Penetration Test Scanning 101

Our goal is to gain more information about our target by interacting with it and this is one of the most important phases of penetration testing because it sets a baseline for the things you might target next. We want to learn about the topology of the target environment while scanning, as this will help us understand how different systems in the environment connect with each other and help you plan your attack. We also want to understand the different operating system running on the machines we are scanning.

As we scan, we make observations and carefully note all of the TCP and UDP ports open on each of the systems, we can then use this information to run service specific tools to find additional information, like service vendors and version numbers. Make a note of all potential vulnerabilities each service may be suffering from by keeping the version number in mind. If you weren't able to enumerate a version number, test different vulnerabilities based on the systems behaviors and responses.

Before You Start Scanning

Before performing these scans it's important to remember that performing these scans has the potential to crash systems and that you should never scan a system that does not belong to you without permission, it's illegal.

Scanning is usually performed hastily, so take your time. First perform a network sweep to gain a list of potential targets. Then run network tracing to figure out the topology of the network. Next you will conduct more rigorous port scans to enumerate OS and service details and finally, initiate vulnerability scans on those applications. Let's do it together.

At times, these things may not be performed in this order due to the scope of the test or client requirements. If you are conducting penetration tests, you may have to skip some tests because the client says you can’t perform that scan. It is important to remember that clients are the ones paying you so always follow the scope of the test and only perform the scans you are allowed to. Always obtain legal document because companies may not care if you found a vulnerability without their permission, many will try to sue you for disclosing the vulnerability, so always ask for permission.

Penetration Scanning Checklist

This list is not an A to B roadmap, a lot of the time you will miss something and have to rescan multiple times and this is normal.

• Find the network topology
• Find the operating system types of discovered hosts.
• Find open ports and network services in a target
  environment.
• Find the network addresses of live hosts, firewalls, routers, etc.
• Find a list of potential vulnerabilities.
• Don’t use tools that make a lot of noise; it can potentially crash the host or even make the host aware of our presence, reduce these risks as much as you can.

A Box Full Of Scans

Lets take a closer look at the different kinds of penetration testing scans you will probably need to run on your targets sooner or later:

Network tracing - Usually the first step, when we try to figure out the topology of the network which will help us in planning our attacks.

Network Sweeping - We try to figure out which of the addresses in the range are in use. We do this by sending our ICMP packets and listening carefully, if we get a response we know that an address is in use, giving us awareness of the active systems.

OS Scanning/ Fingerprinting - In this scan we try to enumerate the OS of the target system. This is done by sending a crafted packet which checks for the response of the system. Since every OS has a different behavior over the network, these specific crafted packets can check which OS is responding. Sometimes we want to be less noisy on the system so you can also perform a passive fingerprinting scan which won’t send any packets but will receive them. Based on the response, you can decide what OS the system is and we can also figure out the OS of a system via HTTP headers. Direct and indirect banner grabbing can grab OS data, hosts often announce their OS to anyone trying to make a connection to them through banners.

Port Scanning - In this scan we try to figure out the different TCP and UDP ports that are open on the system. Primarily there are two types of port scans; SYN scan and FIN scan. Remember these scans can be intensive and might bring the system down so be careful.

Application / Application Version - In this scan we try to figure out the different applications that are running on these ports. Some ports have assigned applications. Ports 1 through 1024 have applications assigned applications but you should still try to figure out the application version using application specific scans.

Vulnerability Scanning - In this scan we try to find out if the application is vulnerable to any known vulnerabilities which stem from unpatched or mis-configured applications.

As attackers we only need one of the millions of known vulnerabilities to be present on a system, not to mention human errors and the misconfiguration and I have massive respect to blue teamers on the defense side.

Top Scanning Tips

• Perform scans only to the subnets you are allowed to.
• Perform scans on the IP address and not on the domain name.
• Most scanning tools can output their scanning results, use that feature.
• Plan on how you are going to perform the scans and in what order because this can change based on your scope.
• Always share scan results with your team and brainstorm on potential vulnerabilities for that application version, unless you flying solo and conducting the test on your own of course.
• If you are scanning a really large network, then check the firewall and only scan ports that will make it through the firewall rules.
• When performing a scan also run a packet sniffer. It will help you visualize what the scan is doing and how that particular scan tool works. (Not necessarily capturing them in a file but rather just looking at them)

Wait There Is More

This is an introductory article to a series of articles I plan to write about scanning, articles will dive into depth and cover all the different types of scanning, while explaining the tools used to perform these scans.I thoroughly enjoyed writing this and hope that whoever reads this learns at least something from these posts because that was my only goal. I would like to thank Luke for helping me edit and also Medjay for proofreading this.

Main Image Credit : The awesome piece of artwork used to head this article is called 'Top City View' and it was created by graphic designer Gleb Kuznetsov.