
Network Scanning Tools: Discovery and Security Assessment

Network scanning tools are essential for discovering devices, identifying services, assessing security, and troubleshooting network issues. Understanding how to use these tools effectively is crucial for network administrators, security professionals, and IT support. This comprehensive guide covers popular network scanning tools, their uses, and best practices.

What is Network Scanning?

Network scanning is the process of identifying active devices, open ports, running services, and potential vulnerabilities on a network.

Types of Network Scans

Host discovery (ping sweep):

Purpose: Find active devices
Method: Send ICMP/ARP requests
Result: List of responsive hosts
Use: Network inventory

Learn more about ICMP, ARP, and ping & traceroute.

Port scanning:

Purpose: Identify open ports
Method: Test TCP/UDP ports
Result: List of accessible services
Use: Security assessment, troubleshooting

Service detection:

Purpose: Identify running services
Method: Analyze port responses
Result: Service versions
Use: Inventory, vulnerability assessment

Vulnerability scanning:

Purpose: Find security weaknesses
Method: Test for known vulnerabilities
Result: Security report
Use: Security hardening

OS detection:

Purpose: Identify operating systems
Method: TCP/IP fingerprinting
Result: OS type and version
Use: Inventory, compatibility

Popular Network Scanning Tools

Nmap (Network Mapper)

Overview:

Type: Port scanner and network discovery
Platform: Cross-platform (Linux, Windows, macOS)
License: Open source (GPL)
Use: Most versatile network scanner

Basic usage:

# Scan single host
nmap 192.168.1.1

# Scan IP range
nmap 192.168.1.1-254

# Scan subnet
nmap 192.168.1.0/24

# Scan multiple hosts
nmap 192.168.1.1 192.168.1.10 192.168.1.20

Common scan types:

Ping scan (host discovery):

# Ping scan only (no port scan)
nmap -sn 192.168.1.0/24

# Also called: -sP (older syntax)
# Discovers: Active hosts
# Fast: Quick network overview

TCP SYN scan (stealth scan):

# SYN scan (requires root)
sudo nmap -sS 192.168.1.1

# Default: Scans top 1000 ports
# Stealth: Doesn't complete TCP handshake
# Fast: Efficient scanning

TCP connect scan:

# Full TCP connection
nmap -sT 192.168.1.1

# No root needed: works without root privileges (nmap's default scan type for non-root users)
# Logged: Completed connections appear in the target's service logs
# Slower: Full handshake for every port

UDP scan:

# UDP port scan
sudo nmap -sU 192.168.1.1

# Slow: UDP is connectionless
# Important: Many services use UDP
# Examples: DNS (53), SNMP (161)

Service version detection:

# Detect service versions
nmap -sV 192.168.1.1

# Identifies: Service name and version
# Example: Apache 2.4.41, OpenSSH 8.2
# Useful: Vulnerability assessment

OS detection:

# Detect operating system
sudo nmap -O 192.168.1.1

# Method: TCP/IP fingerprinting
# Accuracy: Usually reliable
# Requires: Root privileges

Aggressive scan:

# Aggressive scan (combines multiple)
sudo nmap -A 192.168.1.1

# Includes:
# - OS detection (-O)
# - Version detection (-sV)
# - Script scanning (-sC)
# - Traceroute (--traceroute)

Specific ports:

# Single port
nmap -p 80 192.168.1.1

# Multiple ports
nmap -p 80,443,8080 192.168.1.1

# Port range
nmap -p 1-1000 192.168.1.1

# All ports
nmap -p- 192.168.1.1

# Top ports
nmap --top-ports 100 192.168.1.1

Timing and performance:

# Timing templates (0-5)
nmap -T4 192.168.1.0/24

# T0: Paranoid (very slow, IDS evasion)
# T1: Sneaky (slow, IDS evasion)
# T2: Polite (slow, less bandwidth)
# T3: Normal (default)
# T4: Aggressive (fast, assumes good network)
# T5: Insane (very fast, may miss results)

Output formats:

# Normal output
nmap -oN scan.txt 192.168.1.1

# XML output
nmap -oX scan.xml 192.168.1.1

# Grepable output
nmap -oG scan.grep 192.168.1.1

# All formats
nmap -oA scan 192.168.1.1

Nmap scripts (NSE):

# Default scripts
nmap -sC 192.168.1.1

# Specific script
nmap --script=http-title 192.168.1.1

# Script category
nmap --script=vuln 192.168.1.1

# Multiple scripts (quote the pattern so the shell does not expand the wildcards)
nmap --script="http-*,ssl-*" 192.168.1.1

# Script help
nmap --script-help http-title

Example comprehensive scan:

# Full scan with all features
sudo nmap -sS -sV -O -A -T4 -p- --script=default,vuln -oA full_scan 192.168.1.1

# Breakdown:
# -sS: SYN scan
# -sV: Version detection
# -O: OS detection
# -A: Aggressive (includes scripts, traceroute)
# -T4: Fast timing
# -p-: All ports
# --script: Default and vulnerability scripts
# -oA: Output all formats

Angry IP Scanner

Overview:

Type: Fast IP and port scanner
Platform: Cross-platform (Java-based)
License: Open source (GPL)
Use: Quick network discovery
GUI: User-friendly interface

Features:

Fast ping scanning
Port scanning
NetBIOS information
MAC address detection
Hostname resolution
Export results (CSV, XML, TXT)

Usage:

1. Enter IP range (e.g., 192.168.1.1-254)
2. Click "Start"
3. View results in real-time
4. Export for documentation

Advantages:

Easy to use
Fast scanning
Cross-platform
No installation (portable)
Good for quick surveys

Masscan

Overview:

Type: Ultra-fast port scanner
Platform: Linux, Windows, macOS
License: Open source (AGPL)
Use: Large-scale scanning
Speed: Can scan entire internet

Basic usage:

# Scan subnet
sudo masscan 192.168.1.0/24 -p80,443

# Scan all ports
sudo masscan 192.168.1.0/24 -p0-65535

# Rate limiting
sudo masscan 192.168.1.0/24 -p80 --rate 1000

# Output
sudo masscan 192.168.1.0/24 -p80 -oL scan.txt

Features:

Extremely fast (millions of packets/second)
Asynchronous transmission
Custom packet crafting
Banner grabbing

Use cases:

Large network scanning
Internet-wide surveys
Quick port checks
Security research

Caution:

Very aggressive
Can overwhelm networks
Use rate limiting
Get permission first

Zenmap

Overview:

Type: Nmap GUI
Platform: Cross-platform
License: Open source
Use: Visual nmap interface

Features:

Profile-based scanning
Topology mapping
Scan comparison
Results visualization
Command builder

Advantages:

Easier than command line
Visual network map
Save scan profiles
Compare scan results
Good for learning nmap

Advanced IP Scanner (Windows)

Overview:

Type: Network scanner for Windows
Platform: Windows only
License: Freeware
Use: Quick LAN scanning

Features:

Fast scanning
Remote control (RDP, Radmin)
Wake-on-LAN
Shutdown remote PCs
Shared folder access

Usage:

1. Launch application
2. Click "Scan"
3. View discovered devices
4. Right-click for actions

Netcat (nc)

Overview:

Type: Network utility
Platform: Cross-platform
License: Open source
Use: Port scanning, data transfer
Nickname: "TCP/IP Swiss Army knife"

Port scanning:

# Scan single port
nc -zv 192.168.1.1 80

# Scan port range
nc -zv 192.168.1.1 1-1000

# UDP scan
nc -zuv 192.168.1.1 53

# Options:
# -z: Zero I/O mode (scanning)
# -v: Verbose
# -u: UDP

Banner grabbing:

# Connect and grab banner (type the request line, then press Enter twice
# to send the blank line that ends the HTTP request)
nc 192.168.1.1 80
GET / HTTP/1.0

# Or
echo "" | nc 192.168.1.1 80

Other uses:

# Listen on port
nc -l 1234

# Transfer file
# Receiver:
nc -l 1234 > file.txt
# Sender:
nc 192.168.1.1 1234 < file.txt

# Chat
# Host 1:
nc -l 1234
# Host 2:
nc 192.168.1.1 1234

hping3

Overview:

Type: Packet crafting tool
Platform: Linux, macOS
License: Open source
Use: Custom packet generation

Usage:

# TCP SYN scan
sudo hping3 -S 192.168.1.1 -p 80

# ICMP ping
sudo hping3 -1 192.168.1.1

# UDP scan
sudo hping3 -2 192.168.1.1 -p 53

# Traceroute
sudo hping3 -T 192.168.1.1

# Flood (testing)
sudo hping3 --flood 192.168.1.1

Features:

Custom packet crafting
Firewall testing
Network testing
IDS testing

Specialized Scanning Tools

Vulnerability Scanners

Nessus:

Type: Vulnerability scanner
Platform: Cross-platform
License: Commercial (free for home)
Use: Comprehensive vulnerability assessment

OpenVAS:

Type: Vulnerability scanner
Platform: Linux
License: Open source
Use: Free Nessus alternative

Nikto:

Type: Web server scanner
Platform: Cross-platform (Perl)
License: Open source
Use: Web vulnerability scanning

Usage:
nikto -h http://192.168.1.1

Wireless Scanning

Aircrack-ng:

Type: Wireless security suite
Platform: Linux, Windows
License: Open source
Use: WiFi security testing

Tools:
- airodump-ng: Capture packets
- aircrack-ng: Crack WEP/WPA
- aireplay-ng: Inject packets

Kismet:

Type: Wireless detector
Platform: Linux, macOS
License: Open source
Use: Wireless network discovery

WiFi Analyzer (Android):

Type: WiFi scanner
Platform: Android
License: Freeware
Use: WiFi signal analysis

Web Application Scanners

OWASP ZAP:

Type: Web app security scanner
Platform: Cross-platform
License: Open source
Use: Web vulnerability testing

Burp Suite:

Type: Web security testing
Platform: Cross-platform
License: Commercial (free community)
Use: Professional web testing

Scanning Techniques

Host Discovery

ARP scan (local network):

# Nmap ARP scan
sudo nmap -sn -PR 192.168.1.0/24

# arp-scan
sudo arp-scan 192.168.1.0/24

# Advantages:
# - Very fast
# - Reliable on local network
# - Not blocked by host firewalls (a host must answer ARP to communicate at all)

ICMP scan:

# ICMP echo (ping)
nmap -sn -PE 192.168.1.0/24

# ICMP timestamp
nmap -sn -PP 192.168.1.0/24

# ICMP netmask
nmap -sn -PM 192.168.1.0/24

TCP scan:

# TCP SYN to port 80
nmap -sn -PS80 192.168.1.0/24

# TCP ACK to port 80
nmap -sn -PA80 192.168.1.0/24

Stealth Scanning

SYN scan (half-open):

# Doesn't complete handshake
sudo nmap -sS 192.168.1.1

# Advantages:
# - Faster than full connect
# - Less likely to be logged
# - Stealthier

FIN scan:

# Send FIN packet
sudo nmap -sF 192.168.1.1

# Bypasses: Some firewalls
# Detection: Harder to detect

NULL scan:

# No flags set
sudo nmap -sN 192.168.1.1

# Stealthy: Very unusual packet

Xmas scan:

# FIN, PSH, URG flags set
sudo nmap -sX 192.168.1.1

# Name: Packet "lit up like Christmas tree"
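The other side of these "stealth" scans is what they look like to whoever is watching the wire. A SYN scan keeps the target's service logs quiet because no connection is ever completed, and FIN, NULL and Xmas probes rely on odd flag combinations, but those same properties make them easy to pick out of a packet capture or flow log. The following script is an added example, not code from the original article: it applies two simple detection rules to a constructed list of packet summaries. The record format, the sample traffic and the thresholds are assumptions chosen for the example; a real deployment would feed the same rules from a capture or flow export.

```python
from collections import defaultdict

# Constructed packet summaries (hand-written for this example, not a capture):
# (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags). Flags use nmap's
# letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG; "" means no flags set (NULL).
PACKETS = [
    # a normal client: handshake on 443, then two more connections over a minute
    (0.0, "10.0.0.5", "192.168.1.1", 443, "S"),
    (0.1, "10.0.0.5", "192.168.1.1", 443, "A"),
    (20.0, "10.0.0.5", "192.168.1.1", 80, "S"),
    (55.0, "10.0.0.5", "192.168.1.1", 22, "S"),
    # NULL and Xmas probes: flag sets no legitimate client sends to open a connection
    (30.0, "10.0.0.77", "192.168.1.1", 80, ""),
    (30.2, "10.0.0.77", "192.168.1.1", 22, "UPF"),
] + [
    # SYN sweep: 15 different ports on one host in 1.5 seconds
    (40.0 + i * 0.1, "10.0.0.99", "192.168.1.1", 21 + i, "S") for i in range(15)
]

# Flag combinations that never start a legitimate TCP connection, keyed by the
# sorted flag string so that "UPF" and "FPU" compare equal.
SUSPICIOUS_FLAGS = {"": "NULL scan", "F": "FIN scan", "FPU": "Xmas scan"}


def detect_scans(packets, port_threshold=10, window_seconds=5.0):
    """Return sorted alerts (ts, src, dst, kind, detail) found in packet records."""
    alerts = []

    # Rule 1: any single packet with a flag set no client uses to open a connection
    for ts, src, dst, dport, flags in packets:
        kind = SUSPICIOUS_FLAGS.get("".join(sorted(flags)))
        if kind:
            alerts.append((ts, src, dst, kind, f"dport={dport}"))

    # Rule 2: one source sending bare SYNs to many distinct ports of one host
    # inside a short window. A half-open scan never completes the handshake, so
    # the service logs stay quiet, but the packet pattern is still visible.
    syns = defaultdict(list)
    for ts, src, dst, dport, flags in packets:
        if flags == "S":
            syns[(src, dst)].append((ts, dport))
    for (src, dst), events in syns.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {port for ts, port in events[i:] if ts - start <= window_seconds}
            if len(ports) >= port_threshold:
                alerts.append((start, src, dst, "SYN port sweep",
                               f"{len(ports)} ports within {window_seconds}s"))
                break  # one alert per (src, dst) pair is enough
    return sorted(alerts)


if __name__ == "__main__":
    for ts, src, dst, kind, detail in detect_scans(PACKETS):
        print(f"t={ts:6.1f} {src:>10} -> {dst} {kind} ({detail})")
```

The normal client touches three ports over a minute and never trips the sweep rule, while the scanner's fifteen SYNs in 1.5 seconds do; the NULL and Xmas packets are flagged individually because no legitimate client opens a connection with those flags. Tune `port_threshold` and `window_seconds` to the traffic you actually see, and remember that a scanner using the slow timing templates (-T0, -T1) is specifically trying to stay under a window like this.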

Firewall Evasion

Fragment packets:

# Fragment packets
nmap -f 192.168.1.1

# Bypasses: Some packet filters

Decoy scanning:

# Use decoy IPs
nmap -D RND:10 192.168.1.1

# Hides: Real source IP
# Confuses: IDS/IPS

Spoof source:

# Spoof source IP
nmap -S 192.168.1.100 192.168.1.1

# Note: Won't receive responses
# Use: For testing only

Randomize hosts:

# Random host order
nmap --randomize-hosts 192.168.1.0/24

# Avoids: Sequential patterns

Practical Scanning Scenarios

Network Inventory

Discover all devices:

# Quick discovery
sudo nmap -sn 192.168.1.0/24 -oG - | grep "Up" | cut -d' ' -f2

# Detailed inventory
sudo nmap -sS -sV -O -T4 192.168.1.0/24 -oX inventory.xml

# Parse results
# Use: Nmap XML parser or custom script
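A custom parser for the XML produced by -oX, as an added example that is not part of the original article. It turns each host that nmap reported as up into an inventory record (IP, MAC, hostname, best OS guess, open ports with the -sV service and version fields) and then lists the open ports that fall on the "specific services" list from the security audit section. The XML below is a hand-written sample in nmap's element layout, not a real scan; AUDIT_PORTS and the function names are choices made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (hand-written for this example; not a
# real scan). Element and attribute names follow nmap's XML output format.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX inventory.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:01" addrtype="mac"/>
    <hostnames><hostname name="gateway.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# The ports the article's "Find specific services" scan singles out (21,22,23,3389):
# cleartext and remote-access services that an audit should review.
AUDIT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp"}


def parse_nmap_root(root):
    """Turn a parsed <nmaprun> element into a list of inventory records.

    Only hosts reported "up" are kept; only ports whose state starts with
    "open" (open, open|filtered) are recorded, with the -sV service fields.
    """
    inventory = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        entry = {"ip": None, "mac": None, "hostname": None, "os": None, "ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr")
        hostname = host.find("hostnames/hostname")
        if hostname is not None:
            entry["hostname"] = hostname.get("name")
        osmatch = host.find("os/osmatch")  # first (best) OS guess, present only with -O
        if osmatch is not None:
            entry["os"] = (osmatch.get("name"), int(osmatch.get("accuracy", "0")))
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if not state.startswith("open"):
                continue
            svc = port.find("service")
            entry["ports"].append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        inventory.append(entry)
    return inventory


def parse_nmap_xml(xml_text):
    """Parse nmap XML held in a string (use load_inventory for a file on disk)."""
    return parse_nmap_root(ET.fromstring(xml_text))


def load_inventory(path):
    """Parse an nmap -oX file, e.g. the inventory.xml written by the scan above."""
    return parse_nmap_root(ET.parse(path).getroot())


def audit_findings(inventory, watch=AUDIT_PORTS):
    """List (ip, proto, port, service) for open TCP ports on the audit list."""
    findings = []
    for host in inventory:
        for p in host["ports"]:
            if p["proto"] == "tcp" and p["port"] in watch:
                findings.append((host["ip"], p["proto"], p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for host in inventory:
        ports = ", ".join(f"{p['port']}/{p['proto']} {p['service'] or '?'}" for p in host["ports"])
        print(f"{host['ip']:15} {host['hostname'] or '-':15} {host['mac'] or '-':18} {ports}")
    for ip, proto, port, service in audit_findings(inventory):
        print(f"REVIEW {ip} {port}/{proto} ({service})")
```

Hosts that were down are dropped, and UDP ports nmap could only call open|filtered are kept with that state so the record does not overstate what was confirmed. The MAC address only appears for hosts on the same local segment, which is itself useful inventory information.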

Security Audit

Find open ports:

# Scan all TCP ports
sudo nmap -sS -p- 192.168.1.0/24

# Find specific services
sudo nmap -p 21,22,23,3389 192.168.1.0/24

# Check for vulnerabilities
sudo nmap --script=vuln 192.168.1.0/24

Troubleshooting

Check if port is open:

# Test specific port
nc -zv 192.168.1.1 80

# Or with nmap
nmap -p 80 192.168.1.1

Trace network path:

# Nmap traceroute
nmap --traceroute 192.168.1.1

# Or traditional
traceroute 192.168.1.1

Legal and Ethical Considerations

Legal Issues

Unauthorized scanning:

Law: Computer Fraud and Abuse Act (US)
Penalty: Fines, imprisonment
Applies: Scanning without permission

Get permission:

Written authorization
Scope of testing
Time windows
Contact information

Your own network:

Legal: Scan your own systems
Best practice: Still document
Corporate: Get IT approval

Ethical Guidelines

1. Authorization:

Always get permission
Document authorization
Stay within scope
Report findings responsibly

2. Minimize impact:

Use appropriate timing
Avoid aggressive scans
Don't disrupt services
Respect bandwidth

3. Responsible disclosure:

Report vulnerabilities
Give time to fix
Don't publish exploits
Follow disclosure policy

Best Practices

Scanning Strategy

1. Start broad, narrow down:

1. Host discovery (find active hosts)
2. Port scan (find open ports)
3. Service detection (identify services)
4. Vulnerability scan (find weaknesses)

2. Use appropriate timing:

Off-hours: Less impact
Rate limiting: Avoid overwhelming
Incremental: Start slow, increase if safe

3. Document everything:

Scan parameters
Results
Findings
Recommendations

Security

1. Secure scan data:

Encrypt results
Restrict access
Secure storage
Delete when done

2. Avoid detection (if authorized):

Randomize timing
Use decoys
Fragment packets
Slow scans

3. Monitor your scans:

Watch for errors
Check for impact
Verify results
Adjust as needed

Analysis

1. Baseline scans:

Regular scans
Compare results
Track changes
Identify anomalies
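Comparing a baseline scan with a later run is the mechanical part of "track changes, identify anomalies". The script below is an added example, not code from the original article: it parses nmap's grepable (-oG) output from two runs and reports new hosts, hosts that disappeared, newly opened ports and ports that closed. Both scan outputs are hand-written samples in nmap's grepable line format (tab-separated sections, one port entry as port/state/proto/owner/service/rpcinfo/version/), not real scan data; the function names are choices made for the example.

```python
import re

# Constructed nmap -oG output from two runs of the same scan (hand-written for
# this example, not real scan data). Sections of a grepable line are separated
# by tabs; each port entry is port/state/proto/owner/service/rpcinfo/version/.
BASELINE_GREP = """# Nmap scan initiated (constructed sample) as: nmap -sS -sV -oG baseline.grep 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//Apache httpd 2.4.41/\tIgnored State: closed (998)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
# Nmap done (constructed sample) -- 256 IP addresses (2 hosts up) scanned
"""

CURRENT_GREP = """# Nmap scan initiated (constructed sample) as: nmap -sS -sV -oG current.grep 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 23/open/tcp//telnet///, 80/open/tcp//http//Apache httpd 2.4.41/\tIgnored State: closed (997)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
Host: 192.168.1.42 ()\tStatus: Up
Host: 192.168.1.42 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)
# Nmap done (constructed sample) -- 256 IP addresses (3 hosts up) scanned
"""

# Matches the "Ports:" line of a host; comment lines and "Status: Up" lines do not match.
PORTS_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")


def parse_grepable(text):
    """Return {ip: {(proto, port): (service, version)}} for open ports in -oG output."""
    scan = {}
    for line in text.splitlines():
        match = PORTS_LINE.match(line)
        if not match:
            continue
        ip, _hostname, port_list = match.groups()
        open_ports = scan.setdefault(ip, {})
        for spec in port_list.split(","):
            fields = spec.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                open_ports[(proto, int(port))] = (service, version)
    return scan


def diff_scans(baseline, current):
    """Compare two parse_grepable() results and report what changed."""
    changes = {
        "new_hosts": sorted(set(current) - set(baseline)),
        "missing_hosts": sorted(set(baseline) - set(current)),
        "new_ports": [],
        "closed_ports": [],
    }
    for ip in sorted(set(baseline) & set(current)):
        before, after = baseline[ip], current[ip]
        for proto, port in sorted(set(after) - set(before)):
            changes["new_ports"].append((ip, proto, port, after[(proto, port)][0]))
        for proto, port in sorted(set(before) - set(after)):
            changes["closed_ports"].append((ip, proto, port, before[(proto, port)][0]))
    return changes


if __name__ == "__main__":
    report = diff_scans(parse_grepable(BASELINE_GREP), parse_grepable(CURRENT_GREP))
    for kind, items in report.items():
        for item in items:
            print(f"{kind:13} {item}")
```

In the sample, the comparison surfaces exactly the things a baseline review is for: a new host (192.168.1.42) that nobody inventoried, telnet newly listening on the gateway, and RDP no longer reachable on 192.168.1.10. Only the "Ports:" line of each host is read, and only entries in state open are kept, so filtered and closed ports never generate noise in the diff.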

2. Prioritize findings:

Critical: Immediate action
High: Address soon
Medium: Plan to fix
Low: Monitor

3. Verify results:

Manual verification
Multiple tools
Reduce false positives
Confirm vulnerabilities

Conclusion

Network scanning tools are powerful instruments for network discovery, security assessment, and troubleshooting. Understanding how to use tools like Nmap effectively, following legal and ethical guidelines, and implementing best practices ensures productive and responsible network scanning. Always obtain proper authorization before scanning networks you don't own.



Key takeaways:
- Nmap: Most versatile network scanner
- Host discovery: Find active devices
- Port scanning: Identify open ports
- Service detection: Determine running services
- Get permission: Always authorize scanning
- Start broad: Then narrow down
- Document: Scan parameters and results
- Legal: Unauthorized scanning is illegal
- Ethical: Minimize impact, responsible disclosure
- Best practice: Regular baseline scans

Use network scanning tools like Nmap for legitimate purposes such as network inventory, security audits, and troubleshooting. Always obtain written authorization before scanning networks, use appropriate timing to minimize impact, and document all findings. Start with host discovery, then port scanning, service detection, and vulnerability assessment. Follow legal and ethical guidelines, and use scanning results to improve network security and performance.
