Network scanning and enumeration form the foundation of any penetration test or security assessment. Done well, they reveal the real attack surface, reduce guessing, and guide the next steps. Done poorly, they create noise, miss critical services, or cause outages.
Why Scanning Matters
Before you can exploit anything, you need to know what is actually there. Scanning reveals:
- Live hosts and open ports
- Service banners and versions
- Network topology and segmentation
- Hidden services and misconfigurations
- Potential attack paths
Recon Workflow (Professional Flow)
- Scope and rules of engagement
- Host discovery (identify live targets)
- Port discovery (open TCP and UDP)
- Service detection (versions, banners, protocols)
- Targeted enumeration (protocol-specific checks)
- Validation (confirm findings with secondary tools)
- Documentation (clean notes, evidence, and risk)
Essential Tools
1. Nmap - The Gold Standard
Basic scan:
nmap -sCV target.com
Full port scan:
nmap -p- --min-rate 1000 -T4 target.com
UDP scan (top ports):
nmap -sU --top-ports 100 target.com
Stealth scan (SYN):
nmap -sS -T2 target.com
Service detection:
nmap -sV --version-intensity 7 target.com
2. Masscan - High-Speed Discovery
Use for initial port discovery when large ranges are in scope:
masscan 10.0.0.0/8 -p1-65535 --rate 10000 -oG masscan.gnmap
Then verify results with Nmap.
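One way to do that verification step mechanically, as an added example that is not part of the original post: parse the grepable (-oG) output of both tools and report which Masscan hits Nmap confirmed, which it did not, and which Nmap found that Masscan missed. The two sample outputs are constructed for the example and follow the -oG layout (Masscan leaves the service and version fields empty).

```python
import re
from collections import defaultdict

# Constructed sample output in nmap's grepable (-oG) format; not real scan data.
NMAP_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -p- -oG nmap.gnmap 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)
# Nmap done
"""

# Constructed masscan -oG output for the same host.
MASSCAN_GNMAP = """\
# Masscan 1.3.2 scan initiated
Timestamp: 1700000000\tHost: 10.0.0.5 ()\tPorts: 22/open/tcp////
Timestamp: 1700000001\tHost: 10.0.0.5 ()\tPorts: 8080/open/tcp////
"""

HOST_RE = re.compile(r"Host: (\S+)")
PORTS_RE = re.compile(r"Ports: ([^\t]+)")


def parse_gnmap(text):
    """Return {host: {(port, proto): (state, service, version)}} from -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        host_m, ports_m = HOST_RE.search(line), PORTS_RE.search(line)
        if not host_m or not ports_m:
            continue  # status-only lines carry no Ports: field
        for entry in ports_m.group(1).split(", "):
            # Each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            hosts[host_m.group(1)][(int(port), proto)] = (state, service, version)
    return dict(hosts)


def open_ports(parsed):
    return {(h, p, proto) for h, ports in parsed.items()
            for (p, proto), (state, _, _) in ports.items() if state == "open"}


def reconcile(fast_text, verify_text):
    """Cross-check a fast scanner's open ports against a verifying nmap run."""
    fast, verified = open_ports(parse_gnmap(fast_text)), open_ports(parse_gnmap(verify_text))
    return {
        "confirmed": sorted(fast & verified),
        "unconfirmed": sorted(fast - verified),   # fast scanner said open, nmap did not
        "missed": sorted(verified - fast),         # nmap found open, fast scanner missed
    }
```

Ports in the "unconfirmed" list are the ones to re-scan at a gentler rate before they go into the report.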
3. Rustscan - Fast Port Discovery + Nmap
rustscan -a target.com -- -sV -sC
4. Netcat and Socat
Quick banner grabbing:
nc -nv target.com 80
Port Scanning Techniques
SYN Scan (Half-Open)
nmap -sS target.com
Fast and relatively stealthy: sends SYN packets, analyzes the responses, and never completes the handshake.
Connect Scan
nmap -sT target.com
Completes the full TCP handshake. More reliable where raw packets are blocked or unavailable.
UDP Scan
nmap -sU target.com
Slower but essential for UDP services (DNS, SNMP, TFTP, QUIC).
NULL, FIN, XMAS Scans
nmap -sN target.com # NULL scan
nmap -sF target.com # FIN scan
nmap -sX target.com # XMAS scan
These bypass some legacy firewalls that only monitor SYN packets.
Host Discovery (Ping Sweeps)
nmap -sn 192.168.1.0/24
nmap -Pn target.com # skip host discovery if ICMP is blocked
Use multiple probes if ICMP is blocked:
nmap -PE -PP -PM -PS22,80,443 -PA80,443 10.10.10.0/24
Service Enumeration (High-Value Ports)
HTTP / HTTPS (80, 443, 8080, 8443)
whatweb target.com
nikto -h target.com
gobuster dir -u http://target.com -w wordlist.txt
Check titles, frameworks, and hidden endpoints.
SSH (22)
nmap -p22 --script ssh2-enum-algos target.com
nmap -p22 --script ssh-auth-methods target.com
SMB (445)
nmap -p445 --script "smb-enum-*" target.com
enum4linux -a target.com
smbclient -L target.com -U guest%
DNS (53)
dig A target.com
nslookup target.com
dnsenum target.com
FTP (21)
nmap -p21 --script ftp-anon,ftp-syst target.com
SMTP (25, 587)
nmap -p25,587 --script smtp-enum-users target.com
SNMP (161)
nmap -sU -p161 --script snmp-info target.com
snmpwalk -v2c -c public target.com
RDP (3389)
nmap -p3389 --script rdp-enum-encryption target.com
Advanced Techniques
Operating System Detection
nmap -O target.com
NSE Scripts (Targeted Checks)
nmap --script vuln target.com
nmap --script default,safe -sV target.com
Firewall Evasion
nmap -f target.com # fragment packets
nmap -D RND:10 target.com # decoy scan
nmap --source-port 53 target.com # source port spoofing
Timing and Performance
nmap -T5 target.com # fastest
nmap -T0 target.com # slowest
Practical Tips
1. Always Confirm Host is Up
nmap -sn 192.168.1.0/24
nmap -Pn target.com
2. Save Results for Reporting
nmap -oA scan_results target.com
nmap -oX results.xml target.com
nmap -oG results.gnmap target.com
3. Scan Specific Ranges
nmap -p80 target.com
nmap --top-ports 100 target.com
nmap -p1-1000,3000-4000 target.com
Real-World Scenarios
Scenario 1: Web Application Assessment
nmap -p80,443,8080,8443 -sV target.com
whatweb target.com
gobuster dir -u http://target.com -w wordlist.txt
Scenario 2: Internal Network Mapping
nmap -sn 192.168.1.0/24
nmap -p- -sV -sC 192.168.1.100
Scenario 3: Firewall Testing
nmap -f -D RND:5 -sS target.com
nmap -Pn -sV --script firewall-bypass target.com
Common Mistakes
- Scanning too aggressively and causing outages
- Ignoring UDP services
- Skipping version detection
- Trusting a single tool output
- Not documenting evidence and timestamps
Countermeasures and Defense
Network Level
- Firewalls with least exposure
- IDS/IPS to detect scan patterns
- Segmentation of critical systems
Host Level
- Local firewall rules
- Disable unused services
- Patch vulnerable services
Monitoring
# Detect scanning attempts
tcpdump -nn -s 0 -X -i eth0 port 80
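A small detector for the pattern a SYN scan leaves in that kind of capture, as an added example that is not part of the original post: it parses tcpdump -nn lines, keeps only packets whose sole flag is SYN, and flags any source that probes several distinct destination ports within a short window, while a normal client completing a handshake is left alone. The capture lines below are constructed for the example, and the thresholds (5 ports in 10 seconds) are an assumption to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed tcpdump -nn lines (not a real capture): the first source completes a
# normal handshake, the second sends bare SYNs to many ports within a second.
SAMPLE_CAPTURE = """\
12:00:00.100000 IP 10.0.0.9.51522 > 10.0.0.5.22: Flags [S], seq 1, win 64240, length 0
12:00:00.100500 IP 10.0.0.5.22 > 10.0.0.9.51522: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:00.101000 IP 10.0.0.9.51522 > 10.0.0.5.22: Flags [.], ack 1, win 502, length 0
12:00:05.000000 IP 192.168.1.50.41234 > 10.0.0.5.80: Flags [S], seq 1, win 1024, length 0
12:00:05.000200 IP 192.168.1.50.41234 > 10.0.0.5.443: Flags [S], seq 1, win 1024, length 0
12:00:05.000400 IP 192.168.1.50.41234 > 10.0.0.5.22: Flags [S], seq 1, win 1024, length 0
12:00:05.000600 IP 192.168.1.50.41234 > 10.0.0.5.3389: Flags [S], seq 1, win 1024, length 0
12:00:05.000800 IP 192.168.1.50.41234 > 10.0.0.5.8080: Flags [S], seq 1, win 1024, length 0
12:00:05.001000 IP 192.168.1.50.41234 > 10.0.0.5.445: Flags [S], seq 1, win 1024, length 0
"""

LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse_syn_probes(capture):
    """Yield (seconds_since_midnight, src_ip, dst_port) for packets whose only flag is SYN."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(6) != "S":
            continue  # SYN/ACK ([S.]) and ACK ([.]) belong to normal handshakes
        t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        yield secs, m.group(2), int(m.group(5))


def detect_syn_scanners(capture, min_ports=5, window=10.0):
    """Return {src_ip: distinct_ports} for sources that SYN-probe at least
    min_ports distinct destination ports within any window-second span."""
    recent = defaultdict(deque)      # src -> deque of (secs, dst_port), oldest first
    flagged = {}
    for secs, src, dport in parse_syn_probes(capture):
        q = recent[src]
        q.append((secs, dport))
        while q and secs - q[0][0] > window:   # drop probes that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports:
            flagged[src] = max(len(distinct), flagged.get(src, 0))
    return flagged
```

Feed it the output of `tcpdump -nn -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` for a host-wide view rather than a single port.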
# Monitor half-open connections
netstat -ant | grep SYN_RECV
Automated Reconnaissance
Multi-Tool Script (Baseline)
#!/bin/bash
# Baseline recon wrapper: one target, four tools, one output file per tool
set -euo pipefail
TARGET="${1:?usage: $0 <target>}"

# Nmap scan (all three output formats via -oA)
nmap -sCV -oA "${TARGET}_nmap" "$TARGET"

# Web enumeration
nikto -h "$TARGET" -output "${TARGET}_nikto.txt"

# Directory brute force
gobuster dir -u "http://$TARGET" -w /usr/share/wordlists/dirb/common.txt -o "${TARGET}_dirs.txt"

# DNS enumeration
dig +short ANY "$TARGET" > "${TARGET}_dns.txt"
Clean Reporting Notes
Always record:
- Timestamp and scan scope
- Command used and parameters
- IPs, ports, services, versions
- Screenshots or logs as evidence
Summary
Effective network scanning combines the right tools, techniques, and interpretation skills. Always remember:
- Get permission before scanning
- Start with discovery, then deepen
- Validate findings with multiple tools
- Document everything clearly
Simple Advice
Start slow with basic scans, then increase depth based on findings. Never skip service version detection; it often unlocks the next step.
X: http://x.com/cat0x01
GitHub: http://github.com/cat0x01