Common Network Attack Strategies: Network Scanning - dummies

Common Network Attack Strategies: Network Scanning

By Edward Tetz

Network scanning is a useful tool for administrators conducting internal audits; it is also the standard first step of a network attack. Scanning identifies the systems on your network and the services they offer, including services with known vulnerabilities and systems that the IT staff thought were removed from the network years ago.

One of the most common general-purpose network scanners is Nmap (Network Mapper), together with its graphical front end, Zenmap (used here on Windows, but it runs on Linux and macOS as well). From the attack perspective, this tool is part of most attackers' information-gathering arsenal: with a list of systems, operating systems, and running services, an attacker can pick off the weakest members of your network herd.

As an internal auditing tool, use Zenmap to verify which IP addresses on a network are actually in use. Give Zenmap a network ID (for example, 192.168.1.0/24) and a few seconds for host discovery, and it returns the IP addresses in use, the matching MAC addresses (only when the scanner sits on the same network segment, because MAC addresses are learned from ARP), the reverse-DNS names for those systems, the open ports on them, and even the OS type of the hosts it finds. Two caveats: OS detection needs raw-socket privileges, so run the scan as Administrator or root, and a full port, service, and OS scan of each host takes considerably longer than host discovery, as the 147-second single-host scan below shows.

The following output is an example of the type of information a Zenmap or Nmap scan of a single system reports. The verbose service, OS, and script detection shown here corresponds to Nmap's -A -v options, which Zenmap's Intense scan profile uses. From this output alone you can see the following:

  • This is an Ubuntu Linux computer (the SSH banner says Debian 3ubuntu4, Apache reports (Ubuntu), and the OS fingerprint matches a 2.6 kernel).

  • This machine shares files out to Windows-based computers (Samba 3.4.7 on ports 139 and 445, in workgroup NET).

  • This machine also exports file systems over NFS: rpcbind, mountd, nlockmgr, and nfs are all registered with the portmapper.

  • This machine hosts a website (Apache 2.2.14 on ports 80 and 443) and an AJP13 connector on port 8009, which normally fronts a Java servlet container.

  • This machine is running VMware Server 2 (the authentication daemon on port 902 and the web configuration interface on ports 8222 and 8333).

  • This host supports SSH (OpenSSH 5.3p1) and VNC (protocol 3.7) as remote access methods.

  • This host is running a mail server (Exim 4.71) and an FTP server (vsftpd 2.2.2).

  • Something is listening on TCP port 53 (the usual DNS port) but closed the connection before Nmap could identify it (tcpwrapped), and port 1984 is only an unconfirmed guess (bigbrother?), so both need a manual look.

Starting Nmap 5.21 ( ) at 2011-04-15 02:01 Atlantic Daylight Time
NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 02:01
Scanning [1 port]
Completed ARP Ping Scan at 02:01, 0.30s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:01
Completed Parallel DNS resolution of 1 host. at 02:01, 0.00s elapsed
Initiating SYN Stealth Scan at 02:01
Scanning [1000 ports]
Discovered open port 445/tcp on
Discovered open port 111/tcp on
Discovered open port 5900/tcp on
Discovered open port 53/tcp on
Discovered open port 21/tcp on
Discovered open port 80/tcp on
Discovered open port 22/tcp on
Discovered open port 25/tcp on
Discovered open port 443/tcp on
Discovered open port 139/tcp on
Discovered open port 8222/tcp on
Discovered open port 902/tcp on
Discovered open port 8009/tcp on
Discovered open port 8333/tcp on
Discovered open port 1984/tcp on
Discovered open port 2049/tcp on
Completed SYN Stealth Scan at 02:01, 1.53s elapsed (1000 total ports)
Initiating Service scan at 02:01
Scanning 16 services on
Completed Service scan at 02:03, 116.14s elapsed (16 services on 1 host)
Initiating RPCGrind Scan against at 02:03
Completed RPCGrind Scan against at 02:03, 0.03s elapsed (2 ports)
Initiating OS detection (try #1) against
NSE: Script scanning
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:03
Completed NSE at 02:03, 25.06s elapsed
NSE: Script Scanning completed.
Nmap scan report for
Host is up (0.0014s latency).
Not shown: 984 closed ports
21/tcp   open  ftp             vsftpd 2.2.2
22/tcp   open  ssh             OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
| ssh-hostkey: 1024 5b:6d:35:57:65:42:7f:8a:73:7e:00:e3:89:f9:15:bf (DSA)
|_2048 4d:6e:be:c4:3b:0c:55:f5:46:dd:b8:05:05:1c:94:ea (RSA)
25/tcp   open  smtp            Exim smtpd 4.71
| smtp-commands: EHLO linux Hello isc-l0065.local [], SIZE 52428800, PIPELINING, HELP
53/tcp   open  tcpwrapped
80/tcp   open  http            Apache httpd 2.2.14 ((Ubuntu))
|_html-title: Ed's Web Page Test Zone
111/tcp  open  rpcbind         2 (rpc #100000)
| rpcinfo:  
| 100000  2        111/udp  rpcbind   
| 100003  2,3,4   2049/udp  nfs       
| 100005  1,2,3  43439/udp  mountd    
| 100021  1,3,4  52866/udp  nlockmgr  
| 100024  1      57570/udp  status    
| 100000  2        111/tcp  rpcbind   
| 100003  2,3,4   2049/tcp  nfs       
| 100024  1      35177/tcp  status    
| 100005  1,2,3  41859/tcp  mountd    
|_100021  1,3,4  41980/tcp  nlockmgr  
139/tcp  open  netbios-ssn     Samba smbd 3.X (workgroup: NET)
443/tcp  open  ssl/http        Apache httpd 2.2.14 ((Ubuntu))
|_html-title: Ed's Web Page Test Zone
445/tcp  open  netbios-ssn     Samba smbd 3.X (workgroup: NET)
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
1984/tcp open  bigbrother?
2049/tcp open  nfs             2-4 (rpc #100003)
5900/tcp open  vnc             VNC (protocol 3.7)
8009/tcp open  ajp13           Apache Jserv (Protocol v1.3)
8222/tcp open  http            VMware Server 2 http config
|_html-title: VMware Server 2
8333/tcp open  ssl/http        VMware Server 2 http config
|_html-title: VMware Server 2
MAC Address: 00:22:15:BA:93:1C (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31
Uptime guess: 11.438 days (since Sun Apr 03 15:32:20 2011)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=203 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: linux; OSs: Unix, Linux
Host script results:
| nbstat:  
|   NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     LINUX<00>            Flags: <unique><active>
|     LINUX<03>            Flags: <unique><active>
|     LINUX<20>            Flags: <unique><active>
|     \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|     EDTETZ.NET<1d>       Flags: <unique><active>
|     EDTETZ.NET<1e>       Flags: <group><active>
|_    EDTETZ.NET<00>       Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:  
|   OS: Unix (Samba 3.4.7)
|   Name: UnknownUnknown
|_  System time: 2011-04-15 01:59:48 UTC-3
1   1.41 ms
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 147.66 seconds
           Raw packets sent: 1021 (45.684KB) | Rcvd: 1016 (41.416KB)

What does this information allow an attacker to do? It gives him a fairly complete inventory of the services this network device offers, along with product names and version numbers (vsftpd 2.2.2, OpenSSH 5.3p1, Exim 4.71, Apache 2.2.14, Samba 3.4.7). If he wants a way onto the network, he can check each service and version against published vulnerabilities and known weak configurations and use the weakest one as his path to gain access to the system. The same inventory is your audit checklist: anything on it that you did not expect to see should be explained or shut off.

For example, if an attacker finds a Windows computer with TCP port 3389 open, he knows Remote Desktop is listening. He can connect with Remote Desktop Connection (mstsc.exe) and try a number of common passwords for the Administrator account, or he can run tools that exploit known weaknesses in that version of the Windows OS. The same scan result tells you, as the defender, to confirm that an account-lockout policy is in force and that port 3389 is not reachable from networks that have no business using it.
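The auditing use described earlier (turning a scan into an inventory of what is actually listening) and the attacker's use described above (picking the weak services out of that inventory) are both just processing of the port table Nmap prints. The following Python script is an added example, not code from this article or from the Nmap project: it parses the PORT/STATE/SERVICE/VERSION lines of Nmap's normal output and applies a simple triage policy to them. The sample output and the 192.0.2.10 address are constructed to mirror the scan shown above, and SERVICE_RULES is an assumed policy of what to look at first, not a feature of Nmap.

```python
"""Parse the PORT/STATE/SERVICE/VERSION table from Nmap normal output and
flag the services an attacker (or an auditor) would examine first.

Added example for this article; it is not code from the article or the
Nmap project. The sample text and the 192.0.2.10 address are constructed
to mirror the scan shown on the page, and SERVICE_RULES is an assumed
triage policy, not something Nmap provides."""
import re
from dataclasses import dataclass, field

# Constructed sample, abbreviated from the page's scan: script output lines
# (starting with '|') are interleaved exactly as nmap -sV -sC prints them.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0014s latency).
Not shown: 984 closed ports
PORT     STATE SERVICE         VERSION
21/tcp   open  ftp             vsftpd 2.2.2
22/tcp   open  ssh             OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
| ssh-hostkey: 1024 5b:6d:35:57:65:42:7f:8a:73:7e:00:e3:89:f9:15:bf (DSA)
|_2048 4d:6e:be:c4:3b:0c:55:f5:46:dd:b8:05:05:1c:94:ea (RSA)
25/tcp   open  smtp            Exim smtpd 4.71
53/tcp   open  tcpwrapped
80/tcp   open  http            Apache httpd 2.2.14 ((Ubuntu))
111/tcp  open  rpcbind         2 (rpc #100000)
139/tcp  open  netbios-ssn     Samba smbd 3.X (workgroup: NET)
443/tcp  open  ssl/http        Apache httpd 2.2.14 ((Ubuntu))
445/tcp  open  netbios-ssn     Samba smbd 3.X (workgroup: NET)
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
1984/tcp open  bigbrother?
2049/tcp open  nfs             2-4 (rpc #100003)
5900/tcp open  vnc             VNC (protocol 3.7)
8222/tcp open  http            VMware Server 2 http config
"""

# One nmap port line: "21/tcp   open  ftp             vsftpd 2.2.2".
# VERSION is optional (tcpwrapped and guessed services print none).
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+?))?\s*$"
)

# Assumed triage policy keyed on the service name nmap prints (ssl/ stripped).
SERVICE_RULES = {
    "ftp": "clear-text credentials on the wire",
    "telnet": "clear-text credentials on the wire",
    "vnc": "remote desktop; usually password-only authentication",
    "ssh": "remote shell; verify key-based auth and no root login",
    "ms-wbt-server": "RDP; password-guessing target (see the 3389 example)",
    "netbios-ssn": "SMB file sharing; check for guest or anonymous shares",
    "microsoft-ds": "SMB file sharing; check for guest or anonymous shares",
    "nfs": "NFS exports; check for world-mountable exports and no_root_squash",
    "rpcbind": "portmapper lists every RPC service (rpcinfo), including mountd",
    "vmware-auth": "hypervisor management interface exposed to the network",
}


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    tags: list = field(default_factory=list)


def parse_nmap_output(text):
    """Return one PortRecord per port line, in the order nmap printed them."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            records.append(PortRecord(int(m["port"]), m["proto"], m["state"],
                                      m["service"], (m["version"] or "").strip()))
    return records


def triage(records):
    """Tag the open ports worth a closer look and return just those records."""
    flagged = []
    for r in records:
        if r.state != "open":
            continue
        name = r.service.removeprefix("ssl/")  # nmap marks TLS-wrapped services as ssl/<name>
        if name == "tcpwrapped":
            # TCP Wrappers accepted and then closed the connection: the identity is
            # unknown, and the host may answer differently to a permitted source.
            r.tags.append("tcpwrapped: service identity hidden, re-probe from an allowed host")
        elif name.endswith("?"):
            # A trailing '?' is nmap's unconfirmed guess; no banner was matched.
            r.tags.append("unconfirmed service guess; fingerprint manually")
        elif name in SERVICE_RULES:
            r.tags.append(SERVICE_RULES[name])
        if r.tags:
            flagged.append(r)
    return flagged


def report(flagged):
    """Render flagged records as 'port/proto service: reason' lines."""
    return [f"{r.port}/{r.proto} {r.service}: {'; '.join(r.tags)}" for r in flagged]


if __name__ == "__main__":
    print("\n".join(report(triage(parse_nmap_output(SAMPLE_NMAP_OUTPUT)))))
```

Run against the sample, the script flags FTP, SSH, the tcpwrapped port 53, rpcbind, both Samba ports, the VMware authentication daemon (matched after stripping the ssl/ prefix), the unconfirmed bigbrother? guess, NFS, and VNC, while leaving the identified web and mail services off the short list. To use it on a real scan, save Nmap's normal output with -oN and feed that file to parse_nmap_output; the rules table is the part you tune to your own environment.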