Once step 1 has been completed, you should have a solid understanding of our target and a detailed collection of gathered information. This data mainly includes our collection of IP addresses. Recall that one of the final steps in reconnaissance was to create a list of IP addresses that both belonged to the target and that we were authorized to attack. This list is the key to transitioning from step 1 to step 2. In step 1, we mapped our gathered information to attackable IP address. In step 2, we’ll map IP addresses to open ports and services.

It’s important to understand that it’s the job of most networks to allow at least some communication to flow into and out of their borders. Networks that exist in complete isolation with no Internet connection, no services like e-mail or traffic are very rare today. Each service, connection or potential connection to another network provides a potential foothold for an attacker. Scanning is the process of identifying live systems and the services that exist on those systems.Step 2 begins by breaking the scanning process into three different phases:

  1. Determining if a system is alive
  2. Port scanning the system
  3. Scanning the system for vulnerabilities

Later on this chapter, we’ll discuss tools that combine these phases into a single process; however, for the purpose of introducting and learning new material, it’s best for cover them separately.

Step 1 is the process of determining whether a target system is turned on and capable of communicating or interacting with our machine. This step is the last reliable and we should always continue with steps 2 and 3 regardless of the outcome of this step and make nothe of any machines that respond as alive.

Step 2 is the process of identifying the specific ports and services running a particular host.

Simply defined, ports provide a way or location for software and networks to communicate with hardware like a computer. A port is a data connection that allows a computer to exchange information with other computers, software or devices. Prior to the interconnection of computers and networks, information was passed between machines through the use of physical media like floppy drives. Once computers were connected to a network, they needed an efficient means for communicating with each other. Ports were the answer. The use of multiple ports allows for simultaneous communication without the need to wait.

To further clarify this point for those of you who are unfamiliar with ports and computers, it may be helpful to consider the following analogy: Think of your computer as a house. There are many different ways that a person can enter the house. Each of the different ways to enter your house (computer) is like a computer port. Just like a port on a computer, all the entryways allow traffic to flow into and out of your home.

Imagine a house with unique numbers over each of the potential entry points. Most people will use the front door. However, the owners maty come in through the garage door. Sometimes, people enter the house from a backdoor or sliding glass door off the deck. An unconventional person may climb through a window or attempt to sqeeze through the doggie door.

Regardless of how you get into your house, each of these examples corresponds nicely with the analogy of computers and ports. Recall that ports are like gateways to your computer. Some ports are more common and receive lots of traffic (just like your front door); others are more obscure and rarely used (by humans) like the doggie door.

Many common services run on standard port numbers and can give attackers an indication as to the function of the target system. The following table provides a list of common ports and their corresponding services:

Port number Service
20 FTP Data transfer
21 FTP Control
22 SSH
23 Telnet
25 SMTP (E-Mail)
53 DNS

Obviously, there are many more ports and services. However, this list serves as a basic introduction to common ports that are utilized by organizations nowadays. You’ll see these services repeatedly as you begin to port scan your targets.

We need to pay special attention to the discovery of any open ports on our target systems. You should make detailed notes and save the output of any tool run in the second step. Remember, every open port is a potential gateway into the target system.

The final step in scanning, the third one, vulnerability scanning. Vulnerability scanning is the process of locating and identifying known weaknesses in the services and software running on a target machine. The discovery of known vulnerabilities on a target system can be like finding pot of gold at the end of a rainbow. Many systems today can be exploited with little or no skill when a machine is discovered to have a known vulnerability.

It’s important to mention that there’s a difference in the severity of various vulnerabilities. Some vulnerabilities may present little opportunities for an attacker, whereas other will allow you to completely take over and control a machine with a single click of a button. We’ll discuss the various levels of vulnerabilities in more detail later in this chapter.