Network/port scanner


The port scanner definition

This is where the problem starts.


There are port scanners, network scanners, network mappers and many other terms.

Depending on the certification, company or mindset, they all mean the same thing.


This article is about port scanners, i.e. programs that scan IP networks to identify the active hosts or end devices, the open or "accessible" ports, and the protocols and services "spoken" on those ports.


For the network itself it does not matter which medium is used, i.e. whether Ethernet over RJ45 cable, WLAN or fibre optic cable; what matters is that IP is the ISO/OSI layer 3 protocol.

Port scanner programs or tools

There are many free programs that fall into this category. Let us start with the best-known and graphically least attractive one, since it is operated from the console: Nmap. Nmap is also used by many IT pentesters because its scripting engine offers numerous options for testing networks.

Nmap is available for all common operating systems and with Zenmap there is also a GUI (graphical interface). Of course, there are also simpler port scanners, such as the Angry IP Scanner or commercial products such as the IP address manager from Solarwinds or NetScanTools Pro Edition, but they usually have a broader focus than "just" scanning networks and ports.

[Image: Nmap in Matrix Reloaded]

The pentester's and also Hollywood's favorite when it comes to port scanners is Nmap: whether in Matrix Reloaded, Snowden, Dredd or in HackTheBox tutorials, it is used again and again. You can also write simple port scanners yourself in common programming languages.


The function and benefits of port scanners

A port scanner first sends a data packet to the destination to find out whether the device is "online" at all. The classic ping is usually used for this. If that test succeeds, further data packets are sent to the individual ports of the destination and the responses are evaluated.

A port can have several states that the port scanner recognizes. If the port is open, more information can be collected. Nmap in particular is used in IT penetration tests to identify the first targets and, with the Nmap scripting engine, even to uncover the first security gaps or configuration weaknesses. The results can then be imported into exploit frameworks such as Metasploit for further testing.

The Nmap Scripting Engine (NSE) is an extension of the "normal" network scanner. It can determine the versions of the services found and, depending on the version, also test for exploitable vulnerabilities. In addition, the NSE can recognize the operating system using different mechanisms.
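To make the port states described above concrete, here is an added example (not code from the original article): a minimal TCP connect() scanner in Python that classifies a port as open, closed or filtered from the handshake result, run against a listener it starts itself on the loopback interface. The ICMP "is the host online" step is left out because it needs raw sockets and root; the listener and the bind-and-release trick for finding a closed port are assumptions made so the example runs offline.

```python
import socket
import threading
from contextlib import closing

# Port states a connect() probe can tell apart; Nmap uses the same words.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_port(host, port, timeout=0.5):
    """Full TCP handshake against one port and classify the answer."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))       # handshake completed: a service listens
            return OPEN
        except ConnectionRefusedError:    # RST came back: nothing listens there
            return CLOSED
        except socket.timeout:            # silence: a firewall probably dropped the SYN
            return FILTERED


def scan(host, ports, timeout=0.5):
    """Probe each port in turn and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def start_local_listener():
    """Accept-and-close listener on an OS-chosen loopback port (our known open port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                srv.accept()[0].close()
            except OSError:  # raised once srv.close() is called
                break
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port():
    """Bind and immediately release a loopback port, so it is known to be closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    for port, state in scan("127.0.0.1", [open_port, find_closed_port()]).items():
        print(f"127.0.0.1:{port} is {state}")
    srv.close()
```

Nmap's default SYN scan reaches the same three states without completing the handshake, which is why it needs raw-socket privileges and leaves fewer traces in application logs than this connect() variant.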

Port scanner as a vulnerability scanner?

Even if you might conclude from the above that the port scanner Nmap is also a vulnerability scanner, you would unfortunately be wrong. Yes, Nmap can find vulnerabilities to a limited extent, but it is not primarily a vulnerability scanner; there are other products that are better suited to that task.

Summary on the topic of port scanners

There is a port scanner for almost every special need of a network analysis, tailored to the problem in form, function and perhaps even color, or with even more features. You just have to know what you want to achieve and find out with the port scanner. In relation to pentests, this of course also includes how conspicuously you behave in the network. Many requests to different ports of individual hosts are always suspicious and should be detected or, even better, blocked by protective mechanisms if they come from an unknown or unauthorized source. A port scanner can help you test exactly that.

The final word

I end this post with a quote from Rumi that probably all pentesters know:

“The quieter you become, the more you are able to hear”
