Home / CME / How Network Scanners work Tutorial by Hackingloops

How Network Scanners work Tutorial by Hackingloops

Hello Friends, lets proceed to topics of our next hacking class of . Today we will learn about how network scanner works. Every network attack requires an IP address and port number of the vulnerable host in order to launch the attack. For example, you have discovered an Apache server exploit which is ready for use, you need the IP address and sometimes the port number( if server is running on custom or non standard port) of the vulnerable host running Apache server. Here the Network scanners will come into picture, network will provide you all of this information, they will not only tell you the IP address and port number of the host but they will also tell you which application is running on which specific port.

Note: This article is for Education Purposes only.

There is lot more things about network scanners, that i cannot explain about them, but i will try to cover as much as i can. So lets start learning more about Network scanners, Suppose you don’t have any intention or goal to hack any particular user or network, so just for fun you run  a network scanner against a host or subnet for scanning its details and what you will get is such a critical information that you cannot get by any other means. Nowadays, network scanner also provides you the complete topology of the networks within few seconds.

How Network Scanners work Tutorial by Hackingloops
Network scanners Working

Most of us only think that scanners are only for determining IP address, port number and application running on specific ports, but my dear friends you will be also get shocked to know that we can also use Network scanner to determine the firewall rules and other access control specific policies like authentication, authorization and privileges escalation etc.

This was the brief about Network scanning and Network scanners. Now let’s learn how the scanners actually work.

How Network Scanner Work
Its a big question for new guys in hacking field and i can guarantee that more than 90 percent of existing hackers also doesn’t know about how the scanners actually work. What the script kiddie’s ( hackers dependent only on hack tools) do they just know how to scan the host, they don’t know how it actually works. Most of you have also used the tool and i know 90 percent of you still don’t know how it works. So don’t got frustrated if i tell you that if you don’t know about how the things actually works, you don’t know anything about it. You can never explore things that where else i can use it and other such innovative stuff.

There are lots of network scanners out there in the market and each supports the different set of features and each operates in slightly different way. But all the network scanner follow the same basic principles.
All the networking applications communicate with each other by sending packets(piece of data) back and forth. Scanners use this concept to determine the things, scanners send packets to computers(host) and receives a acknowledgement( packet) from the system. If a response is received, then the host is alive, else host is not active or dead or firewall is blocking the communication. But in case of NMAP, firewall almost never comes into picture as they have inbuilt firewall bypass feature set.
Note: Most of Large companies use a tool called Port Sentry whose only purpose is to frustrate the port scans. Additionally, some feature of firewall like SYN-cookies can make ports appear that they are closed but actually they are open. Cyberoam and Websense and Zone alarm(in expert mode) have this feature.
Most network scanners or we can say most network applications communicate using either the TCP or UDP protocols. Both protocols use the concept of ports to allow for multiple applications to run simultaneously on single IP address. Both UDP and TCP support 65,536 distinct ports, in windows operating system first 1024 ports are reserved for system processing. This in itself a huge topic, i will explain this later. Most applications work on their specific default ports but we can alter it whenever extra or performance related issues are there. HTTP web servers typically run on TCP port 80, SMTP email servers almost use TCP port 25, DNS servers use UDP port 53 and list is endless. Just go to wikipedia to explore the services and application run on specific ports.

In windows 7, you can easily view which ports is being used by which application or service. Just go to start, in search type “ windows firewall with Advanced Security” (without quotes).  Just click to open it, their you will find inbound rules and outbound rules which shows that that which port is currently being used by which application and this also allows you to open and close the specific ports for specific programs.

Network scanners determine what network application is running on a given computer by testing TCP and UDP ports to see whether they are supporting connections. If a TCP port 80 is open on a specific computer that it is assumed that it is running HTTP web server. Now we must know different types of scanning too. There are basically two types of Network scanning, TCP scanning and UDP scanning.
So today i am looking in little good mood, so lets learn that also today.

TCP Scanning
The main goal of TCP scan is to determine which TCP ports have applications listening(using) on them.  For TCP scan, no actual communication with the listening application is needed as TCP scan  allow you to get the information about which ports are open without  completing the full connection. TCP connections use 3 way handshake protocol. To see whether application is listening the specific port, what scanner do is that it send a TCP SYN packet to the port and wait for the response. If the SYN/ACK packet is returned, then it means port is open. If RST packet is returned then it means that the port is closed. 
Most important, if no response is received after some time, then the port is considered as filtered (i.e. some firewall or antivirus program is blocking the connections to the port) or there is no host alive with that IP address.
Now lets learn what is UDP scanning.

UDP Scanning
UDP scanning is little bit tricky and difficult than the TCP scanning. UDP  works on Fire and forget protocol means we just send the packet and nothing is returned back so its quite difficult to find anything without response. Also we cannot determine that host is alive or dead or filtered. However, there is one ICMP concept which actually help the scanners to determine the open or closed ports. If a UDP packet is sent to a port without an application bound to it, the IP stack will return an ICMP port unreachable packet. The scanners assume that if any port has returned ICMP error then its closed, while the ports that didn’t answer are either open or filtered by the firewall.

That’s all the overall concept that what are network scanners, network scanning and how actually the network scanning works and different types of network scanning.
If you have any issues or queries ask in form of comments.. It take lot of time to write such a detailed tutorials, little appreciation comment can do the work. So don’t feel shy to comment.

About Lokesh Singh

Hello Friends, i am Lokesh Singh, certified Ethical hacker ( CEH, SSA, CSIF , CISSP). Have 8+ years of extensive experience in Ethical Hacking, Cyber Security and Penetration Testing domain.

Leave a Comment