Lesson 2 Network Scanning & Reconnaissance

60 minutes

Network Scanning & Reconnaissance

Reconnaissance is the first phase of any penetration test. It involves gathering as much information as possible about the target system, network, or organization before attempting to exploit vulnerabilities.

Types of Reconnaissance

Passive Reconnaissance

Gathering information without directly interacting with the target system. This includes:

WHOIS lookups
DNS enumeration
Social media research
Google dorking
Public records

Active Reconnaissance

Directly interacting with the target system to gather information:

Port scanning
Network mapping
Service enumeration
OS fingerprinting
Banner grabbing

Network Scanning Techniques

1. Host Discovery

Identifying live hosts on a network:

# Ping sweep to find live hosts
nmap -sn 192.168.1.0/24

# ARP scan for local network
nmap -PR 192.168.1.0/24

# TCP SYN ping
nmap -PS 192.168.1.0/24

2. Port Scanning

Different types of port scans serve different purposes:

Scan Type	Nmap Option	Description	Stealth Level
TCP Connect	-sT	Completes full TCP handshake	Low
TCP SYN	-sS	Half-open scan, more stealthy	Medium
UDP Scan	-sU	Scans UDP ports	Variable
FIN Scan	-sF	Sends FIN packets	High

3. Service and Version Detection

# Service version detection
nmap -sV 192.168.1.100

# Aggressive scan with OS detection
nmap -A 192.168.1.100

# Specific scripts for service enumeration
nmap --script=http-enum 192.168.1.100 -p 80,443

Information Gathering Tools

Nmap

Network mapper for host discovery and port scanning

nmap -A target.com

Nslookup/Dig

DNS lookup utilities for domain information

dig target.com ANY

Whois

Domain registration information

whois target.com

Python Script: Advanced Port Scanner

#!/usr/bin/env python3
import socket
import threading
import argparse
from datetime import datetime

class PortScanner:
    def __init__(self, target, threads=100):
        self.target = target
        self.threads = threads
        self.open_ports = []
        
    def scan_port(self, port):
        """
        Scan a single port
        """
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(1)
            result = sock.connect_ex((self.target, port))
            
            if result == 0:
                self.open_ports.append(port)
                # Try to grab banner
                try:
                    sock.send(b'HEAD / HTTP/1.0\r\n\r\n')
                    banner = sock.recv(1024).decode().strip()
                    print(f"Port {port}: Open - {banner[:50]}...")
                except:
                    print(f"Port {port}: Open")
            
            sock.close()
        except Exception as e:
            pass
    
    def scan_range(self, start_port, end_port):
        """
        Scan a range of ports using threading
        """
        print(f"Scanning {self.target} from port {start_port} to {end_port}")
        print("-" * 50)
        
        threads = []
        for port in range(start_port, end_port + 1):
            thread = threading.Thread(target=self.scan_port, args=(port,))
            threads.append(thread)
            thread.start()
            
            # Limit concurrent threads
            if len(threads) >= self.threads:
                for t in threads:
                    t.join()
                threads = []
        
        # Join remaining threads
        for t in threads:
            t.join()
        
        print("-" * 50)
        print(f"Scan completed. Open ports: {sorted(self.open_ports)}")
        return sorted(self.open_ports)

def main():
    parser = argparse.ArgumentParser(description='Advanced Port Scanner')
    parser.add_argument('target', help='Target hostname or IP address')
    parser.add_argument('-p', '--ports', default='1-1000', 
                       help='Port range (e.g., 1-1000 or 80,443,8080)')
    parser.add_argument('-t', '--threads', type=int, default=100,
                       help='Number of threads (default: 100)')
    
    args = parser.parse_args()
    
    # Parse port range
    if '-' in args.ports:
        start_port, end_port = map(int, args.ports.split('-'))
    else:
        ports = [int(p) for p in args.ports.split(',')]
        start_port, end_port = min(ports), max(ports)
    
    # Create scanner and scan
    scanner = PortScanner(args.target, args.threads)
    open_ports = scanner.scan_range(start_port, end_port)
    
    # Service identification for open ports
    if open_ports:
        print("\nCommon services on open ports:")
        services = {
            21: 'FTP', 22: 'SSH', 23: 'Telnet', 25: 'SMTP',
            53: 'DNS', 80: 'HTTP', 110: 'POP3', 143: 'IMAP',
            443: 'HTTPS', 993: 'IMAPS', 995: 'POP3S'
        }
        
        for port in open_ports:
            service = services.get(port, 'Unknown')
            print(f"  Port {port}: {service}")

if __name__ == "__main__":
    main()

Reconnaissance Checklist

Pre-Engagement Information Gathering

Target Organization

Company information
Employee details (LinkedIn)
Email formats
Physical locations
Technology stack

Network Infrastructure

IP address ranges
Domain and subdomain enumeration
DNS records
Network topology
Open ports and services

Exercise

Hands-On Practice

Objective: Perform reconnaissance on a test target (use your own system or a VM).

Use nmap to perform a ping sweep on your local network
Conduct a port scan on your own system
Try different scan types (-sS, -sT, -sU) and compare results
Use service detection (-sV) to identify services
Document your findings in a simple report format

Remember: Only scan systems you own or have permission to test!

Common Ports Reference

Well-Known Ports (0-1023)

21: FTP
22: SSH
23: Telnet
25: SMTP
53: DNS
80: HTTP
443: HTTPS

Registered Ports (1024-49151)

1433: SQL Server
3306: MySQL
3389: RDP
5432: PostgreSQL
8080: HTTP Proxy
8443: HTTPS Alt

Lesson 2 of 10

Lessons