Ethical Hacking Tutorial

Network Scanning Practical For Ethical Hacking

Crafting UDP and TCP Packets Using HPING3

  1. Launch a command terminal. Write hping3 -c 3 and press Enter.

The meaning of -c 3 is that only three packets will be sent to the target machine. 

  1. Write hping3 --scan 1-3000 -S and press Enter.

--scan is meant to specify the port range to scan, whereas -S shows the SYN flag

  1. Write hping3 --udp --rand-source --data 500 and press Enter. It will run the UDP packet crafting.

  2. Now, write hping3 -S -p 80 -c 5 and press Enter. It will send the TCP SYN request to the target machine.

Here, the role of -S is to send a TCP SYN request to the target machine, whereas, -p represents the port through which the traffic will pass. -c shows the number of packets sent. 

  1. Write hping3 --flood and press Enter.

Network Scanning Using Colasoft Packet Builder

Dir-“Module 03 Scanning Networks\Packet Crafting Tools\Colasoft”

  1. The Colasoft Packet Builder GUI appears. Click the Toolbar option and select the Adapter icon.

If you see the Colasoft Packet Builder pop-up, close it.

  1. The Select Adapter window appears. Check the Adapter settings, and click OK.

  2. In the toolbar, click on Add for creating a new packet.

  3. From the Add Packet dialog box, choose ARP Packet template. You should set the Delta Time to 0.1 second. Then, click on OK.

  4. The list of added packets can be seen under the Packet List on the right-hand side of the window. 

Before sending a packet, the hackers will configure the source & destination IP addresses in the list of packets.

Colasoft Packet Builder comes with Decode Editor and Hex Editor which helps you to edit the decoding-information. You can find these editors in the left side of the window. 

Select the item to be edited by double clicking it. The Hex Editor shows the packet contents in raw hexadecimal, along with its ASCII equivalent. 

  1. Click on Send All in the menu bar. It will send all the packets in one go.

  2. Select the Burst Mode from the Send All Packets window, and click on Start

  3. After initiating the Burst Mode, close the window. 

After the configuration of source and destination IP addresses and sending the created packet, you can check it by performing a packet sniffer in the machine. 

Once the ARP packet is broadcasted in the network, the machines which are active will get the packet. For some, there will be ARP responses. You can check which machines are replying to the ARP packet using packet monitoring apps like Colasoft Packet Capture and WireShark. These applications keep a log of all the packets sent to the network. 

  1. For exporting the packets, click on Export > All Packets.

  2. The Save As window will show up. Select your preferred location to save the packets. Enter a filename and select Colasoft Packet File (*.cscpkt) from the Save as type dropdown. Click on the Save button. 

  3. The packet file will be exported and saved on the selected destination folder. You can use it for further references. 

So, this is how you build an ARP frame with the help of Colasoft Packet Builder and send it. 

Basic Network Troubleshooting Using MegaPing

Dir-“Module 03 Scanning Networks\Scanning Tools\MegaPing”

  1. The MegaPing (Unregistered) GUI will show up, where you can see the System Info.

  2. Choose the IP scanner from the left side, add the IP range in From & To fields. Click on Start.

  3. In MegaPing, the list of IP addresses can be found under the particular target range. Here, you can also check the TTL (time to live), Status (dead or alive), as well as the stats of the dead and alive hosts.

  4. Right click on an IP address, and click on Traceroute.

This is how an IP address in Windows Server 2021 is selected.

  1. MegaPing will now redirect you to the Traceroute section, where you can see the number of hops in a host machine. 

  2. From the left side, choose the Port Scanner. Write the IP address of the Windows Server 2012 machine below the Destination Address. Click on Add.

  3. Check the IP address and click on Start to initiate the listening of traffic to the specified IP address.

  4. MegaPing shows the list of ports related to Windows Server 2012. It also shows the port type, keyword, risk, port no., as well as description.

  5. Once the lab is completed, exit Megaping. 

This is how you scan the active hosts and run traceroute and Port scanning.

How to Scan Networks Using Nmap?

  1. Write nmap -O with the range of IP addresses in the Nmap-Zenmap GUI. Click on Scan to initiate the scanning of the subnet.

