Scanning & Enumeration – Cybersecurity Course Notes
(Follows Footprinting & Reconnaissance)
1. Introduction to Scanning & Enumeration
Scanning → Identifying live hosts, open ports, and the services listening on them.
Enumeration → Actively querying those services to extract detailed information (user accounts, shares, service versions, banners, configuration).
Key Objectives:
- Map the network topology (hosts, firewalls, routers, segmentation).
- Identify potentially vulnerable services (misconfigurations, outdated software, weak defaults).
- Gather user accounts, shares, and system data that feed the exploitation phase.
2. Scanning Techniques & Types
A. Host Discovery (Finding Live Systems)
- Ping Sweep – Finds responding hosts without port scanning them. `nmap -sn` is not ICMP-only: as root it sends an ICMP echo, an ICMP timestamp request, a TCP SYN to 443 and a TCP ACK to 80 (and plain ARP requests on the local subnet); unprivileged it falls back to TCP connects to ports 80 and 443.
```bash
nmap -sn 192.168.1.0/24
```
- ARP Scanning – Local segment only. Every host must answer ARP to communicate at all, so a host whose firewall drops ICMP and unsolicited TCP is still found this way.
```bash
arp-scan -l
```
B. Port Scanning (Finding Open Ports)
| Scan Type | Description | Command |
|---------------------|-----------------------------------------|---------------------------------|
| TCP Connect Scan | Completes the full 3-way handshake; needs no privileges but the target application sees (and may log) every connection (noisy) | `nmap -sT 192.168.1.1` |
| SYN Stealth Scan | Half-open: sends SYN, classifies the port from SYN/ACK (open) or RST (closed), never completes the handshake; requires root and is the default privileged scan | `nmap -sS 192.168.1.1` |
| UDP Scan | Probes UDP services (DNS, SNMP, NTP); slow because silence can mean either open or filtered (`open|filtered`), yet critical since these services are often forgotten | `nmap -sU 192.168.1.1` |
| ACK Scan | Maps firewall rules rather than open ports: unfiltered ports answer RST whether open or closed, filtered ports stay silent; passes stateless packet filters that allow "established" (ACK) traffic | `nmap -sA 192.168.1.1` |
C. Service & OS Detection
- Banner Grabbing – Connects to a port and reads what the service announces about itself (product and version strings). SSH, FTP and SMTP speak first; HTTP stays silent until it receives a request, so send one.
```bash
nc -nv 192.168.1.1 22                                     # SSH/FTP/SMTP announce themselves on connect
printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -nv 192.168.1.1 80  # HTTP only answers after a request
```
- OS Fingerprinting – Guesses the OS from TCP/IP stack quirks (initial TTL, window size, option ordering, response to odd flags). Requires root and works best with at least one open and one closed TCP port to probe.
```bash
nmap -O 192.168.1.1
```
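The connect scan and banner grab above, as an added Python example (not course material): it implements the `-sT` decision logic with plain sockets (handshake completed → open, RST → closed, silence or ICMP error → filtered) and then reads banners. To run offline it probes constructed local stand-in services; the fake services, their ports and the banner strings are assumptions for the demo, not data from any real host.

```python
import socket
import threading


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """One TCP connect probe, i.e. what `nmap -sT` does per port.
    The kernel completes the full three-way handshake, so the result is
    unambiguous but the target application sees the connection:
      SYN/ACK received            -> "open"
      RST received (ECONNREFUSED) -> "closed"
      no answer or ICMP error     -> "filtered" (something is dropping it)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # socket.timeout and ICMP unreachable errors land here
        return "filtered"
    finally:
        s.close()


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 2.0) -> str:
    """Connect and read the first bytes the service sends. SSH/FTP/SMTP speak
    first; HTTP is silent until asked, so pass a request (e.g. HEAD) as `probe`."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("latin-1", errors="replace").strip()


def start_fake_service(banner: bytes, wait_for_request: bool = False) -> int:
    """Constructed stand-in for a target service (demo only): listens on an
    ephemeral 127.0.0.1 port and sends `banner` to each client, optionally only
    after the client has sent something (HTTP style). Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            try:
                if wait_for_request:
                    conn.settimeout(2.0)
                    conn.recv(1024)
                conn.sendall(banner)
            except OSError:
                pass            # client closed early (a bare connect probe does this)
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """A port with no listener, so a probe to it should come back 'closed'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Scan three local ports and banner-grab the open ones (constructed banners)."""
    targets = {
        "ssh": start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
        "http": start_fake_service(
            b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
            wait_for_request=True),
        "closed": free_port(),
    }
    states = {name: probe_port("127.0.0.1", port) for name, port in targets.items()}
    banners = {}
    if states["ssh"] == "open":
        banners["ssh"] = grab_banner("127.0.0.1", targets["ssh"])
    if states["http"] == "open":
        banners["http"] = grab_banner("127.0.0.1", targets["http"],
                                      probe=b"HEAD / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
    return {"states": states, "banners": banners}


if __name__ == "__main__":
    result = demo()
    for name, state in result["states"].items():
        print(f"{name:>6}: {state:<8} {result['banners'].get(name, '')}")
```

Point the same `probe_port` and `grab_banner` at a lab target and a port range and you have the essence of `nmap -sT` plus manual banner grabbing; note that every probe here is a completed connection the target's service can log, which is exactly why the half-open `-sS` scan exists.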
D. Vulnerability Scanning
- Nmap NSE Scripts – Scripted checks for known vulnerabilities and misconfigurations (the `vuln` category). They test for a weakness rather than exploit it, but several are intrusive and can upset fragile services, so review the script list before running against production.
```bash
nmap --script vuln 192.168.1.1
```
- Nessus/OpenVAS – Comprehensive vulnerability assessment (credentialed or uncredentialed) with CVE mapping and severity scoring.
---
3. Enumeration Techniques
A. NetBIOS Enumeration (Windows Networks)
- Queries the NetBIOS name service (UDP 137) for host names, workgroup/domain, logged-on user names and MAC addresses; share and full user listings come from SMB (section D).
```bash
nmblookup -A 192.168.1.1
nbtscan 192.168.1.0/24
```
B. SNMP Enumeration
- Walks the MIB tree (UDP 161) to pull device details, interfaces, routing tables, running processes and installed software. SNMPv1/v2c authenticate with a plaintext community string, so a guessable string such as `public` hands all of this to anyone on the network.
```bash
snmpwalk -c public -v1 192.168.1.1
```
C. LDAP Enumeration
- Queries a directory (Active Directory: TCP 389/636, 3268 for the Global Catalog) for users, groups and computers. `-x` is a simple bind, anonymous here; AD normally refuses anonymous searches below the rootDSE, so expect to need credentials for the real user listing. Use `-H` with an LDAP URL; the `-h host` form is deprecated in current OpenLDAP.
```bash
ldapsearch -x -H ldap://192.168.1.1 -s base -b "" namingContexts   # rootDSE is readable anonymously
ldapsearch -x -H ldap://192.168.1.1 -b "dc=example,dc=com" "(objectClass=user)" sAMAccountName
```
D. SMB Enumeration
- Lists shares, users, groups and the password policy over SMB (TCP 445/139). `-N` attempts a null (anonymous) session; modern Windows rejects it by default, so rerun the same commands with any credentials obtained later.
```bash
smbclient -N -L //192.168.1.1
enum4linux -a 192.168.1.1
```
E. DNS Enumeration
- Pulls DNS records (A, AAAA, NS, MX, SOA, SRV, TXT) and mail servers; the default scan also attempts an AXFR zone transfer, which on a misconfigured server dumps every host in the zone. Subdomain brute forcing is a separate mode with a wordlist.
```bash
dnsrecon -d example.com
```
4. Advanced Scanning & Evasion
A. Firewall Evasion Techniques
- Fragmenting Packets (`-f` in Nmap) – splits the TCP header across several tiny IP fragments so a simple packet filter cannot read the port fields; defeated by any device that reassembles before inspecting.
- Decoy Scanning – interleaves probes from spoofed decoy addresses with the real ones so the target's logs cannot tell which source is the scanner. The real address still has to appear, since it must receive the replies.
```bash
nmap -D RND:10 192.168.1.1
```
- Timing Adjustments (`-T0` paranoid/slowest through `-T5` insane/fastest) – slow templates space probes out to stay under IDS rate thresholds, at the cost of scans that take hours or days.
B. Proxy & VPN Scanning
- Route scans through Proxychains to hide the source address. A SOCKS/HTTP proxy relays complete TCP connections only, so use a connect scan (`-sT`) and turn off raw-packet host discovery and DNS resolution (`-Pn -n`); SYN, UDP and OS-detection scans send raw packets that never enter the proxy and would leak the real IP.
```bash
proxychains nmap -sT -Pn -n 192.168.1.1
```
5. Hands-On Lab Exercises
Exercise 1: Basic Network Scan
```bash
nmap -sS -p 1-1000 -A 192.168.1.1
```
- Interpret results: which ports are open vs. filtered, the service and version behind each (`-A` enables version detection, OS detection, default scripts and traceroute), and the OS guess with its accuracy percentage.
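Interpreting results by hand does not scale past a few hosts, so testers save the scan as XML (`-oX`) and parse it. Added Python example, not part of the course: a parser for Nmap's XML that pulls out the host, open and filtered ports, service strings and OS guess, then emits the notes a tester would write. The XML is a constructed sample in nmap's schema, not output from a real scan; the address, hostname and versions in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in `nmap -oX` format (not from a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 1-1000 -A -oX - 192.168.1.1">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="gw.lab.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.6"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
  <service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="reset"/>
  <service name="mysql"/></port>
</ports>
<os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
</host>
</nmaprun>
"""


def _service_string(svc):
    """Join name/product/version/extrainfo the way nmap prints them."""
    if svc is None:
        return ""
    return " ".join(svc.get(k) for k in ("name", "product", "version", "extrainfo") if svc.get(k))


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per host that was up: address, hostname, OS guess, ports."""
    root = ET.fromstring(xml_text)     # stdlib ET does not resolve external entities
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ipv4 = [a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")   # first osmatch is nmap's best guess
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason", "") if state is not None else "",
                "service": _service_string(port.find("service")),
            })
        hosts.append({
            "address": ipv4[0] if ipv4 else None,
            "hostname": hostname.get("name") if hostname is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "",
            "os_accuracy": int(osmatch.get("accuracy", 0)) if osmatch is not None else 0,
            "ports": ports,
        })
    return hosts


def open_ports(host: dict) -> list:
    return sorted(p["port"] for p in host["ports"] if p["state"] == "open")


def interpret(host: dict) -> list:
    """Turn a parsed host into the follow-up notes a tester writes down."""
    notes = [f"{host['address']} ({host['hostname'] or 'no PTR'}) "
             f"OS guess: {host['os']} ({host['os_accuracy']}%)"]
    for p in host["ports"]:
        if p["state"] == "open":
            notes.append(f"  {p['port']}/{p['proto']} open     {p['service']}  -> enumerate, check version")
        elif p["state"] == "filtered":
            notes.append(f"  {p['port']}/{p['proto']} filtered ({p['reason']}) "
                         "-> a firewall drops it; map with -sA or scan from another vantage point")
    return notes


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print("\n".join(interpret(h)))
```

Closed ports (RST received) are deliberately not reported: they tell you the host is reachable and unfiltered on that port, which the open/filtered split already implies, and a 1000-port scan would otherwise bury the two lines that matter.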
Exercise 2: SMB Enumeration
```bash
enum4linux -a 192.168.1.1
```
- Find: shares, users and groups, and the domain password policy (lockout threshold and minimum length decide how any later password attack must be paced).
Exercise 3: Vulnerability Scanning
```bash
nmap --script vuln 192.168.1.1
```
- Check for: Heartbleed (`ssl-heartbleed`), Shellshock (`http-shellshock`), and the other known issues the `vuln` category covers (e.g. `smb-vuln-ms17-010`); read each script's output and reason fields rather than trusting a bare "VULNERABLE" line.
6. Countermeasures
- Disable unnecessary services and close the ports they listened on; what is not running cannot be enumerated.
- Strict firewall rules: default-deny inbound, drop rather than reject where appropriate (probed ports then appear filtered instead of closed), and rate-limit unsolicited ICMP. Blocking ICMP alone does not stop discovery: `nmap -sn` falls back to TCP probes, and ARP always works on the local segment.
- Patch systems and retire legacy protocols (SMBv1, SNMPv1/v2c, NetBIOS over TCP/IP, anonymous LDAP and SMB null sessions); change default SNMP community strings.
- Monitor firewall and network logs for scanning activity: one source touching many ports or many hosts in a short window, a burst of half-open connections, or SYNs to ports that are normally silent.
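The last countermeasure, as an added Python example (not from the course): a detector that parses iptables-style `LOG` lines and raises an alert when one source address hits more than a threshold of distinct destination ports inside a sliding time window. The log lines are constructed for the demo (the addresses, times and the `SCAN` log prefix are assumptions); the second test run shows why window length matters against a `-T0`-style slow scan.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields we need from a netfilter LOG line: syslog timestamp, SRC, DST, PROTO, DPT.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def _line(ts: str, src: str, dst: str, dpt: int, spt: int = 41000) -> str:
    """Build one constructed iptables LOG line (format mirrors the kernel's)."""
    return (f"{ts} fw kernel: SCAN IN=eth0 OUT= SRC={src} DST={dst} LEN=44 TOS=0x00 "
            f"PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed sample log: a fast scanner (12 ports in 12 s), a normal web client
# (80/443 every minute) and a slow scanner (5 ports, one every two minutes).
SAMPLE_LOG = (
    [_line(f"Mar 10 12:00:{i + 1:02d}", "203.0.113.7", "192.168.1.1", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    + [_line(f"Mar 10 12:0{i}:30", "192.168.1.20", "192.168.1.1", p)
       for i in range(6) for p in (80, 443)]
    + [_line(f"Mar 10 12:{10 + 2 * i}:00", "198.51.100.9", "192.168.1.1", p)
       for i, p in enumerate([22, 80, 443, 3389, 8080])]
)


def detect_port_scans(lines, threshold: int = 10, window_s: int = 60) -> dict:
    """Return {src: peak_distinct_ports} for every source that touched at least
    `threshold` distinct destination ports within any `window_s`-second window."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                         # not a netfilter LOG line, skip it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year
        events[m["src"]].append((ts, int(m["dpt"])))

    alerts = {}
    window = timedelta(seconds=window_s)
    for src, evs in events.items():
        evs.sort()
        recent = deque()                     # (ts, port) events inside the window
        in_window = defaultdict(int)         # port -> hits inside the window
        peak = 0
        for ts, port in evs:
            recent.append((ts, port))
            in_window[port] += 1
            while ts - recent[0][0] > window:            # expire old events
                old_ts, old_port = recent.popleft()
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print("60 s window :", detect_port_scans(SAMPLE_LOG))
    print("900 s window:", detect_port_scans(SAMPLE_LOG, threshold=5, window_s=900))
```

With the default 60-second window only the fast scanner trips the detector; the slow scanner's probes are two minutes apart, so each window holds a single port. Widening the window to 15 minutes (and lowering the threshold) catches it, which is the trade-off behind `-T0`: the attacker bets the defender's window is shorter than the gap between probes.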
7. Tools Summary
| Tool | Purpose |
|-------------------|--------------------------------------|
| Nmap | Network scanning, OS detection |
| Netcat | Banner grabbing, manual port checks |
| enum4linux | SMB/NetBIOS enumeration |
| snmpwalk | SNMP data extraction |
| Nessus | Automated vulnerability scanning |
8. Next Steps
- Proceed to Module 4: System Hacking (password cracking, privilege escalation).
- Practice on Hack The Box (HTB) / TryHackMe (THM).