In this section, we will go over the basics of vulnerability scanning and verify what is happening when the host scan is performed with the help of Wireshark.
Host discovery, port scanning, and OS detection are part of vulnerability scanning. During this process, vulnerabilities are identified and addressed with a proper mitigation plan by the security auditor. For example:
Open the host_scan.pcap
file in Wireshark; the sample capture shows how the external client is scanning the ports:
During this process, a SYN
packet is sent to the all the ports for common services on each host, such as DNS
, LDAP
, HTTP
and many more. If we get the ACK from the host, the host is considered ACTIVE
on that port.
The security auditor or hacker can use network scanner tools to get the port, host, and OS information. For example, the nmap
network utility command can be used to scan the active/open ports:
The online nmap tool can be found at https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap.
SSL scans are done by different users (for example, security auditors and hackers) to achieve their own objectives:
An example using the nmap
command to find available ciphers and the supported protocol version in a given server port 636
LDAP is as shown:
[root@ ~]# nmap --script ssl-cert,ssl-enum-ciphers -p 636 10.10.1.3To find available ciphers and the supported protocol version in a given server port 443 HTTPS [root@ ~]# nmap --script ssl-cert,ssl-enum-ciphers -p 443 10.10.1.3
3.16.135.36