Using asterisk (*), you can perform scanning on the entire subnet or IP range. It helps in finding all the active hosts with Nmap.

  1. Nmap will perform scanning of the entire network and show details about all the hosts that were scanned. You can also see open ports, device types, operating system details, etc.

To see the details, scroll down or choose the IP address of a host from the list.

  1. Click on Ports/Hosts and select the IP address of a host. It will show all the open ports related to the selected host.

  2. To see the topology of the target network, click on Topology.

  3. To see the topology clearly, you can click on the Fisheye option.

  4. Click on Host Details and choose the IP address of a host to see the host details found during scan. 

  5. Click on Scans to see the scanning status.

  6. Click on Services and choose each service for listing the ports on which the service is running, version, state, etc.

  7. Write nmap --packet-trace along with IP address of the target machine in the Command text field.

  8. Click on Scan to initiate the scanning of the machine. 

Here, the target machine is Windows 10. The IP address will be unique for each machine.

Let the Profile field remain blank since you are doing a network inventory for the targeted machine.

The scanning process usually takes 5 to 10 minutes for completion. 

Nmap issues the --packet-trace command and sends the packets to the target machine. It then receives the responses in the form of packets for the ones sent.

  1. After sending the packet, you can see the packets sent and received from host to target and vice versa, in the Nmap Output tab.

  2. Click on Ports/Hosts to see more details about the scan results. It will show the Port, Protocol, Service, State, and Version of the scan.

  3. Write the IP address of the target machine in the Target field, choose Show comprehensive scan from the Profile dropdown, and click on Scan.

Here, Windows 10 is the target machine. IP address varies for each device or machine. The scanning usually takes 5 to 10 minutes for completion. 

  1. For running a Null Scan for an IP address, first create a new profile. For this, Click on Profile > New Profile, or Command Ctrl+P.

  2. In the Profile name, write Null Scan.

  3. Click on Scan in the Profile Editor. Choose Null Scan (-sN) from the TCP Scan drop-down. 

From the Non-TCP scans, choose None. From the Timing template list, choose Aggressive (-T4). Checkmark the Enable all advanced/aggressive options (-A) and click on Save Changes.

This configuration helps in setting Nmap for running null scan with the time template of -T4, while keeping the aggressive options enabled. 

  1. Write the target IP address in Zenmap main window for scanning. From the Profile dropdown, choose Null Scan, and click on Scan. Once Nmap is done with the scanning, it will show the results in Nmap Output.

Various Network Scanning Techniques Using Nmap

To check the availability of a port, TCP connect() scan makes use of normal TCP connection. In Xmas Scan, TCP segments are sent in the packet header along with the flags. It generates packets that are not legal, as per the RFC 793. 

In ACK Flag Scan, an ACK probe is sent with the random sequence number. In UDP Scan, a generic UDP packet is sent to the target. Whereas, IDLE Scan includes sending of spoofed packets to the target. 

In this lab, learn how to implement the the following types of network scanning techniques using Nmap:

  • TCP Connect Scan

  • Xmas Scan

  • ACK Flag Scan

  • UDP Scan

  • IDLE Scan


  1. Open the command-line terminal and write nmap -sST -T3 -A command. Press Enter. It will run a TCP Connect Scan of the Windows Server 2012 machine.

Here, -T switch is meant for timing template, -A switch for enabling detection of OS, version, script scanning, and traceroute. 

TCP Connect Scan is considered as the fundamental form of TCP scanning. The connect() system call in the OS is meant to open the connection to all the relevant ports on the machine.  

The connect() will run successfully if the port listens. Else, it means that the port can't be reached. A primary benefit of using this technique is that it doesn't require any special privileges.

  1. It will run a TCP scan in aggressive mode with the default timing (-T3). On completion of scanning, it will show the results. 

The scanning generally takes up to 5 minutes in completion. The results contain all the open ports, OS fingerprint, nbtstat, smb-os-discovery, smb version, etc. 

  1. Now, run an Xmas scan on the Firewall-enabled machine and check the results. Open the Windows Server 2012 machine, log in to it, and enable Windows Firewall.

  2. Return to the Kali Linux machine. 

Write nmap -sX -T4 in the command prompt. Press Enter to run Xmas scan with an aggressive timing of -T4.

