Book Image

Network Scanning Cookbook

By : Sairam Jetty
Book Image

Network Scanning Cookbook

By: Sairam Jetty

Overview of this book

Network scanning is a discipline of network security that identifies active hosts on networks and determining whether there are any vulnerabilities that could be exploited. Nessus and Nmap are among the top tools that enable you to scan your network for vulnerabilities and open ports, which can be used as back doors into a network. Network Scanning Cookbook contains recipes for configuring these tools in your infrastructure that get you started with scanning ports, services, and devices in your network. As you progress through the chapters, you will learn how to carry out various key scanning tasks, such as firewall detection, OS detection, and access management, and will look at problems related to vulnerability scanning and exploitation in the network. The book also contains recipes for assessing remote services and the security risks that they bring to a network infrastructure. By the end of the book, you will be familiar with industry-grade tools for network scanning, and techniques for vulnerability scanning and network protection.
Table of Contents (10 chapters)


Today's network environments have a complex structure consisting of firewalls, DMZ, and network devices such as switches and routers. These devices consist of complex access lists and virtual network configurations, which makes it difficult to generalize any activity. A shift in any of the preceding configurations could result in a change of the architecture of the whole network.

If we are looking to perform an IP-based scan on any of the network components, we have to be sure that all the data packets generated are reaching the destination intact and are not being impacted by any of the devices or solutions in between. For example, if Alice is scanning Bob's computer over the network and both of them are separated by a firewall, where Bob's subnet is configured to be in WAN Ping Block Mode as a part of which ping packets will be identified and dropped at the firewall level, Alice's host discovery scans for Bob's computer will result in a false positive that machine is not live.

In order to perform a successful security profiling using a Network Vulnerability Scan, the following factors need to be considered:

  • Scope of the scan
  • Network architecture
  • Network access

Scope of the scan

If we are required to perform a vulnerability assessment for a specific application's infrastructure, it is very important to identify the data transmission sources and the components involved in the end-to-end communication. This will allow the penetration tester to perform the vulnerability scan on this scope and identify vulnerabilities specific to this application. Instead, if we choose to scan the subnets or a broader range of IP addresses, we might end up highlighting unnecessary vulnerabilities, which most of the time leads to confusion during the remediation phase. For example, if we are looking to audit a web-based application, we might be looking to include a web application, application server, web server, and database server as part of the audit scope.

Network architecture

It is always important to understand the placement of the IP address or the component on which we are performing vulnerability scanning. This will help us to customize our approach and to reduce false positives. For example, if Alice is trying to scan a web application hosted behind a web application firewall, she needs to customize the payloads or the scripts used to identify vulnerabilities using techniques such as encoding, to ensure that the payloads are not blocked by the web application firewall.

Network access

When tasked to perform Network Vulnerability Scans on a huge network, it is very important to know whether proper access has been provided to your appliance or host to perform the scanning activity. A network vulnerability scan performed without proper network access will yield incomplete results. It is always recommended to have the scanner appliance or host IP address to be whitelisted across the network devices to obtain full access to the scope of the scan.