Cyberattacks often begin with a reconnaissance phase, in which attackers gather information about their target. The two most fundamental reconnaissance techniques are:
- Cyber Security Mapping (Network Mapping): Discovering the structure of a target’s network—what devices exist and how they are connected.
- Port Scanning: Probing those discovered devices to find open ports and identify what services are running on them.
This phase is crucial because you cannot attack what you cannot see. These techniques allow an attacker to build a “blueprint” of the target’s digital environment to plan their attack effectively.
Key Learning Points Overview
1. Cyber Security Mapping (Network Discovery)
This is the process of creating a map of a target’s network.
- Goal: To answer the question, “What is out there?”
- How it’s done:
- Ping Sweeps: Using tools like ping or fping to send ICMP echo requests to a range of IP addresses. Devices that respond are considered "alive" and are added to the map. A host that silently drops ICMP looks dead to a plain ping sweep, which is why Nmap's host discovery also uses ARP requests on the local LAN and TCP probes for remote networks.
- Traceroute: Using commands like tracert (Windows) or traceroute (Linux) to discover the network path (the routers) to a target. This reveals the network’s topology.
- Cybersecurity Connection:
- For Attackers: This is the first step in narrowing down the attack surface from a vast IP range to a list of active, interesting hosts.
- For Defenders: Understanding this helps in monitoring for unauthorized scanning activities. Security teams can use the same tools to map their own networks and identify unauthorized devices.
2. Port Scanning
Once a list of active hosts is known, the next step is to probe them.
- Goal: To answer the question, “What are these devices doing?” Specifically, what ports are open and what services are listening on them.
- How it’s done (Common Scan Types):
- TCP Connect Scan: Attempts to complete a full TCP three-way handshake with a target port. If successful, the port is open. This is reliable but easily detected.
- SYN Scan (Half-Open Scan): Sends a SYN packet and waits for a SYN-ACK response. If it gets one, it considers the port open but sends an RST packet to tear down the connection before the handshake completes, so the service never sees an accepted connection to log. This is faster and stealthier, but it needs raw-socket (root/administrator) privileges to craft the packets.
- UDP Scan: Sends a UDP packet to a port. If the port is closed, the target usually sends back an ICMP "port unreachable" message. A lack of response may indicate an open UDP port, but it is equally consistent with a firewall dropping the probe, which is why Nmap reports such ports as "open|filtered". Because many systems rate-limit ICMP errors, UDP scanning is also slower and less reliable than TCP scanning.
- Service Version Detection: After finding an open port, tools like Nmap can probe the service to determine its name and version (e.g., Apache httpd 2.4.49).
- Cybersecurity Connection:
- For Attackers: Open ports are like open doors and windows to a house. Finding an open port running a service with a known vulnerability (e.g., an outdated web server on port 80) provides a direct avenue for attack.
- For Defenders: Port scanning your own network is essential for vulnerability management. It helps you find and close unnecessary ports and patch or update vulnerable services, thereby reducing your attack surface.
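To make the difference between scan types concrete, here is a minimal TCP connect scan (the -sT technique) run against a throwaway listener on 127.0.0.1. This is an added example, not Nmap's code: it classifies a port as open when the handshake completes, closed when the target answers with RST (connection refused) and filtered otherwise, and then drains the listener's accept queue to show why a connect scan is easy to detect, since every probe is a complete connection that a real service would log.

```python
"""Minimal TCP connect scan (the -sT technique) against a throwaway listener on
127.0.0.1.  Added illustration, not Nmap's code.  Draining the listener afterwards
shows why connect scans are easy to spot: every probe is a complete connection."""
import errno
import socket
from typing import Dict, List, Tuple


def connect_scan(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, str]:
    """Classify ports as Nmap -sT would: handshake done -> open, RST -> closed, else filtered."""
    states = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            rc = s.connect_ex((host, port))      # 0: three-way handshake completed
        if rc == 0:
            states[port] = "open"
        elif rc == errno.ECONNREFUSED:           # the target answered our SYN with RST
            states[port] = "closed"
        else:                                    # timeout/unreachable: something dropped the probe
            states[port] = "filtered"
    return states


def lab_setup(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Return (listener, closed_port): one ephemeral port that answers, one that was released."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        closed_port = tmp.getsockname()[1]      # released on exit: nothing listens there now
    return srv, closed_port


def accepted_peers(srv: socket.socket) -> List[str]:
    """Drain the backlog; each entry is a full connection a real service would log."""
    srv.settimeout(0.2)
    peers = []
    while True:
        try:
            conn, peer = srv.accept()
        except socket.timeout:
            return peers
        peers.append(f"{peer[0]}:{peer[1]}")
        conn.close()


if __name__ == "__main__":
    srv, closed_port = lab_setup()
    open_port = srv.getsockname()[1]
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    print("listener saw:", accepted_peers(srv))  # the scanner's address, as a server log would
    srv.close()
```

A SYN scan of the same listener would leave the accept queue empty, because the RST the scanner sends after the SYN-ACK aborts the handshake before the kernel ever hands the connection to the service.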
3. The Big Picture: The Attack Chain
Mapping and scanning are part of a larger process, often formalized in frameworks like the Cyber Kill Chain®:
- Reconnaissance (Mapping/Scanning): Research, identification, and selection of targets.
- Weaponization: Pairing a remote access Trojan with an exploit into a deliverable payload.
- Delivery: Transmitting the weapon to the target (e.g., via email, USB drive).
- Exploitation: The weapon’s code is triggered, exploiting a vulnerability.
- Installation: Installing malware on the target’s system.
- Command & Control (C2): Establishing a channel for remote manipulation of the target.
- Actions on Objectives: Achieving the attacker’s goal (data theft, destruction, etc.).
Mapping and Port Scanning are the foundational activities of Stage 1.
Study Material & Learning Plan
Phase 1: Understand the Concepts (Theory)
- Goal: Grasp the purpose and difference between mapping and scanning.
- Action: Review the concepts of IP addresses (Network Layer) and Ports (Transport Layer). Understand that mapping finds IPs, and scanning finds ports on those IPs.
- Self-Check Questions:
- What is the primary goal of network mapping?
- What is the primary goal of port scanning?
- Why is an open port on a server a potential security risk?
Phase 2: Learn the Tools (Practical Introduction)
- Goal: Get familiar with the most important tool for this purpose: Nmap (“Network Mapper”).
- Action: Read the Nmap documentation or tutorials. It is the industry-standard tool.
- Key Commands to Understand:
- nmap -sn 192.168.1.0/24: Performs host discovery only (a ping sweep, plus ARP or TCP probes as appropriate) across the whole /24 without port scanning (Network Mapping).
- nmap -sS 192.168.1.10: Performs a stealth SYN scan on a specific host. This needs root/raw-socket privileges; an unprivileged Nmap run defaults to a connect scan (-sT) instead.
- nmap -sV 192.168.1.10: Scans and attempts to determine service versions.
- nmap -A 192.168.1.10: An "aggressive" scan that combines several techniques: OS detection, version detection, default script scanning, and traceroute.
Phase 3: Hands-On Practice in a Legal, Safe Lab
⚠️ Critical Warning: Port scanning networks without explicit permission is illegal and unethical. You must only practice on your own lab.
- Set up a Lab:
- Use virtual machines (e.g., with VirtualBox or VMware) to create a simple network.
- Set up a “target” machine (e.g., a Linux VM) and your “attacker” machine (e.g., Kali Linux, which comes with Nmap pre-installed).
- Practice:
- On your attacker machine, run the Nmap commands listed above against the IP address of your target VM.
- Observe the results. See how different scan types (-sS vs. -sT) work.
- On your target machine, use netstat -tuln (or ss -tuln, its iproute2 replacement on current Linux distributions) to see what ports are listening. Compare this list to what Nmap discovered: services bound only to 127.0.0.1 will not appear in the scan, and anything Nmap reports that is not in the list deserves investigation.
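The comparison in the last step can be scripted. The following is an added helper for this lab exercise, not part of Nmap or netstat: it parses a `netstat -tuln` listing taken on the target and an Nmap normal-output report taken from the attacker VM (both are constructed samples in the tools' real output formats) and sorts every port into one of four buckets, so that a port listening on all interfaces that Nmap did not see stands out as either blocked by a host firewall or skipped by the scan, and a port Nmap saw with no local listener stands out as a port forward, a container, or a stale listing.

```python
"""Reconcile `netstat -tuln` on the target with the Nmap report from the attacker VM.
Added helper for the lab step above, not part of either tool; both inputs below are
constructed samples in the tools' real output formats."""
import re
from typing import Dict, Set, Tuple

NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

NMAP = """\
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
"""

LOOPBACK = {"127.0.0.1", "::1"}
NETSTAT_RE = r"(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+(?P<x>\S+):(?P<port>\d+)\s"  # x = bind address
NMAP_RE = r"(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<x>\S+)"                    # x = port state


def grep_ports(text: str, pattern: str) -> Dict[Tuple[str, int], str]:
    """Collect (proto, port) -> the pattern's `x` group for every matching line."""
    found = {}
    for line in text.splitlines():
        m = re.match(pattern, line)
        if m:
            found[(m["proto"], int(m["port"]))] = m["x"]
    return found


def reconcile(netstat_text: str, nmap_text: str) -> Dict[str, Set[Tuple[str, int]]]:
    """Bucket every port by how the inside view (netstat) and outside view (Nmap) agree."""
    listeners = grep_ports(netstat_text, NETSTAT_RE)
    seen = {p for p, state in grep_ports(nmap_text, NMAP_RE).items() if state.startswith("open")}
    public = {p for p, addr in listeners.items() if addr not in LOOPBACK}
    return {
        "confirmed": public & seen,                 # listening and reachable from the network
        "blocked_or_unscanned": public - seen,      # host firewall, or the scan skipped it (UDP)
        "loopback_only": set(listeners) - public,   # invisible from the network by design
        "unexplained_open": seen - set(listeners),  # port forward, container, or stale listing
    }


if __name__ == "__main__":
    for bucket, ports in reconcile(NETSTAT, NMAP).items():
        print(f"{bucket:22} {sorted(ports)}")
```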
Phase 4: Defensive Thinking
- Goal: Understand how to defend against these reconnaissance techniques.
- Actions:
- Firewalls: Configure firewalls to drop unsolicited incoming traffic to unused ports and to rate-limit or filter ICMP echo requests. Dropped probes show up to the scanner as "filtered" rather than "closed", which makes mapping and scanning slower and less informative. Avoid blocking ICMP wholesale, since some message types (such as "fragmentation needed") are required for path MTU discovery to work.
- Port Security: Regularly scan your own network with Nmap to ensure only necessary ports are open, and reconcile the results against what each host reports as listening.
- Intrusion Detection Systems (IDS): Tools like Snort (for example its portscan preprocessor) can be configured to detect the patterns left by Nmap scans, such as one source probing many ports or many hosts in a short window, and alert administrators.
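The detection idea behind the IDS point above, and behind the defender's note in the mapping section (monitoring for unauthorized scanning), can be shown on firewall logs. This is an added illustration, not Snort's logic: it reads netfilter LOG lines (a constructed sample in the real key=value format), treats a source sending ICMP echo requests to many hosts as a ping sweep and a source sending bare SYNs to many ports as a port scan, and raises one alert per source once the count of distinct targets within a sliding time window reaches a threshold. The thresholds are deliberately low to fit the short sample.

```python
"""Flag Nmap-style ping sweeps and port scans in netfilter LOG lines.  Added
illustration (not Snort's logic); the log sample below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional, Tuple

LOG = """\
Mar 10 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.56.20 DST=192.168.56.10 PROTO=ICMP TYPE=8 CODE=0
Mar 10 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.56.20 DST=192.168.56.11 PROTO=ICMP TYPE=8 CODE=0
Mar 10 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.56.20 DST=192.168.56.12 PROTO=ICMP TYPE=8 CODE=0
Mar 10 10:00:03 fw kernel: IN=eth0 OUT= SRC=192.168.56.30 DST=192.168.56.10 PROTO=TCP SPT=50122 DPT=22 SYN URGP=0
Mar 10 10:00:05 fw kernel: IN=eth0 OUT= SRC=192.168.56.20 DST=192.168.56.10 PROTO=TCP SPT=61001 DPT=21 SYN URGP=0
Mar 10 10:00:05 fw kernel: IN=eth0 OUT= SRC=192.168.56.20 DST=192.168.56.10 PROTO=TCP SPT=61001 DPT=22 SYN URGP=0
Mar 10 10:00:06 fw kernel: IN=eth0 OUT= SRC=192.168.56.20 DST=192.168.56.10 PROTO=TCP SPT=61001 DPT=23 SYN URGP=0
Mar 10 10:00:06 fw kernel: IN=eth0 OUT= SRC=192.168.56.20 DST=192.168.56.10 PROTO=TCP SPT=61001 DPT=80 SYN URGP=0
Mar 10 10:00:07 fw kernel: IN=eth0 OUT= SRC=192.168.56.30 DST=192.168.56.10 PROTO=TCP SPT=50122 DPT=22 ACK URGP=0
"""


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (time, src, kind, target) for probe-like lines, else None."""
    f = dict(re.findall(r"(\w+)=(\S*)", line))
    flags = set(line.split())
    t = datetime.strptime(line[:15], "%b %d %H:%M:%S")   # syslog stamp; year is irrelevant
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":                   # echo request
        return t, f["SRC"], "ping sweep", f["DST"]                           # target: pinged host
    if f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:   # bare SYN, new attempt
        return t, f["SRC"], "port scan", f["DST"] + ":" + f["DPT"]           # target: probed port
    return None


def detect(lines: List[str], window_s: int = 10, sweep_hosts: int = 3, scan_ports: int = 4) -> List[str]:
    """One alert per (source, kind) once distinct targets inside the window reach the threshold."""
    limit = {"ping sweep": sweep_hosts, "port scan": scan_ports}
    recent = defaultdict(deque)   # (src, kind) -> (time, target) events, pruned to the window
    fired, alerts = set(), []
    for t, src, kind, target in filter(None, map(parse, lines)):
        q = recent[(src, kind)]
        q.append((t, target))
        while (t - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({x for _, x in q})
        if distinct >= limit[kind] and (src, kind) not in fired:
            fired.add((src, kind))
            alerts.append(f"{src}: {kind} ({distinct} distinct targets within {window_s}s)")
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG.splitlines()):
        print(alert)
```

The single SYN and the ACK from 192.168.56.30 never trigger anything: ordinary clients touch one port with a bare SYN and then send ACKs, which the detector ignores.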