What is a Network Scanner? - Definition & Use

Instructor: Daniel Arnold

Daniel has a bachelor's in Computer Science, is a CISSP and CEA. He is a cyber competition coach and speaks on Info Security at conferences.

The network scanner is an important element in the arsenal of the network administrator as well as the penetration tester. It allows the user to map the network and its topology as well as to find devices that would be hard to find manually. It allows a security analyst or penetration tester to find devices on the network that could be likely opportunities to use to begin a breach into the network. Let's explore this essential tool in some detail.

Definition

A network scanner is a software tool used for diagnostic and investigative purposes to find and categorize what devices are running on a network. Typically the user inputs a range of IP addresses into the tool to be scanned and the scanner moves through the list sequentially determining if there is an active device present on each given IP address. One such tool that is commonly used by cyber security professionals is Nmap - the Network Mapper

Configuration Options

Configuration options can be set in Nmap or most scanning tools based on the user's needs. Setting timer values will allow the professional to decide whether speed is more important (don't continue attempting to contact a device on a given IP address before moving to the next) or accuracy (allow more time to hear from a slow or busy device before moving to the next IP address in the list). With Nmap, those options run from T0 (slowest and least intrusive) to T5 (fastest yet intrusive to the point of overwhelming the target device). Also available is how in-depth the scan should run. In addition to determining whether a device is present, scanning tools can typically attempt to determine more details about the device that could be of interest to the user. In Nmap, we can set options to attempt to detect what operating system is running and to determine what services are running on the target device (e.g., is it a web server, mail server, FTP server, etc).  

Applications

Scanners can have a couple of different applications depending on need. Network administrators use them to verify documentation on what IP addresses are in use from the available range or whether unexpected or rogue devices are present on the network. They also can use them when a network is more complex to map out the network topology. Scanning can be of further help to map and document shared resources, such as shared folders or printers. A penetration tester or hacker, however, will use a scanner in the early phases of a hack or penetration exercise to find what kinds of devices are present on the target network. Using the scanner for purposes of security assessment can also play into the configuration of the tool. The network administrator can use more aggressive settings since it's their network that is being scanned. The cyber professional, though, is expected to simulate a lurking hacker and typically has to operate the scanner less intrusively. Setting the scanner for the more thorough settings can give you more insightful results, will also lead to a greater likelihood of being detected and raising alarms from in-house security tools, like an Intrustion Detection System (IDS) or Intrusion Prevention System (IPS).

An Example

Let's look at an example. A small company pays a security firm to come and do an assessment of their network's security. The security firm's engineer is given the company's IP address range and selects Nmap as the scanner to probe against the list of IP numbers. She configures Nmap to also try to determine any device on the network that is running as a web server, since web servers are a favorite target of hackers.

The command would look like this:

nmap -T2 -p80,443 192.168.1.1-254

To further break this down, first is the command itself, then the -T2 indicates a quieter but slower mode and -p is specifying which ports are desired. In this instance we see 80 and 443 as they are the port numbers that represent http and https web services. Then the 192.168.1.1-254 indicates nmap will scan the IP address ranges 192.168.1.1 through 192.168.1.254, that here represent the range of IP addresses on this company's network. In her results, our pen tester notices the following:

Nmap scan report for 192.168.1.19

Host is up (0.0020s latency).

To unlock this lesson you must be a Study.com Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use Study.com

Become a Study.com member and start learning now.
Become a Member  Back
What teachers are saying about Study.com
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 200 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? Study.com has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create An Account
Support