Network Scanning

Network scanning is a crucial process that involves identifying active devices, systems, and their network services within a targeted environment. The primary goal of network scanning is to gather detailed information about the network topology, connected devices, open services, and potential vulnerabilities. This process helps penetration testers map out the network, understand its structure, and identify potential entry points for further exploitation.

Working with Network Ranges, Subnets and CIDR

Effective penetration testing requires a thorough understanding of network ranges, subnets, and CIDR (Classless Inter-Domain Routing) notation. This foundational knowledge allows testers to accurately map, scan, and exploit target networks. A target network scope is generally provided as a list of IPs, a CIDR range, or a start and end IP range. The following tools and techniques help you work with these forms to prepare for network scans.

mapCIDR is developed to ease load distribution for mass scanning operations; it can be used both as a library and as an independent CLI tool, for example to expand a given CIDR into its individual addresses or to slice it into smaller subnets. Download here: https://github.com/projectdiscovery/mapcidr

mapcidr -cidr 10.1.1.0/24                        #List every IP in the given CIDR
echo "10.1.0.0-10.1.0.200" | mapcidr             #List every IP in a given start-end IP range
mapcidr -cidr 10.1.1.0/24 -sbc 10 -silent        #Slice the CIDR (or list of CIDRs) into the given number of equal smaller subnets (slice by CIDR count)
mapcidr -cidr 10.1.0.0/16 -sbh 20000 -silent     #Slice the CIDR into subnets holding an equal number of hosts each (slice by host count)

mapcidr -cidr 10.1.1.0/29 >> 10_1_1_0.txt        #List all IP addresses in the network and append them to a file
echo 10.1.0.0/16 | mapcidr -count -silent        #Count the number of hosts in a CIDR (or list of CIDRs)
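The mapcidr operations above (expand, range to CIDR, slice by CIDR count, slice by host count, count) carried out with Python's standard ipaddress module, as an added example that is not part of the original page or of the mapcidr project; the power-of-two restriction on slice_by_count and the "largest power of two not exceeding the host count" block size in slice_by_hosts are this example's own simplifications, not a description of mapcidr's internals.

```python
import ipaddress
from typing import List

def expand_cidr(cidr: str) -> List[str]:
    """Every address in a CIDR, as `mapcidr -cidr` prints it."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False)]

def range_to_cidrs(ip_range: str) -> List[str]:
    """Collapse "start-end" into the minimal list of CIDRs covering it
    (e.g. 10.1.0.0-10.1.0.200 is not a single aligned block)."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in ip_range.split("-", 1))
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]

def slice_by_count(cidr: str, count: int) -> List[str]:
    """Split a CIDR into `count` equal subnets (like -sbc).
    Assumption of this example: count is a power of two, so the split is exact."""
    net = ipaddress.ip_network(cidr, strict=False)
    extra_bits = count.bit_length() - 1
    if count <= 0 or 1 << extra_bits != count:
        raise ValueError("count must be a power of two")
    return [str(n) for n in net.subnets(prefixlen_diff=extra_bits)]

def slice_by_hosts(cidr: str, hosts: int) -> List[str]:
    """Split a CIDR into subnets of at most `hosts` addresses (like -sbh).
    Block size is the largest power of two not exceeding `hosts`, so
    20000 on a /16 yields /18 blocks of 16384 addresses."""
    if hosts < 1:
        raise ValueError("hosts must be positive")
    net = ipaddress.ip_network(cidr, strict=False)
    block_bits = hosts.bit_length() - 1          # 20000 -> 14 -> 16384 addresses
    new_prefix = net.max_prefixlen - block_bits
    if new_prefix <= net.prefixlen:
        return [str(net)]                        # the whole CIDR already fits one block
    return [str(n) for n in net.subnets(new_prefix=new_prefix)]

def count_hosts(cidrs: List[str]) -> int:
    """Total addresses across a list of CIDRs (like -count)."""
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)
```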

Network Address Discovering

Once you have your scope and, using the techniques above, the subnets, ranges, or files of IP addresses to work with, the next step is network scanning: identifying the live hosts on the network, their IP addresses, and their associated MAC addresses. These results can then be cross-checked against the given scope, or added to it, for the next phases such as vulnerability scanning and port scanning.

Netdiscover

Netdiscover is a network reconnaissance tool used primarily for active and passive network scanning. It is effective at identifying live hosts and their details, providing a baseline understanding of the network layout. You can download the tool here: https://github.com/netdiscover-scanner/netdiscover

netdiscover -i eth0           #Basic network scan on a specific interface
netdiscover -r 10.1.1.0/24    #Scan a specific IP range

fping

fping is a fast ping sweep tool that can check the reachability of multiple IPs at once. You can download fping here: https://github.com/schweikert/fping

fping -g 10.1.1.0/24            #Ping sweep of a subnet
fping -a -q -g 10.1.1.0/24      #Display only alive hosts

NetBIOS and SMB Enumeration

NetBIOS and SMB scanning allow the enumeration of hostnames, workgroups, and shares within a network.

nbtscan

nbtscan is a tool you can use to scan for NetBIOS name information in a subnet, helping enumerate Windows network resources. You can download nbtscan here: https://github.com/bonsaiviking/nbtscan

nbtscan 10.1.1.0/24          #Scan the network for NetBIOS names
nbtscan -v 10.1.1.1          #Verbose output of NetBIOS details

smbmap

smbmap is an excellent tool for scanning SMB shares across networks. You can find it here: https://github.com/ShawnDEvans/smbmap.

smbmap -H 10.1.1.1                                              #Enumerate SMB shares on a host
smbmap -H 10.1.1.0/24                                           #Enumerate SMB shares on a subnet

ARP and ICMP Scanning

The following tools help in discovering devices on a network by using ARP and ICMP requests.

arp-scan

arp-scan is used to discover hosts within a local network using ARP packets. You can find the tool here: https://github.com/royhills/arp-scan

arp-scan --interface=eth0 --localnet     #Scan the entire local subnet
arp-scan -I eth0 10.1.1.0/24             #Scan a specific subnet
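The cross-check against the agreed scope described in the Network Address Discovering section, applied to arp-scan style output, as an added example that is not part of the original page or of the arp-scan project. The sample output is constructed to match arp-scan's default line layout (IP, MAC, vendor, with a "(DUP: n)" marker on a repeated reply); the scope parser accepts the three forms the page lists (CIDR, start-end range, single IP), and an IP answered by two different MACs is flagged for investigation rather than silently merged.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the shape of arp-scan's default output (not a real capture).
SAMPLE_ARP_SCAN = """\
Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 10.1.1.50
10.1.1.1\t00:50:56:c0:00:08\tVMware, Inc.
10.1.1.2\t00:50:56:fa:1d:2e\tVMware, Inc.
10.1.1.25\t08:00:27:3b:9d:11\tPCS Systemtechnik GmbH
10.1.1.25\t00:11:22:33:44:55\t(Unknown) (DUP: 2)
10.1.1.200\t3c:52:82:10:20:30\tHewlett Packard
5 packets received by filter, 0 packets dropped by kernel
"""

HOST_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*(.*)$")

def parse_scope(entries: List[str]) -> List[ipaddress.IPv4Network]:
    """Accept CIDR, start-end range, or a single IP (which becomes a /32)."""
    nets: List[ipaddress.IPv4Network] = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    return nets

def parse_arp_scan(output: str) -> Dict[str, List[str]]:
    """Map each responding IP to every MAC that answered; banner/summary lines are skipped."""
    hosts: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            hosts.setdefault(m.group(1), []).append(m.group(2))
    return hosts

def triage(output: str, scope_entries: List[str]) -> Dict[str, List[str]]:
    """Bucket hosts as in/out of scope; flag IPs answered by more than one MAC."""
    nets = parse_scope(scope_entries)
    result: Dict[str, List[str]] = {"in_scope": [], "out_of_scope": [], "duplicate_mac": []}
    for ip, macs in sorted(parse_arp_scan(output).items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        addr = ipaddress.ip_address(ip)
        result["in_scope" if any(addr in n for n in nets) else "out_of_scope"].append(ip)
        if len(set(macs)) > 1:   # two MACs for one IP: misconfiguration or ARP spoofing to look into
            result["duplicate_mac"].append(ip)
    return result
```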

hping3

Another valuable tool for network discovery is hping3. It can send custom ICMP, TCP, and UDP packets. You can download it here: https://github.com/antirez/hping

hping3 -1 10.1.1.x --rand-dest -I eth0 -c 254    #ICMP echo sweep of a subnet; hping3 does not accept CIDR notation, so x marks the octet to randomise and -I is required
hping3 -2 10.1.1.1 -p 445                        #UDP probe of a port; an ICMP port unreachable reply means the port is closed, silence means open or filtered

Wireless Network Scanning

For scanning and discovering wireless networks, the following tools are essential.

Kismet

Kismet is an open-source sniffer, WIDS, wardriver, and packet capture tool for Wi-Fi, Bluetooth, BTLE, wireless thermometers, airplanes, power meters, Zigbee, and more. It is a good tool for wireless network detection and packet sniffing during penetration tests. You can find it here: https://www.kismetwireless.net/

kismet -c wlan0               #Start monitoring WiFi networks on wlan0

Airodump-ng

Airodump-ng is part of the Aircrack-ng suite and is used for scanning nearby wireless networks. You can download Airodump-ng here: https://www.aircrack-ng.org/

airodump-ng wlan0mon          #Scan for nearby wireless networks