Network Scanning

What is Network Scanning?

Network scanning is a fundamental technique in cybersecurity used to discover devices, services, and vulnerabilities on a network. It involves sending various types of requests to a range of IP addresses and analyzing the responses to gather information. The primary goals of network scanning are to identify active hosts, discover open ports on those hosts, determine the services listening on those ports, and often to fingerprint the operating system and application versions.

Network scanning is distinct from vulnerability scanning, though often used as a precursor. While network scanning identifies what is there, vulnerability scanning typically identifies what weaknesses those identified services and systems might have. Both offensive and defensive security professionals utilize network scanning to map out network topography, discover unknown assets, and identify potential entry points.

How Network Scanning Works

Network scanning typically involves several key stages:

1. Host Discovery (Ping Scan): The first step is to identify which IP addresses on a network correspond to live hosts. This is often done using ICMP (ping) requests, ARP requests (on local networks), or by sending TCP SYN packets to common ports. A response indicates a live host.

2. Port Scanning: Once live hosts are identified, the next step is to determine which TCP and UDP ports are open on each host. Different types of port scans exist:

   • TCP SYN Scan (Half-Open Scan): Sends a SYN packet and checks for a SYN/ACK response. If received, the port is open. A RST packet indicates a closed port. This is stealthier as it doesn't complete the TCP handshake.
   • TCP Connect Scan: Completes the full TCP handshake. Less stealthy but useful when SYN scans are blocked.
   • UDP Scan: Sends UDP packets to ports and listens for ICMP port unreachable messages, which indicate a closed port. Lack of response often suggests an open or filtered port.
   • Xmas, FIN, NULL Scans: Manipulate TCP flags to bypass basic firewalls and intrusion detection systems.

3. Service and Version Detection: After identifying open ports, scanners attempt to determine the actual service running on each port (e.g., HTTP, SSH, FTP) and its specific version (e.g., Apache 2.4.x, OpenSSH 7.x). This is often achieved through banner grabbing or sending protocol-specific probes.

4. Operating System Fingerprinting: Analyzing the responses to specific probes and packets (e.g., TTL values, TCP window sizes, ICMP error messages) to deduce the operating system of the target host.

Tools like Nmap are industry standards for active network scanning, providing comprehensive capabilities for all these stages.

Network Scanning in Security Research

For security researchers, penetration testers, and defenders, network scanning is a vital component of security operations:

• Attack Surface Mapping: Identifying all active devices and services, especially those exposed to the internet or critical internal networks. This helps define the scope of a security assessment.
• Vulnerability Assessment: The information gathered (open ports, service versions, OS) is the foundation for identifying known vulnerabilities. An unpatched web server or an old SSH daemon discovered via scanning immediately flags a security risk.
• Compliance Auditing: Ensuring that only authorized services are running on specific ports and that system configurations adhere to security policies.
• Rogue Device Detection: Identifying unauthorized devices connected to the network that could pose a security risk.
• Threat Hunting: Scanning the internet for specific indicators of compromise (IoCs) or patterns of activity associated with known threat actors.

How to Find/Use Network Scanning with Zondex

While Zondex doesn't perform active network scanning against specific targets on demand, it acts as a global, pre-computed network scanner. It constantly scans the entire internet, indexing vast amounts of data about internet-facing devices, their open ports, services, and operating systems. This allows security professionals to perform passive network discovery at scale without directly interacting with targets. Here are practical Zondex queries for leveraging its network scan data:

• Find all devices with a specific port open globally: port:22 (for SSH)
• Discover web servers (port 80 and 443) running in a specific country: port:80,443 country:US
• Identify devices with RDP (Remote Desktop Protocol) exposed in a particular organization: org:"Example Corp" port:3389
• Locate hosts running a specific database service: service:mysql
• Search for devices known to have many open ports, indicating a potentially misconfigured or broad attack surface: num_ports:>10 country:GB
• Find all devices with an SSH service and an HTTP service, potentially indicating a web server with remote management: port:22 AND port:80

Zondex provides a powerful aggregated view of the internet's network scan data, enabling efficient and extensive network reconnaissance.

Key Takeaways

• Network scanning discovers live hosts, open ports, and services on a network.
• It involves host discovery, port scanning (SYN, Connect, UDP), and service/OS detection.
• Crucial for attack surface mapping, vulnerability assessment, and compliance.
• Zondex provides a global, passive network scan database for efficient reconnaissance.
• Leveraging Zondex's indexed data saves time and avoids active target interaction.