# Scanning

* learn more about targets
* find potential attack openings
  * addresses of live hosts
  * network topologies
  * OSs of hosts
  * open ports
  * services running on hosts

## Network tracing

### IPv4 and IPv6

* important IPv4 headers
  * **TTL**: time to live
    * tells us how many hops a packet has taken
  * source and destination IP
* IPv6 properties
  * 128-bit addresses
  * simpler than IPv4

![IPv4 diagram](./img/ch03/ipv4_diagram.png)

![IPv6 diagram](./img/ch03/ipv6_diagram.png)

### tracing

* discover routes that packets take between systems
  * allows constructing network diagrams
* sends ICMP/UDP/TCP packets with varying TTL
* requires routers to properly report dropped packets
  * often disabled for performance/security reasons
* `traceroute` useful tool
  * web-based [tools](https://tools.keycdn.com/traceroute) also available

## Scanning

* Nmap does it all

### TCP

* 16-bit ports
* sequence and ack number for reliable in-order delivery
* control bits track state
  * **URG**: urgent flag
  * **ACK**: acknowledge earlier packets
  * **PSH** (push): data should not be buffered
  * **RST**: reset connection
  * **SYN**: synchronisation, sends initial sequence number
  * **FIN**: indicate session can be closed
* half-open port scanning
  * only send SYN part of handshake
  * listen for response
    * SYN + ACK: port open
    * RST + ACK: port closed or blocked
    * ICMP port unreachable: likely blocked
    * no response: likely blocked
  * can take a while if no responses are sent
* large scans are bad
  * limit scope of scan
    * select subset of targets
    * only scan well-known ports initially
    * limit scan based on firewall information
  * temporarily tweak firewall to speed up scans
  * use parallel machines (be careful not to DoS)
  * scanrand & zmap tools

![TCP diagram](./img/ch03/tcp_diagram.png)

### UDP

* send empty UDP datagram and listen
  * UDP packet response: something is listening on target port
  * ICMP port unreachable: likely blocked
  * no response: multiple options
    * port is blocked by firewall
    * port only responds to specific format

### ARP

* Address Resolution Protocol
* data link layer
* translates IPv4 addresses to MAC addresses
* scan local subnet for hosts
  * lots of traffic
  * can be detected by network intrusion detection systems (NIDS)

### ICMP

* Internet Control Message Protocol
* used for diagnostic purposes
  * error reporting
  * router discovery
  * redirect messages
  * ping sweeps
  * traceroute
* redirect messages expose network topology
* ICMP address mask requests: determine subnet used by target host
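The half-open scan described in the TCP section leaves a recognisable trace on the wire: a source sends bare SYNs to many ports, receives SYN+ACK or RST+ACK, and never sends the third-leg ACK. The following detector is an added example (not part of the original notes) that flags that pattern over constructed packet summaries; the record layout and the `min_ports` threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture):
# (src_ip, dst_ip, src_port, dst_port, flags)
SAMPLE = [
    # 10.0.0.5 half-open scans 10.0.0.20: SYN, then RST instead of the final ACK
    ("10.0.0.5", "10.0.0.20", 40001, 22, "SYN"),
    ("10.0.0.20", "10.0.0.5", 22, 40001, "SYN,ACK"),   # port open
    ("10.0.0.5", "10.0.0.20", 40001, 22, "RST"),
    ("10.0.0.5", "10.0.0.20", 40002, 80, "SYN"),
    ("10.0.0.20", "10.0.0.5", 80, 40002, "SYN,ACK"),   # port open
    ("10.0.0.5", "10.0.0.20", 40002, 80, "RST"),
    ("10.0.0.5", "10.0.0.20", 40003, 445, "SYN"),
    ("10.0.0.20", "10.0.0.5", 445, 40003, "RST,ACK"),  # port closed
    ("10.0.0.5", "10.0.0.20", 40004, 3306, "SYN"),     # no reply: filtered
    # 10.0.0.7 is an ordinary client completing the three-way handshake
    ("10.0.0.7", "10.0.0.20", 50001, 443, "SYN"),
    ("10.0.0.20", "10.0.0.7", 443, 50001, "SYN,ACK"),
    ("10.0.0.7", "10.0.0.20", 50001, 443, "ACK"),
]


def detect_half_open_scans(records, min_ports=3):
    """Flag sources that SYN-probe >= min_ports distinct (target, port) pairs
    but never send the third-leg ACK for them. Returns {source: summary}."""
    probed = defaultdict(set)          # source -> {(target, port)} given a bare SYN
    completed = defaultdict(set)       # source -> {(target, port)} with a bare ACK after
    closed_replies = defaultdict(int)  # prober -> RST+ACK answers it received
    for src, dst, sport, dport, flags in records:
        f = frozenset(flags.split(","))
        if f == {"SYN"}:
            probed[src].add((dst, dport))
        elif f == {"ACK"} and (dst, dport) in probed[src]:
            completed[src].add((dst, dport))
        elif f == {"RST", "ACK"}:
            closed_replies[dst] += 1   # the reply travels target -> prober
    alerts = {}
    for src, targets in probed.items():
        half_open = targets - completed[src]
        if len(half_open) >= min_ports:
            alerts[src] = {"probed": len(targets), "half_open": len(half_open),
                           "closed_replies": closed_replies[src]}
    return alerts


if __name__ == "__main__":
    for src, info in detect_half_open_scans(SAMPLE).items():
        print(f"possible SYN scan from {src}: {info}")
```

A NIDS would apply the same idea with a time window, since a patient scanner spreads probes out to stay under per-interval thresholds.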