CEH Course Pt.2 – Scanning

After footprinting and reconnaissance, scanning is the second phase of information gathering that hackers use to size up a network. Scanning is where they dive deeper into the system to look for valuable data and services in a specific IP address range. Network scans are also a key tool in the arsenal of ethical hackers, who work to prevent attacks on an organization’s infrastructure and data.

It is in this phase that we get to know:

  • Which systems on the network are live (by pinging)
  • Which services are running on the target
  • Which TCP and UDP ports and services are exposed
  • Which operating system is running on the target

Types of Scanning

  1. Port Scanning: Find open ports and services on the target
  2. Network Scanning: Find IP addresses in the network of the target
  3. Vulnerability Scanning: Find weaknesses or vulnerabilities on the target

Now, I am posting contents from this awesome link/src

How to Remember Your TCP Flags

Many people are familiar with the concept of a mnemonic [nəˈmɑnɪk] — a memory device that uses a phrase based on the first letter of words in a series. Perhaps the most popular of these in the field of networking is the one for the OSI Model (All People Seem To Need Data Processing).

Well, for those that deal with TCP/IP a lot, I thought it might be helpful to have a mnemonic for the TCP flags as well. What I’ve come up with and use regularly is:

Unskilled Attackers Pester Real Security Folks

[32] Unskilled = URG
[16] Attackers = ACK
[08] Pester = PSH
[04] Real = RST
[02] Security = SYN
[01] Folks = FIN


TCP flag information is most helpful to me when looking for particular types of traffic using Tcpdump. It’s possible, for example, to capture only SYNs (new connection requests), only RSTs (immediate session teardowns), or any combination of the six flags really. As noted in my own little Tcpdump primer, you can capture these various flags like so:

Find all SYN packets
tcpdump 'tcp[13] & 2 != 0'

Find all RST packets
tcpdump 'tcp[13] & 4 != 0'

Find all ACK packets
tcpdump 'tcp[13] & 16 != 0'

Notice the SYN example has the number 2 in it, the RST the number 4, and the ACK the number 16. These numbers correspond to where the TCP flags fall on the binary scale. So when you write out:

U A P R S F

…that corresponds to:

32 16 8 4 2 1


So as you read the SYN capture tcpdump 'tcp[13] & 2 != 0', you’re saying find the 13th byte in the TCP header, and only grab packets where the flag in the 2nd bit is not zero. Well if you go from right to left in the UAPRSF string, you see that the spot where 2 falls is where the S is, which is the SYN placeholder, and that’s why you’re capturing only SYN packets when you apply that filter.

# tcpdump 'tcp[13] & 2 != 0' 
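
The flag arithmetic above, as an added Python example that is not part of the original post: it reads the flags byte at offset 13 of a TCP header, applies the same mask test as the tcpdump filters, and labels the SYN and XMAS patterns that show up when reviewing scan traffic. The sample headers are constructed and the function names are made up for this sketch.

```python
import struct

# Bit values from the mnemonic: U A P R S F = 32 16 8 4 2 1
FLAGS = [(32, "URG"), (16, "ACK"), (8, "PSH"), (4, "RST"), (2, "SYN"), (1, "FIN")]

def flag_byte(tcp_header):
    """Return the six classic flag bits from byte offset 13 (tcp[13])."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return tcp_header[13] & 0x3F  # drop the two ECN bits above URG

def decode(value):
    """Names of the flags set in a flag byte, in U A P R S F order."""
    return [name for bit, name in FLAGS if value & bit]

def mask_match(tcp_header, mask):
    """Same test as tcpdump 'tcp[13] & mask != 0'."""
    return flag_byte(tcp_header) & mask != 0

def classify(tcp_header):
    """Label flag patterns that matter when reviewing scan traffic."""
    value = flag_byte(tcp_header)
    if value == 2:
        return "SYN only: new connection request or SYN scan probe"
    if value == 2 | 16:
        return "SYN+ACK: listener answering a SYN"
    if value == 1 | 8 | 32:
        return "FIN+PSH+URG: XMAS scan probe"
    if value & 4:
        return "RST: session teardown or closed-port reply"
    return "other: " + "+".join(decode(value))

def make_header(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header for the demo (checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)

if __name__ == "__main__":
    for flags in (2, 18, 41, 20, 16):
        hdr = make_header(flags)
        print(f"{flags:2d} {'+'.join(decode(flags)):12s} "
              f"syn_filter={mask_match(hdr, 2)} -> {classify(hdr)}")
```

The mask test for 2 is also true for SYN+ACK packets; the exact comparison `tcp[13] == 2` matches bare SYNs only.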

Scanning Methodology

  1. Check for Live Systems
    1. nmap, zenmap, hping2
  2. Check for Open Ports
    1. nmap, zenmap, hping2
  3. Service identification
  4. Banner Grabbing/OS Fingerprinting
    1. nmap, telnet
  5. Vulnerability Scanning
    1. Nessus, Retina, SAINT, Core Impact, MBSA (Microsoft Baseline Security Analyzer)
  6. Draw Network Diagrams of Vulnerable Hosts
  7. Prepare Proxies
  8. Attack


NESSUS - Nessus® is the industry’s most widely-deployed vulnerability, configuration, and compliance scanner.

SAINT - The SAINT (Security Administrator’s Integrated Network Tool) network vulnerability scanner was based on SATAN (Security Administrators Tool for Analyzing Networks) which was developed by Dan Farmer and Wietse Venema and released in 1995. The SAINT scanner screens every live system on a network for TCP and UDP services. For each service it finds running, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial-of-service, or gain sensitive information about the network.[1]

Core Impact – http://www.coresecurity.com/core-impact-pro

  • Scan network servers, workstations, firewalls, routers and various applications for vulnerabilities.
  • Identify which vulnerabilities pose real threats to your network.
  • Determine the potential impact of exploited vulnerabilities.
  • Prioritize and execute remediation efforts.

Retina – http://go.beyondtrust.com/

Retina Community gives you powerful vulnerability management across your entire environment. For up to 256 IPs free, Retina Community identifies network vulnerabilities (including zero-day), configuration issues, and missing patches across operating systems, applications, devices, and virtual environments. Manage your network security with Retina Community:

MBSA (Microsoft Baseline Security Analyzer) – Uses the Windows Update Agent (WUA) to remotely scan the security state of computers on a network. MBSA alerts administrators to security vulnerabilities on client computers.

Hfnetchk – a command-line tool from Microsoft that can be used to determine the security state of computers on the network.

Nessus 5.2

Menus for creating Policies

  • General Settings
    • Performance
      • Reduce Parallel Connections on Congestion
    • Basic
    • Advanced
      • Safe checks only?
    • Port Scanning
      • IP range
  • Credentials
    • Windows Credentials
    • SSH settings
    • Kerberos configurations
    • Cleartext protocol settings
  • Plugins – enabled plugins are green; partially enabled plugins are blue.
  • Preferences
    • Database Compliance Checks
    • Global variable settings


Hping2 uses TCP to send packets by default. Hping2 is a network utility that can be used for scans or to create network packets for testing, for example to check the connectivity between two hosts if you suspect ICMP is being filtered.


-0 or --rawip to specify a raw IP packet

-1 or --icmp to specify an ICMP packet

-2 or --udp to specify a UDP packet

Microsoft Windows operating systems do NOT respond to an ICMP Echo Request message directed to a network or broadcast address.

On a network with 20 hosts, 10 Windows and 10 Linux and OS X, only 10 will respond to this scan because it is directed to the broadcast address:

hping2 -c 1 -1 






The Nmap syntax is simple:

nmap <scan options> <target>

Multiple scan options (or switches) are available, and combining them can produce several scan options. The “s” commands determine the type of scan to perform, the “P” commands set up ping sweep options, and the “o” commands deal with output. The “T” commands deal with speed and stealth, with the serial methods taking the longest amount of time. Parallel methods are much faster because they run multiple scans simultaneously. Nmap switches you’ll definitely see on the exam are -sS (SYN scan), -sA (ACK scan), -sO (protocol scan), -sX (XMAS scan), and all of the “T” commands.

NMAP Sample syntax

Enumerating the hosts on a couple of segments

nmap -sP -oA hostlist.active,

This does a PING sweep in order. 
-R makes it do a reverse DNS lookup for every address, whether a host is up or not.

A basic SYN scan of a slash 24

nmap -sS -T4 -vv -r -sV -O -n -F -oA test208 208.22.79.*

-F makes it faster by skipping most of the default ports.
-r makes it scan the ports in order.
-sV detects service versions.
-O detects OS versions.

A SYN scan to look for useless services on a bunch of segments

nmap -sS -PN -T4 -oA echochargentest -p T:7,19 -v -r 172.16.20,21,22,5,6,7,16.*
nmap -sS -PN -T4 -oA testsmallservices -p T:7,9,13,17,19,U:7,9,13,17,19 -v -r 192.168.1.*
-PN tells it not to PING first, just check for the open ports.

Looking for web applications

nmap -PN -sT -A -p T:80,443,8080,8888,8088 -oA webapps -T4 192.168.1,2.*

Looking for certain specific services

nmap -sS -sV -PN -T4 -oA testsmtp -p T:25 -v -r 192.168.1.*
nmap -sU -sV -PN -T4 -oA tftptest -p U:69 -v -r 192.168.1.*
nmap -sSU -sV -PN -T4 -oA tftptest -p T:25,U:69 -v -r 192.168.1.*

-sS does a SYN scan; -sU does a UDP scan.
-sV does version detection.

Useful additional parameters

-A Enable OS detection, version detection, script scanning, and traceroute.

Dashes can be used to specify a range of IP addresses. Commas can be used to specify a list of IP addresses.

For example: 10.1-3.9.0/24. If the digit on the left side of the dash in “1-3” is missing, a “0” is assumed, so 10.-3.9.0/24 is valid.

Commas: nmap -sS 10.12,22,32,43,52.9.0/24 is a valid syntax for a STEALTH or SYN scan.
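
Before a range like the ones above is handed to a scanner, it is worth expanding it and comparing it with the authorized scope. The following is an added example, not from the original article: it expands the comma, dash and `*` octet forms and lists any address that falls outside the approved networks. The function names and the approved network are assumptions, an omitted right side defaulting to 255 is Nmap behaviour not stated above, and the `/24` suffix forms are not handled.

```python
import ipaddress
from itertools import product

def parse_octet(field):
    """Set of values allowed by one octet field: '7', '1-3', '-3', '*', '1,2'."""
    values = set()
    for part in field.split(","):
        if part == "*":
            lo, hi = 0, 255
        elif "-" in part:
            left, right = part.split("-", 1)
            lo = int(left) if left else 0       # missing left side means 0
            hi = int(right) if right else 255   # missing right side means 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.update(range(lo, hi + 1))
    return values

def parse_target(spec):
    """Four per-octet sets for a dotted target such as 192.168.1,2.*"""
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octet fields: {spec!r}")
    return [parse_octet(f) for f in fields]

def host_count(spec):
    """Number of addresses the spec expands to."""
    total = 1
    for allowed in parse_target(spec):
        total *= len(allowed)
    return total

def outside_scope(spec, authorized, limit=65536):
    """Addresses in the spec that no authorized network contains."""
    if host_count(spec) > limit:
        raise ValueError("spec too large to enumerate")
    nets = [ipaddress.ip_network(n) for n in authorized]
    stray = []
    for octets in product(*(sorted(s) for s in parse_target(spec))):
        ip = ipaddress.IPv4Address(bytes(octets))
        if not any(ip in net for net in nets):
            stray.append(str(ip))
    return stray

if __name__ == "__main__":
    print(host_count("172.16.20,21,22,5,6,7,16.*"))
    print(len(outside_scope("192.168.1,2.*", ["192.168.1.0/24"])))
```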


--dns-servers <server1>[,<server2>[,…]]
Specify your own DNS servers to use as resolvers for reverse queries
-p U:53,111,137,T:21-25,80,139,8080
Specify a list of UDP and TCP ports to scan
Print out extensive debugging info about what version scanning is doing.
Normal output.
Grepable output. Prints: Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID, and Status.
The following table shows the expected responses for different scans.  Note that many do not work on Windows.

This is the source for this article: https://mywebclasses.wordpress.com/category/ceh/ceh-03-scanning-network/  Before posting here, I filtered it. So, for the full article, go to the given link.

Prepared by : @acharya_bijay (twitter) | studentvideotutorial (Youtube)
