Introduction
Scanning and enumeration is the second phase of a penetration test, following reconnaissance. While reconnaissance focuses on gathering publicly available information passively, scanning involves actively probing the target's network to discover live hosts, open ports, running services, operating system versions, and potential vulnerabilities. This phase transforms the broad intelligence gathered during reconnaissance into actionable technical details.
Scanning is inherently an active process -- it requires sending packets to target systems and analyzing the responses. This means it is detectable by intrusion detection systems, firewalls, and security monitoring tools. For this reason, scanning must always be performed within the explicit scope and timeline defined in the engagement's Rules of Engagement.
The three sub-phases of scanning are typically:
- Host discovery -- determining which IP addresses in a range have live, responsive systems
- Port scanning -- identifying which network ports are open on discovered hosts
- Service enumeration -- determining the specific software and versions running on open ports
"Scanning is the phase where a penetration test transitions from research to interaction. It is the first time you are actively touching the target, and every packet you send tells a story to anyone watching." -- Georgia Weidman, Penetration Testing: A Hands-On Introduction to Hacking
Network Scanning Fundamentals
Network scanning leverages the TCP/IP protocol suite's design to extract information about remote systems. Understanding how TCP handshakes, ICMP messages, and UDP communication work is fundamental to understanding scanning techniques.
Host Discovery
Before scanning ports, a tester must first determine which IP addresses in the target range are associated with live, responsive hosts. Host discovery techniques include:
- ICMP Echo Request (Ping) -- the simplest technique, sending ICMP Type 8 packets and listening for Type 0 replies. Many organizations block ICMP at their firewalls, making this unreliable
- TCP SYN Ping -- sending a TCP SYN packet to a common port (e.g., 80 or 443). A SYN/ACK or RST response indicates a live host regardless of ICMP filtering
- TCP ACK Ping -- sending an unsolicited ACK packet. Live hosts respond with RST, while non-existent hosts produce no response. Stateless packet filters let the ACK through; a stateful firewall drops it because it belongs to no known connection, so a missing reply does not prove the host is down
- UDP Ping -- sending a UDP packet to a likely closed port. An ICMP Port Unreachable response indicates a live host
- ARP Scanning -- on local networks, ARP requests are the most reliable method: they operate below IP, so IP-layer filtering cannot block them, and a host must answer ARP to communicate at all. They only work within the scanner's own broadcast domain
Scan Types and Techniques
Port scanning techniques exploit different aspects of the TCP/IP specification to determine port state. The three basic port states are open (a service is listening), closed (no service, but the host is reachable), and filtered (a firewall or packet filter is preventing the scanner from determining the state). Nmap also reports combined states such as open|filtered when a probe draws no answer and the scan type cannot tell the two apart (UDP, FIN, XMAS and NULL scans), and unfiltered for ACK-scan probes that receive an RST.
| Scan Type | TCP Flags Sent | Open Port Response | Closed Port Response | Stealth Level |
|---|---|---|---|---|
| TCP Connect | Full 3-way handshake | SYN/ACK, then connection established | RST | Low -- logged by application |
| SYN (Half-open) | SYN only | SYN/ACK (scanner sends RST) | RST | Moderate -- not logged by most apps |
| FIN | FIN | No response (open or filtered) | RST | Higher -- bypasses some simple firewalls; relies on RFC 793 behaviour, so Windows and some other stacks answer RST to every probe |
| XMAS | FIN, PSH, URG | No response (open or filtered) | RST | Higher -- unusual flag combination; same RFC 793 caveat |
| NULL | No flags | No response (open or filtered) | RST | Higher -- no flags set; same RFC 793 caveat |
| ACK | ACK | RST (maps firewall rules) | RST | Used for firewall mapping only |
| UDP | UDP datagram | Application response or silence | ICMP Port Unreachable | Slow but discovers UDP services |
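The table describes what the scanner sees on the wire; the following is an added example (not code from the page) that makes the open/closed/filtered decision explicit using the ordinary socket API, i.e. a TCP connect scan of the kind `nmap -sT` performs. It only talks to 127.0.0.1 and to a listener it starts itself, so it runs offline without root. The listener records every completed handshake to show why the table rates connect scans as low-stealth, and `tcp_ping` reuses the same probe as a host-discovery check in the spirit of a TCP SYN ping: an RST from a closed port is as good a proof of life as a SYN/ACK.

```python
"""TCP connect scan with open / closed / filtered classification.

Added example, not code from the page: it scans only 127.0.0.1 against a
listener it starts itself, so it runs offline and without root."""
import errno
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Throwaway TCP service that records every client which completed the
    three-way handshake -- the 'logged by application' cost of a connect scan.
    Returns (server_socket, port, list_of_client_addresses)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the kernel pick a free port
    srv.listen(5)
    seen = []

    def serve():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:      # listener closed -> stop
                return
            seen.append(addr)    # an application log line would go here
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], seen


def free_port(host="127.0.0.1"):
    """Bind-and-release to find a port nobody listens on (a 'closed' port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan_port(host, port, timeout=1.0):
    """What `nmap -sT` does per port, expressed with the OS socket API.

    open     -> connect() returns: SYN/ACK came back and the kernel ACKed it
    closed   -> RST came back, surfaced as ECONNREFUSED
    filtered -> nothing came back before the timeout (dropped by a filter),
                or the network reported the host/network unreachable
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0):
    return {p: connect_scan_port(host, p, timeout) for p in ports}


def tcp_ping(host, ports, timeout=1.0):
    """Host discovery in the style of a TCP SYN ping: any answer at all,
    SYN/ACK (open) or RST (closed), proves the host is up."""
    return any(connect_scan_port(host, p, timeout) in ("open", "closed")
               for p in ports)


def demo():
    """Scan our own listener plus one closed port.
    Returns (state_of_open_port, state_of_closed_port, handshakes_logged)."""
    srv, open_port, seen = start_listener()
    closed_port = free_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
        deadline = time.time() + 2          # let the accept() thread log the hit
        while not seen and time.time() < deadline:
            time.sleep(0.01)
    finally:
        srv.close()
    return results[open_port], results[closed_port], len(seen)


if __name__ == "__main__":
    print(demo())
```

A SYN (half-open) scan differs only in that the scanner builds the SYN itself with a raw socket and answers the SYN/ACK with an RST instead of completing the handshake, which is why the application's `accept()` never fires and nothing is logged; that requires root, which is why Nmap falls back to the connect scan above when unprivileged.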
Nmap: The Network Mapper
Nmap (Network Mapper) is the most widely used network scanning tool in the security industry. Created by Gordon "Fyodor" Lyon in 1997, Nmap has grown from a simple port scanner into a comprehensive network discovery and security auditing platform. It is open source, actively maintained, and included in virtually every penetration testing distribution.
Scan Techniques
Nmap supports all standard scan types through command-line flags. The most commonly used scans in authorized testing include:
```bash
# SYN scan (default with root/admin privileges) -- fast and relatively stealthy
nmap -sS 192.168.1.0/24

# TCP Connect scan (default without root) -- completes the full handshake
nmap -sT 192.168.1.0/24

# Service version detection -- probes open ports to determine software and version
nmap -sV 192.168.1.100

# OS detection -- uses TCP/IP stack fingerprinting to identify the operating system
nmap -O 192.168.1.100

# Aggressive scan -- combines OS detection, version detection, script scanning, traceroute
nmap -A 192.168.1.100

# Scan specific ports
nmap -p 22,80,443,3306,8080 192.168.1.100

# Scan all 65535 ports
nmap -p- 192.168.1.100

# UDP scan (slower, requires root)
nmap -sU 192.168.1.100

# Combine SYN and UDP scans with version detection
nmap -sS -sU -sV -p T:1-1000,U:53,67,68,123,161,500 192.168.1.100
```
Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) extends Nmap's capabilities far beyond port scanning. NSE scripts, written in Lua, can perform vulnerability detection, brute-force testing, service enumeration, and information gathering. Nmap ships with over 600 scripts organized into categories.
| Category | Description | Example Script |
|---|---|---|
| auth | Authentication handling and bypass checks (credential guessing lives in brute instead) | ftp-anon |
| brute | Brute-force credential guessing against a service | ssh-brute |
| default | Safe scripts that run with -sC | http-title |
| discovery | Active discovery of network services | dns-brute |
| exploit | Attempt to exploit known vulnerabilities | http-shellshock |
| safe | Scripts unlikely to crash services | ssl-enum-ciphers |
| vuln | Check for specific known vulnerabilities | http-vuln-cve2017-5638 |
| version | Enhanced version detection | http-server-header |
```bash
# Run default scripts against a target
nmap -sC -sV 192.168.1.100

# Run all vulnerability detection scripts
nmap --script vuln 192.168.1.100

# Run a specific script
nmap --script ssl-enum-ciphers -p 443 192.168.1.100

# Run multiple script categories
nmap --script "default and safe" 192.168.1.100

# SMB enumeration scripts
nmap --script smb-os-discovery,smb-enum-shares,smb-enum-users -p 445 192.168.1.100
```
Service Enumeration
Service enumeration goes beyond port scanning to extract detailed information from the services running on open ports. While port scanning tells you that port 80 is open, service enumeration tells you that it is running Apache 2.4.51 on Ubuntu, with specific modules enabled and particular configuration characteristics.
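Version detail like "Apache 2.4.51" is usually consumed from Nmap's XML output (`-oX`) rather than read off the screen. The following is an added example, not code from the page or the Nmap project, that parses a constructed, trimmed stand-in for `nmap -sS -sU -sV -oX -` output. The practitioner point it makes is in the `method` attribute: `probed` means `-sV` actually talked to the service, whereas `table` means the name was merely looked up from the port number, so it is a guess and should be labelled as such before it ends up in a report.

```python
"""Parse Nmap XML output (-oX) into hosts, ports and services.

Added example, not from the page or the Nmap project. SAMPLE_XML is a
constructed, trimmed stand-in for real `nmap -sS -sU -sV -oX -` output."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample. Real output carries more elements; the ones used
# below (host/status/address/ports/port/state/service) are the standard ones.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX - 192.168.1.100">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.100" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.9p1"
           extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.51" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
  <service name="mysql" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
  <service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
  <service name="snmp" method="table" conf="3"/></port>
</ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return a list of {addr, up, ports:[...]} dicts, one per <host>.
    Note: scan output you produced yourself is trusted input; if you parse
    XML handed to you by someone else, use defusedxml instead of ET."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        addr_el = h.find("address[@addrtype='ipv4']")
        status = h.find("status")
        host = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": [],
        }
        for p in h.iter("port"):
            st, sv = p.find("state"), p.find("service")
            host["ports"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": st.get("state") if st is not None else "unknown",
                "reason": st.get("reason") if st is not None else None,
                "service": sv.get("name") if sv is not None else None,
                "product": sv.get("product") if sv is not None else None,
                "version": sv.get("version") if sv is not None else None,
                # "probed": -sV really exchanged data with the service.
                # "table": a guess from nmap-services keyed on port number only.
                "probed": sv is not None and sv.get("method") == "probed",
            })
        hosts.append(host)
    return hosts


def open_services(hosts):
    """Flatten to (addr, port, proto, banner) for confirmed-open ports only.
    open|filtered (UDP with no answer) is deliberately left out: it is not
    evidence that anything is listening."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            banner = " ".join(x for x in (p["product"], p["version"]) if x) or p["service"]
            if not p["probed"]:
                banner += " (unverified: name guessed from port number)"
            out.append((h["addr"], p["port"], p["proto"], banner))
    return out


def state_summary(hosts):
    """How many ports ended up in each state, across all hosts."""
    return Counter(p["state"] for h in hosts for p in h["ports"])


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for row in open_services(parsed):
        print(*row)
    print(dict(state_summary(parsed)))
```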
Common enumeration targets and techniques:
- SMB Enumeration (Port 445) -- extract shares, users, groups, password policies, and OS information. Tools: enum4linux, smbclient, smbmap, crackmapexec (succeeded by NetExec)
- SNMP Enumeration (Port 161) -- if community strings are known or default, SNMP can reveal extensive system information including running processes, installed software, network interfaces, and routing tables. Tools: snmpwalk, onesixtyone
- LDAP Enumeration (Port 389/636) -- query directory services for users, groups, organizational units, and computer objects. Tools: ldapsearch, windapsearch
- NFS Enumeration (Port 2049) -- list exported shares and mount permissions. Tools: showmount, nfs-ls
- SMTP Enumeration (Port 25) -- verify email addresses using the VRFY and EXPN commands, or RCPT TO where those are disabled. Tools: smtp-user-enum
- Web Server Enumeration (Port 80/443) -- discover directories, files, virtual hosts, and application frameworks. Tools: gobuster, dirb, nikto, whatweb
```bash
# SMB enumeration
enum4linux -a 192.168.1.100
smbmap -H 192.168.1.100 -u guest

# SNMP walk with default community string
snmpwalk -v2c -c public 192.168.1.100

# LDAP anonymous bind enumeration
ldapsearch -x -H ldap://192.168.1.100 -b "dc=example,dc=com"

# Web directory brute-forcing
gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirb/common.txt

# Web server fingerprinting
whatweb http://192.168.1.100
nikto -h http://192.168.1.100
```
"Enumeration is where patience pays dividends. The difference between a good penetration tester and a great one is often the depth and thoroughness of their enumeration." -- Heath Adams, The Cyber Mentor
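The SMTP VRFY technique from the list above, as an added example with both sides of the exchange (not code from the page or from smtp-user-enum). `start_fake_smtp` is a constructed stand-in MTA so the client runs offline, and `KNOWN_USERS` is made-up data. Run with `disclose=True` it answers VRFY the leaky way (250 for a real mailbox, 550 otherwise); with `disclose=False` it behaves like a hardened server that answers 252 for everyone, which RFC 5321 permits, so the client learns nothing and must fall back to RCPT TO or give up.

```python
"""SMTP user enumeration over VRFY, with both sides of the exchange.

Added example, not from the page: start_fake_smtp() is a constructed
stand-in MTA so the client runs offline; KNOWN_USERS is made-up data."""
import socket
import threading

KNOWN_USERS = {"root", "admin", "postmaster"}   # constructed


def start_fake_smtp(users, disclose=True):
    """Minimal SMTP listener on 127.0.0.1. disclose=True: 250 for a known
    user, 550 otherwise. disclose=False: 252 for everyone (hardened MTA),
    so VRFY no longer distinguishes valid from invalid users."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        rf = conn.makefile("rb")
        reply = lambda line: conn.sendall((line + "\r\n").encode())
        reply("220 mail.example.com ESMTP")
        for raw in rf:
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("HELO", "EHLO"):
                reply("250 mail.example.com")
            elif cmd == "VRFY":
                if not disclose:
                    reply("252 2.5.2 Cannot VRFY user, but will accept message")
                elif arg.lower() in users:
                    reply(f"250 2.1.5 <{arg.lower()}@example.com>")
                else:
                    reply("550 5.1.1 User unknown")
            elif cmd == "QUIT":
                reply("221 2.0.0 Bye")
                break
            else:
                reply("502 5.5.2 Command not implemented")
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def smtp_vrfy_enum(host, port, candidates, timeout=5.0):
    """Client side. Returns {'valid': [...], 'invalid': [...], 'unknown': [...]}.
    250/251 -> exists, 550/551/553 -> does not, anything else (252, 502) ->
    the server will not say, and VRFY is not a usable oracle here."""
    s = socket.create_connection((host, port), timeout=timeout)
    rf = s.makefile("rb")

    def read_reply():
        lines = []
        while True:          # multi-line replies use "250-" continuation lines
            line = rf.readline().decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return line[:3], lines

    def command(text):
        s.sendall((text + "\r\n").encode())
        return read_reply()

    code, _ = read_reply()                       # server greeting
    if code != "220":
        s.close()
        raise RuntimeError(f"unexpected greeting {code}")
    command("EHLO scanner.example")
    result = {"valid": [], "invalid": [], "unknown": []}
    for user in candidates:
        code, _ = command(f"VRFY {user}")
        if code in ("250", "251"):
            result["valid"].append(user)
        elif code in ("550", "551", "553"):
            result["invalid"].append(user)
        else:
            result["unknown"].append(user)
    command("QUIT")
    s.close()
    return result


def demo():
    """Run the client against a leaky and a hardened fake MTA."""
    out = {}
    for disclose in (True, False):
        srv, port = start_fake_smtp(KNOWN_USERS, disclose)
        try:
            out[disclose] = smtp_vrfy_enum("127.0.0.1", port, ["root", "alice", "admin"])
        finally:
            srv.close()
    return out


if __name__ == "__main__":
    print(demo())
```

The client classifies by reply code rather than by reply text, because text varies between MTAs while the codes are fixed by RFC 5321; the same loop works for EXPN by changing the verb. Each VRFY is one line in the mail log, so this is as noisy as it is simple.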
Vulnerability Scanning
Vulnerability scanning is the automated process of probing systems for known security weaknesses. Unlike manual enumeration, vulnerability scanners maintain databases of thousands of known vulnerabilities (identified by CVE numbers) and systematically test whether target systems are affected. These tools are essential for both penetration testers and defensive security teams.
Nessus
Nessus, developed by Tenable, is one of the most widely deployed vulnerability scanners in the industry. Originally open source, Nessus became a commercial product in 2005. It uses a plugin-based architecture with over 180,000 plugins covering vulnerabilities across operating systems, network devices, web applications, databases, and cloud infrastructure.
Key Nessus features:
- Credentialed scanning -- log in to target systems to perform deeper checks (installed patches, local configurations, file permissions)
- Compliance auditing -- check systems against CIS Benchmarks, DISA STIGs, PCI DSS, and other compliance frameworks
- Plugin families -- organized categories including Windows, Linux, Web Servers, Databases, Firewalls, and SCADA
- CVSS scoring -- vulnerabilities are rated using the Common Vulnerability Scoring System for prioritization
OpenVAS
OpenVAS (Open Vulnerability Assessment Scanner) is the open-source fork of the original Nessus codebase, now maintained as part of the Greenbone Vulnerability Management (GVM) framework. It provides a free alternative to commercial scanners with a feed of over 100,000 network vulnerability tests (NVTs).
| Feature | Nessus Professional | OpenVAS/GVM |
|---|---|---|
| License | Commercial (subscription) | Open Source (GPL) |
| Plugin/NVT Count | 180,000+ | 100,000+ |
| Credentialed Scanning | Yes | Yes |
| Compliance Auditing | Extensive (CIS, DISA, PCI) | Limited |
| Web Interface | Yes (polished) | Yes (Greenbone Security Assistant) |
| API Access | Yes | Yes (GMP protocol) |
| Reporting | Professional templates, executive summaries | Basic, customizable via XML |
| Update Frequency | Daily plugin updates | Regular community feed updates |
Other notable vulnerability scanners include Qualys (cloud-based), Rapid7 Nexpose/InsightVM, and Nuclei (open-source, template-based).
Network Mapping and Topology
Network mapping creates a visual or logical representation of the target's network infrastructure. This includes identifying routers, switches, firewalls, subnets, VLANs, and the paths between network segments. Understanding network topology helps penetration testers identify choke points, trust boundaries, and lateral movement opportunities.
Network mapping techniques include:
- Traceroute -- maps the network path to a target, revealing intermediate routers and network boundaries
- SNMP topology discovery -- if SNMP access is available, network device configurations can reveal complete topology information
- ARP table analysis -- on compromised or authorized internal hosts, ARP tables reveal directly connected devices
- Nmap topology mapping -- Nmap's --traceroute option combined with host discovery builds a network map
```bash
# Traceroute to map network path
traceroute 192.168.1.100
# On Windows: tracert 192.168.1.100

# Nmap with traceroute for topology mapping
nmap -sn --traceroute 192.168.1.0/24

# Discover hosts (including routers and gateways) with ICMP echo and timestamp probes
nmap -sn -PE -PP 192.168.1.0/24

# Map a network visually with Zenmap (Nmap GUI)
# Use the Topology tab after scanning a range
```
IDS/IPS Evasion Considerations
In some penetration testing engagements, the tester is specifically tasked with testing whether the organization's intrusion detection and prevention systems can detect scanning activity. Understanding evasion techniques is important for both testers (who may need to simulate a stealthy attacker) and defenders (who need to tune their detection rules).
Common evasion techniques include:
- Timing control -- slowing scan speed with Nmap's -T0 through -T5 timing templates to avoid rate-based detection thresholds
- Packet fragmentation -- splitting scan packets into smaller fragments with -f to bypass simple packet inspection
- Decoy scanning -- using -D to mix the real scan source with decoy IP addresses, making it harder to identify the actual scanner
- Source port manipulation -- using --source-port 53 or --source-port 80 to make scan traffic appear as DNS or HTTP responses, which some firewalls allow
- Idle scanning -- using -sI to scan through a "zombie" host, hiding the scanner's IP address entirely
From a defensive standpoint, modern IDS/IPS solutions detect these evasion techniques by examining packet reassembly, analyzing traffic patterns over time, and correlating events across multiple sensors.
Scanner Comparison
The following table summarizes the primary scanning and enumeration tools used in authorized penetration testing:
| Tool | Primary Purpose | Strengths | Limitations |
|---|---|---|---|
| Nmap | Port scanning, host discovery | Extremely flexible, NSE scripting, OS detection | Not a full vulnerability scanner |
| Masscan | High-speed port scanning | Asynchronous transmit; can sweep the whole IPv4 space for one port in minutes at sufficient bandwidth | Less accurate, only basic banner grabbing rather than real service detection |
| Nessus | Vulnerability scanning | Extensive plugin library, compliance checks | Commercial, can be resource-intensive |
| OpenVAS | Vulnerability scanning | Free, open source, good coverage | Slower, less polished UI |
| Nikto | Web server scanning | Fast web-specific checks, outdated config detection | Noisy, web servers only |
| enum4linux | SMB/Windows enumeration | Comprehensive SMB information extraction | SMB-specific only |
Defensive Perspective
Understanding scanning techniques enables defenders to build more effective detection and prevention strategies:
- Network segmentation -- limit the blast radius of scanning by segmenting networks with firewalls and VLANs
- Port filtering -- close unnecessary ports and implement strict ingress/egress filtering
- IDS/IPS deployment -- use signature-based and anomaly-based detection to identify scanning activity
- Log monitoring -- monitor firewall logs, connection logs, and authentication logs for scanning indicators such as rapid sequential port connections
- Honeypots -- deploy decoy services on unused ports to detect scanning activity and waste attacker time
- Rate limiting -- implement connection rate limits to slow down automated scanning tools
- Regular vulnerability scanning -- conduct your own vulnerability scans proactively to find and remediate issues before attackers do
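The log-monitoring item above, and the timing-template evasion from the IDS/IPS section, as one added example (not code from the page): a detector that reads firewall log lines and flags any source that touches many distinct destination ports inside a sliding time window. The log lines are constructed in an iptables/ufw-style syslog format, and the thresholds are illustrative. Three sources are planted: a default-speed scanner, a legitimate client that only ever uses ports 80 and 443, and a -T0-style scanner probing one port every five minutes. The last one shows why a single short window is not enough: it slips under a 60-second window and is only caught when the same counter is also run over a much longer one.

```python
"""Port-scan detection over firewall log lines.

Added example, not from the page: the log lines are constructed in an
iptables/ufw-like syslog format, and the thresholds are illustrative."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2024):
    """Parse one line such as
    'Jan 10 12:00:00 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.100
     LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN'  (syslog has no year, so pass it in)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]), "action": m["action"]}


def max_distinct_targets(events, window_seconds):
    """For each source, the largest number of distinct (dst, dport) pairs seen
    inside any sliding window of window_seconds. Two-pointer sweep per source."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    result = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        counts, left, best = Counter(), 0, 0
        for e in evs:
            counts[(e["dst"], e["dpt"])] += 1
            while (e["ts"] - evs[left]["ts"]).total_seconds() > window_seconds:
                old = (evs[left]["dst"], evs[left]["dpt"])
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        result[src] = best
    return result


def detect_scanners(lines, window_seconds=60, min_targets=20):
    """Sources that hit at least min_targets distinct ports within one window."""
    events = [e for e in map(parse_line, lines) if e]
    scores = max_distinct_targets(events, window_seconds)
    return sorted(src for src, n in scores.items() if n >= min_targets)


# ---- constructed sample log -------------------------------------------------
def fw_line(ts, src, dpt, dst="192.168.1.100", action="DROP"):
    return (f"{ts.strftime('%b %d %H:%M:%S')} fw kernel: {action} IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=60 PROTO=TCP SPT=40001 DPT={dpt} SYN")


def build_sample_log():
    t0 = datetime(2024, 1, 10, 12, 0, 0)
    lines = []
    # 1) default-speed scanner: 50 ports in 10 seconds
    lines += [fw_line(t0 + timedelta(seconds=i // 5), "203.0.113.5", i + 1)
              for i in range(50)]
    # 2) legitimate client: 60 hits on ports 80/443 only, spread over an hour
    lines += [fw_line(t0 + timedelta(minutes=i), "198.51.100.7",
                      80 if i % 2 else 443, action="ACCEPT") for i in range(60)]
    # 3) -T0-style slow scanner: one new port every five minutes for 2.5 hours
    lines += [fw_line(t0 + timedelta(minutes=5 * i), "203.0.113.9", 1000 + i)
              for i in range(30)]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("60 s window :", detect_scanners(SAMPLE_LOG, 60, 20))
    print("24 h window :", detect_scanners(SAMPLE_LOG, 24 * 3600, 20))
```

Counting per source is exactly what decoy scanning (-D) is designed to dilute, since each decoy address carries only a fraction of the probes; a second pass that counts distinct ports per destination regardless of source catches that case, at the cost of more false positives on busy servers.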
For the next phase of the penetration testing process, see Exploitation. For background on the previous phase, see Reconnaissance.
References
- Lyon, G. F. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Nmap Project.
- Weidman, G. (2014). Penetration Testing: A Hands-On Introduction to Hacking. No Starch Press.
- McNab, C. (2017). Network Security Assessment, 3rd Edition. O'Reilly Media.
- NIST SP 800-115. (2008). Technical Guide to Information Security Testing and Assessment. National Institute of Standards and Technology.
- PTES Technical Guidelines. (2014). "Vulnerability Analysis." Penetration Testing Execution Standard.
- Tenable. (2024). Nessus Documentation. Tenable, Inc.
- Greenbone Networks. (2024). Greenbone Vulnerability Management Documentation.
- MITRE ATT&CK. (2024). "Active Scanning." Technique T1595. The MITRE Corporation.
- Postel, J. (1981). RFC 793: Transmission Control Protocol. IETF.