This chapter focuses on the technical execution of IP network scanning. After undertaking initial reconnaissance to identify IP address spaces of interest, network scanning builds a clearer picture of accessible hosts and their network services. Network scanning and reconnaissance are the real data-gathering exercise of an Internet-based security assessment. The rationale behind IP network scanning is to gain insight into the following elements of a given network:
ICMP message types that generate responses from target hosts
Accessible TCP and UDP network services running on the target hosts
Operating platforms of target hosts and their configuration
Areas of vulnerability within target host IP stack implementations (including sequence number predictability for TCP spoofing and session hijacking)
Configuration of filtering and security systems (including firewalls, border routers, switches, and IDS sensors)
Performing both network scanning and reconnaissance tasks paints a clear picture of the network topology and its security mechanisms. Before penetrating the target network, further assessment steps involve gathering specific information about the TCP and UDP network services that are running, including their versions and enabled options.