Ethical Hacking - Scanning and Enumeration

Port Scanning and System Enumeration

Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding what services and applications are open on the target device. Once open, applications or services can be discovered. At this point, further information is typically gathered to determine how best to target any vulnerabilities and weaknesses in the system.


Port Scanning Steps

Port scanning is one of the key steps of ethical hacking. Before a system can be attacked the hacker must determine what systems are up, what applications are running, and what what versions the applications are.

1. Determining If The System Is Alive

  • Network Ping Sweeps

2. Port Scanning

  • Nmap - As you might guess, the name “nmap” implies that the program was ostensibly developed as a network mapping tool. Well, as you can imagine, such a capability is attractive to the folks that attack networks, not just network and system administrators and the network support staff. Of all the tools available it is nmap that people just seem to keep coming back to. The familiar command line interface, the availability of documentation, and the generally competent way in which the tool has been developed and maintained, are all attractive to us. Nmap performs a variety of network tricks. To learn more check out the NMAP tutorial.

  • Nmap - Interesting options
    • -f fragments packets
    • -D Launches decoy scans for concealment
    • -I IDENT Scan – finds owners of processes (on Unix systems)
    • -b FTP Bounce
  • Port Scan Types
    • TCP Connect scan
    • TCP SYN scan
    • TCP FIN scan
    • TCP Xmas Tree scan (FIN, URG, and PUSH)
    • TCP Null scan
    • TCP ACK scan
    • UDP scan

Nmap hacking tutorial


3. Banner-Grabbing

Many services announce what they are in response to requests. Banner grabbers just collect those banners the easiest way to banner grab:

telnet <ipaddress> 80

4. Operating System Fingerprinting

  • Active Stack Fingerprinting
    • Nmap
    • Xprobe2
  • Passive fingerprinting
    • siphon
    • p0f


The process of enumeration, finding find what services are running, versions, open shares, account details, or possible points of entry. One such target is SMB. While SMB makes it possible for users to share files and folders, SMB offers access on Windows computers via the IPC$ share. This share, the IPC$, is used to support named pipes that programs used for interprocess (or process-to-process) communications. Because named pipes can be redirected over the network to connect local and remote systems, they also enable remote administration.

1. Attacking Null Sessions

The Windows Server Message Block (SMB) protocol hands out a wealth of information freely. Null Sessions are turned off by default in Win XP, Server 2003, Vista, and Windows 7 but open in Win 2000 and NT.

Null Session Tools

  • Dumpsec
  • Winfo
  • Sid2User
  • NBTenun 3.3

2. Enumerating Windows Active Directory via LDAP, TCP/UDP 389 and 3268. Active Directory contains user accounts and additional information about accounts on Windows DC's. If the domain is made compatible with earlier versions of Windows, such as Win NT Server, any domain member can enumerate Active Directory

3. Targeting Border Gateway Protocol (BGP). The de facto routing protocol on the Internet. BGP is used by routers to help them guide packets to their destinations. It can be used to find all the networks associated with a particular corporation

Defense with Port Knocking

Port knocking is a rather esoteric method of preventing session creation with a particular port. Port knocking is not currently implemented by default in any stack, but we may soon see patches to permit the use of knocking protocols. The basis of port knocking is the digital analog of the secret handshake. Through the use of timing, data sent with SYN packets, number of SYN packets sent, sequence of ports hit, and other options, a client authorizes itself to access a port. While useful for obscuring the existence of a port, port knocking is simply another layer of authentication. Links can still be saturated through DoS attacks, RST attacks can still kill connections, and sessions can still be hijacked and sniffed. A paranoid system administrator may care to use a port knocking daemon to add an extra layer of security to connections, but securing the connection through a PKI certificate exchange is much more likely to yield tangible security benefits.

Scanning and Enumeration Links

Some links to learn more about scanning and enumeration include:

Port scans legal, judge says (12/18/2000)

Port Scanning and its Legal Implications (2004)

Nmap Tutorial

A Simple Guide to Nmap Usage

YouTube - Trinity Nmap Hack - Matrix Reloaded



Nessus Vulnerability Scanner

Nessus Technical Guide

Very simple Nessus installation [Archive] - Ubuntu Forums

How to install the vulnerability scanner Nessus | Ubuntu Linux

fping - a program to ping hosts in parallel

Hping - Wikipedia, the free encyclopedia

Tutorial: Hping2 Basics

Smurf attack - Wikipedia, the free encyclopedia

Preventing Smurf Attacks

Advanced Bash-Scripting Guide

NetBios Howto

NetBIOS NULL Sessions: The Good, The Bad, and The Ugly

Null session attacks: Who's still vulnerable?

NULL sessions restrictions of server and workstation RPC operations

Null session in Windows XP

Listing usernames via a null session on Windows XP

Download Winfo -- NetBIOS Null Session Enumeration Tool

NetBIOS Suffixes (16th Character of the NetBIOS Name) - DumpSec and Hyena

Description of the Windows File Protection feature