MODULE 4: INTRODUCTION TO NETWORK SCANNING
An IP address or Internet Protocol address is a logical address that is used to identify hosts on a
given network. It consists of four numeric fields, called octets, which are separated from each
other by periods or dots. There are five classes of IP addresses, class A, B, C, D and E. Each class
has a particular IP address range associated with it. An example of a class A IP address is 10.1.2.3.
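As an added example that is not part of the course text, the following Python code parses a dotted-quad address into its four octets, rejects malformed input, and reports the classful range (A to E) from the first octet. It also returns the default network mask for classes A to C; those mask values are the standard classful defaults and are not something the module itself states.

```python
# Added example, not part of the course text: parse an IPv4 address into its
# octets and determine its classful range from the first octet.
# Class boundaries (first octet): A 0-127, B 128-191, C 192-223,
# D 224-239 (multicast), E 240-255 (reserved).
from typing import List, Optional, Tuple

# Default network masks of the classful scheme (classes D and E have none).
CLASSFUL_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def parse_ipv4(address: str) -> List[int]:
    """Split 'a.b.c.d' into four integers, raising ValueError on bad input."""
    fields = address.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"expected 4 octets, got {len(fields)}: {address!r}")
    octets = []
    for field in fields:
        # isascii() guards against non-ASCII digits that int() would accept
        if not (field.isascii() and field.isdigit()):
            raise ValueError(f"octet {field!r} is not a decimal number")
        value = int(field)
        if value > 255:
            raise ValueError(f"octet {value} is outside 0-255")
        octets.append(value)
    return octets


def ip_class(address: str) -> str:
    """Return the classful letter A-E determined by the first octet."""
    first = parse_ipv4(address)[0]
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def classful_network(address: str) -> Optional[Tuple[str, str]]:
    """Return (network address, default mask) for classes A-C, else None."""
    octets = parse_ipv4(address)
    cls = ip_class(address)
    if cls not in CLASSFUL_MASKS:
        return None
    mask = [int(o) for o in CLASSFUL_MASKS[cls].split(".")]
    network = ".".join(str(o & m) for o, m in zip(octets, mask))
    return network, CLASSFUL_MASKS[cls]


if __name__ == "__main__":
    for addr in ("10.1.2.3", "172.16.5.9", "192.168.1.1", "224.0.0.1", "240.0.0.1"):
        print(addr, ip_class(addr), classful_network(addr))
```

The validation matters in practice: tooling that accepts "256.1.1.1" or a five-field string silently and then passes it on to a scanner or a firewall rule produces confusing results, so the parser raises on anything that is not four decimal numbers in 0-255.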
In the world of hacking, an IP address is like a residence address for a particular device that is
connected to a network. It is difficult for humans to remember IP addresses; therefore, the
mapping between domain names and IP addresses is usually handled by DNS. For example, for the
domain name 'www.abcd.com', the IP address 22.214.171.124 could be the address to which the
domain name is resolved when a hacker wants to navigate to the target website. On a global
scale, the IP address ranges are assigned by IANA.
There are many online tools / websites available to trace any IP Address details. For example:
http://whatismyipaddress.com/. This website provides the IP Address Information such as Internet
Service Provider name and organization, Type of Connection, City with location, region with
Packet Internet Groper or PING is a command to check whether a host connected to a network is
live or not. A host is considered to be live if it replies to the ping requests; if it does not
reply to the ping request, it is considered to be either behind a firewall or offline. Ping
uses the Internet Control Message Protocol or ICMP. Hackers use this protocol for their
hacking activities, but error identification and notification were the primary goals behind the
creation of this protocol.
The following is the way PING works. The attacker sends an ICMP Echo Request to the host:
Attacker --- ICMP (Echo Request) ---> Host
The target host will send a reply if it is connected to the internet:
Host --- Echo Reply (ICMP) ---> Attacker
The target host will not respond if it is not connected to the internet:
Host --- (No Response) --- Attacker
Multiple PING requests can be sent to several different computer systems using the PING sweeping
method. It is much faster than pinging hosts one by one, since a plain PING sends requests to only
one host at a given time.
Using Traceroute for network information
One can find out the way in which devices are connected in a network by using the traceroute
command. One can also find out information regarding the network's class and topology,
which can be used to discover possible weak points in a network that could be exploited by an
attacker. Critical information regarding a target network and the target computer systems can be
discovered with the help of traceroute, and hence every security professional should know how to
use it. Traceroute was initially created for troubleshooting network issues. The path between two
systems can easily be found using the traceroute command.
Countermeasures against tracerouting:
1. An outgoing ICMP port unreachable message may indicate that a traceroute probe was received.
Such messages should be monitored properly and blocked as necessary.
2. Large numbers of outgoing ICMP time exceeded error messages should be disabled and the
traffic should be monitored.
3. UDP port scanning should be disabled.
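As an added example that is neither the module's code nor any vendor's tool, the following Python script applies the module's ideas on the monitoring side. It parses constructed firewall-style log lines (the line format and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are made up for this example) and flags two things: an external source whose Echo Requests reach many distinct internal hosts within a short window, which is what a ping sweep looks like from the inside, and an external address that receives several outgoing ICMP time exceeded or port unreachable messages from internal hosts, the traffic that countermeasures 1 and 2 above say to monitor. The internal range, the thresholds and the window are assumptions to tune for a real network.

```python
# Added example, not the course's code: detect ping sweeps and likely
# traceroute probes from ICMP log lines. Log format and addresses are
# constructed for the example.
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=icmp type=(?P<type>\d+) code=(?P<code>\d+)$"
)
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal range

SAMPLE_LOG = """
2024-05-01T10:00:00 src=198.51.100.7 dst=192.0.2.10 proto=icmp type=8 code=0
2024-05-01T10:00:01 src=198.51.100.7 dst=192.0.2.11 proto=icmp type=8 code=0
2024-05-01T10:00:02 src=198.51.100.7 dst=192.0.2.12 proto=icmp type=8 code=0
2024-05-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 proto=icmp type=8 code=0
2024-05-01T10:00:03 src=198.51.100.7 dst=192.0.2.13 proto=icmp type=8 code=0
2024-05-01T10:00:04 src=198.51.100.7 dst=192.0.2.14 proto=icmp type=8 code=0
2024-05-01T10:00:05 src=198.51.100.7 dst=192.0.2.15 proto=icmp type=8 code=0
2024-05-01T10:00:07 src=203.0.113.5 dst=192.0.2.10 proto=icmp type=8 code=0
2024-05-01T10:00:12 src=203.0.113.5 dst=192.0.2.10 proto=icmp type=8 code=0
2024-05-01T10:01:00 src=192.0.2.1 dst=203.0.113.9 proto=icmp type=11 code=0
2024-05-01T10:01:00 src=192.0.2.2 dst=203.0.113.9 proto=icmp type=11 code=0
2024-05-01T10:01:01 src=192.0.2.20 dst=203.0.113.9 proto=icmp type=3 code=3
2024-05-01T10:01:05 src=192.0.2.20 dst=203.0.113.5 proto=icmp type=3 code=3
2024-05-01T10:01:09 src=203.0.113.9 dst=192.0.2.20 proto=icmp type=11 code=0
""".strip().splitlines()


def parse_line(line: str) -> Dict:
    """Turn one log line into a record; unknown lines raise rather than vanish."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "type": int(m["type"]), "code": int(m["code"])}


def detect_ping_sweep(records: List[Dict], min_targets: int = 5,
                      window: timedelta = timedelta(seconds=10)) -> Dict[str, int]:
    """Map source -> largest number of distinct Echo Request targets seen
    inside any single time window (sliding window per source)."""
    by_src = defaultdict(list)
    for r in records:
        if r["type"] == 8:  # ICMP Echo Request
            by_src[r["src"]].append((r["ts"], r["dst"]))
    flagged: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()  # dst -> requests inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:  # drop events that aged out
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


def detect_traceroute_probes(records: List[Dict], min_msgs: int = 3) -> Dict[str, int]:
    """Map external address -> count of outgoing ICMP time exceeded (type 11)
    or port unreachable (type 3, code 3) messages sent to it by internal hosts."""
    per_dst: Counter = Counter()
    for r in records:
        src_internal = ipaddress.ip_address(r["src"]) in INTERNAL_NET
        dst_internal = ipaddress.ip_address(r["dst"]) in INTERNAL_NET
        time_exceeded = r["type"] == 11
        port_unreachable = r["type"] == 3 and r["code"] == 3
        if src_internal and not dst_internal and (time_exceeded or port_unreachable):
            per_dst[r["dst"]] += 1
    return {dst: n for dst, n in per_dst.items() if n >= min_msgs}


def analyze(lines: List[str]) -> Dict[str, Dict[str, int]]:
    records = [parse_line(line) for line in lines]
    return {"ping_sweep": detect_ping_sweep(records),
            "traceroute_probe": detect_traceroute_probes(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, 198.51.100.7 is reported with six distinct targets inside one window while 203.0.113.5, which repeatedly pings a single host, is not, and 203.0.113.9 is reported because three different internal hosts answered it with time exceeded or port unreachable. The inbound time exceeded message from 203.0.113.9 is ignored, since only outgoing error messages from the internal range are the signal the countermeasures describe.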