It will show the result, including the open & filtered ports, which means the target machine has the firewall configured on it. 

  1. Turn the Windows Firewall off.

  2. Write nmap -sA -v -T4 in the command-line terminal. Press Enter

It will start the ACK Scan and show the port deposition. 

Hackers use a random sequence number while sending an ACK probe packet. If there is no response, the port is filtered. Unfiltered response represents that the port is closed. 

  1. Write nmap -Pn -p 80 -sI command and press Enter

In case the port on the target machine is closed, enforce IDLE scab by probing other ports. Other port numbers can also be tested. 

  1. Now, rather than checking the systems one by one, perform a ping sweep to check all the alive systems on the network.

Write nmap -sP 10.10.10.* in the terminal window and press Enter. It will run the scan on the entire subnet for the alive systems. 

  1. Using this way, you can also apply several more scanning techniques, like Inverse TCP Flag Scan and Stealth Scan for finding open ports, services active on the ports, etc. 

Once the lab is complete, close the terminal window and the Windows firewall window.

How to Scan Networks Using NetScanTools Pro?

This lab is aimed to help you understand how to run ARP Ping Scan, DHCP Server Discovery, Ping Scan, and Port Scan with NetScanTools Pro. 

Dir=“Module 03 Scanning Networks\Ping Sweep Tools\NetScan Tools Pro”

  1. Open NetScanTools Pro.

  2. Click on Start the DEMO once the Reminder window opens.

If you choose the Launch NetScanTools Pro on the installation wizard, the Reminder window will show up as soon as you click Finish.

  1. Click on Start NetScanTools Pro Demo once the DEMO Version window appears.

  2. Click on Manual Tools (All) and choose the ARP Ping tool.

ARP Ping tool helps in sending ARP packets to the target IP address. You can find the response time for the request you sent, even for hidden devices and those that don't respond to pings. You can also use it for searching various devices having the same IP address on a Local Area Network (LAN).

  1. A dialog box will show up with the explanation of the ARP Ping Tool. Click on OK

  2. Choose Send Broadcast ARP and then choose Unicast ARP radio button. Write the IP address of Windows 10 in the Target IPv4 Address field. Click on Send Arp.

  3. NetScanTools Pro will show the Response time and the MAC Address of the target machine.

  4. Click on ARP Scan (MAC Scan) tool under Manual Tools (all).

ARP Scan, sometimes, also known as MAC Scan, will send the ARP packets to the IPv4 addresses entered in the Start and End IP Address entry boxes. 

  1. A dialog box will show up with the explanation of ARP Scan tool. Click on OK

  2. Write the IP addresses in Starting IPv4 Address and Ending IPv4 Address tables. Click on Do Arp Scan

  3. It will display the IP addresses and MAC addresses of all the devices on the LAN, along with Hostname and I/F Manufacturer.

  4. From the list of manual tools, click on Ping Scanner under Manual Tools (all).

Using the Ping Scanner Tool, you can see the active devices on the network.

  1. A dialog box will show up with the explanation of the tool. Click on OK.

  2. Click on Use Default System DNS. Write the range of IP addresses in the Start IP and End IP tables. Click on Start

  3. Once the Ping Scanner notice pop-up comes, click on I Accept.

  4. Select a browser to see the Ping Scan Result

  5. The report will appear in the browser, showing the number of active IP addresses for specified ranges. Check the results and close the browser. 

  6. Click on Port Scanner under Manual Tools (all).

The tool will check the active ports on the target device.

  1. A dialog box will show up with the explanation of the Port Scanner tool. Click on OK.

  2. Write the IP Address in the Target Hostname or IP Address field. Choose TCP Full Connect and click on Scan Range of Ports

  3. When the Port Scanner notice comes up, click on I Accept.

  4. NetScanTools Pro will show all the ports and destinations.

  5. Close the NetScanTools Pro window. 

Using the above scanning techniques, you can find a list of devices on a network, along with their IP and MAC addresses, open ports, etc. Hackers can choose the target host and port to make entry into the network and do malicious activities, like sniffing, ARP poisoning, etc.

How to Avoid Scanning Detection Using Decoy IP Addresses?

