
Scanning & Enumeration – In cybersecurity course

(Follows Footprinting & Reconnaissance)  


1. Introduction to Scanning & Enumeration  

Scanning → Identifying live hosts, open ports, and services.  

Enumeration → Extracting detailed info (users, shares, services, banners).  


Key Objectives:  

- Discover network topology (devices, firewalls, routers).  

- Identify vulnerable services (misconfigurations, outdated software).  

- Gather user accounts, shares, and system data for exploitation.  


2. Scanning Techniques & Types 

A. Host Discovery (Finding Live Systems)  

- Ping Sweep – Checks which IPs answer host-discovery probes. Run as root, `nmap -sn` does not rely on ICMP echo alone: it sends an ICMP echo request, an ICMP timestamp request, a TCP SYN to port 443 and a TCP ACK to port 80 (and plain ARP requests when the targets are on the local subnet). Unprivileged, it falls back to TCP connect() attempts to ports 80 and 443. A host that silently drops ICMP can therefore still be found.  

  ```bash
  nmap -sn 192.168.1.0/24
  ```

- ARP Scanning – Limited to the local broadcast domain, but very hard to hide from: every host with an IP address must answer ARP to communicate at all, and host firewalls filter at the IP layer, so ARP requests go straight past them. Needs raw-socket privileges.  

  ```bash
  sudo arp-scan -l   # -l / --localnet: scan the interface's whole subnet
  ```


B. Port Scanning (Finding Open Ports)  

| Scan Type        | Description                                                                                                                                                                                                      | Command                |
|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|
| TCP Connect Scan | Completes the full 3-way handshake via connect(), so the service sees a real connection and can log it (noisy). Nmap's default without root.                                                                    | `nmap -sT 192.168.1.1` |
| SYN Stealth Scan | Half-open: sends a SYN, classifies the port by SYN/ACK vs RST, then resets instead of completing the handshake. Needs raw sockets (root) and is Nmap's default as root. Quieter at the application layer, but an IDS still sees it. | `nmap -sS 192.168.1.1` |
| UDP Scan         | Probes UDP services (DNS, SNMP, NTP and so on). Slow because closed ports answer with rate-limited ICMP port-unreachable messages and open ports often stay silent, so results are frequently `open|filtered`. | `nmap -sU 192.168.1.1` |
| ACK Scan         | Maps firewall rules rather than open ports: reports each port as `filtered` or `unfiltered`, never `open`. Useful because stateless filters that block SYNs often let bare ACKs through.                        | `nmap -sA 192.168.1.1` |


C. Service & OS Detection  

- Banner Grabbing – Identifies service versions from what the service announces. Services such as SSH, SMTP and FTP send a banner as soon as you connect; HTTP does not, so after connecting with netcat you must type a request (for example `HEAD / HTTP/1.0` followed by an empty line) to get the `Server:` header back. `nmap -sV` automates the same probing.  

  ```bash
  nc -nv 192.168.1.1 80
  ```

- OS Fingerprinting – Detects the OS from quirks in the target's TCP/IP stack (initial TTL, window size, option ordering, response to odd flag combinations). Needs root, and Nmap warns that it is most reliable when it finds at least one open and one closed TCP port.  

  ```bash
  nmap -O 192.168.1.1
  ```
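
To see what the table's "full 3-way handshake" and a banner grab actually look like in code, here is an added example (not part of the original course page, and not how Nmap or netcat are implemented): a minimal TCP connect scanner plus banner grabber written against Python's standard socket module. It starts its own throwaway listener on 127.0.0.1 so it runs offline; the SSH-style banner it serves is a constructed string, and the timeout and port choices are assumptions.

```python
"""TCP connect scan plus banner grab in plain Python sockets.

Added example, not code from the original course page. Each probe performs
the full three-way handshake that the page describes for `nmap -sT`, which
is why this is the noisiest scan type: the target service sees (and can log)
a complete connection. start_banner_listener() stands in for a real service
so the whole thing runs offline.
"""
import socket
import threading


def start_banner_listener(banner: bytes, host: str = "127.0.0.1") -> int:
    """Start a throwaway TCP service on an ephemeral port that greets every
    client with `banner` (a constructed stand-in for e.g. an SSH server).
    Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            try:
                with conn:
                    conn.sendall(banner)
            except OSError:
                pass  # scanner closed before reading; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing is listening on (bind to 0, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Classify each port as open / closed / filtered.

    open     -> connect() completed the handshake (SYN, SYN/ACK, ACK)
    closed   -> peer answered the SYN with RST (ConnectionRefusedError)
    filtered -> no answer before the timeout (typical of a DROP rule)
    """
    result = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            result[port] = "open"
        except ConnectionRefusedError:
            result[port] = "closed"
        except socket.timeout:
            result[port] = "filtered"
        except OSError:
            result[port] = "filtered"  # e.g. host unreachable
        finally:
            s.close()
    return result


def grab_banner(host: str, port: int, timeout: float = 1.0, probe: bytes = b"") -> str:
    """Connect and read whatever the service volunteers. SSH, SMTP and FTP
    speak first; HTTP does not, so pass probe=b"HEAD / HTTP/1.0\\r\\n\\r\\n"
    for a web server."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", errors="replace").strip()


if __name__ == "__main__":
    port = start_banner_listener(b"SSH-2.0-OpenSSH_9.6\r\n")  # constructed banner
    print(connect_scan("127.0.0.1", [port, free_port()]))
    print(grab_banner("127.0.0.1", port))
```

Every `open` verdict here corresponds to a completed connection that the service can log, which is exactly why `-sT` is the noisy option and why a half-open `-sS` scan needs raw sockets: the socket API cannot send a bare SYN and then a RST.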


D. Vulnerability Scanning  

- Nmap NSE Scripts – The `vuln` category checks for known vulnerabilities and dangerous misconfigurations; it detects, it does not exploit. Some scripts in the category are also flagged `intrusive` and can disturb fragile services, so review `nmap --script-help vuln` before pointing it at production systems.  

  ```bash
  nmap --script vuln 192.168.1.1
  ```

- Nessus/OpenVAS – Comprehensive vulnerability assessment with credentialed checks and CVE/CVSS-rated findings.  


---

3. Enumeration Techniques 

A. NetBIOS Enumeration (Windows Networks) 

- Finds NetBIOS names, shares, users and groups. The NetBIOS name service listens on UDP/137, so these tools only work where that port is reachable (typically only on the LAN).  

  ```bash
  nmblookup -A 192.168.1.1     # name table of one host (NBSTAT query)
  nbtscan 192.168.1.0/24       # the same query across a whole subnet
  ```


B. SNMP Enumeration 

- Extracts device info (sysDescr, interfaces, routing tables, sometimes usernames and configs) via SNMP on UDP/161. In SNMPv1 and v2c the community string is the only credential and it crosses the network in cleartext, so defaults such as `public` and `private` are the first thing to try and the first thing to sniff.  

  ```bash
  snmpwalk -c public -v1 192.168.1.1
  ```
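
To make the cleartext-credential point concrete, here is an added example, not part of the original page and not Net-SNMP code: it hand-encodes the SNMPv1 GetRequest that `snmpwalk -c public -v1` would send for `sysDescr.0` (OID 1.3.6.1.2.1.1.1.0), then decodes it again. The community string, OID and request id are constructed inputs; the encoding follows the ASN.1 message definition of RFC 1157 with BER.

```python
"""Build and decode an SNMPv1 GetRequest by hand (ASN.1 BER).

Added example, not code from the original course page and not Net-SNMP.
It shows what `snmpwalk -c public -v1` puts on the wire for a single OID:
the community string travels as a plain OCTET STRING, so anyone who can
sniff UDP/161 traffic learns the "password". Inputs below are constructed.
"""

# BER tags used by SNMPv1
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0


def _tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value, definite length (long form above 127 bytes)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def _int(v: int) -> bytes:
    """INTEGER: two's complement in the minimal number of bytes."""
    size = 1
    while not -(1 << (8 * size - 1)) <= v < (1 << (8 * size - 1)):
        size += 1
    return _tlv(INTEGER, v.to_bytes(size, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share a byte, rest are base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                          # high bit set = more bytes follow
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(OID, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }
    GetRequest-PDU ::= [0] { request-id, error-status, error-index, varbinds }"""
    varbind = _tlv(SEQUENCE, _oid(oid) + _tlv(NULL, b""))
    pdu = _tlv(GET_REQUEST, _int(request_id) + _int(0) + _int(0)
               + _tlv(SEQUENCE, varbind))
    return _tlv(SEQUENCE, _int(0) + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                            # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def decode_oid(value: bytes) -> str:
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_message(msg: bytes) -> dict:
    """Pull version, community, request-id and the first OID out of a v1 message."""
    tag, body, _ = _read_tlv(msg, 0)
    assert tag == SEQUENCE, "not an SNMP message"
    _, ver, p = _read_tlv(body, 0)
    _, community, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    _, rid, q = _read_tlv(pdu, 0)           # request-id
    _, _, q = _read_tlv(pdu, q)             # error-status
    _, _, q = _read_tlv(pdu, q)             # error-index
    _, varbinds, _ = _read_tlv(pdu, q)
    _, vb, _ = _read_tlv(varbinds, 0)       # first VarBind
    _, oid_bytes, _ = _read_tlv(vb, 0)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oid": decode_oid(oid_bytes)}


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(pkt.hex())
    print(parse_message(pkt))
    print("community visible on the wire:", b"public" in pkt)
```

Because version, community and OID are all plain TLVs, `b"public" in pkt` is True: any packet capture of UDP/161 yields a working credential. SNMPv3 wraps the PDU in a USM header with HMAC authentication and optional encryption, which is why v1 and v2c belong on the legacy-protocol list.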


C. LDAP Enumeration  

- Queries Active Directory (or any LDAP directory) for users, groups and computers. `-x` selects a simple bind; with no `-D`/`-w` it is an anonymous bind, and AD by default only exposes the rootDSE anonymously, so add credentials to enumerate actual objects.  

  ```bash
  ldapsearch -x -h 192.168.1.1 -b "dc=example,dc=com"
  ```


D. SMB Enumeration  

- Lists shares, users and permissions over SMB (TCP/445, or 139 over NetBIOS). Both commands attempt a null session; `smbclient` will prompt for a password, so just press Enter (or pass `-N`).  

  ```bash
  smbclient -L //192.168.1.1
  enum4linux -a 192.168.1.1
  ```


E. DNS Enumeration 

- Extracts DNS records, subdomains and mail servers. `dnsrecon` first attempts a zone transfer (AXFR) against each authoritative name server, which on a misconfigured server hands over the entire zone; otherwise it falls back to SOA, NS, A, AAAA, MX and SRV lookups.  

  ```bash
  dnsrecon -d example.com
  ```


4. Advanced Scanning & Evasion 

A. Firewall Evasion Techniques  

- Fragmenting Packets (`-f` in Nmap) – Splits each probe's TCP header across several small IP fragments so a filter that only inspects the first fragment cannot see the destination port. Most modern firewalls and IDSs reassemble fragments before inspection, so this rarely helps on its own.  

- Decoy Scanning – Mixes your probes with spoofed probes from fake source IPs so the target's logs show many scanners. Your real address is still among them, and decoys that are offline can leave the target with half-open connections.  

  ```bash
  nmap -D RND:10 192.168.1.1   # 10 random decoys plus your real address
  ```

- Timing Adjustments (`-T0` paranoid and slow, up to `-T5` insane) – Slower templates spread probes out to stay under rate-based detection thresholds; `-T5` is fast but can miss ports on lossy links.  


B. Proxy & VPN Scanning 

- Use Proxychains to route scans through a SOCKS proxy or Tor. Only connections made through the socket API are proxied, so use a TCP connect scan and skip host discovery: raw-packet scans (`-sS`, `-O`, ICMP ping) are sent directly and would reveal your real address.  

  ```bash
  proxychains nmap -sT -Pn 192.168.1.1
  ```


5. Hands-On Lab Exercises  

Exercise 1: Basic Network Scan  

```bash
sudo nmap -sS -p 1-1000 -A 192.168.1.1   # -A = -O -sV -sC --traceroute; -sS and -O need root
```

- Interpret results: open ports, service versions, OS guess and the NSE script output.  

Exercise 2: SMB Enumeration  

```bash
enum4linux -a 192.168.1.1
```

- Find: shares, users (via RID cycling), groups and the domain password policy.  


Exercise 3: Vulnerability Scanning  

```bash
nmap --script vuln 192.168.1.1
```

- Check for: Heartbleed (`ssl-heartbleed`), Shellshock (`http-shellshock`) and misconfigurations flagged by the other `vuln` scripts.  


6. Countermeasures 

- Disable unnecessary services; every listening port is something to enumerate.  

- Use default-deny firewall rules and rate-limit new connections. Blocking ICMP echo alone does not hide a host (Nmap falls back to TCP probes, and ARP still works on the LAN); it only removes one probe type.  

- Patch systems and disable legacy protocols (SMBv1, SNMPv1/v2c). Change default SNMP community strings and prefer SNMPv3 with authentication and encryption; disable NetBIOS over TCP/IP where it is not needed.  

- Monitor logs for scanning activity: many distinct ports from one source in a short window, connections from decoy addresses that never complete, and failed null-session or anonymous-bind attempts.  
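
The last bullet is easy to state and harder to do. As an added example (not from the original page), here is a small sliding-window detector that flags a source touching many distinct destination ports on one host within a few seconds. The log lines are constructed in the style of iptables `LOG` output, and the window and port thresholds are illustrative assumptions to tune for your own traffic.

```python
"""Spot port scans in firewall logs with a sliding-window "distinct ports
per (source, destination)" rule.

Added example, not code from the original course page. The log lines are
constructed in the style of iptables LOG output (kernel messages carrying
SRC=, DST=, PROTO= and DPT= fields); window_s and min_ports are illustrative
thresholds. A normal client touches a handful of ports on a host; a scanner
touches many within seconds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 10.0.0.5 hits six ports in five seconds (a scan),
# 10.0.0.77 only ever talks to 443 and 22 (normal traffic).
SAMPLE_LOG = """\
Jun 12 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=51001 DPT=22 SYN
Jun 12 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=51002 DPT=23 SYN
Jun 12 10:00:02 fw kernel: [DROP] IN=eth0 OUT= SRC=10.0.0.77 DST=192.168.1.1 PROTO=TCP SPT=40000 DPT=443 SYN
Jun 12 10:00:02 fw kernel: [DROP] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=51003 DPT=25 SYN
Jun 12 10:00:03 fw kernel: [DROP] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=51004 DPT=80 SYN
Jun 12 10:00:04 fw kernel: [DROP] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=51005 DPT=110 SYN
Jun 12 10:00:05 fw kernel: [DROP] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=51006 DPT=139 SYN
Jun 12 10:00:09 fw kernel: [DROP] IN=eth0 OUT= SRC=10.0.0.77 DST=192.168.1.1 PROTO=TCP SPT=40001 DPT=22 SYN
"""

# Non-greedy gaps between fields so real LOG lines (with LEN=, TTL=, ID=
# and so on in between) match as well as the shortened sample above.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d).*?SRC=(?P<src>\S+)"
    r".*?DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")


def parse_line(line: str, year: int = 2024):
    """Return (timestamp, src, dst, proto, dport), or None for non-matching lines.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


def detect_scans(lines, window_s: float = 10.0, min_ports: int = 5) -> dict:
    """Flag (src, dst) pairs that touch >= min_ports distinct destination
    ports within any window_s-second window.

    Returns {(src, dst): sorted list of ports seen while flagged}. The set
    keeps growing after the first hit so one alert summarises the scan
    instead of one alert per probe."""
    events = defaultdict(deque)           # (src, dst) -> deque of (ts, dport)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, _proto, dport = rec
        key = (src, dst)
        q = events[key]
        q.append((ts, dport))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                   # slide the window forward
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            alerts[key] = sorted(set(alerts.get(key, [])) | ports)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

Decoy scans (`-D`) show up here as several sources tripping the rule at once against the same host; timing-template evasion (`-T0`/`-T1`) is what the window length is fighting, so a very slow scan needs a longer window or a per-day distinct-port count to catch.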


7. Tools Summary  

| Tool       | Purpose                              |
|------------|--------------------------------------|
| Nmap       | Network scanning, OS detection       |
| Netcat     | Banner grabbing, manual port checks  |
| enum4linux | SMB/NetBIOS enumeration              |
| snmpwalk   | SNMP data extraction                 |
| Nessus     | Automated vulnerability scanning     |


8. Next Steps   

- Proceed to Module 4: System Hacking & Exploitation (password cracking, privilege escalation).  

- Practice on Hack The Box (HTB) / TryHackMe (THM).  



A Red Teamer is an advanced cybersecurity professional who simulates real-world attacks like advanced threat actors (APT groups, nation-states) to test an organization's defenses. Unlike penetration testers (who focus on finding vulnerabilities), Red Teams emulate stealthy, targeted attacks to evade detection.   🔥 Core Responsibilities   1. Adversary Emulation    - Mimic real APTs (MITRE ATT&CK framework).      - Use custom malware, C2 frameworks (Cobalt Strike, Sliver).   2. Physical & Social Engineering      - Phishing, USB drops, impersonation attacks.   3. Evasion & Lateral Movement      - Bypass EDR/XDR, AV, and SIEM detection.      - Privilege escalation, domain persistence.   4. Reporting & Purple Teaming      - Help Blue Team improve detection rules.  🛠️ Top Red Team Tools |   Category...