Foundations of Penetration Testing: Host Discovery & Port Scanning
Welcome to the foundational module on Host Discovery and Port Scanning, crucial techniques for any penetration tester, especially when preparing for certifications like the OSCP. Understanding how to identify active hosts on a network and what services they are running is the first step in uncovering potential vulnerabilities.
What is Host Discovery?
Host discovery, sometimes called a ping sweep or host enumeration, is the process of identifying live hosts (computers, servers, network devices) on a network. It comes first because you can only attack systems you know exist, and the set of live hosts defines the attack surface you will map in the steps that follow.
Common Host Discovery Techniques
Technique | Protocol | Pros | Cons |
---|---|---|---|
ICMP Echo Request (Ping) | ICMP | Simple, widely understood, good for basic reachability. | Echo requests are often dropped by host firewalls and perimeter filters, so a host that does not reply may still be up; easy to spot in logs. |
ARP Scan | ARP | Very reliable on the local Ethernet segment: a host cannot ignore ARP without losing IP connectivity, and host firewalls do not filter it. | Limited to the local subnet; ARP is not routed. |
TCP SYN Ping | TCP | Works where ICMP is blocked: a SYN to a commonly open port (for example 80 or 443) draws either a SYN/ACK or a RST, and both prove the host is up. | Crafting raw SYN probes needs root/administrator privileges; without them the probe becomes a full connect(), which the application may log. |
UDP Ping | UDP | Reaches hosts whose TCP and ICMP are filtered; an ICMP port-unreachable reply to a closed UDP port proves the host is up. | Slow (hosts rate-limit ICMP errors), no reply is ambiguous, and many filters drop UDP outright. |
What is Port Scanning?
Once active hosts are identified, port scanning is the next logical step. It involves probing each active host to discover which network ports are open, closed, or filtered. Open ports indicate running services that could potentially be exploited.
Types of Port Scans
Port scanning sends probes to specific ports on a target host and infers each port's state from the reply, or from the absence of one. The most common Nmap scan types:
TCP SYN Scan (-sS, "stealth" or half-open scan): sends a SYN and waits. A SYN/ACK means open, a RST means closed, and no reply or an ICMP unreachable error means filtered. The handshake is never completed, so the scan is fast and the listening application never receives a connection it could log; it needs raw-socket privileges (root/administrator).
TCP Connect Scan (-sT): completes the full three-way handshake through the operating system's connect() call, so it needs no special privileges and is reliable, but every open port sees a real connection that the service may log.
UDP Scan (-sU): sends a UDP datagram (empty, or a protocol-specific payload for well-known ports). A UDP reply means open; an ICMP port unreachable (type 3, code 3) means closed; other ICMP unreachable errors mean filtered; no reply at all is ambiguous and is reported as open|filtered. Hosts rate-limit ICMP errors, so UDP scans are slow.
FIN, NULL and XMAS Scans (-sF, -sN, -sX): send packets with unusual TCP flag combinations. On an RFC 793-compliant stack a closed port answers with RST and an open port stays silent, so a silent port is reported as open|filtered. They can slip past stateless packet filters that only block SYN, but they give no useful result against Windows and other stacks that answer RST regardless of port state.
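The classification rules above, and the host-discovery observation that a RST is as good as a SYN/ACK for proving a host exists, can be exercised with nothing more than the operating system's connect() call. The block below is an added example written for this page, not Nmap's code: it implements an unprivileged TCP connect scan, maps each outcome to Nmap's open/closed/filtered vocabulary, and reuses the same probe as a TCP-ping host-discovery check (the unprivileged analogue of -PS). The target is a constructed throwaway listener on 127.0.0.1, so it runs offline; the port range scanned around it is an assumption for illustration.

```python
"""Unprivileged TCP connect() probing: port-state classification plus
host discovery. Added example for this page, not Nmap's own code.
Standard library only; the target is a constructed listener on loopback."""
import socket
import threading

# Port states, named the way Nmap reports them.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_tcp(host, port, timeout=1.0):
    """Full TCP connect to host:port and map the result to a port state.

    connect() succeeds             -> handshake completed: open
    ECONNREFUSED (a RST came back) -> closed, but the host is definitely up
    timeout / unreachable          -> no answer: filtered (or host down)

    Unlike a SYN scan the handshake completes, so the service sees (and may
    log) the connection; that is the price of not needing raw sockets.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except (socket.timeout, OSError):
        return FILTERED
    finally:
        sock.close()


def scan_ports(host, ports, timeout=1.0):
    """Connect-scan each port in `ports` and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def host_is_up(host, probe_ports=(80, 443), timeout=1.0):
    """TCP-ping host discovery: any SYN/ACK *or* RST proves a host exists,
    so a closed port counts as a hit. Only silence leaves the question open."""
    return any(probe_tcp(host, p, timeout) in (OPEN, CLOSED) for p in probe_ports)


def start_listener(host="127.0.0.1"):
    """Constructed target: a throwaway TCP listener on an ephemeral port.
    Returns the server socket and the port it was assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        # Accept and immediately drop connections until the socket is closed.
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Scan the listener's port and the two ports above it (assumed unused).
    Returns ({port: state}, listening_port)."""
    srv, open_port = start_listener()
    ports = [open_port, open_port + 1, open_port + 2]
    try:
        return scan_ports("127.0.0.1", ports), open_port
    finally:
        srv.close()


if __name__ == "__main__":
    states, listening = demo()
    for port, state in states.items():
        print(f"127.0.0.1:{port} {state}")
    # A closed port alone is enough to prove the host is alive.
    print("host up:", host_is_up("127.0.0.1", probe_ports=[listening + 1]))
```

Against a real target the FILTERED branch is where the ambiguity lives: a timeout cannot distinguish a dropped probe from a dead host, which is exactly why the table above recommends probing a port that is likely open and why an explicit RST is such useful evidence.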
Host discovery identifies which systems are active on a network, while port scanning identifies what services are running on those active systems.
Tools for Host Discovery and Port Scanning
Several powerful tools are available for performing host discovery and port scanning. Mastering these tools is fundamental for OSCP preparation and practical penetration testing.
Nmap (Network Mapper) is the Swiss Army knife for network exploration. It can perform host discovery, port scanning, OS detection, version detection, and more. Its versatility makes it indispensable.
Other notable tools: (diagram of complementary tools not reproduced)
Key Takeaways for OSCP Preparation
For the OSCP exam, proficiency in these areas is non-negotiable. You'll need to quickly and accurately map out target networks. Practice using Nmap extensively, understanding its various scan types, timing options, and output formats. Be prepared to use other tools as well, depending on the scenario.
Port scanning matters because it reveals the potential entry points (listening services) on a target system that could be vulnerable to exploitation.
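Output formats are part of the workflow the takeaways above call for: on a multi-host target you typically run one sweep, save it, and work from the saved results rather than rescanning. The block below is an added example for this page, not part of Nmap, that parses Nmap's greppable output format (-oG) into live hosts and their port states and then answers the two questions you ask next: which ports are open on each live host, and which hosts expose a given service. The sample output is constructed to match the -oG line layout; its addresses, hostnames and version strings are made up.

```python
"""Parse Nmap greppable output (-oG) into live hosts and their ports.
Added example for this page, not Nmap's own code. SAMPLE_GNMAP is a
constructed sample in the -oG layout; every host, port and version in it
is invented for illustration."""
import re

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sV -p 22,80,443 -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.11 (web.lab)\tStatus: Up
Host: 192.168.1.11 (web.lab)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.168.1.12 ()\tStatus: Down
# Nmap done at Mon Jan  1 00:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.01 seconds
"""

# "Host: <ip> (<hostname>)" followed by tab-separated "Key: value" fields.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "up": bool,
                    "ports": {port: (state, proto, service, version)}}}."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # scan header/footer comments
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": {}})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                # Each entry: port/state/proto/owner/service/rpcinfo/version/
                for port_spec in value.split(", "):
                    parts = port_spec.split("/")
                    port, state, proto, _owner, service, _rpc, version = (parts + [""] * 7)[:7]
                    entry["ports"][int(port)] = (state, proto, service, version)
                entry["up"] = True  # ports are only reported for live hosts
    return hosts


def open_ports(hosts):
    """{ip: sorted open port numbers} for every live host."""
    return {
        ip: sorted(port for port, (state, *_) in h["ports"].items() if state == "open")
        for ip, h in hosts.items()
        if h["up"]
    }


def hosts_with_service(hosts, service):
    """Sorted IPs with an open port whose service name matches, the kind of
    target list you build before picking an exploitation path."""
    return sorted(
        ip
        for ip, h in hosts.items()
        if any(st == "open" and svc == service for st, _, svc, _ in h["ports"].values())
    )


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in open_ports(parsed).items():
        print(ip, parsed[ip]["hostname"] or "-", ports)
    print("http hosts:", hosts_with_service(parsed, "http"))
```

For anything beyond quick triage, Nmap's XML output (-oX) is the format to feed to tooling; -oG is convenient precisely because one line per host works with grep, cut and sort during an exam, and the parser above is the programmatic version of those one-liners.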
Learning Resources
The official and most comprehensive documentation for Nmap, covering all its features, commands, and scripting capabilities.
A concise PDF cheat sheet from Offensive Security, perfect for quick reference during practice and exams.
A foundational course that covers the basics of penetration testing, including reconnaissance and scanning techniques.
Learn essential network enumeration techniques, including host discovery and port scanning, through interactive labs.
An article explaining the principles and common techniques of network scanning, with a focus on web application security context.
A general overview of port scanning, its history, types, and common uses.
A whitepaper detailing various network reconnaissance techniques, including host discovery and port scanning, from a security perspective.
A practical video tutorial demonstrating how to use Nmap for various scanning tasks, including host discovery and port scanning.
Information on Nmap as it's integrated into Kali Linux, including common commands and use cases.
Details on host discovery methods and tools available within the Network Security Toolkit.