You should know how to perform networking in a way that your attempts are not detected by the network security tools, firewalls, IDS, etc.

Here, you will use multiple decoy IP addresses for avoiding detection from firewalls and IDS. 

  1. Turn ON the Windows Defender Firewall on your Windows 10 system before getting started with this lab.

  2. Open Wireshark and double-click on Ethernet to initiate capturing of network traffic.

  3. Open a command terminal, write nmap -f and press Enter. Since you have turned ON the Windows Firewall, the status of ports will be shown Filtered. 

  4. Write nmap -mtu 8 and press Enter. It will help you to send small packets, rather than sending the complete packet in one go. 

This command sends the packets and scans the target machine with a Maximum Transmission Unit Size of 8 bytes.

  1. Write nmap -D RND: and press Enter. It will scn the multiple decoy IP addresses. Nmap will transmit various packets with unique IP addresses, along with your attacker IP address.

  2. You can view that the requests have arrived from different unknown IP addresses.

How to Draw Network Diagram Using SolarWinds Network Topology Mapper?

While doing security assessment, you will need to create a target network diagram with the IP range received during the information gathering stage. 

SolarWinds Network Topology Mapper is a tool to automatically find the network and produce a detailed network diagram. You can export it to Visio or MS Office. The tool will identify the new devices and updates to network topology. Network Topology Mapper makes it simple to manage inventory for hardware and software assets, resolve reporting requirements for PCI compliance, as well as other regulatory needs. 

This lab is aimed to help you learn how to use Network Topology Mapper for creating a network topology diagram of the target network. 

Dir=“Module 03 Scanning Networks\Network Discovery Tools\Network Topology Mapper”

  1. Click on Evaluation once the SolarWinds license pop-up comes.

  2. Click on No, I would not like to participate when the Help SolarWinds Improve window comes. Then click on OK.

  3. After installation, the SolarWinds Network Topology Mapper will come. Click on Close

  4. When the SolarWinds pop-up comes, click on Continue Evaluation

  5. Now, the main window of the SolarWinds Network Topology Mapper will open, along with the welcome screen. Click on New Network Scan on the Welcome Screen. 

  6. When the Set a Maps Password window opens, write a password in the New Password field. Re-enter the same in the next field. Click on Save

  7. In the Network Discovery Scan window, find the SNMP Credentials section. Here, choose Private in the Stored Credentials section, and choose Public in Discovery Credentials. Click on Next

  8. When the WMO Credentials section shows up, click on Next.

  9. When the VMware Credentials section shows up, click on Next.

  10. Now, the Network Selection section will show up, click on IP Ranges. Write the IP address range in the Start Address and End Address field. Click on Next

  11. In the Discovery Settings section, write the name for Scan Name and click on Next

  12. The Scheduling section will show up. From the Frequency dropdown, choose Once and click on Yes, run this discovery now. Click on Next

  13. In the Summary section, click on Discover.

  14. It will start scanning the network for live hosts. 

  15. You can view the scan results in the primary window of the SolarWinds Network Topology Mapper. 

  16. Expand Node Display Options, as well as Map Layouts nodes. In the IP address option, you can see the IP addresses for the nodes in the layout. 

  17. Right-click on a node, choose Node Properties, to see the details about a node. 

  18. The Details will open, showing the information about a selected node.

Analyze the network diagram and close the window. 

  1. Right-click on a node, choose Integration with Windows Tools, and click on Remote Desktop.

  2. In the Windows Security, enter the credentials of the Windows 8 user, and press Enter

  3. When the Remote Desktop Connection pop-up comes, click on Yes

  4. It will successfully set the Remote Desktop Connection. You can view and use other options, like Ping, Telnet, and Traceroute. Hackers can also use this tool to create network diagrams, find the active hosts on a network, run Ping, Telnet, etc. 

  5. Close the Remote Desktop Connection. 

Check the network diagrams. After that, you can go through the other features and finally close the application.

How to Use Angry IP Scanner to Check Live Systems?

Angry IP Scanner is an efficient tool for scanning IP addresses and ports. It pings and checks whether an IP address is alive, determines MAC address, scan ports, etc. 

