use Cases:

o Command-line-based packet sniffing.

o Capturing network traffic in environments with limited

resources.

 Website: Tcpdump