After gathering information through footprinting and reconnaissance, the next phase in ethical hacking and penetration testing is network scanning and enumeration. This step helps identify live hosts, open ports, services, and vulnerabilities within a target network.
Both black hat hackers (malicious attackers) and white hat hackers (ethical hackers) use scanning and enumeration techniques to discover security weaknesses. Understanding these concepts is crucial for securing networks and preventing unauthorized access.
1. What is Network Scanning?
Definition:
Network scanning is the process of actively probing a network to detect live systems, open ports, running services, and vulnerabilities.
Objectives of Network Scanning:
- Identify live hosts on the network.
- Detect open ports and running services.
- Gather information about operating systems and network topology.
- Find vulnerabilities in services and applications.
Types of Network Scanning:
- Ping Scan – Checks if hosts are online.
- Port Scan – Identifies open ports and services.
- Service Scan – Detects running applications.
- OS Fingerprinting – Determines the operating system.
- Vulnerability Scan – Finds security weaknesses.
Tools Used:
- Nmap – The most popular network scanning tool.
- Zenmap – GUI version of Nmap.
- Angry IP Scanner – Simple network scanner.
- Advanced IP Scanner – Detects network devices.
2. What is Enumeration?
Definition:
Enumeration is the process of extracting detailed system and network information from a target. It involves direct interaction with the system to gather:
- Usernames and groups
- Network shares and resources
- Routing tables
- Active Directory information
Objectives of Enumeration:
🔹 Identify valid user accounts and system details.
🔹 Extract shared resources such as network folders.
🔹 Detect weak security settings.
Tools Used:
- NetBIOS commands (nbtstat) – Lists shared folders and users.
- SNMP Enumeration Tools – Extracts device details.
- LDAP Enumeration – Queries Active Directory.
3. Network Scanning Techniques
A. Ping Sweep
A ping sweep checks which hosts are active on a network by sending ICMP echo requests.
Tools:
- ping command
- Nmap (nmap -sn <IP Range>)
Countermeasure: Block ICMP requests using firewalls.
B. Port Scanning
Port scanning identifies open ports and services running on a system.
Common Port States:
- Open – The service is accepting connections.
- Closed – The port is not in use.
- Filtered – A firewall is blocking access.
Common Scanning Methods:
🔹 TCP Connect Scan (nmap -sT <IP>): Finds open TCP ports by completing a full connection to each one.
🔹 SYN Scan (nmap -sS <IP>): Stealth scan to avoid detection.
🔹 UDP Scan (nmap -sU <IP>): Finds open UDP ports.
Tools:
- Nmap – Industry-standard network scanner.
- Masscan – Faster alternative to Nmap.
Countermeasure: Configure firewalls to limit port access.
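The three port states above are exactly what a connect scan (nmap -sT) sees at the socket level: a completed handshake, a reset, or silence. The following Python example is added here to make that mapping concrete; it is not part of the original article or of Nmap. It starts a throwaway listener on the loopback interface (a constructed target, so it runs offline) and classifies a listening port and an unused port the way a scanner would; the "filtered" branch only appears when a firewall silently drops the probe, which is why the countermeasure of limiting port access at the firewall leaves a scanner with a timeout instead of an answer.

```python
import socket
import threading
from contextlib import contextmanager


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port from the outcome of a full connect() attempt.

    open     -> the handshake completed (a service accepted it)
    closed   -> the host answered with a RST (ConnectionRefusedError)
    filtered -> nothing came back before the timeout (typical of a firewall DROP rule)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


@contextmanager
def temporary_listener(host: str = "127.0.0.1"):
    """Constructed demo target: a TCP listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop():
        # Accept and immediately drop connections until asked to stop.
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    worker = threading.Thread(target=accept_loop, daemon=True)
    worker.start()
    try:
        yield port
    finally:
        stop.set()
        srv.close()
        worker.join()


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing is listening on, so a probe should report 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Probe one listening and one unused loopback port and return their states."""
    with temporary_listener() as open_port:
        return {
            "listener": probe_port("127.0.0.1", open_port),
            "unused": probe_port("127.0.0.1", free_port()),
        }


if __name__ == "__main__":
    print(demo())  # expected: {'listener': 'open', 'unused': 'closed'}
```

Run it from a host you administer to confirm that ports you intended to block show up as "filtered" rather than "closed"; a "closed" answer still confirms to an observer that the host is up and reachable.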
C. OS Fingerprinting
OS fingerprinting helps attackers determine which operating system is running on a target device.
Techniques:
- Active Fingerprinting – Sends malformed packets to identify OS responses.
- Passive Fingerprinting – Observes network traffic to detect OS details.
Tools:
- Nmap (nmap -O <IP>)
- p0f (Passive OS fingerprinting tool)
Countermeasure: Use a network intrusion detection/prevention system (IDS/IPS) to detect and block fingerprinting attempts.
4. Enumeration Techniques
A. NetBIOS Enumeration
NetBIOS (Network Basic Input/Output System) allows computers to share resources. Attackers use it to extract:
- Shared folders and files
- Usernames and groups
Commands:
- nbtstat -A <IP> – Lists NetBIOS names.
- net view \\<IP> – Shows shared folders.
Countermeasure: Disable NetBIOS over TCP/IP if not needed.
B. SNMP Enumeration
SNMP (Simple Network Management Protocol) allows network devices to share status updates. Attackers use it to:
- Extract network device details
- Find running processes
Tools:
- snmpwalk – Queries SNMP information.
- SNMP-check – Retrieves system details.
Countermeasure: Disable SNMP if not used or use strong community strings.
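"Use strong community strings" is easy to state and easy to get wrong in a config file. The Python audit below is an added example (not from the article or from the net-snmp project) that reads an snmpd.conf-style file and flags the settings that make SNMP enumeration trivial: a well-known default community string, a short one, write access (rwcommunity), or a community line with no source restriction. The two configurations it checks are constructed samples, and the list of default strings and the 12-character minimum are assumptions you should adjust to your own policy.

```python
import re

# Constructed list of the default community strings enumeration tools try first.
DEFAULT_COMMUNITIES = {"public", "private", "community", "manager", "admin"}
MIN_COMMUNITY_LENGTH = 12  # assumed policy minimum

# net-snmp access lines:  rocommunity|rwcommunity <string> [source] [oid]
COMMUNITY_LINE = re.compile(
    r"^\s*(rocommunity6?|rwcommunity6?)\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE
)


def audit_snmpd_conf(text: str) -> list:
    """Return (line_number, finding) tuples for weak SNMP v1/v2c settings."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.split("#", 1)[0]  # ignore comments
        m = COMMUNITY_LINE.match(stripped)
        if not m:
            continue
        directive, community, source = m.group(1).lower(), m.group(2), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((no, f"default community string '{community}' on {directive}"))
        elif len(community) < MIN_COMMUNITY_LENGTH:
            findings.append((no, f"short community string on {directive} ({len(community)} chars)"))
        if directive.startswith("rw"):
            findings.append((no, "write access (rwcommunity) granted; prefer read-only or SNMPv3"))
        if source in (None, "default"):
            findings.append((no, f"{directive} reachable from any source; restrict to the NMS address"))
    return findings


WEAK_CONF = """\
# constructed sample of a weak snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/8
"""

HARDENED_CONF = """\
# constructed sample: read-only, long random string, limited to the management host
rocommunity Xk7pQ2vL9mTz4wRb 192.0.2.10
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for no, finding in audit_snmpd_conf(conf):
            print(f"  line {no}: {finding}")
```

A community string is sent in clear text in SNMP v1/v2c, so even a long random one only raises the bar against guessing; where the devices support it, the stronger countermeasure is SNMPv3 with authentication and encryption, with v1/v2c disabled entirely.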
C. LDAP Enumeration
LDAP (Lightweight Directory Access Protocol) is used for Active Directory queries. Attackers use it to:
- Extract usernames and organizational units (OUs).
- Find employee email addresses.
Tools:
- ldapsearch – Queries LDAP servers.
- Softerra LDAP Browser – GUI-based tool.
Countermeasure: Limit anonymous access to Active Directory.
5. Countermeasures Against Scanning and Enumeration
How to Prevent Unauthorized Scanning and Enumeration?
- Use Firewalls & IDS/IPS – Block port scans and unauthorized traffic.
- Disable Unused Services – Close unnecessary open ports.
- Limit SNMP & NetBIOS Access – Restrict network enumeration techniques.
- Implement Strong Authentication – Use multi-factor authentication for sensitive services.
- Monitor Network Traffic – Detect suspicious scanning activities.
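"Monitor network traffic" becomes actionable once you decide what a scan looks like in your own logs. The Python detector below is an added example (not from the article) that parses iptables-style LOG lines and raises an alert when one source touches many distinct ports on a host (a vertical scan, the pattern of the port scans in section 3) or the same port across many hosts (a horizontal scan) inside a sliding time window. The log lines are constructed, the `fw kernel:` syslog layout and the 10-port / 5-host thresholds are assumptions, and the windowing is generic enough to run over any flow log you can map to (timestamp, source, destination, destination port).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the parts of an iptables LOG line that the detector needs.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str):
    """Return an event dict for a firewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year; deltas still work
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_scans(lines, window_seconds=60, port_threshold=10, host_threshold=5) -> dict:
    """Flag sources that hit many ports on one host (vertical) or many hosts (horizontal)."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        for event in events:
            window.append(event)
            # Drop events that fell out of the sliding window.
            while (event["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            ports = {e["dpt"] for e in window}
            hosts = {e["dst"] for e in window}
            if len(ports) >= port_threshold or len(hosts) >= host_threshold:
                alerts[src] = {
                    "kind": "horizontal" if len(hosts) >= host_threshold else "vertical",
                    "distinct_ports": len(ports),
                    "distinct_hosts": len(hosts),
                    "first_seen": window[0]["ts"].strftime("%H:%M:%S"),
                    "last_seen": event["ts"].strftime("%H:%M:%S"),
                }
                break  # one alert per source is enough for the demo
    return alerts


def _line(ts: str, src: str, dst: str, dpt: int) -> str:
    """Build one constructed iptables LOG line (assumed syslog layout)."""
    return f"Mar 14 {ts} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=60 PROTO=TCP SPT=40001 DPT={dpt} SYN"


# Constructed sample log: one vertical scan, one horizontal scan, one benign client.
SAMPLE_LOG = [
    *[_line(f"10:00:{i:02d}", "203.0.113.5", "192.0.2.10", p)
      for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445])],
    *[_line(f"10:05:{i:02d}", "203.0.113.77", f"192.0.2.{10 + i}", 445) for i in range(5)],
    _line("10:00:05", "198.51.100.20", "192.0.2.10", 443),
    _line("10:00:30", "198.51.100.20", "192.0.2.10", 443),
    _line("10:01:10", "198.51.100.20", "192.0.2.10", 80),
]

if __name__ == "__main__":
    for src, alert in detect_scans(SAMPLE_LOG).items():
        print(src, alert)
```

Tune the thresholds against a baseline of your own traffic before alerting on them: a busy web proxy or a vulnerability scanner you run yourself will trip a naive port count, so allow-list known scanners and alert on the rest.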
