Network Scanning Types

Network scanning refers to the process of obtaining additional information and performing a more detailed reconnaissance based on the collected information in the footprinting phase.

In this phase, a number of different procedures are used with the objective to identify hosts, ports, and services in the target network. The whole purpose is to identify vulnerabilities in communication channels and then create an attack plan. 

Types of Network Scanning

TCP scanning – TCP scanning uses the port scanning method. It scans all the ports in a system or network to find the ones that are open, half-open, or closed. If a port is found open, the OS performs the TCP three-way handshake. The scanner then ends the connection so that DoS attacks can be avoided.

When a SYN scan (described next) is not a viable option, the most basic port scanners typically fall back on the operating system’s network features. This mode is known as connect scan in Nmap, after the connect() system call on Unix. In order to prevent a Denial-of-Service attack, if a port is open, the operating system completes the TCP three-way handshake and the port scanner promptly kills the connection. If not, an error code is returned. The benefit of using this scan mode is that the user doesn’t need special access. This method is “noisy”, particularly if it is a “portsweep”: the services can log the sender IP address and intrusion detection systems can raise an alarm.

SYN scanning – SYN scan is another form of TCP scanning. Rather than use the operating system’s network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as “half-open scanning”, because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed. If the port is closed but unfiltered, the target will instantly respond with a RST packet.

The usage of raw networking provides a number of benefits, including complete reporting of the responses and full control over the scanner’s ability to regulate the packets delivered and the timeout for responses. Which scan is less invasive on the target host is up for discussion. The benefit of SYN scan is that no connection is ever truly established with the individual services. However, some network stacks, particularly simple devices like printers, may experience issues as a result of the RST during the handshake. Either way, there are no convincing arguments.

UDP scanning – UDP port scanners are used for finding the open ports in the User Datagram Protocol. If a port is found open, there will be an ICMP port unreachable response.

Although there are technological difficulties, UDP scanning is also feasible. There is no equivalent to a TCP SYN packet in UDP because it is a connectionless protocol. However, the system will react with an ICMP port unreachable response if a UDP packet is delivered to a port that is not open. This scanning technique is used by the majority of UDP port scanners, which assume that a port is open if there is no response. However, this approach will erroneously claim that a port is open if it is blocked by a firewall. All ports will seem open if the port unreachable message is blocked. ICMP rate limiting is also a factor in this strategy.

An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response, if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application specific probe packet is available. Some tools (e.g., nmap) generally have probes for less than 20 UDP services, while some commercial tools (e.g., nessus) have as many as 70. In some cases, a service may be listening on the port, but configured not to respond to the particular probe packet. 

However, the ICMP-based technique also considers open those ports that are blocked by firewalls or for which the ‘port unreachable’ message is blocked.
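The ambiguity described above, as an added example that is not part of the original article: a single UDP probe has only three possible outcomes, and silence cannot distinguish a quiet service from a filtered port. The function names and the three loopback test ports are assumptions made for the illustration.

```python
import socket
import threading

def probe_udp(host, port, payload=b"probe", timeout=0.5):
    """Send one datagram and classify the port from what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket, so the OS hands ICMP errors back to us
        try:
            s.send(payload)
            s.recv(1024)
            return "open"             # an application-layer reply arrived
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"           # ICMP port unreachable (Windows reports it as a reset)
        except socket.timeout:
            return "open|filtered"    # silence: quiet service or dropped packet, can't tell

def demo_on_loopback():
    """Probe three constructed loopback ports: answering, silent, and closed."""
    def bound():
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        return sock, sock.getsockname()[1]

    echo, echo_port = bound()
    silent, silent_port = bound()     # bound but never reads or replies
    spare, closed_port = bound()
    spare.close()                     # nothing listens here any more

    def answer_once():
        data, peer = echo.recvfrom(1024)
        echo.sendto(data, peer)
    threading.Thread(target=answer_once, daemon=True).start()

    try:
        return {
            "answering": probe_udp("127.0.0.1", echo_port),
            "silent": probe_udp("127.0.0.1", silent_port),
            "closed": probe_udp("127.0.0.1", closed_port),
        }
    finally:
        echo.close()
        silent.close()

if __name__ == "__main__":
    print(demo_on_loopback())
```

The silent port is bound by a real socket, yet the probe reports it exactly as it would report a port behind a packet-dropping firewall.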

ACK scanning – ACK scanning is one of the more unusual scan types, as it does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered. This is especially good when attempting to probe for the existence of a firewall and its rulesets. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall might not.

Window scanning – Rarely used because of its outdated nature, window scanning is fairly untrustworthy in determining whether a port is opened or closed. It generates the same packet as an ACK scan, but checks whether the window field of the packet has been modified. When the packet reaches its destination, a design flaw attempts to create a window size for the packet if the port is open, flagging the window field of the packet with 1’s before it returns to the sender. Using this scanning technique with systems that no longer support this implementation returns 0’s for the window field, labeling open ports as closed.

FIN scanning – Since SYN scans are not surreptitious enough, firewalls are, in general, scanning for and blocking packets in the form of SYN packets. FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP, and is in some ways an inescapable downfall.

Other scan types

Some more unusual scan types exist. These have various limitations and are not widely used. Nmap supports most of these.

  • Protocol scan – determines what IP level protocols (TCP, UDP, GRE, etc.) are enabled.
  • Proxy scan – a proxy (SOCKS or HTTP) is used to perform the scan. The target will see the proxy’s IP address as the source. This can also be done using some FTP servers.
  • Idle scan – Another method of scanning without revealing one’s IP address, taking advantage of the predictable IP ID flaw.
  • CatSCAN – Checks ports for erroneous packets.
  • ICMP scan – determines if a host responds to ICMP requests, such as echo (ping), netmask, etc.

Port Scanning

Port scanning is the act of systematically scanning a computer’s ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.

Types of port scans

  • vanilla: the scanner attempts to connect to all 65,535 ports
  • strobe: a more focused scan looking only for known services to exploit
  • fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall
  • UDP: the scanner looks for open UDP ports
  • sweep: the scanner connects to the same port on more than one machine
  • FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan
  • stealth scan: the scanner blocks the scanned computer from recording the port scan activities.

Port scanning in and of itself is not a crime. There is no way to stop someone from port scanning your computer while you are on the Internet because accessing an Internet server opens a port, which opens a door to your computer. There are, however, software products that can stop a port scanner from doing any damage to your system.

A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it.

A port scan, also known as a portscan, is a process that sends client requests to a variety of server port addresses on a host in order to locate an active port. While the method is not inherently malicious, hackers use it to explore the services on a target machine in order to take advantage of a service’s known weakness. However, the bulk of port scans are straightforward inquiries to see what services are offered on a distant machine and are not attacks.

To portsweep is to scan multiple hosts for a specific listening port. A portsweep is typically used to search for a specific service; for example, an SQL-based computer worm may portsweep looking for hosts listening on TCP port 1433.
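A defender-side view of the "noisy" behaviour noted earlier, as an added example that is not from the original article: it flags sources in a connection log as performing a port scan (many ports on one host) or a portsweep (one port on many hosts). The log tuples, the 60-second window and the thresholds of 20 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: one (seconds, src_ip, dst_ip, dst_port) tuple per inbound
# connection attempt, as a firewall or service log might record it.
SAMPLE_EVENTS = (
    [(t, "198.51.100.7", "10.0.0.5", 20 + t) for t in range(30)]        # one host, many ports
    + [(t, "203.0.113.9", f"10.0.0.{t + 1}", 1433) for t in range(25)]  # many hosts, one port
    + [(5, "192.0.2.44", "10.0.0.5", 443), (9, "192.0.2.44", "10.0.0.5", 443)]  # ordinary client
)

def classify_sources(events, window=60, min_ports=20, min_hosts=20):
    """Return {src_ip: ["portscan" and/or "portsweep"]} for sources over a threshold.

    portscan  = many distinct ports on one destination within `window` seconds
    portsweep = the same port on many distinct destinations within `window` seconds
    The thresholds are illustrative assumptions; tune them to the network.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        by_src[src].append((ts, dst, port))

    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        labels = set()
        for i, (start, _, _) in enumerate(rows):
            ports_on_host = defaultdict(set)   # dst_ip -> ports tried
            hosts_on_port = defaultdict(set)   # dst_port -> hosts tried
            for ts, dst, port in rows[i:]:
                if ts - start > window:
                    break
                ports_on_host[dst].add(port)
                hosts_on_port[port].add(dst)
            if any(len(p) >= min_ports for p in ports_on_host.values()):
                labels.add("portscan")
            if any(len(h) >= min_hosts for h in hosts_on_port.values()):
                labels.add("portsweep")
        if labels:
            findings[src] = sorted(labels)
    return findings

if __name__ == "__main__":
    for src, labels in classify_sources(SAMPLE_EVENTS).items():
        print(src, labels)
```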

Some port scanners scan only the most common port numbers, or ports most commonly associated with vulnerable services, on a given host. The result of a scan on a port is usually generalized into one of three categories:

  • Open or Accepted: The host sent a reply indicating that a service is listening on the port.
  • Closed or Denied or Not Listening: The host sent a reply indicating that connections will be denied to the port.
  • Filtered, Dropped or Blocked: There was no reply from the host.

Open ports present two vulnerabilities of which administrators must be wary:

  • Security and stability concerns associated with the program responsible for delivering the service – Open ports.
  • Security and stability concerns associated with the operating system that is running on the host – Open or Closed ports.

Filtered ports do not tend to present vulnerabilities. 

Ping Sweep

Before an attack, the machines that are active on the network must be found. This is accomplished by a ping sweep. Although ping is found on every system running TCP/IP, it is restricted by many organizations.

Ping is used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer and back. The name comes from active sonar terminology which sends a pulse of sound and listens for the echo to detect objects underwater.

Options and results differ significantly depending on the implementation (see man ping for the system you are using). They often involve altering the payload’s size, the number of tests, and the number of hops (TTL). Many systems come with a companion program called ping6 that is used for testing with Internet Protocol version 6 (IPv6). Statistical summaries of the answer packets received, including the minimum, maximum, mean round-trip times and standard deviation of the mean, are typically included in the test findings.

Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP echo reply. It measures the time from transmission to reception (round-trip time) and reports any packet loss. If the target device is unreachable, a request time out is returned. Ping is a useful tool to identify active machines and to measure the speed at which packets are moved from one host to another or to get details like the TTL.


Ping does have a couple of drawbacks: first, only one system at a time is pinged, and second, not all networks allow ping. To ping a large number of hosts, a ping sweep is usually performed. Programs that perform ping sweeps typically sweep through a range of devices to determine which ones are active. Some of the programs that will perform ping sweeps include Angry IP Scanner, Pinger, WS_Ping_ProPack, Network scan tools, Super Scan and Nmap.

Ping sweep is a method that can establish a range of IP addresses which map to live hosts.

The classic tool used for ping sweeps is fping, which traditionally was accompanied by gping to generate the list of hosts for large subnets, although more recent versions of fping include that functionality. Well-known tools with ping sweep capability include nmap for Unix systems, and the Pinger software from Rhino9 for Windows NT.

OS Fingerprinting

OS fingerprinting is the process of determining the operating system used by a host on a network.

Types of OS fingerprinting are

  • Active fingerprinting – Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding replies.
  • Passive fingerprinting – Passive fingerprinting is the process of analysing packets from a host on a network. In this case, fingerprinter acts as a sniffer and doesn’t put any traffic on a network.

Fingerprinting techniques – Almost all fingerprinting techniques are based on detecting difference in packets generated by different operating systems. Common techniques are based on analysing:

  • IP TTL values
  • IP ID values
  • TCP Window size
  • TCP Options (generally, in TCP SYN and SYN+ACK packets)
  • DHCP requests
  • ICMP requests
  • HTTP packets (generally, User-Agent field).
  • Running services
  • Open port patterns

  • The IP TTL value – Various OSes set the TTL on outgoing packets to different levels.
  • The TCP window size – OS vendors use different numbers for the initial window size.
  • The IP DF option – Not every OS provider approaches fragmentation in the same way.
  • The IP Type of Service (TOS) option – TOS is a three-bit field that regulates the priority of particular packets. Once more, not every vendor applies this option the same way.

The IP Identification Number (IPID), IP options, TCP options, and even ICMP are other things that can be investigated. When analyzing packets from a NAT device, many passive fingerprinters get confused.
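An added example, not code from the original article or from any tool the page names: it extracts the fields discussed above (TTL, DF, TOS, IPID, window size, TCP option order) from a raw IPv4/TCP packet, the first step a passive fingerprinter performs. The sample SYN packet is constructed, and the list of common initial TTL values is an assumption rather than a signature database.

```python
import struct

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumption: usual stack defaults, not an OS database

def passive_fields(packet: bytes) -> dict:
    """Pull the fingerprinting-relevant fields out of one IPv4/TCP packet."""
    ver_ihl, tos, _total, ipid, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4 packet carrying TCP")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    offset_flags, window = struct.unpack("!HH", tcp[12:16])
    options = tcp[20:(offset_flags >> 12) * 4]

    kinds, i = [], 0
    while i < len(options) and options[i] != 0:       # kind 0 = end of option list
        kinds.append(options[i])
        if options[i] == 1:                            # kind 1 = NOP, a single byte
            i += 1
        elif i + 1 < len(options) and options[i + 1] >= 2:
            i += options[i + 1]                        # skip kind, length and value
        else:
            break                                      # truncated or malformed option

    initial = next(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return {
        "ttl": ttl, "initial_ttl_guess": initial, "hops_guess": initial - ttl,
        "df": bool(flags_frag & 0x4000), "tos": tos, "ipid": ipid,
        "window": window, "tcp_option_kinds": kinds,
    }

def sample_syn() -> bytes:
    """Constructed SYN: TTL 57, DF set, window 29200, options MSS/SACK-permitted/TS/NOP/WScale."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1C46, 0x4000, 57, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, (10 << 12) | 0x002, 29200, 0, 0)
    opts = (struct.pack("!BBH", 2, 4, 1460) + bytes([4, 2])
            + struct.pack("!BBII", 8, 10, 12345, 0) + bytes([1, 3, 3, 7]))
    return ip + tcp + opts

if __name__ == "__main__":
    print(passive_fields(sample_syn()))
```

The hop estimate depends on the guessed initial TTL, so the extracted values are inputs to a signature match, not an identification on their own.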

The tool used for active fingerprinting is Nmap; tools for passive fingerprinting are NetworkMiner, p0f and Satori.

Active fingerprinting is more powerful than passive fingerprinting because the hacker doesn’t have to wait for random packets, but active fingerprinting is not as stealthy as passive fingerprinting. Active fingerprinting has a much higher potential for being discovered or noticed. Some methods used in active fingerprinting are:

  • The FIN probe – A FIN packet is sent to an open port, and the response is recorded. Although RFC 793 states that the required behavior is not to respond, many OSes such as Windows will respond with a RESET.
  • Bogus flag probe – As you might remember from Table 3.7, there are only six valid flags in the 1 byte TCP header. A bogus flag probe sets one of the used flags along with the SYN flag in an initial packet. Linux will respond by setting the same flag in the subsequent packet.
  • Initial Sequence Number (ISN) sampling – This fingerprinting technique works by looking for patterns in the ISN number. Although some systems use truly random numbers, others, such as Windows, increment the number by a small fixed amount.
  • IPID sampling – Many systems increment a systemwide IPID value for each packet they send. Others, such as older versions of Windows, do not put the IPID in network byte order, so they increment the number by 256 for each packet.
  • TCP initial window – This fingerprint technique works by tracking the window size in packets returned from the target device. Many OSes use exact sizes that can be matched against a database to uniquely identify the OS.
  • ACK value – Again, vendors differ in the ways they have implemented the TCP/IP stack. Some OSes send back the previous value +1, whereas others send back more random values.
  • Type of service – This fingerprinting type tweaks ICMP port unreachable messages and examines the value in the type of service (TOS) field. Whereas some use 0, others return different values.
