Top 4 Network Scanning and Enumeration Tools You Should Know

Network scanning and enumeration are integral phases of the penetration testing methodology. Gathering comprehensive data about the target infrastructure is crucial before attempting any exploits or attacks.

The reconnaissance stage involves identifying live hosts, open ports, services, operating systems, and other vulnerabilities. This information aids in mapping the network and pinpointing weak areas.

Several open source tools are available to automate the scanning and enumeration process. We discuss the 4 best options based on features, usability and recognition among ethical hackers.

1. Nmap

Nmap is arguably the most popular network scanner used by cybersecurity professionals. The tool lives up to its name, "Network Mapper", by efficiently probing networks of any size and complexity.

Nmap relies on crafted packets and analyzes the responses to build a profile of the target network. It provides valuable intel during the enumeration stage including:

  • Live hosts on the network

  • Open ports and services

  • Operating system fingerprinting

  • Hardware address (MAC)

  • Firewall rulesets and configurations

The tool offers advanced discovery, port scanning, OS detection and version detection features. Notable capabilities:

  • Port scanning - Supports TCP connect, SYN, ACK, Window, RPC scans to enumerate open ports.

  • OS fingerprinting - Detects operating system and versions by analyzing implementation quirks.

  • Service detection - Enumerates versions of services running on each port.

  • Host discovery - ICMP, ARP, DNS queries to uncover live hosts.

  • Network tracing - Traceroute functionality to map network topology.

Nmap provides output in normal, XML, grepable and script kiddie formats. The results can be integrated into other tools and pen testing frameworks.

2. Nessus

Nessus by Tenable is one of the most widely used vulnerability scanners. It is designed to detect vulnerabilities, configuration issues and malware across networks, servers, devices and applications.

Nessus scans are non-intrusive and safe since no exploits are launched against flaws. Rather, it relies on credentialed scanning and deep analysis.

Some key features for network enumeration:

  • Policy templates for compliance audits like PCI-DSS

  • Network infrastructure scanning without agents

  • Assessments for web app vulnerabilities like XSS, SQLi

  • SCAP and CIS benchmarking to check hardening

  • Malware detection in executables and packages

Nessus integrates seamlessly with other Tenable products like Nexpose and SecurityCenter. There are pre-built compliance and assessment reports to simplify reporting.

The free Nessus Essentials package allows vulnerability scanning of up to 16 IPs. Paid versions enable broader network coverage and additional features.

3. Angry IP Scanner

Angry IP Scanner is a fast port and network scanner designed for internal network assessments. It employs multithreading to achieve very high scanning speeds.

Angry IP Scanner can automatically detect all active hosts on a network by ARP scanning. Other enumeration capabilities include:

  • Detect open TCP and UDP ports

  • Resolve MAC addresses to hostnames

  • Identify remote operating systems

  • Export results to various formats

The tool offers an intuitive GUI with a real-time display of network hosts. Users can easily filter, search and bookmark objects.

Angry IP Scanner works on Windows, Mac and Linux platforms. The source code is freely available for review and community contributions.

4. Netdiscover

Netdiscover is a powerful reconnaissance tool for LAN environments. It employs both active and passive techniques to map nearby networks and detect live hosts.

Some salient features include:

  • ARP probing to find IP addresses

  • Analyzes ARP packets passively

  • Resolves MAC addresses to hostnames

  • Detects operating system fingerprint

  • Supports broadcast and unicast probes

  • Custom packet sizes and rates

  • In passive mode, operates stealthily without sending any packets

Netdiscover works on Linux and outputs results to screen or file. It can be easily scripted to automate network discovery. The tool is useful for network admins and pen testers to monitor LAN traffic and assets.
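As an added example, not part of the original article or of the Netdiscover project, the passive technique described above can be reproduced in a few lines: read the sender fields of ARP frames that are merely observed, learn which MAC claims which IP, and flag any IP claimed by more than one MAC (a misconfiguration or spoofing symptom worth investigating). The frames are constructed inline with a small builder rather than captured, and nothing is transmitted.

```python
import struct
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)
def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet+ARP frame; used here only to construct sample input."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    dst = tha if op == 2 else b"\xff" * 6     # requests are broadcast, replies unicast
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def passive_arp_table(frames):
    """Netdiscover-style passive discovery: learn IP -> MACs from the sender fields of
    ARP traffic we merely observe. Returns {ip: sorted list of MACs seen claiming it}."""
    seen = {}
    for frame in frames:
        if len(frame) < ETH_HDR.size + ARP_HDR.size:
            continue                            # truncated frame, nothing to learn
        _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
        if ethertype != ETHERTYPE_ARP:
            continue
        htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
            continue                            # only IPv4-over-Ethernet requests/replies
        ip = ip_str(spa)
        if ip == "0.0.0.0":
            continue                            # RFC 5227 ARP probe: sender has no address yet
        seen.setdefault(ip, set()).add(mac_str(sha))
    return {ip: sorted(macs) for ip, macs in seen.items()}

def conflicting_ips(table):
    """IPs claimed by more than one MAC: a misconfiguration or ARP spoofing worth investigating."""
    return sorted(ip for ip, macs in table.items() if len(macs) > 1)

SAMPLE_FRAMES = [  # constructed sample traffic, not a real capture
    build_arp_frame(1, "aa:bb:cc:00:00:01", "192.0.2.1", "00:00:00:00:00:00", "192.0.2.20"),
    build_arp_frame(2, "aa:bb:cc:00:00:14", "192.0.2.20", "aa:bb:cc:00:00:01", "192.0.2.1"),
    build_arp_frame(2, "aa:bb:cc:00:00:99", "192.0.2.20", "aa:bb:cc:00:00:01", "192.0.2.1"),
    build_arp_frame(1, "aa:bb:cc:00:00:05", "0.0.0.0", "00:00:00:00:00:00", "192.0.2.5"),
    b"\x00" * 20,
]
```

In practice the frames would come from a raw socket or a pcap reader on the monitored segment; the parsing and conflict logic stay the same.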

Scanning Methodology for Optimal Results

It is important to utilize scanning tools effectively during network enumeration. Following a methodical strategy improves coverage and minimizes detection:

  • Perform passive scanning first to gather publicly available information from WHOIS, DNS, etc.

  • Discover live hosts with ping sweeps and ARP probing before port scans.

  • Scan slowly to avoid overwhelming hosts and triggering IPS alerts.

  • Identify versions of services on each open port for focused vulnerability checks later.

  • Use multiple tools since each scanner has unique capabilities.

  • Leverage Tor and proxies to mask the origin of scanning activities.

  • Compare results from authenticated vs unauthenticated scans.

  • Prioritize critical infrastructure like DMZs, mail servers, Active Directory, etc.

A slow and stealthy approach provides maximum insight into the target for tactical penetration testing.

Closing Thoughts

The network scanning and enumeration phase lays the foundation for the remainder of the penetration test. Detailed recon data allows testers to pinpoint vulnerabilities accurately instead of guessing.

Nmap is a versatile scanner that builds a comprehensive profile of the infrastructure and weaknesses. Nessus provides automated vulnerability checking based on industry benchmarks.

Angry IP Scanner and Netdiscover excel at uncovering hosts and open ports on internal networks. Each tool has specific use cases to fit into the testing methodology.

So utilize this stack of open-source scanners to conduct safe yet effective enumerations. The insights will prove invaluable for exploiting flaws precisely during later stages of the penetration test.
