What is Network Scanning?
Network scanning is the process of identifying active devices, open ports, and running services in a target environment. It is a critical step in the reconnaissance and enumeration phases of ethical hacking, allowing security professionals to map a targetβs network surface.
π‘ Types of Network Scans
1. Host Discovery (Ping Sweep)
Identifies which IP addresses are active (live) on a network. Common tools include Nmap with ICMP, ARP, or TCP SYN probes.
2. Port Scanning
Detects which TCP/UDP ports are open or filtered. Reveals running services and possible entry points.
3. Service Enumeration
Determines what services and versions are running on the open ports. Useful for identifying vulnerable software.
π Common Tools Used
- Nmap: The most powerful and flexible network scanner
- Masscan: Ultra-fast scanner (10M packets/second)
- Netcat: Simple banner grabbing and connection tool
- Zenmap: GUI for Nmap β good for visualization
βοΈ Step-by-Step: How to Scan a Network
Step 1: Identify Active Hosts
nmap -sn 192.168.1.0/24This command performs a ping sweep across the subnet, showing which hosts are up.
Step 2: Perform a Basic Port Scan
nmap 192.168.1.10Scans the 1000 most common ports on the host 192.168.1.10.
Step 3: Aggressive Scan with Version Detection
nmap -A -T4 192.168.1.10Performs OS detection, version detection, script scanning, and traceroute. -T4 speeds up the scan moderately.
Step 4: Full TCP Port Scan
nmap -p- 192.168.1.10Scans all 65,535 TCP ports on the target host.
Step 5: UDP Scan (Slower)
nmap -sU -p 53,67,123 192.168.1.10Scans specific UDP ports like DNS (53), DHCP (67), and NTP (123). Note: UDP scans are inherently slower.
π Real-World Scenario
You're tasked with auditing a company subnet 10.0.0.0/24. You perform the following steps:
# Step 1: Discover live hosts
nmap -sn 10.0.0.0/24
# Step 2: Port scan one host
nmap -sS -p- 10.0.0.15
# Step 3: Service version detection
nmap -sV -p 22,80,443 10.0.0.15
# Step 4: Scan for known vulnerabilities
nmap --script vuln -p 80,443 10.0.0.15These scans help identify exposed services and potential vulnerabilities, preparing for exploitation or further analysis.
π‘ Pro Tips
- Start with stealthy scans on external targets (e.g., SYN scan
-sS) - Use timing templates wisely (
-T1for stealth,-T5for speed) - Avoid scanning production systems during business hours
- Document findings: open ports, services, versions, anomalies
- Use VPN or a secure jump box when scanning from remote