In our journey to be security practitioners, we must understand basic network-based techniques from both attackers and defender perspectives. Continuing on that track, let’s talk more about network scanning and its tools and techniques today.

If you are looking for a similar topic, check out How to Perform Network Scanning and Forensics with Nmap.

Network Scanning Basics

Scanning Tools

There are many powerful networking tools in the Linux command line. Some use raw IP packets, others use DHCP, and many simply use the IP addressing and routing topologies to glean a lot of helpful information about our immediate network neighborhood or even networks across the globe on the Internet.

The ability to fish for information like when a host is on and how many ports are open on a given machine is essential even for non-malicious use. Once this data is available in the hands of attackers, they can launch attacks against certain network services or harm their competitors.

Some of the standard tools in this family include but are not limited to:

  • hping3
  • fping
  • Nmap
  • ettercap
  • nettle
  • p0f

For this article, we shall dwell on the most popular ones. There are also plenty of commercial tools running on Windows, with GUI interfaces, and so on. But since it is the open-source developers and technical geeks that love network scanning, and Linux based systems provide more power than Windows or Mac, Linux command-line tools are going to be more than the GUI tools that perform scanning for you.

Before we go deeper into this topic, let us get familiar with some terms and tricks of the trade. Since networking is the most important topic under discussion, we must know that the remote OS fingerprinting or TCP/IP stack fingerprinting is a method of identifying the remote machine’s operating system, the release, and other details of the TCP/IP stack.

One of the primary uses and purposes of network scanning is to glean this information, which can then be used to our advantage or even for malicious purposes or to launch exploits on vulnerable hosts. But knowledge is power, and never has this adage been more relevant than with network scanning.

Based on the characteristics of the TCP layer, around 67 bits in the header are implementation-specific, such as the initial TCP flow control window size, the setting of bits for certain handshake operations, and so on. Suffice it to say that the protocol sniffers like <em>Wireshark</em> or tcpdump command-line tools can often help guess these things for us, and so can nmap and p0f.

Active OS fingerprinting raises alarms easily, so passive fingerprinting with p0f  is often used since it appears as a regular HTTP transaction but can glean information about the remote host.

But that said, the OS fingerprinting field is still prone to error, and this is more of an art than an exact science.

Moving from OS fingerprinting to network scanning

Even a simple ping program can now be improved with the traceroute algorithm that uses the ICMP time exceeded message to trace a packet’s journey. It also scans the nearby networks or even a remote network several hops away or geographically at the other side of the planet.

Of course, there are computers in space as well 🙂 Jokes aside, now for using the ICMP ping as a measure of a host being up and running is not something that many networking geeks relish. We have many tools like Nmap with its numerous options to check the liveness, the fping program, and hping3.

The job of network scanning is not just for reconnaissance alone. We can also identify weaknesses in our network and gain a lot of knowledge using these tools. However, we can tighten our security perimeter to serve better our goal of keeping our network assets away from prying eyes.
Some command examples

Some command examples

# nmap -sS -p1-1000 Starting Nmap 7.60 ( ) at 2020-10-06 08:31 IST Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 99.99% done; ETC: 08:31 (0:00:00 remaining) Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 99.99% done; ETC: 08:31 (0:00:00 remaining) Nmap scan report for _gateway ( Host is up (1.1s latency). Not shown: 995 closed ports PORT STATE SERVICE 21/tcp filtered ftp 23/tcp open telnet 53/tcp open domain 80/tcp open http 443/tcp open https MAC Address: 4C:AE:1C:0B:F9:E3 (Unknown) Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds

# hping3 --scan 1-30,70-90 -S Scanning (, port 1-30,70-90 51 ports to scan, use -V to see all the replies +----+-----------+---------+---+-----+-----+-----+ |port| serv name | flags |ttl| id | win | len | +----+-----------+---------+---+-----+-----+-----+ 23 telnet : .S..A... 64 0 5840 44 80 http : .S..A... 64 0 5840 44 All replies received. Done. Not responding ports: (21 ftp) # traceroute traceroute to (, 30 hops max, 60 byte packets 1 _gateway ( 0.986 ms 0.998 ms 1.144 ms 2 ( 1.140 ms 1.157 ms 1.168 ms 3 ( 4.984 ms 4.935 ms ( 4.955 ms 4 ( 23.882 ms 23.819 ms 23.852 ms 5 ( 24.101 ms * 24.032 ms 6 ( 24.661 ms ( 21.636 ms ( 24.956 ms 7 ( 22.548 ms ( 23.659 ms ( 22.682 ms 8 ( 23.676 ms 19.219 ms ( 23.750 ms


This article is just an eye-opener to the rich possibilities of network scanning and the free tools at our disposal. Only time, knowledge, and experience are needed to use them to serve our purposes. In addition to what this article talks about, there is still firewalk, netsniff-ng family of tools, the netflow tools that can further help glean useful information. When it comes to the routing protocols that power the Internet like BGP, OSPF, etc., we look at several tools, including DNS based tools. These days we have SSL based scanning as well, which we have referenced in a previous blog. Today’s internet is becoming more and more crypto-centric, with nearly each HTTP transaction encrypted.

Did you enjoy this content? Follow our linkedin page!