Tools to Scan Systems as Part of an Ethical Hack
Using scanning systems for ethical hacks can be a good way to gather information. Active information gathering produces more details about your network and helps you see your systems from an attacker’s perspective. For instance, you can
Use the information provided by your Whois searches to test other closely related IP addresses and hostnames. When you map out and gather information about a network, you see how its systems are laid out. This information includes determining IP addresses, hostnames (typically external but occasionally internal), running protocols, open ports, available shares, and running services and applications.
Scan internal hosts when and where they are within the scope of your testing. These hosts might not be visible to outsiders, but you absolutely need to test them to see what rogue employees and other insiders can access. A worst-case situation is that the hacker has set up shop on the inside. Just to be safe, examine your internal systems for weaknesses.
If you’re not completely comfortable scanning your systems, consider first using a lab with test systems or a system running virtual machine software, such as the following:
Scan and document specific hosts that are accessible from the Internet and your internal network. Start by pinging either specific hostnames or IP addresses with one of these tools:
The basic ping utility that’s built in to your operating system
The site www.whatismyip.com shows how your gateway IP address appears on the Internet. Just browse to that site, and your public IP address (your firewall or router — preferably not your local computer) appears. This information gives you an idea of the outermost IP address that the world sees.
Scan for open ports by using network scanning tools:
Scan network ports with NetScanTools Pro or Nmap.
Scanning internally is easy. Simply connect your PC to the network, load the software, and fire away. Just be aware of network segmentation and internal intrusion prevention systems (IPSs) that may impede your work. Scanning from outside your network takes a few more steps, but it can be done.
The easiest way to connect and get an outside-in perspective is to assign your computer a public IP address and plug that workstation into a switch or hub on the public side of your firewall or router.
Physically, the computer isn’t on the Internet looking in, but this type of connection works just the same as long as it’s outside your firewall and router. You can also do this outside-in scan from home or from a remote office location.