Basics of Network Scanners

How Network Scanners Work
It's a big question for newcomers to the hacking field, and I can guarantee that more than 90 percent of existing hackers also don't know how scanners actually work. Script kiddies (hackers who depend only on hacking tools) just know how to scan a host; they don't know how it actually works. Most of you have also used the tool NMAP, and I know 90 percent of you still don't know how it works. So don't get frustrated if I tell you that if you don't know how a thing actually works, you don't know anything about it. You can never explore where else you could use it, or come up with other such innovative stuff.

There are lots of network scanners out there on the market, each supporting a different set of features and each operating in a slightly different way. But all network scanners follow the same basic principles.
All networking applications communicate with each other by sending packets (pieces of data) back and forth. Scanners use this concept to determine things: a scanner sends packets to a computer (host) and receives an acknowledgement (packet) from the system. If a response is received, then the host is alive; otherwise the host is not active (dead), or a firewall is blocking the communication. In the case of NMAP, the firewall almost never comes into the picture, as it has an inbuilt firewall-bypass feature set.
Note: Most large companies use a tool called Port Sentry whose only purpose is to frustrate port scans. Additionally, some firewall features like SYN cookies can make ports appear closed when they are actually open. Cyberoam, Websense and ZoneAlarm (in expert mode) have this feature.
Most network scanners, or we can say most network applications, communicate using either the TCP or UDP protocol. Both protocols use the concept of ports to allow multiple applications to run simultaneously on a single IP address. Both UDP and TCP support 65,536 distinct ports; in the Windows operating system the first 1024 ports are reserved for system processing. This in itself is a huge topic; I will explain it later. Most applications work on their specific default ports, but we can alter that whenever there are extra security or performance related issues. HTTP web servers typically run on TCP port 80, SMTP email servers almost always use TCP port 25, DNS servers use UDP port 53, and the list is endless. Just go to Wikipedia to explore the services and applications that run on specific ports.

In Windows 7, you can easily view which ports are being used by which application or service. Just go to Start and in the search box type "Windows Firewall with Advanced Security" (without quotes). Click to open it; there you will find Inbound Rules and Outbound Rules, which show which port is currently being used by which application, and this also allows you to open and close specific ports for specific programs.

Network scanners determine what network application is running on a given computer by testing TCP and UDP ports to see whether they accept connections. If TCP port 80 is open on a specific computer, it is assumed that it is running an HTTP web server. Now we must also know the different types of scanning. There are basically two types of network scanning: TCP scanning and UDP scanning.
I'm in a pretty good mood today, so let's learn that today as well.

TCP Scanning
The main goal of a TCP scan is to determine which TCP ports have applications listening on them. For a TCP scan, no actual communication with the listening application is needed, as a TCP scan lets you find out which ports are open without completing the full connection. TCP connections use a three-way handshake. To see whether an application is listening on a specific port, the scanner sends a TCP SYN packet to the port and waits for the response. If a SYN/ACK packet is returned, the port is open. If an RST packet is returned, the port is closed.
Most importantly, if no response is received after some time, then the port is considered filtered (i.e. some firewall or antivirus program is blocking connections to the port), or there is no host alive at that IP address.
Now let's learn what UDP scanning is.

UDP Scanning
UDP scanning is a little trickier and more difficult than TCP scanning. UDP is a fire-and-forget protocol, meaning we just send the packet and nothing is returned, so it's quite difficult to find out anything without a response. Also, we cannot determine whether the host is alive, dead or filtered. However, there is one ICMP concept that actually helps scanners determine open or closed ports. If a UDP packet is sent to a port without an application bound to it, the IP stack will return an ICMP port unreachable packet. Scanners assume that if a port returned an ICMP error then it is closed, while ports that didn't answer are either open or filtered by a firewall.
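The state inference from the TCP and UDP sections above, as an added example (not code from the original post or from NMAP): it takes a constructed log of probes and their responses and applies the rules just described, plus the host-liveness rule from earlier. It goes slightly beyond the post in two assumed ways: a UDP payload reply is reported as open, and ICMP type 3 codes other than 3 (port unreachable) are reported as filtered.

```python
from collections import defaultdict
from dataclasses import dataclass

# A probe the scanner sent and what came back before its timeout. Responses are
# constructed labels, not real captures: TCP -> "SYN/ACK", "RST" or None;
# UDP -> "UDP" (a payload reply), ("ICMP", type, code) or None.
@dataclass(frozen=True)
class Probe:
    proto: str
    port: int
    response: object = None

def tcp_state(resp) -> str:
    # SYN-scan rule: SYN/ACK -> open, RST -> closed, silence -> filtered.
    return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[resp]

def udp_state(resp) -> str:
    # UDP rule: ICMP type 3 code 3 (port unreachable) -> closed, silence ->
    # open|filtered. Assumed extension: a UDP reply proves open, and any other
    # ICMP type 3 code (e.g. 13, admin prohibited) is reported as filtered.
    if resp is None:
        return "open|filtered"
    if resp == "UDP":
        return "open"
    if isinstance(resp, tuple) and resp[0] == "ICMP" and resp[1] == 3:
        return "closed" if resp[2] == 3 else "filtered"
    raise ValueError(f"unexpected UDP response {resp!r}")

# Silence is weak evidence, so when a port was probed more than once any
# definite answer outranks a timeout.
_RANK = {"open": 0, "closed": 1, "filtered": 2, "open|filtered": 3}

def scan_summary(probes) -> dict:
    seen = defaultdict(list)
    for p in probes:
        rule = tcp_state if p.proto == "tcp" else udp_state
        seen[(p.proto, p.port)].append(rule(p.response))
    return {k: min(v, key=_RANK.__getitem__) for k, v in seen.items()}

def host_alive(probes) -> bool:
    # Any reply proves the host is up; total silence cannot tell a dead host
    # from one behind a firewall that drops everything.
    return any(p.response is not None for p in probes)

SAMPLE = [  # constructed probe log for one host
    Probe("tcp", 80, "SYN/ACK"), Probe("tcp", 25, "RST"),
    Probe("tcp", 445), Probe("tcp", 445),             # two timeouts
    Probe("udp", 53), Probe("udp", 53, "UDP"),        # retry drew a reply
    Probe("udp", 161, ("ICMP", 3, 3)), Probe("udp", 123, ("ICMP", 3, 13)),
]
```

Running `scan_summary(SAMPLE)` reports TCP 80 open, 25 closed, 445 filtered, UDP 53 open, 161 closed and 123 filtered; the ambiguity of silence is why a real scanner retries before reporting.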

That's all for the overall concept of what network scanners are, what network scanning is, how network scanning actually works, and the different types of network scanning.