Nov 19 2014
Scanning is a crucial tool in the arsenal of penetration testers as well as hackers out to inflict catastrophic damage on your computer server or web site.

Without scanning, there’s no possibility for exploitation of your system.

Scanning in short provides the raw material for attackers or penetration testers to work on.

When a penetration tester starts scanning a host (computer, server, IP address, website, etc.), he is essentially identifying ‘live’ systems and every service running on them.

Note: Again, as I’ve said in the past, do not attempt any kind of scanning on computer systems unless you have legal authorization to do so or you’re doing it on systems owned by you for learning purposes.

Ping

In scanning, the first step is to check if a computer or server is ‘live’ by doing a Ping test.

ping xxx.xxx.xxx.xxx

ping example.com

Besides telling you that a host is ‘live,’ a ping also provides the round-trip time: how long an ICMP Echo Request packet takes to reach the host and for the reply to come back.

If you have Kali Linux installed on your PC, you can run fping for a wider suite of ping tests.

With fping, you can check individual IPs, sweep multiple IP addresses, send pings indefinitely, have only ‘alive’ hosts show up in the results, etc.

Note: Don’t expect to always get a response to a ping request. Some servers are configured not to respond to a ping.

So even if a host doesn’t answer your pings, you should still proceed to the next two types of scanning:

* Port Scanning
* Vulnerability Scanning

Let’s examine each of these scanning types in some detail.

Port Scanning

So what does port scanning do?

With port scanning, you’re checking to see what ports and services are running on a particular host (i.e. IP address).

Since ports are the gateways into a system that penetration testers and hackers are looking to test and attack respectively, both pay great attention to them.

Kali Linux comes with multiple scanners including dmitry, nmap, zenmap and unicornscan.

Most scanners are command-line tools, but you can also find a few GUI scanners like zenmap.

Vulnerability Scanning

Vulnerability scans are meant to identify weaknesses on the target system.

Once a vulnerability is discovered (it could be unpatched software, a hole in a WordPress plugin, etc.), it’s time for penetration testers and hackers to uncork the champagne bottle.

Experts recommend perimeter scanning before moving to the target.

Perimeter devices include computers, routers, servers and firewalls.

While the impatient may scoff, keep in mind that perimeter scanning is extremely useful in building an internal network map.

If you’re using Kali Linux, multiple tools such as golismero and WPScan are available for vulnerability scanning.

For instance, wpscan can be used to scan for all plugins or just vulnerable plugins in a WordPress blog.

On Kali Linux, to run a comprehensive reconnaissance and vulnerability scan on example.com you’d run:

golismero example.com
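The core of a plugin vulnerability scanner like wpscan is simple: learn which plugins are installed and at which version, then match those versions against a list of advisories. The following added example (my own illustration, not code from wpscan or golismero) does exactly that. It reads the ‘Stable tag’ header from plugin readme.txt files, the way WPScan fingerprints plugin versions, and compares them against an advisory feed. Both the readme contents and the advisory list are constructed for the demo; the advisory ids are placeholders, not real advisories. The version comparison handles the usual edge cases (‘2.3’ versus ‘2.3.0’, pre-release suffixes, and advisories with no fixed release at all).

```python
import re

# Constructed advisory feed for the demo: placeholder ids, not real advisories.
# fixed_in=None means no patched release exists, so every version is affected.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "plugin": "example-gallery", "fixed_in": "2.3.1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "plugin": "example-forms",   "fixed_in": "1.4.2"},
    {"id": "ADVISORY-PLACEHOLDER-3", "plugin": "example-cache",   "fixed_in": None},
]

# Constructed readme.txt fragments, as a site would serve them from
# /wp-content/plugins/<slug>/readme.txt. The "Stable tag" header is the
# field scanners read to learn the installed version.
README_FILES = {
    "example-gallery": "=== Example Gallery ===\nRequires at least: 4.0\nStable tag: 2.2.9\n",
    "example-forms":   "=== Example Forms ===\nstable tag: 1.4.2\n",
    "example-cache":   "=== Example Cache ===\nStable tag: 3.0\n",
    "example-seo":     "=== Example SEO ===\nStable tag: trunk\n",
}

def parse_readme_version(text):
    """Return the 'Stable tag' value, or None if absent or 'trunk' (unversioned)."""
    m = re.search(r"^\s*stable tag:\s*(\S+)", text, re.IGNORECASE | re.MULTILINE)
    if not m or m.group(1).lower() == "trunk":
        return None
    return m.group(1)

def version_key(v):
    """Turn '2.3.1' or '1.4-beta2' into a tuple of ints, ignoring any suffix."""
    core = re.match(r"[\d.]+", v)
    if not core:
        return ()
    return tuple(int(p) for p in core.group(0).strip(".").split(".") if p)

def version_lt(a, b):
    """True if version a is older than b; pads so '2.3' equals '2.3.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))

def build_inventory(readmes):
    """Map plugin slug -> detected version (None when it cannot be determined)."""
    return {slug: parse_readme_version(text) for slug, text in readmes.items()}

def scan_inventory(inventory, advisories):
    """Return one finding per advisory whose plugin is installed at an affected version."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["plugin"])
        if installed is None:
            continue   # not installed, or version unknown: cannot assess
        if adv["fixed_in"] is None or version_lt(installed, adv["fixed_in"]):
            findings.append({
                "plugin": adv["plugin"],
                "installed": installed,
                "fixed_in": adv["fixed_in"] or "no fix available",
                "advisory": adv["id"],
            })
    return findings

if __name__ == "__main__":
    inventory = build_inventory(README_FILES)
    for slug, ver in inventory.items():
        print(f"{slug:16} {ver or 'version unknown'}")
    for f in scan_inventory(inventory, ADVISORIES):
        print(f"[!] {f['plugin']} {f['installed']} affected by {f['advisory']} "
              f"(fixed in {f['fixed_in']})")
```

Two details matter for anyone reading scanner output. First, a plugin whose readme says ‘trunk’ (or has no readme at all) yields no version, so a scanner cannot say it is safe, only that it could not assess it; treat those as follow-up items rather than clean results. Second, an advisory with no fixed release keeps matching every version until the vendor ships one, which is why such findings only go away by removing the plugin.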

Not all vulnerability scanners are free tools.

Some scan tools like Nessus cost $1,500 per year for individuals while the enterprise version for teams runs up to $5,000 a year. But you can download a non-commercial home version of Nessus for free.
