Passive Scanning

Passive scanning is a type of network scanning technique that is used to gather information about a target system or network without actively interacting with the target. Unlike active scanning, which sends requests or packets to the target and analyzes the responses, passive scanning only gathers information that is readily available, such as information transmitted over the network or stored in system logs.

It is used to gather information about a target system or network for a variety of purposes, including network mapping, vulnerability assessment, and compliance testing. By analyzing network traffic and system logs, passive scanning can provide valuable information about a target’s infrastructure, servers, and devices, as well as the types of services and applications that are running.

One of the benefits of passive scanning is that it is less intrusive and less likely to trigger security measures, such as firewalls or intrusion detection systems (IDS), than active scanning. As a result, passive scanning can provide organizations with valuable information about their systems and networks without putting them at risk.

However, passive scanning is also limited in its ability to gather information compared to active scanning. Passive scanning can only gather information that is readily available and cannot actively probe a target system or network for vulnerabilities or weaknesses.

Key Points:

There are three conditions that allow an attacker to use these scanning techniques:

  • Physical access to the target system: Using a port scanner or ping sweep, you can locate open ports.
  • Vulnerable target software: An application may have vulnerabilities that allow you to use a TCP connect scan or a SYN flood attack.
  • Administrator privileges on the target system (Windows): In order for an attacker to perform a SYN flood attack, he must have administrator privileges on the target system.

Types of Port Scanners:

There are several port scanning methods; some of them are given below:

  • Ping scans: A ping is used to check if a network packet can reach an IP address without any problems. Ping scanning involves the automatic transmission of multiple ICMP requests to different servers.
  • Half-open or SYN scans: Attackers can check the status of a port without creating a full connection by using half-open scanning, commonly known as SYN scanning. This type of scan simply transmits a SYN message and does not establish a connection with the receiver.
  • XMAS scans: An XMAS scan sends some packets to a port to check whether it is open or not. If the port is closed, the scanner will receive a response. If there is no response, the port is open and can be used to access the network.

Countermeasures:

The best option to prevent getting scanned is to block the scanning packets.

  • For a TCP connect scan, block ACK packets from entering your network.
  • For a SYN flood attack, you can use a SYN cookie or SYN proxy, which will be discussed in the next session.

Scanning can be considered a logical extension (and overlap) of active reconnaissance that helps attackers identify specific vulnerabilities. Attackers often use automated tools such as network scanners and war dialers to locate systems and attempt to discover vulnerabilities.

What are Scanning Attacks?

Scanning in ethical hacking is a network exploration technique used to identify the systems connected to an organization’s network. It provides information about the accessible systems, services, and resources on a target system. Some may refer to this type of scan as an active scan because it can potentially disrupt services on those hosts that are susceptible. Scanning is often used during vulnerability assessment when probing weaknesses in existing defenses.

There are two ways of scanning:

  • Active Scanning
  • Passive Scanning

Scanning is more than just port scanning, but it is a very important part of this process. Scanning allows you to identify open ports on the target system and can be used for port mapping, performing an interactive session with the operating system via those ports, or even redirecting traffic from these open ports. There are many tasks that can be performed with a scanning tool.

Scanning can be as simple as creating a list of IP addresses and netmasks to scan all the active addresses on the network. This is called a ping sweep. Another method is performing a SYN port scan, which is an active scan that sends TCP SYN packets to ports on the target system and waits for a reply. A SYN port scan sends TCP SYN packets to the ports and waits for replies; a port that answers with an RST/ACK is closed. Telnet and FTP are examples of ports that are often open by default.
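The half-open (SYN) and XMAS probes described in the port scanner list above and in the paragraph on SYN port scans both leave a recognisable pattern in passively captured traffic. The following is an added example (not code from the original article) of the detection logic a defender would run over such a capture; the packet records and addresses are constructed, and only the TCP flag letters (S, A, P, F, U) are assumed as input format.

```python
from collections import defaultdict

# Constructed sample of TCP header observations from a passive capture
# (hypothetical addresses and values, not taken from the original page):
# (source IP, destination IP, destination port, TCP flags as letters)
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 22, "S"),    # normal client: SYN ...
    ("10.0.0.5", "192.0.2.10", 22, "A"),    # ... then ACK completes the handshake
    ("10.0.0.5", "192.0.2.10", 22, "PA"),   # data follows on the open connection
    ("10.0.0.9", "192.0.2.10", 21, "S"),    # half-open scanner: bare SYNs to many
    ("10.0.0.9", "192.0.2.10", 22, "S"),    # ports, never an ACK, so no handshake
    ("10.0.0.9", "192.0.2.10", 23, "S"),    # is ever completed
    ("10.0.0.9", "192.0.2.10", 25, "S"),
    ("10.0.0.9", "192.0.2.10", 80, "S"),
    ("10.0.0.9", "192.0.2.10", 443, "S"),
    ("10.0.0.7", "192.0.2.10", 80, "FPU"),  # XMAS probe: FIN+PSH+URG lit together
    ("10.0.0.7", "192.0.2.10", 443, "FPU"),
]

XMAS_FLAGS = frozenset("FPU")

def detect_scans(packets, syn_port_threshold=5):
    """Return {source: [alert, ...]} from passively observed TCP flags.

    A half-open (SYN) scan appears as one source sending bare SYNs to many
    distinct ports without ever sending the ACK that completes a handshake.
    An XMAS probe appears as FIN, PSH and URG set in the same segment.
    """
    syn_ports = defaultdict(set)    # src -> ports that received a bare SYN
    acked_ports = defaultdict(set)  # src -> ports where src later sent an ACK
    xmas_ports = defaultdict(set)   # src -> ports probed with FIN+PSH+URG
    for src, _dst, dport, flags in packets:
        bits = set(flags)
        if bits == {"S"}:
            syn_ports[src].add(dport)
        elif "A" in bits:
            acked_ports[src].add(dport)
        if XMAS_FLAGS <= bits:
            xmas_ports[src].add(dport)
    alerts = defaultdict(list)
    for src, ports in syn_ports.items():
        half_open = ports - acked_ports[src]
        if len(half_open) >= syn_port_threshold:
            alerts[src].append(f"half-open SYN scan across {len(half_open)} ports")
    for src, ports in xmas_ports.items():
        alerts[src].append(f"XMAS probe on ports {sorted(ports)}")
    return dict(alerts)
```

The normal client on port 22 produces no alert because its SYN is followed by an ACK from the same source; the threshold keeps a handful of legitimate failed connections from being reported.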

Types of Scanning Techniques:

  1. TCP connect scan: This is a scan that sends TCP SYN packets to each port on the target system, waiting for an RST/ACK. This is a stealthier type of scan because it does not show the open ports on the target system. The last port that responds is its open port, and you can use this to your advantage to determine which ports are open.
  2. TCP SYN port scan: This is a similar type of scan, but the packets are TCP SYN packets and not TCP ACK. This type of scan sends packets to ports that are open and waits for a reply.
  3. Network Scanning: Network scanning is used to identify the devices and services that are running on a target network, determine their operating systems and software versions, and identify any potential security risks or vulnerabilities. Network scanning can be performed manually or automated using software tools, and can target specific systems or an entire network.
  4. Vulnerability Scanning: Vulnerability scanning is a process of identifying, locating, and assessing the security vulnerabilities of a computer system, network, or application. This process is performed using automated software tools that scan for known vulnerabilities, as well as weaknesses in the configuration or implementation of the system being tested.
