Network Scanner
About this tool
Because the scanner detects a wide range of vulnerabilities in network services, operating systems, and web servers, its use cases are very diverse.
What is a Network Vulnerability Scanner?
The network perimeter of a company is the 'wall' which isolates the internal network from the outside world. However, because the outside world needs to access various resources of the company (ex. the website), the network perimeter exposes some network services (ex. FTP, VPN, DNS, HTTP, and others).
A Network Vulnerability Scanner is designed to map all the services exposed on the network perimeter and detect if they are affected by vulnerabilities.
Parameters
Target: This specifies the target that will be scanned. It can be a single IP address or a hostname (ex. www.example.com).
Scan type - Light: Uses a custom-built vulnerability scanning engine on the top 100 most common ports. This mode is very fast since it uses the service versions to detect vulnerabilities.
Scan type - Deep: Scans the top 5000 most common TCP ports or the top 1000 most common UDP ports. This mode is designed to perform a complete check by combining the version-based, Sniper and Nuclei vulnerability scanning engines.
Scan type - Custom: Permits scanning engine and port customization. It requires at least one selected engine and runs on the top 1000 most common ports if no ports are selected.
Ports to scan - Common: (Custom scan type only) Lets you choose among preconfigured port lists: OpenVAS default ports, the full port range, or the top 10, 100, 1000, or 5000 most common ports. Defaults to the top 1000 most common ports.
Ports to scan - Range: (Custom scan type only) You can specify a range of ports to be scanned. Valid ports are between 1 and 65535.
Ports to scan - List: (Custom scan type only) You can specify a comma-separated list of ports to be scanned.
Protocol type - TCP: This option tells our engine to scan only TCP ports.
Protocol type - UDP: This option tells our engine to scan only UDP ports.
Check alive: Enable host discovery to check if the target is alive before scanning it.
Extensive Modules: Includes modules that run for an extended period of time due to fuzzing on multiple endpoints and query parameters (CVE-2022-42889, CVE-2022-34265).
How it works
The scanner first attempts to detect whether the host is alive before doing the port scan. If the host is not alive (ex. does not respond to ICMP requests), it will show zero open ports found.
If the scanner does not find any open ports even though you know there are some, we recommend re-running the scan with the option "Check if host is alive" disabled. This will skip host discovery and just start the port scan.
Light mode
The Light version runs the version-based engine and performs a very fast security assessment with minimum interaction with the target system. It starts by running Nmap on the top 100 most common ports to detect the open ports and services. Then, based on the results returned by Nmap, our network scanner queries a database of known vulnerabilities to see if the specific versions of the services are affected by any issues.
This detection method, while very fast, is prone to returning false positives because it relies only on the version reported by the services (which may be inaccurate).
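The version-based matching described above can be sketched as follows. This is an added example, not the scanner's own code: the Nmap XML sample, the product names, the advisory IDs and the DISTRO_HINTS list are constructed placeholders. It shows why each match is only a candidate finding and how a missing version leaves a service unassessed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of `nmap -sV -oX` output (192.0.2.10 is a documentation address).
SAMPLE_XML = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ExampleFTPd" version="2.3.4"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="ExampleSSH" version="7.2p2" extrainfo="Ubuntu Linux"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="ExampleHTTPd"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https" product="ExampleHTTPd" version="1.0"/></port>
</ports></host></nmaprun>"""

# Constructed advisory database: product -> [(placeholder id, first fixed version)].
VULN_DB = {"exampleftpd": [("EXAMPLE-ADV-0001", "2.3.5")],
           "examplessh": [("EXAMPLE-ADV-0002", "7.4")],
           "examplehttpd": [("EXAMPLE-ADV-0003", "2.0")]}
DISTRO_HINTS = ("ubuntu", "debian", "red hat", "centos")  # hypothetical hint list

def version_key(text):
    """'7.2p2' -> (7, 2): leading digits of each dotted component."""
    nums = [re.match(r"\d+", part) for part in text.split(".")]
    return tuple(int(m.group()) for m in nums if m)

def assess(xml_text, db=VULN_DB):
    """Return (host, port, advisory, status) for open ports with a DB match."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None:
                continue
            version = svc.get("version")
            extra = (svc.get("extrainfo") or "").lower()
            for adv_id, fixed in db.get((svc.get("product") or "").lower(), []):
                if not version:
                    status = "unknown: no version reported"
                elif version_key(version) >= version_key(fixed):
                    continue  # reported version is at or past the fix
                elif any(h in extra for h in DISTRO_HINTS):
                    # Distro packages often backport fixes without bumping the version.
                    status = "potential: distro build, fix may be backported"
                else:
                    status = "potential: version banner only, verify manually"
                findings.append((addr, int(port.get("portid")), adv_id, status))
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_XML):
        print(finding)
```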
Deep mode
The Deep version runs an Nmap scan on the top 5000 most common ports for the TCP protocol or the top 1000 for the UDP protocol. Then, it runs the following scanning engines:
version-based - queries a database of known vulnerabilities to see if any issues affect the specific versions of the services.
Sniper - custom vulnerability checks developed by our research team. You can click here to browse the complete vulnerability and exploit database.
Nuclei - this scanning engine is powered by the core of the Nuclei scanner. Only network-related and CVE templates are included.
Custom mode
The Custom version of the Network Vulnerability Scanner lets the user select the ports and scanning engines that should be run for a scan. Similar to the other scan modes, it runs an Nmap scan on the selected ports (if no ports are explicitly selected, it will run on the top 1000 most common ports). Then, it loads all the selected scanning engines (version-based, Sniper, Nuclei or OpenVAS) and performs the scan.
For further information, you can view our related support article here.