Week 4 - Target Discovery, OS Fingerprinting, and Port Scanning

As always, a quick reminder that any tools, techniques, and concepts shared on this blog are strictly for educational purposes. I am not responsible for any misuse of the information or tools discussed here.

We are officially in Week 4 of Ethical Hacking and Penetration Testing. This session was led by S. Pradono Suryodiningrat, and it was incredibly network-heavy. We shifted our focus from passive footprinting to active target discovery and enumeration. This is where you actually start interacting with the target machines.

Here is a breakdown of my notes from the lecture and lab.

1. Target Discovery

Before you can scan a target, you have to find out if it is actually alive on the network. We looked at a bunch of tools used to ping and identify machines.

  • The usual suspects: ping, arping, fping, hping, and nping.

  • We also touched on alive6 for IPv6 environments and nbtscan for dealing with NetBIOS over TCP/IP.

2. OS Fingerprinting (Active vs. Passive)

Once you know a machine is there, the next step is figuring out what operating system it is running. This is called OS Fingerprinting, and there are two ways to do it:

  • Active Fingerprinting: This involves sending specifically crafted network packets to the target and analyzing the response. It is fast, but it is extremely noisy. If the target has an Intrusion Detection System (IDS), you will definitely be noticed. Nmap is the classic tool for this.

  • Passive Fingerprinting: This is much slower but highly stealthy. Instead of sending packets, you just sit back and sniff the network traffic (like capturing SYN or SYN+ACK packets) to deduce the OS based on how it naturally communicates. p0f is a tool used for this.
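To make the passive approach concrete, here is an added example (my own illustration, not code from the lecture or from p0f) of the simplest p0f-style inference: take one captured TCP SYN, read the IPv4 TTL and the TCP window size, round the TTL up to the nearest common initial TTL (64, 128 or 255) to estimate both the starting value and the hop count, and look the pair up in a small table of well-known defaults. The sample packets are constructed in the script, nothing is sent, and the signature table is an assumption used as a hint rather than proof of the OS.

```python
"""Passive OS inference from a single captured TCP SYN (p0f-style).
Only the IPv4 TTL and the TCP window of an already-seen packet are used;
sample packets are constructed below, so nothing touches the network."""
import struct

# Initial TTLs that common stacks start from; the value observed at a sensor is
# lower by the number of routers the packet crossed.
INITIAL_TTLS = (64, 128, 255)

# Coarse, widely cited defaults (assumption: treat these as hints only; tuned
# hosts, NAT and VPNs can all make them lie).
SIGNATURES = {
    (64, 29200): "Linux (common 3.x+ default SYN window)",
    (64, 65535): "BSD / macOS-like",
    (128, 8192): "Windows (Vista and later)",
    (128, 65535): "Windows (older or tuned)",
    (255, 4128): "Cisco IOS-like",
}


def build_ipv4_tcp_syn(ttl: int, window: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP SYN, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIHHHH", 51000, 443, 0, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp


def parse_syn(pkt: bytes) -> tuple:
    """Return (ttl, window) from an IPv4/TCP packet; reject anything but a pure SYN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes (options included)
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    if tcp[13] & 0x3F != 0x02:         # p0f keys on the client's first SYN
        raise ValueError("not a pure SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    return ttl, window


def guess_initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common starting value."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial
    raise ValueError("TTL above 255 is impossible")


def fingerprint(pkt: bytes) -> dict:
    """Passive guess for one SYN: TTL/hop estimate plus a table lookup."""
    ttl, window = parse_syn(pkt)
    initial = guess_initial_ttl(ttl)
    return {
        "observed_ttl": ttl,
        "initial_ttl": initial,
        "hops": initial - ttl,
        "window": window,
        "guess": SIGNATURES.get((initial, window), "unknown"),
    }


if __name__ == "__main__":
    for ttl, win in ((52, 29200), (116, 8192), (249, 4128), (60, 1234)):
        print(fingerprint(build_ipv4_tcp_syn(ttl, win)))
```

The point of the hop estimate is the caveat the lecture hints at: a TTL of 52 tells you "probably started at 64, twelve hops away", which is a guess about the path as much as about the OS, so treat the output as a lead to confirm, not a conclusion.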

3. The Core of Port Scanning: TCP vs. UDP

A huge chunk of the lecture was spent reviewing how TCP and UDP protocols work because port scanning relies entirely on manipulating these protocols.

  • TCP (Transmission Control Protocol): TCP is connection-oriented and reliable. We reviewed the classic "Three-Way Handshake" (SYN ➔ SYN+ACK ➔ ACK). When we run a TCP port scan, we are basically looking at how the target responds to our initial SYN packet. If we get a SYN+ACK back, the port is open. If we get an RST (Reset) packet, it is closed. If we get an ICMP Port Unreachable message or nothing at all, a firewall is likely blocking it.

  • UDP (User Datagram Protocol): UDP is connectionless. It just fires data at the destination without establishing a connection first. Scanning UDP is notoriously tricky. If a port is open, the target might respond with a UDP packet. If it sends nothing back, the port could be open, or the packet could have been blocked by a firewall. It is much harder to be certain compared to TCP.
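The two bullets above are really a decision table: one probe goes out, and the port state follows from what comes back. Here is that table as code, an added example of my own (not from the lecture and not Nmap's source), following the reply-to-state rules documented for Nmap's SYN scan (-sS) and UDP scan (-sU). It parses the flag byte of a TCP header and the type/code of an ICMP header, and it covers the awkward cases the bullets mention: silence on TCP, silence on UDP, and the difference between an ICMP port-unreachable (the host answering "nobody is listening") and the administratively-prohibited family (a firewall or router answering for it). All replies are constructed samples; nothing is put on the wire.

```python
"""Port-state rules from the lecture, as code: one probe, one reply, one verdict.
The decision table follows the documented behaviour of Nmap's -sS and -sU scans.
Replies below are constructed samples; nothing is sent."""
import struct
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in byte 13 of the TCP header.
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# ICMP destination-unreachable (type 3) codes.  Code 3 (port unreachable) is the
# host itself saying "closed" for UDP; codes 1, 2, 9, 10 and 13 (host/protocol
# unreachable, administratively prohibited) come from routers or firewalls and
# mean the probe was filtered before it reached the port.
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}
TCP_FILTERED_CODES = ICMP_FILTERED_CODES | {ICMP_PORT_UNREACH}


@dataclass
class Reply:
    proto: str      # "tcp", "udp" or "icmp"
    header: bytes   # raw transport/ICMP header as captured


def tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (constructed sample; checksum left zero)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       (5 << 12) | flags, 65535, 0, 0)


def icmp_header(icmp_type: int, code: int) -> bytes:
    """Minimal 8-byte ICMP header (constructed sample; checksum left zero)."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def tcp_flags(header: bytes) -> int:
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F


def icmp_type_code(header: bytes) -> tuple:
    if len(header) < 8:
        raise ValueError("truncated ICMP header")
    return header[0], header[1]


def classify_syn_probe(reply: Optional[Reply]) -> str:
    """Port state after a TCP SYN probe (Nmap -sS rules)."""
    if reply is None:
        # Nmap retransmits before concluding; silence after retries is filtered.
        return "filtered"
    if reply.proto == "tcp":
        flags = tcp_flags(reply.header)
        if flags & TCP_RST:                       # RST (usually RST+ACK): closed
            return "closed"
        if flags & TCP_SYN and flags & TCP_ACK:   # SYN+ACK: open
            return "open"
    elif reply.proto == "icmp":
        t, c = icmp_type_code(reply.header)
        if t == ICMP_DEST_UNREACH and c in TCP_FILTERED_CODES:
            return "filtered"
    return "unexpected"


def classify_udp_probe(reply: Optional[Reply]) -> str:
    """Port state after a UDP probe (Nmap -sU rules)."""
    if reply is None:
        # Ambiguous by design: the service may be open but silent, or dropped.
        return "open|filtered"
    if reply.proto == "udp":                      # any UDP answer proves a listener
        return "open"
    if reply.proto == "icmp":
        t, c = icmp_type_code(reply.header)
        if t == ICMP_DEST_UNREACH:
            if c == ICMP_PORT_UNREACH:            # the host: nobody listening
                return "closed"
            if c in ICMP_FILTERED_CODES:          # a router/firewall answered
                return "filtered"
    return "unexpected"


def run_demo() -> dict:
    """Classify a set of constructed replies; returns {scenario: state}."""
    syn_ack = Reply("tcp", tcp_header(80, 40000, TCP_SYN | TCP_ACK))
    rst_ack = Reply("tcp", tcp_header(23, 40000, TCP_RST | TCP_ACK))
    admin_prohibited = Reply("icmp", icmp_header(ICMP_DEST_UNREACH, 13))
    port_unreachable = Reply("icmp", icmp_header(ICMP_DEST_UNREACH, 3))
    udp_answer = Reply("udp", b"")
    return {
        "tcp/80 SYN+ACK": classify_syn_probe(syn_ack),
        "tcp/23 RST+ACK": classify_syn_probe(rst_ack),
        "tcp/445 silence": classify_syn_probe(None),
        "tcp/22 ICMP admin-prohibited": classify_syn_probe(admin_prohibited),
        "udp/53 UDP reply": classify_udp_probe(udp_answer),
        "udp/161 silence": classify_udp_probe(None),
        "udp/69 ICMP port-unreachable": classify_udp_probe(port_unreachable),
        "udp/500 ICMP admin-prohibited": classify_udp_probe(admin_prohibited),
    }


if __name__ == "__main__":
    for scenario, state in run_demo().items():
        print(f"{scenario:32s} -> {state}")
```

Two things the code makes visible that the prose glosses over: a TCP "closed" verdict rests on an RST, not on the absence of SYN+ACK, and the UDP "open|filtered" verdict is the honest answer when nothing comes back, which is why UDP scans take so long and why Nmap only upgrades that verdict when a service-specific payload provokes a real reply.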

4. Network Scanners

We wrapped up by looking at the main tools we will be using to actually conduct these scans. Nmap is obviously the heavy hitter here, and we have to get comfortable with its various flags for TCP scans, UDP scans, and timing options. We also looked at Zenmap (the GUI for Nmap), Unicornscan, and Amap.

I've got a lot of networking theory to brush up on. Understanding exactly why a machine sends back an RST packet versus an ICMP message seems to be the key to doing this right.
