
Introduction:
Network discovery is the foundational step in both offensive security and defensive cyber operations, where attackers map target environments to identify assets and defenders monitor for these reconnaissance activities. This article provides a technical deep dive into the mechanics of network scanning, the tools used, and the critical commands for detecting and mitigating these initial incursions.
Learning Objectives:
- Understand the fundamental techniques of external and internal network scanning.
- Learn to use common discovery tools like Nmap and advanced detection methods.
- Implement defensive commands and configurations to identify and alert on scanning activity.
You Should Know:
1. The Fundamentals of Host Discovery with Nmap
Nmap is the quintessential tool for network exploration. The initial phase of any attack involves discovering live hosts.
`nmap -sn 192.168.1.0/24`
This command performs a “ping scan” that enumerates live hosts without port scanning. Run as root against a remote network, it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to each address. Two caveats: on the local Ethernet segment Nmap uses ARP requests instead, which a host firewall cannot block, and without raw-socket privileges it falls back to TCP connect attempts to ports 80 and 443.
`nmap -PS22,80,443 192.168.1.0/24`
This is a TCP SYN Ping scan. It sends SYN packets to the specified ports (22, 80, 443) to see if hosts respond, which can bypass basic filters that block ICMP.
`nmap -PU53 192.168.1.100`
This command uses a UDP ping, sending a UDP packet to port 53 (DNS). A host that answers with an ICMP port unreachable error is alive, and so is one whose DNS service replies to the probe. No answer is inconclusive: the packet may have been dropped by a filter, or the host may be rate-limiting ICMP errors.
Step-by-step guide:
To discover hosts on your network, replace the IP range with your own. The `-sn` flag is for discovery only. For networks that block ICMP, use the `-PS` or `-PU` switches to probe common TCP/UDP ports instead.
2. Mastering Port Scanning Techniques
Once hosts are discovered, the next step is port scanning to identify services.
`nmap -sS 192.168.1.100`
The classic TCP SYN “half-open” scan. It sends a SYN, reads the SYN/ACK or RST that comes back, and never completes the handshake, so it is fast and the application behind the port never sees a connection. It requires raw-socket privileges (root), and it is not stealthy against a firewall or IDS, which sees every SYN.
`nmap -sT 192.168.1.100`
TCP connect scan, which completes the full three-way handshake through the operating system's connect() call. Nmap uses it when the user lacks raw packet privileges; because the connection completes, the target application can log it.
`nmap -sU -p 53,67,68,69,123 192.168.1.100`
UDP scan for the listed common UDP ports; it also requires root. UDP scanning is significantly slower and less reliable than TCP because open ports usually stay silent and closed ones only reveal themselves through ICMP port unreachable messages, which most hosts rate-limit.
`nmap -sV -sC 192.168.1.100`
This command combines version detection (-sV) and the default script scan (-sC), which fingerprints each service and runs the NSE (Nmap Scripting Engine) scripts in the default category. Those scripts are chosen for usefulness and low noise, but they are not all passive; some send application-level requests that show up in the target's logs.
Step-by-step guide:
Start with a SYN scan (-sS) for a quick overview. Follow up with `-sV -sC` on interesting ports to enumerate service versions and run the default scripts; actual vulnerability checks need the separate vuln script category. Make sure you have written authorization to scan the target before you start.
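Once the sweep and the service scan have run, the practical next step is to consume their output programmatically rather than eyeballing the terminal: Nmap's `-oX` flag writes XML that is stable across versions. The following is an added example, not code from the original article or from the Nmap project. The two XML documents embedded in it are constructed to mirror the shape of `nmap -sn -oX` and `nmap -sS -sV -sC -oX` output; every address, product and version in them is illustrative.

```python
"""Parse Nmap XML output (-oX) for a host-discovery sweep and a service scan.

Added example, not from the original article. SWEEP_XML and SCAN_XML are
constructed samples shaped like real Nmap output; their contents are invented.
"""
import xml.etree.ElementTree as ET

# Constructed: the shape of `nmap -sn 192.168.1.0/24 -oX sweep.xml` output.
SWEEP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX sweep.xml 192.168.1.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/></host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.1.100" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.101" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed: the shape of `nmap -sS -sV -sC 192.168.1.100 -oX scan.xml` output.
SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -sC -oX scan.xml 192.168.1.100">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
        <script id="http-title" output="Welcome"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl"/>
        <script id="ssl-cert" output="Subject: commonName=intranet.example.test&#10;Not valid after: 2026-01-01"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql"/></port>
    </ports></host>
</nmaprun>
"""


def _ip_of(host):
    """First IPv4/IPv6 address of a <host> element (Nmap lists MAC addresses too)."""
    for addr in host.findall("address"):
        if addr.get("addrtype") in ("ipv4", "ipv6"):
            return addr.get("addr")
    return None


def live_hosts(xml_text):
    """Return [(ip, reason)] for every host Nmap marked as up.

    The reason tells you which probe got the answer (arp-response, echo-reply,
    syn-ack, ...), which matters when judging how much of a sweep was filtered.
    """
    root = ET.fromstring(xml_text)
    result = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") == "up":
            result.append((_ip_of(host), status.get("reason")))
    return result


def open_services(xml_text):
    """Return {ip: [service dicts]} for open ports only, with -sV/-sC details.

    Filtered and closed ports are skipped. NSE script output is kept per port,
    keyed by script id, so a later step can pick out e.g. the ssl-cert result.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name"),
                "product": attrs.get("product"),
                "version": attrs.get("version"),
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        if services:
            result[_ip_of(host)] = services
    return result


if __name__ == "__main__":
    for ip, reason in live_hosts(SWEEP_XML):
        print(f"up   {ip:<16} ({reason})")
    for ip, services in open_services(SCAN_XML).items():
        for s in services:
            banner = " ".join(filter(None, (s["product"], s["version"])))
            print(f"open {ip}:{s['port']}/{s['proto']} {s['service']} {banner}")
```

In real use replace the embedded strings with `open("sweep.xml").read()` and `open("scan.xml").read()`. Keeping the parse split into "which hosts answered" and "which ports are open, with what banner" mirrors the two-stage workflow above and makes it easy to diff successive scans of the same range.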
3. Detecting Nmap Scans with Firewall Logs
Defenders can identify scanning activity by analyzing firewall and system logs.
Windows (PowerShell): `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5157} | Where-Object { $_.Message -like '*nmap*' }`
This command queries the Windows Security log for Event ID 5157 (the Windows Filtering Platform blocked a connection) and keeps the entries whose message mentions nmap. Three caveats: the event is only written when the “Filtering Platform Connection” audit subcategory is enabled; `-like` needs the `*` wildcards, since `-like "Nmap"` matches only a message that is exactly “Nmap”; and the Application Name in the message is the local process that owned the socket, so a match on nmap only finds scans launched from this host. To spot inbound scans, group 5157 (and 5152, packet dropped) events by Source Address and look for one address reaching many Destination Ports or many hosts within a short period.
Linux (iptables): `iptables -I INPUT 1 -p icmp --icmp-type 8 -m limit --limit 1/s -j LOG --log-prefix "ICMP Ping Scan: "`
This rule logs ICMP echo requests (ping) with the prefix `ICMP Ping Scan: `. Note what `-m limit` does here: it caps the logging at one entry per second (plus a small burst) so a sweep cannot flood the log; it does not select only the packets that exceed one per second. A single logged echo request is not evidence of a sweep. The indicator is one SRC address pinging many DST addresses in a short time, which you find by correlating those fields across the logged lines.
Linux (ufw): `sudo grep 'DPT=' /var/log/ufw.log`
Searches the UFW log (`/var/log/ufw.log` on Ubuntu; if the file is missing or empty, UFW logging is switched off) for entries that carry a destination port. The fields are the same `SRC=`, `DST=`, `PROTO=` and `DPT=` pairs that iptables LOG writes, prefixed with `[UFW BLOCK]` for dropped packets.
Step-by-step guide:
Configure your firewall to log dropped packets (and accepted ones where the volume is tolerable). Regularly parse these logs for patterns: one source IP address hitting the same port on many hosts (horizontal scanning, typical of a sweep for a single service such as SMB or RDP), or one source hitting many ports on a single host (vertical scanning, typical of `nmap -sS` against one target). Both appear as bursts of connection attempts from a single source within seconds.
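The following is an added example of that log analysis, not code from the original article. It parses the `SRC=`/`DST=`/`PROTO=`/`DPT=` fields that iptables and ufw LOG lines share, groups events per source address inside a sliding time window, and flags vertical scans, horizontal scans and ICMP echo sweeps (the traffic the iptables rule above logs). The log lines are constructed here from templates that follow the kernel's LOG format; the addresses, thresholds and the `[SCAN LOG]` prefix are assumptions.

```python
"""Detect vertical/horizontal scans and ping sweeps in iptables/ufw LOG output.

Added example, not from the original article. SAMPLE_LOG is constructed
from templates shaped like kernel LOG lines; every address is invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Fields written by the iptables/ufw LOG target; DPT= is absent for ICMP,
# which carries TYPE= (8 = echo request) instead.
FIELD_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: TYPE=(?P<icmp_type>\d+))?(?:.*? DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return {ts, src, dst, target} or None; target is 'port/proto' or 'icmp-echo'."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog stamp, no year
    if m["proto"] == "ICMP":
        if m["icmp_type"] != "8":  # only echo requests indicate a ping sweep
            return None
        target = "icmp-echo"
    elif m["dpt"]:
        target = f"{m['dpt']}/{m['proto'].lower()}"
    else:
        return None
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "target": target}


def detect_scans(lines, window_s=60, min_hosts=5, min_ports=10):
    """Return sorted (kind, src, key, count) findings.

    vertical:   one source hits >= min_ports distinct ports on one host (key = host)
    horizontal: one source hits >= min_hosts distinct hosts with one probe
                (key = 'port/proto' or 'icmp-echo')
    Counts are the maximum seen in any window_s-second window per source.
    """
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)
    best = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            window = [e for e in events[i:]
                      if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            ports_per_host, hosts_per_target = defaultdict(set), defaultdict(set)
            for e in window:
                ports_per_host[e["dst"]].add(e["target"])
                hosts_per_target[e["target"]].add(e["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= min_ports:
                    key = ("vertical", src, dst)
                    best[key] = max(best.get(key, 0), len(ports))
            for target, hosts in hosts_per_target.items():
                if len(hosts) >= min_hosts:
                    key = ("horizontal", src, target)
                    best[key] = max(best.get(key, 0), len(hosts))
    return sorted((k, s, key, n) for (k, s, key), n in best.items())


# Constructed log lines in kernel LOG format; "[SCAN LOG]" is an assumed prefix.
TCP_LINE = ("Mar 12 10:15:{sec:02d} fw kernel: [SCAN LOG] IN=eth0 OUT= "
            "SRC={src} DST={dst} LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF "
            "PROTO=TCP SPT=51234 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")
ICMP_LINE = ("Mar 12 10:15:{sec:02d} fw kernel: [ICMP Ping Scan: ] IN=eth0 OUT= "
             "SRC={src} DST={dst} LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=0 "
             "PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1")
SAMPLE_LOG = (
    # vertical: one source probing 11 ports on one host within seconds
    [TCP_LINE.format(sec=i, src="10.0.0.5", dst="192.168.1.100", dpt=p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080])]
    # horizontal: one source probing SMB on seven hosts
    + [TCP_LINE.format(sec=20 + i, src="10.0.0.9", dst=f"192.168.1.{i}", dpt=445)
       for i in range(1, 8)]
    # ping sweep: echo requests to six hosts
    + [ICMP_LINE.format(sec=30 + i, src="10.0.0.7", dst=f"192.168.1.{i}")
       for i in range(1, 7)]
    # benign: a client retrying HTTPS against a single host
    + [TCP_LINE.format(sec=40 + i, src="10.0.0.20", dst="192.168.1.100", dpt=443)
       for i in range(3)]
)

if __name__ == "__main__":
    for kind, src, key, count in detect_scans(SAMPLE_LOG):
        print(f"{kind:<10} {src:<12} {key:<16} {count}")
```

Feed it real data with `detect_scans(open("/var/log/ufw.log").read().splitlines())`. The thresholds are deliberately conservative; tune `min_hosts` and `min_ports` against a week of your own logs, and treat a vertical finding against a single host from an internal address with the same urgency as an external one, since that is what an attacker's first `nmap -sS` after a foothold looks like.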
4. Advanced Scanning with Nmap Scripting Engine (NSE)
NSE allows for powerful, automated discovery and vulnerability detection.
`nmap --script smb-os-discovery 192.168.1.100`
This script uses the SMB protocol to discover the operating system, computer name, domain or workgroup and system time of a Windows host, without authenticating.
`nmap --script http-enum 192.168.1.100`
Enumerates common web application directories and files. Unlike the other two scripts it is intrusive: it issues many HTTP requests, each of which lands in the web server's access log.
`nmap --script ssl-cert 192.168.1.100`
Retrieves a server's TLS certificate, which can reveal hostnames (subject and subject alternative names), the validity period and the issuing certificate authority.
Step-by-step guide:
Use NSE scripts to augment your reconnaissance. The `--script` flag can be combined with discovery and port scans. Always review the script’s purpose with `nmap --script-help