While scanning a network during security assessment, there may be a need for scanning the devices on a network within the specified IP range. This lab will demonstrate how to scan and detect such network devices using Angry IP Scanner. 

Dir=“Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner”

  1. From the Start menu, open the Angry IP Scanner.

  2. It will start and show a Getting Started window. Click on Close.

  3. Enter the IP range as to in the IP Range fields.

Click on the Preferences icon.

  1. It will open the Preferences window. From the Scanning tab, find the Pinging, and choose the Pinging Method as Combined UDP+TCP.

  2. In the Ports tab, find the Port Selection and enter the range as 1-1000.

  3. In the Display tab, find Display in the results lists section, and choose Alive hosts (responding to ping). Click on OK.

  4. Click on Start to initiate scanning of the IP range entered. 

  5. Angry IP Scanner will start the scanning process and show the list of alive hosts detected. 

The scanning process usually takes up to 20 minutes to complete.

  1. After scanning, the Scan Statistics window will show up. Check the total number of alive hosts, and click on Close.

  2. You can view the IP addresses along with their hostnames and open ports. To see the details about an IP address, double-click on it. 

  3. Once you have analyzed the results, close the Angry IP Scanner application.

How to Scan Network Traffic Going Through a Computer’s Adapter Using IP-Tools?

IP-Tools come with numerous functionalities and provide TCP/IP utilities through one program. It can be used for several types of activities, like network monitoring, spoofing, filtering, decoding, and parsing. 

Adapter Statistics program can also give textual and graphical data with support for the majority of network protocols.

When doing scanning, your attempts should not be limited to one method or type. You should use different tools and techniques. In this lab, let's understand how you can detect live hosts and open ports in a network with IP-Tools.

Dir=“Module 03 Scanning Networks\Scanning Tools\IP-Tools”

  1. When 'This program will install IP-Tools 2.70. Continue' pop-up shows us, click on Yes.

Follow the steps recommended by the installation wizard and complete the installation.

  1. The primary window of the IP-Tools will show up, with Local Info by default.

In case the app doesn't start automatically, launch IP-Tools from the Start menu.

  1. Click on the Name Scanner tab. Write in the From Addr. field, and in the To Addr. field. Click on Start

The scanner will enumerate the system names in the IP range and show them. 

  1. Click on Port Scanner. Write in the From Addr. field, and in the To Addr. field. Click on Start.

Port scanner will initiate the scanning for open ports in the hosts and show them.

  1. Click on UDP Scanner. Write in From Addr. field, and in To Addr. field. Click on Start.

UDP scanner will initiate the scanning for open UDP ports in the hosts and show them.

  1. Click on Ping Scanner. Write in From Addr. field, and in To Addr. field. Click on Start.

Ping scanner will initiate the scanning for alive hosts on the network, and show them. 

  1. Check the results and analyze them. 

How to Identify Target System OS Using Wireshark?

The purpose of identifying the target system operating system is to find the vulnerabilities in the system that can be exploited for additional attacks. 

OS can be identified by having a look at its TTL and TCP Window Size in the IP header of the 1st packet in a TCP session.

Here, packet-sniffing tools like Wireshark will be used to sniff the responses from the target machine. It will help in looking at the TTL and TCP window sizes.

  1. Open the Wireshark app. (Target)

  2. Double-click on Ethernet to initiate the capturing of network packets.

  3. (Attacker Windows) Open Command Prompt.

  4. Write ping in Command Prompt and press Enter. It will ping the Windows Server 2016 machine.

  5. Come back to the Windows Server 2016 machine and choose ICMP packet. Open the Internet Protocol Version 4 in the Packet Details pane. Note the TTL value.

  6. Click on Capture > Restart. If a pop-up shows up, click on Continue Without Saving.

  7. Open a command terminal in Ubuntu. Write ping and press Enter. Once a few packets are sent, press Ctrl+C to stop the pings.

  8. Come back to the Windows Server 2016 machine. Click on Windows Server 2016 and choose ICMP packet from Ubuntu. Open Internet Protocol Version 4 in the Packet Details. Note the TTL value.

  9. Do a comparison of all the TTL values to find the operating system of the target machines.

It’s Quiz Time!

Did you find this article helpful?