Phases of Ethical Hacking

Ethical hacking typically follows a structured methodology:

1. Reconnaissance (Footprinting): Gathering initial information about the target. (Covered in a previous lesson!)
2. Scanning: Identifying active hosts, open ports, services, and vulnerabilities. This is where we focus today.
3. Gaining Access: Exploiting identified vulnerabilities to gain entry into the system.
4. Maintaining Access: Ensuring persistent access for further testing or reporting.
5. Clearing Tracks: Removing all traces of the ethical hack.
6. Reporting: Documenting findings, vulnerabilities, and recommendations.

Scanning: The Core of Discovery

Scanning is the systematic process of probing a target network or system to identify potential entry points and weaknesses. It's like taking an X-ray of the target's infrastructure.

The primary goals of scanning are to discover:

• Live Hosts: Which devices are active on the network?
• Open Ports: Which communication channels are open on these devices?
• Running Services: What applications or services are listening on those open ports (e.g., web server, FTP server, SSH)?
• Operating Systems & Versions: What OS and software versions are in use, which might have known vulnerabilities?
• Vulnerabilities: Specific weaknesses in configurations, software, or network design.

Types of Scanning

Scanning encompasses various specialized techniques:

1. Port Scanning

Identifies which ports on a target system are open, closed, or filtered. Open ports indicate active services that could be exploited.

• TCP Connect Scan: Completes a full TCP handshake.
• SYN Scan (Half-Open Scan): Sends SYN packets but doesn't complete the handshake, making it stealthier.
• UDP Scan: Probes UDP ports.

2. Network Mapping (Network Discovery)

Identifies devices on a network and their relationships, creating a topology map. This includes identifying active hosts, routers, firewalls, and other network devices.

3. Vulnerability Scanning

Identifies known security weaknesses (vulnerabilities) in systems, applications, and network devices. These scanners compare detected services and software versions against databases of known vulnerabilities.

4. Web Application Scanning

Specifically targets web applications to find vulnerabilities like SQL Injection, Cross-Site Scripting (XSS), broken authentication, etc.

Common Scanning Tools & Commands

A variety of tools are used for different scanning purposes:

1. Nmap (Network Mapper)

A powerful open-source tool for network discovery and security auditing. Excellent for port scanning and OS detection.

# Basic port scan on a target
nmap example.com

# Scan common ports with service version detection
nmap -sV example.com

# Scan a specific range of IPs for live hosts (ping scan)
nmap -sn 192.168.1.0/24

# Scan all 65535 TCP ports
nmap -p- example.com

# OS detection and version detection
nmap -A example.com
            

2. Nessus

A widely used commercial vulnerability scanner. It identifies vulnerabilities, misconfigurations, and compliance issues.

# Nessus is typically used via its web interface; no direct command-line for full scans.
# Example of a conceptual command-line interaction (for API/scripting):
# nessuscli scan --target example.com --policy "Basic Network Scan" --output-format html
            

3. OpenVAS (Open Vulnerability Assessment System)

An open-source vulnerability scanner, often used as an alternative to Nessus. It provides a comprehensive suite of vulnerability tests.

# OpenVAS is primarily used via its Greenbone Security Assistant web interface.
# Command-line tools exist for specific tasks, e.g., to update feeds:
# greenbone-nvt-sync
            

4. Wireshark (for Network Analysis post-scan)

While not a scanner itself, Wireshark is invaluable for analyzing the packets generated during scans or for deeper inspection of network traffic.

# Capture traffic on eth0
wireshark -i eth0

# Filter for SYN packets (during a SYN scan)
tcp.flags.syn == 1 and tcp.flags.ack == 0
            

Interpreting Scan Results

Raw scan data needs careful analysis to be useful. This involves:

1. Understanding Port States

• Open: An application is actively listening for connections on this port. This is a potential entry point.
• Closed: No application is listening, but the port is accessible.
• Filtered: A firewall, filter, or other network device is blocking the port, preventing Nmap from determining if it's open or closed. This indicates a security control.

2. Identifying Services & Versions

Knowing the exact service and its version (e.g., Apache HTTP Server 2.4.41) is crucial. You can then cross-reference this with vulnerability databases (like CVE details) to find known exploits.

3. Prioritizing Vulnerabilities

Not all vulnerabilities are equally critical. Prioritize based on:

• Severity: High, Medium, Low (e.g., using CVSS scores).
• Exploitability: How easy is it for an attacker to exploit?
• Impact: What would be the consequence if exploited?

Ethical Considerations & Legal Aspects

Ethical hacking, especially scanning, must always be conducted with strict adherence to legal and ethical guidelines:

1. Obtain Explicit Permission

Never scan or test systems without prior, explicit, written permission from the owner. Unauthorized scanning is illegal and can lead to severe penalties.

2. Scope Definition

Clearly define the scope of the engagement. What systems, networks, and applications are you allowed to scan? What types of scans are permitted?

3. Confidentiality

Maintain strict confidentiality of any sensitive information discovered during the scanning process.

4. Non-Disruptive Testing

Aim for non-disruptive scanning. Avoid actions that could crash systems, consume excessive bandwidth, or cause denial of service, unless explicitly permitted and planned.

5. Legal Frameworks

Be aware of local and international laws related to cybersecurity, data privacy (e.g., GDPR, CCPA), and unauthorized access.

Countermeasures & Defense

Organizations can implement various measures to defend against malicious scanning and reduce their attack surface:

1. Firewalls

Configure firewalls to block unnecessary ports and filter suspicious traffic (e.g., excessive ICMP requests, unusual port probes).

2. Intrusion Detection/Prevention Systems (IDS/IPS)

Deploy IDS/IPS to detect and potentially block scanning activities. They can identify patterns indicative of port scans, vulnerability scans, and other reconnaissance efforts.

3. Network Segmentation

Divide networks into smaller, isolated segments to limit the lateral movement and discovery capabilities of an attacker if one segment is compromised.

4. Patch Management

Regularly update and patch operating systems, applications, and network devices to fix known vulnerabilities that scanners might detect.

5. Secure Configurations

Harden systems by disabling unnecessary services, changing default credentials, and applying security best practices.

6. Obfuscation & Deception

Employ techniques like port knocking or honeypots to mislead attackers or make scanning more difficult and time-consuming.

Conclusion

Scanning is an indispensable phase in ethical hacking, providing the insights needed to identify and address security weaknesses. When performed ethically and responsibly, it is a powerful tool for enhancing cybersecurity.

Key takeaways:

• Scanning is Discovery: It maps your digital assets and their vulnerabilities.
• Tools are Enablers: Nmap, Nessus, OpenVAS are powerful, but understanding their output is key.
• Ethics are Paramount: Always obtain permission and adhere to legal and ethical boundaries.
• Defense is Multi-Layered: Firewalls, IDS/IPS, patching, and secure configurations are vital.

Scan smart, stay secure!