Network scanning starts as a simple task…

nmap -oA results target   # -oA takes an output basename ("results"); "target" is the host or range to scan

Unfortunately, it quickly turns into a complicated endeavor requiring a combination of automation, manual tuning, intuition, and discipline. Here are a few gotchas we regularly run into and try to solve.

  • Network device – firewall – reports all IPs as active and/or all ports as open/filtered
  • Solaris devices consume a ton of scanning time
  • Scan names mixed and matched by different scan team members lead to repeat scanning and/or “lost” results
  • Target(s) include the scanning box leading to “self scanning” and improper reporting
  • IDS/IPS blocks/slows scanning traffic

This is just a short list of some of the problems, but it shows how a simple task becomes an all-day or multi-day event requiring considerable skill and understanding of the tools (i.e., nmap, hping2, nikto, etc.).

We often respond to new challenges by looking to automate or at least standardize certain elements, such as our naming convention for scan results or how we tackle doing zone-to-zone testing on a multizone network.
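As an added example (not code from the original post), here is the kind of small wrapper the standardization above can take: a fixed naming convention for result files so nothing is "lost" or scanned twice, the scanning box filtered out of its own target list, and a post-scan check for hosts where a firewall answers "open" for nearly every port. The engagement and zone labels, the results directory, the open-port threshold, and the nmap options are assumptions; the sample .gnmap lines are constructed, not real scan output.

```shell
#!/bin/sh
# Added example, not the original post's code. Wrapper around nmap -oA that
# standardizes result names, keeps the scanner out of the target list and
# flags hosts that a firewall is likely answering for.

RESULTS_DIR="${RESULTS_DIR:-./scan-results}"   # assumed directory layout

# Result basename: <engagement>_<source-zone>_<target-zone>_<scan-type>_<UTC time>.
# $5 is an optional fixed timestamp so the name can be reproduced in tests.
scan_basename() {
    ts="${5:-$(date -u +%Y%m%dT%H%M%SZ)}"
    printf '%s_%s_%s_%s_%s' "$1" "$2" "$3" "$4" "$ts" | tr ' /' '__'
}

# Print the targets from $2 that are not also in $1 (both space separated),
# so the scanning box never ends up scanning itself.
filter_self() {
    out=""
    for t in $2; do
        keep=1
        for s in $1; do
            if [ "$t" = "$s" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then out="${out:+$out }$t"; fi
    done
    printf '%s' "$out"
}

# Print hosts from a .gnmap file (written by -oA) with at least $2 open ports.
# A whole subnet showing up here usually means a firewall or IPS is answering
# for the targets rather than the targets themselves.
flag_open_floods() {
    awk -v thr="$2" '
        /^Host:/ && /Ports:/ {
            n = gsub(/\/open\//, "&")          # count open ports on this line
            if (n >= thr) { split($0, f, " "); print f[2] }
        }' "$1"
}

# Run one zone-to-zone scan with the naming and self-exclusion applied.
# Refuses to overwrite an existing result set instead of silently rescanning.
run_scan() {
    engagement="$1"; src_zone="$2"; dst_zone="$3"; scan_type="$4"
    self_ips="$5"; targets="$6"
    base="$RESULTS_DIR/$(scan_basename "$engagement" "$src_zone" "$dst_zone" "$scan_type")"
    if [ -e "$base.xml" ]; then
        echo "refusing to overwrite $base.*" >&2
        return 1
    fi
    mkdir -p "$RESULTS_DIR"
    # Port selection and timing are assumptions; adjust per engagement.
    nmap -oA "$base" --top-ports 1000 -T3 $(filter_self "$self_ips" "$targets")
    # 900 of 1000 ports open on one host is almost never real.
    flag_open_floods "$base.gnmap" 900
}

# Constructed sample of .gnmap lines (not real scan output) for a dry run.
write_sample_gnmap() {
    printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)\n' > "$1"
    printf 'Host: 10.0.0.2 ()\tPorts: 1/open/tcp//tcpmux///, 2/open/tcp//compressnet///, 3/open/tcp//compressnet///, 4/open/tcp//unknown///\n' >> "$1"
}

# Dry run that needs no nmap: shows the name, the filtered target list and the
# open-flood check on the constructed sample.
demo() {
    echo "basename: $(scan_basename acme dmz internal tcp-top1000)"
    echo "targets:  $(filter_self '10.0.0.5' '10.0.0.1 10.0.0.5 10.0.0.9')"
    tmp=$(mktemp)
    write_sample_gnmap "$tmp"
    echo "flooded:  $(flag_open_floods "$tmp" 3)"
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh wrapper.sh demo` for the offline dry run, or call `run_scan` with the engagement, zones, scan type, the scanner's own addresses and the target list. The same self-exclusion can also be handed to nmap directly with its `--exclude` option; filtering the list in the wrapper simply keeps the record of what was actually scanned in one place.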

We will follow up with some of the tips and tricks we teach new scan team members to help avoid common pitfalls.