Network Scanning Tools: Discovery and Security Assessment
Network scanning tools are essential for discovering devices, identifying services, assessing security, and troubleshooting network issues. Understanding how to use these tools effectively is crucial for network administrators, security professionals, and IT support. This comprehensive guide covers popular network scanning tools, their uses, and best practices.
What is Network Scanning?
Network scanning is the process of identifying active devices, open ports, running services, and potential vulnerabilities on a network.
Types of Network Scans
Host discovery (ping sweep):
Purpose: Find active devices
Method: Send ICMP/ARP requests
Result: List of responsive hosts
Use: Network inventory
Learn more about ICMP, ARP, and ping & traceroute.
Port scanning:
Purpose: Identify open ports
Method: Test TCP/UDP ports
Result: List of accessible services
Use: Security assessment, troubleshooting
Service detection:
Purpose: Identify running services
Method: Analyze port responses
Result: Service versions
Use: Inventory, vulnerability assessment
Vulnerability scanning:
Purpose: Find security weaknesses
Method: Test for known vulnerabilities
Result: Security report
Use: Security hardening
OS detection:
Purpose: Identify operating systems
Method: TCP/IP fingerprinting
Result: OS type and version
Use: Inventory, compatibility
Popular Network Scanning Tools
Nmap (Network Mapper)
Overview:
Type: Port scanner and network discovery
Platform: Cross-platform (Linux, Windows, macOS)
License: Open source (GPL)
Use: Most versatile network scanner
Basic usage:
```bash
# Scan single host
nmap 192.168.1.1
# Scan IP range
nmap 192.168.1.1-254
# Scan subnet
nmap 192.168.1.0/24
# Scan multiple hosts
nmap 192.168.1.1 192.168.1.10 192.168.1.20
```
Common scan types:
Ping scan (host discovery):
```bash
# Ping scan only (no port scan)
nmap -sn 192.168.1.0/24
# Also called: -sP (older syntax)
# Discovers: active hosts
# Fast: quick network overview
```
TCP SYN scan (stealth scan):
```bash
# SYN scan (requires root)
sudo nmap -sS 192.168.1.1
# Default: scans the top 1000 ports
# Stealth: doesn't complete the TCP handshake
# Fast: efficient scanning
```
TCP connect scan:
```bash
# Full TCP connection
nmap -sT 192.168.1.1
# No root needed: the scan type nmap falls back to for non-root users
# Logged: connections appear in the target's application logs
# Slower: completes the full three-way handshake
```
UDP scan:
```bash
# UDP port scan
sudo nmap -sU 192.168.1.1
# Slow: UDP is connectionless
# Important: many services use UDP
# Examples: DNS (53), SNMP (161)
```
Service version detection:
```bash
# Detect service versions
nmap -sV 192.168.1.1
# Identifies: service name and version
# Example: Apache 2.4.41, OpenSSH 8.2
# Useful: vulnerability assessment
```
OS detection:
```bash
# Detect operating system
sudo nmap -O 192.168.1.1
# Method: TCP/IP fingerprinting
# Accuracy: usually reliable
# Requires: root privileges
```
Aggressive scan:
```bash
# Aggressive scan (combines multiple options)
sudo nmap -A 192.168.1.1
# Includes:
# - OS detection (-O)
# - Version detection (-sV)
# - Script scanning (-sC)
# - Traceroute (--traceroute)
```
Specific ports:
```bash
# Single port
nmap -p 80 192.168.1.1
# Multiple ports
nmap -p 80,443,8080 192.168.1.1
# Port range
nmap -p 1-1000 192.168.1.1
# All ports
nmap -p- 192.168.1.1
# Top ports
nmap --top-ports 100 192.168.1.1
```
Timing and performance:
```bash
# Timing templates (0-5)
nmap -T4 192.168.1.0/24
# T0: Paranoid (very slow, IDS evasion)
# T1: Sneaky (slow, IDS evasion)
# T2: Polite (slow, less bandwidth)
# T3: Normal (default)
# T4: Aggressive (fast, assumes a good network)
# T5: Insane (very fast, may miss results)
```
Output formats:
```bash
# Normal output
nmap -oN scan.txt 192.168.1.1
# XML output
nmap -oX scan.xml 192.168.1.1
# Grepable output
nmap -oG scan.grep 192.168.1.1
# All formats (scan.nmap, scan.xml, scan.gnmap)
nmap -oA scan 192.168.1.1
```
Nmap scripts (NSE):
```bash
# Default scripts
nmap -sC 192.168.1.1
# Specific script
nmap --script=http-title 192.168.1.1
# Script category
nmap --script=vuln 192.168.1.1
# Multiple scripts (wildcards select every script with that prefix)
nmap --script="http-*,ssl-*" 192.168.1.1
# Script help
nmap --script-help http-title
```
Example comprehensive scan:
```bash
# Full scan with all features
sudo nmap -sS -sV -O -A -T4 -p- --script=default,vuln -oA full_scan 192.168.1.1
# Breakdown:
# -sS: SYN scan
# -sV: Version detection
# -O: OS detection
# -A: Aggressive (already implies -sV, -O, -sC and --traceroute; listing them again is harmless)
# -T4: Fast timing
# -p-: All ports
# --script: Default and vulnerability scripts
# -oA: Output in all formats
```
Angry IP Scanner
Overview:
Type: Fast IP and port scanner
Platform: Cross-platform (Java-based)
License: Open source (GPL)
Use: Quick network discovery
GUI: User-friendly interface
Features:
Fast ping scanning
Port scanning
NetBIOS information
MAC address detection
Hostname resolution
Export results (CSV, XML, TXT)
Usage:
1. Enter IP range (e.g., 192.168.1.1-254)
2. Click "Start"
3. View results in real-time
4. Export for documentation
Advantages:
Easy to use
Fast scanning
Cross-platform
No installation (portable)
Good for quick surveys
Masscan
Overview:
Type: Ultra-fast port scanner
Platform: Linux, Windows, macOS
License: Open source (AGPL)
Use: Large-scale scanning
Speed: Can scan the entire internet
Basic usage:
```bash
# Scan subnet
sudo masscan 192.168.1.0/24 -p80,443
# Scan all ports
sudo masscan 192.168.1.0/24 -p0-65535
# Rate limiting (packets per second)
sudo masscan 192.168.1.0/24 -p80 --rate 1000
# Output (list format)
sudo masscan 192.168.1.0/24 -p80 -oL scan.txt
```
Features:
Extremely fast (millions of packets/second)
Asynchronous transmission
Custom packet crafting
Banner grabbing
Use cases:
Large network scanning
Internet-wide surveys
Quick port checks
Security research
Caution:
Very aggressive
Can overwhelm networks
Use rate limiting
Get permission first
Zenmap
Overview:
Type: Nmap GUI
Platform: Cross-platform
License: Open source
Use: Visual nmap interface
Features:
Profile-based scanning
Topology mapping
Scan comparison
Results visualization
Command builder
Advantages:
Easier than command line
Visual network map
Save scan profiles
Compare scan results
Good for learning nmap
Advanced IP Scanner (Windows)
Overview:
Type: Network scanner for Windows
Platform: Windows only
License: Freeware
Use: Quick LAN scanning
Features:
Fast scanning
Remote control (RDP, Radmin)
Wake-on-LAN
Shutdown remote PCs
Shared folder access
Usage:
1. Launch application
2. Click "Scan"
3. View discovered devices
4. Right-click for actions
Netcat (nc)
Overview:
Type: Network utility
Platform: Cross-platform
License: Open source
Use: Port scanning, data transfer
Nickname: "TCP/IP Swiss Army knife"
Port scanning:
```bash
# Scan single port
nc -zv 192.168.1.1 80
# Scan port range
nc -zv 192.168.1.1 1-1000
# UDP scan
nc -zuv 192.168.1.1 53
# Options:
# -z: Zero I/O mode (scanning)
# -v: Verbose
# -u: UDP
```
Banner grabbing:
```bash
# Connect, then type the request followed by a blank line
nc 192.168.1.1 80
GET / HTTP/1.0

# Or send the request non-interactively
printf 'GET / HTTP/1.0\r\n\r\n' | nc 192.168.1.1 80
# Or just open the connection and read whatever the service sends first
echo "" | nc 192.168.1.1 80
```
Other uses:
```bash
# Listen on port
nc -l 1234
# Transfer file
# Receiver:
nc -l 1234 > file.txt
# Sender:
nc 192.168.1.1 1234 < file.txt
# Chat
# Host 1:
nc -l 1234
# Host 2:
nc 192.168.1.1 1234
```
hping3
Overview:
Type: Packet crafting tool
Platform: Linux, macOS
License: Open source
Use: Custom packet generation
Usage:
```bash
# TCP SYN to port 80
sudo hping3 -S 192.168.1.1 -p 80
# ICMP ping
sudo hping3 -1 192.168.1.1
# UDP to port 53
sudo hping3 -2 192.168.1.1 -p 53
# Traceroute mode
sudo hping3 -T 192.168.1.1
# Flood (testing)
sudo hping3 --flood 192.168.1.1
```
Features:
Custom packet crafting
Firewall testing
Network testing
IDS testing
Specialized Scanning Tools
Vulnerability Scanners
Nessus:
Type: Vulnerability scanner
Platform: Cross-platform
License: Commercial (free for home)
Use: Comprehensive vulnerability assessment
OpenVAS:
Type: Vulnerability scanner
Platform: Linux
License: Open source
Use: Free Nessus alternative
Nikto:
Type: Web server scanner
Platform: Cross-platform (Perl)
License: Open source
Use: Web vulnerability scanning
Usage:
```bash
nikto -h http://192.168.1.1
```
Wireless Scanning
Aircrack-ng:
Type: Wireless security suite
Platform: Linux, Windows
License: Open source
Use: WiFi security testing
Tools:
- airodump-ng: Capture packets
- aircrack-ng: Crack WEP/WPA
- aireplay-ng: Inject packets
Kismet:
Type: Wireless detector
Platform: Linux, macOS
License: Open source
Use: Wireless network discovery
WiFi Analyzer (Android):
Type: WiFi scanner
Platform: Android
License: Freeware
Use: WiFi signal analysis
Web Application Scanners
OWASP ZAP:
Type: Web app security scanner
Platform: Cross-platform
License: Open source
Use: Web vulnerability testing
Burp Suite:
Type: Web security testing
Platform: Cross-platform
License: Commercial (free community)
Use: Professional web testing
Scanning Techniques
Host Discovery
ARP scan (local network):
```bash
# Nmap ARP scan
sudo nmap -sn -PR 192.168.1.0/24
# arp-scan
sudo arp-scan 192.168.1.0/24
# Advantages:
# - Very fast
# - Reliable on the local network
# - Hard to block: hosts must answer ARP to communicate on the LAN
```
ICMP scan:
```bash
# ICMP probes need raw sockets, so run as root
# ICMP echo (ping)
sudo nmap -sn -PE 192.168.1.0/24
# ICMP timestamp
sudo nmap -sn -PP 192.168.1.0/24
# ICMP netmask
sudo nmap -sn -PM 192.168.1.0/24
```
TCP scan:
```bash
# TCP SYN to port 80
nmap -sn -PS80 192.168.1.0/24
# TCP ACK to port 80
nmap -sn -PA80 192.168.1.0/24
```
Stealth Scanning
SYN scan (half-open):
```bash
# Doesn't complete the handshake
sudo nmap -sS 192.168.1.1
# Advantages:
# - Faster than a full connect scan
# - Less likely to be logged by the application
# - Stealthier
```
FIN scan:
```bash
# Send FIN packet
sudo nmap -sF 192.168.1.1
# Bypasses: some firewalls
# Detection: harder to detect
```
NULL scan:
```bash
# No flags set
sudo nmap -sN 192.168.1.1
# Stealthy: very unusual packet
```
Xmas scan:
```bash
# FIN, PSH, URG flags set
sudo nmap -sX 192.168.1.1
# Name: packet "lit up like a Christmas tree"
```
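The defender's side of the SYN, FIN, NULL and Xmas scans above, as an added example that is not from the original article: it classifies TCP flag combinations in firewall log lines (a constructed, simplified `src= dst= dpt= flags=` format, not any real firewall's layout) and flags both the abnormal-flag probes and a bare-SYN sweep across many ports from one source.

```python
"""Flag NULL, FIN and Xmas probes and SYN port sweeps in TCP firewall logs.
Added detection example, not from the page. The log format is constructed:
'src=<ip> dst=<ip> dpt=<port> flags=<letters>' (S,A,F,P,U,R; empty = no flags)."""
import re
from collections import defaultdict

# Constructed sample log: two sources probing 192.168.1.1 plus one normal client
SAMPLE_LOG = """\
src=10.0.0.5 dst=192.168.1.1 dpt=22 flags=S
src=10.0.0.5 dst=192.168.1.1 dpt=80 flags=S
src=10.0.0.5 dst=192.168.1.1 dpt=443 flags=S
src=10.0.0.5 dst=192.168.1.1 dpt=3389 flags=S
src=10.0.0.5 dst=192.168.1.1 dpt=8080 flags=S
src=10.0.0.9 dst=192.168.1.1 dpt=80 flags=F
src=10.0.0.9 dst=192.168.1.1 dpt=443 flags=
src=10.0.0.9 dst=192.168.1.1 dpt=21 flags=FPU
src=10.0.0.7 dst=192.168.1.1 dpt=80 flags=S
src=10.0.0.7 dst=192.168.1.1 dpt=80 flags=A
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dpt=(\d+) flags=(\S*)")
# Flag sets that never occur in a legitimate handshake (nmap -sN, -sF, -sX)
ODD_FLAGS = {frozenset(): "NULL scan",
             frozenset("F"): "FIN scan",
             frozenset("FPU"): "Xmas scan"}

def classify_packet(flags):
    """Return the probe type for an abnormal flag set, or None for normal traffic."""
    return ODD_FLAGS.get(frozenset(flags))

def detect_scans(log_text, sweep_threshold=5):
    """Return sorted (src, dst, description) alerts found in the log."""
    alerts = set()
    syn_ports = defaultdict(set)  # (src, dst) -> distinct ports hit with a bare SYN
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, dpt, flags = m.groups()
        probe = classify_packet(flags)
        if probe:
            alerts.add((src, dst, f"{probe} probe on port {dpt}"))
        elif flags == "S":  # bare SYN: many distinct ports from one source = -sS sweep
            syn_ports[(src, dst)].add(int(dpt))
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= sweep_threshold:
            alerts.add((src, dst, f"SYN sweep of {len(ports)} ports"))
    return sorted(alerts)
```

The sweep threshold is deliberately low for the sample; tune it to your network's normal fan-out before using this logic on real logs.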
Firewall Evasion
Fragment packets:
```bash
# Fragment packets
nmap -f 192.168.1.1
# Bypasses: some packet filters
```
Decoy scanning:
```bash
# Use decoy IPs
nmap -D RND:10 192.168.1.1
# Hides: real source IP among decoys
# Confuses: IDS/IPS
```
Spoof source:
```bash
# Spoof source IP
nmap -S 192.168.1.100 192.168.1.1
# Note: won't receive responses
# Use: for testing only
```
Randomize hosts:
```bash
# Random host order
nmap --randomize-hosts 192.168.1.0/24
# Avoids: sequential patterns
```
Practical Scanning Scenarios
Network Inventory
Discover all devices:
```bash
# Quick discovery: grepable output on stdout, keep only hosts reported Up
sudo nmap -sn 192.168.1.0/24 -oG - | grep "Up" | cut -d' ' -f2
# Detailed inventory
sudo nmap -sS -sV -O -T4 192.168.1.0/24 -oX inventory.xml
# Parse results: use an nmap XML parser or a custom script
```
Security Audit
Find open ports:
```bash
# Scan all TCP ports
sudo nmap -sS -p- 192.168.1.0/24
# Find specific services
sudo nmap -p 21,22,23,3389 192.168.1.0/24
# Check for vulnerabilities
sudo nmap --script=vuln 192.168.1.0/24
```
Troubleshooting
Check if port is open:
```bash
# Test specific port
nc -zv 192.168.1.1 80
# Or with nmap
nmap -p 80 192.168.1.1
```
Trace network path:
```bash
# Nmap traceroute
nmap --traceroute 192.168.1.1
# Or traditional
traceroute 192.168.1.1
```
Legal and Ethical Considerations
Legal Issues
Unauthorized scanning:
Crime: Computer Fraud and Abuse Act (US)
Penalty: Fines, imprisonment
Applies: Scanning without permission
Get permission:
Written authorization
Scope of testing
Time windows
Contact information
Your own network:
Legal: Scan your own systems
Best practice: Still document
Corporate: Get IT approval
Ethical Guidelines
1. Authorization:
Always get permission
Document authorization
Stay within scope
Report findings responsibly
2. Minimize impact:
Use appropriate timing
Avoid aggressive scans
Don't disrupt services
Respect bandwidth
3. Responsible disclosure:
Report vulnerabilities
Give time to fix
Don't publish exploits
Follow disclosure policy
Best Practices
Scanning Strategy
1. Start broad, narrow down:
1. Host discovery (find active hosts)
2. Port scan (find open ports)
3. Service detection (identify services)
4. Vulnerability scan (find weaknesses)
2. Use appropriate timing:
Off-hours: Less impact
Rate limiting: Avoid overwhelming
Incremental: Start slow, increase if safe
3. Document everything:
Scan parameters
Results
Findings
Recommendations
Security
1. Secure scan data:
Encrypt results
Restrict access
Secure storage
Delete when done
2. Avoid detection (if authorized):
Randomize timing
Use decoys
Fragment packets
Slow scans
3. Monitor your scans:
Watch for errors
Check for impact
Verify results
Adjust as needed
Analysis
1. Baseline scans:
Regular scans
Compare results
Track changes
Identify anomalies
2. Prioritize findings:
Critical: Immediate action
High: Address soon
Medium: Plan to fix
Low: Monitor
3. Verify results:
Manual verification
Multiple tools
Reduce false positives
Confirm vulnerabilities
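The "parse results" step of the network inventory scenario and the baseline comparison above, as an added example that is not the article's code: it reads nmap `-oX` output (the XML below is constructed to follow nmap's `nmaprun > host > status/address/ports > port > state/service` layout) into an inventory of open ports per live host and diffs a later scan against the baseline to surface new hosts, vanished hosts and newly opened ports.

```python
"""Parse nmap -oX output into an inventory and diff a new scan against a baseline.
Added example, not from the page; the XML below is constructed to follow nmap's
-oX layout (nmaprun > host > status/address/ports > port > state/service)."""
import xml.etree.ElementTree as ET

# Constructed baseline scan of a small subnet
BASELINE_XML = """<nmaprun>
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port></ports></host>
</nmaprun>"""
# Constructed later scan: .1 grew an RDP port, .10 vanished, .20 appeared (port 25 filtered)
CURRENT_XML = """<nmaprun>
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="25"><state state="filtered"/></port></ports></host>
</nmaprun>"""

def parse_inventory(xml_text):
    """Return {ip: {(proto, port): service label}} for hosts that are up, open ports only."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        services = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":  # skip closed/filtered
                continue
            svc = port.find("service")
            fields = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            services[(port.get("protocol"), int(port.get("portid")))] = " ".join(f for f in fields if f) or "unknown"
        inventory[ip] = services
    return inventory

def diff_inventory(baseline, current):
    """Report hosts that appeared or vanished and ports newly open on known hosts."""
    new_ports = {ip: sorted(set(current[ip]) - set(baseline[ip]))
                 for ip in set(current) & set(baseline)
                 if set(current[ip]) - set(baseline[ip])}
    return {"new_hosts": sorted(set(current) - set(baseline)),
            "gone_hosts": sorted(set(baseline) - set(current)),
            "new_ports": new_ports}
```

Run the detailed inventory scan with `-oX` on a schedule, feed each file through `parse_inventory`, and review the `diff_inventory` report for the anomalies the Analysis section asks you to track.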
Conclusion
Network scanning tools are powerful instruments for network discovery, security assessment, and troubleshooting. Understanding how to use tools like Nmap effectively, following legal and ethical guidelines, and implementing best practices ensures productive and responsible network scanning. Always obtain proper authorization before scanning networks you don't own.
Key takeaways:
- Nmap: Most versatile network scanner
- Host discovery: Find active devices
- Port scanning: Identify open ports
- Service detection: Determine running services
- Get permission: Always authorize scanning
- Start broad: Then narrow down
- Document: Scan parameters and results
- Legal: Unauthorized scanning is illegal
- Ethical: Minimize impact, responsible disclosure
- Best practice: Regular baseline scans
Bottom line: Use network scanning tools like Nmap for legitimate purposes such as network inventory, security audits, and troubleshooting. Always obtain written authorization before scanning networks, use appropriate timing to minimize impact, and document all findings. Start with host discovery, then port scanning, service detection, and vulnerability assessment. Follow legal and ethical guidelines, and use scanning results to improve network security and performance.