Scanning and its Tools
After making a list of attackable IPs in the Reconnaissance phase, we move on to phase 2 of ethical hacking, i.e., Scanning. The process of scanning is divided into 3 parts.
- Determine whether the system is on and working.
- Find the ports on which applications are running.
- Scan the target system for vulnerabilities.
Ping and Ping Sweeps:
The simplest way to check whether a system is alive is to ping that system's IP address. A ping is a special packet called an ICMP packet. When we ping a device's IP, an ICMP Echo Request message is sent to the target, and the target system sends an ICMP Echo Reply packet in response to the request.
The Echo Reply tells us more than whether the system is alive. It also gives the round-trip time, i.e., the time taken for the ping to reach the target and come back to us. It also reports packet loss, which is helpful in judging the reliability of the network.
A ping sweep is a method of pinging a list of IPs automatically, since pinging a large list of IPs by hand is time-consuming and error-prone. A tool for ping sweeps is fping. fping can be invoked with the following command.
fping -a -g 172.16.10.1 172.16.10.20
- The "-a" switch shows only the alive IPs in the output.
- The "-g" switch specifies a range of IPs.
- In the above command the IP range is 172.16.10.1 to 172.16.10.20.
Port Scanning:
A computer has a total of 65,536 ports (0-65,535). Depending on the nature of the communication and the application using a port, it is either a UDP or a TCP port. Scanning a system to check which ports are open and which applications are using them gives us a better picture of the target system.
Port scanning is done with a tool called Nmap. Nmap is written by Gordon "Fyodor" Lyon. It is available both as a GUI and as a command-line interface.
nmap -sT -p- 172.16.10.5
nmap -sU -p- 172.16.10.5
- "-s" specifies the scan type.
- -sT means a TCP (connect) scan and -sU means a UDP scan.
- "-p-" tells Nmap to scan all ports of the target IP (a plain "-p" takes a port list, e.g. -p 22,80).
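To show what the -sT connect scan does at the socket level, here is an added Python example that is not from the original article or from the Nmap project. It starts a throwaway TCP listener on 127.0.0.1 (a constructed target), then probes one open and one closed local port with full connect() attempts, the same three-way handshake Nmap's -sT performs. Because the handshake completes, the listener's accept() fires and records the caller, which is why connect scans are visible in service logs and easy to detect.

```python
import socket
import threading
import time

HOST = "127.0.0.1"  # constructed target: we only scan our own throwaway listener

def start_listener():
    """Throwaway TCP service on an OS-assigned port. Returns (port, log, socket);
    log records every completed handshake, i.e. what a real service log would show."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    log = []

    def accept_loop():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:
                return  # listener was closed
            log.append(addr)  # a connect scan always lands here
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], log, srv

def free_port():
    """Reserve and release an OS-assigned port so we have a known-closed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]

def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan (what nmap -sT does): 'open' if the handshake completes,
    'closed' on RST / connection refused, 'filtered' if nothing answers in time."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except (socket.timeout, OSError):
                results[port] = "filtered"
    return results

def demo():
    """Scan one open and one closed local port; also return how many handshakes
    the service itself logged (non-zero: the scan left a trace on the target)."""
    open_port, log, srv = start_listener()
    closed_port = free_port()
    results = connect_scan(HOST, [open_port, closed_port])
    deadline = time.time() + 2
    while not log and time.time() < deadline:
        time.sleep(0.01)  # give the accept thread a moment to record the handshake
    srv.close()
    return open_port, closed_port, results, len(log)

if __name__ == "__main__":
    print(demo())
```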
Vulnerability Scanning:
A vulnerability is a weakness in software or in a system's configuration that can be exploited. Missing patches are a common cause of vulnerabilities in software.
Software vendors regularly provide patches for known issues. Some vulnerabilities lead to remote code execution, which is the holy grail of hacking. One of the tools for vulnerability scanning is Nessus. It can be downloaded from the website nessus.org. It contains thousands of plugins for vulnerability scanning. A plugin is a small block of code that is run against the target system's IP for the purpose of vulnerability scanning.