Let's proceed to the stage of looking around: detecting victims and scanning. Imagine this situation as the one over a shooting range: you grab your weapon (zANTI2, in our case), aim and shoot. You have to aim for your target, obviously—otherwise, you would not hit it. The same thing applies to our case—we need to trace and find the target before we shoot. And that's what the scan does.

Now, when you're familiar with the interface of the lovely app, it should not be a problem to perform a successful scan on a target. If you're still confused about how to trigger a proper scan, let's go trough the process once more.

To avoid any confusion, there are two scan types. Both are used for scanning, but one for a general network discovery (called network mapping) and the other one for a slightly more detailed scan performed on a single target. Let's talk about the first one first, the network discovery.

Network discovery is essential, no doubts about that. Without this function, you...

I've mentioned open ports. I guess I'll explain this a bit more because this is something you should probably know before getting into the game.

Although Nmap is now one of the best scanning software out here, it started as a port scanner. It's a simple but efficient port scanner. The simple command nmap on target scans 1000 TCP ports on it. You've probably heard of open or closed ports, but in fact Nmap divides ports into six states:

First, let's explain open and closed ports. If a host is accepting Transmission Control Protocol (TCP) connections, User Datagram Protocol (UDP) datagrams, or Stream Control Transmission Protocol (SCTP) associations, we call this port opened.

Finding open ports is often the main goal of port scanning, considering that each open port is vulnerable to attacks. Hackers are attacking these, while system administrators are trying to protect them from unwanted connections using known security tools...

In some cases, you are looking to determine whether the host is up, and in some cases, you want to really dig deep and find out as much information as possible from the target. Sometimes, you want to detect if the OS target is running, so you can determine whether there are any possible exploits on it. Nmap offers a fine amount of scan types, which let you investigate and find the exact information just the way you want. Let's have a look at the ones available through zANTI2:

In zANTI2, the advanced scanning can be triggered for individual targets only. After you're done with network mapping, choose one of the targets and select Scan to perform advanced scanning on target, as the app says.

You'll find yourself in a new activity window with these three options. The first option, Scan type, lets you choose the type of scan triggered on the target. There are many scan types including regular, intense, or ping that you will get to know more about in a jiffy. The Execute script option...

Run script, as the title suggests, executes one of the available scripts. This option triggers the Nmap Scripting Engine and fires one of the scripts available from the huge index of scripts available in the Nmap archive. We'll get to this in a jiff because there's more to talk about.

Intense scan is a very detailed, comprehensive scan. Logically, this means the intense scan may take up much more time scanning than the others will probably take, though it may come in useful when you want accurate results. This scan does the following scans and detections to reach the most accurate result as possible:

Let's cover these first. OS detection does a detailed detection of operating system running on a host. Nmap does this scan by stack fingerprinting, which works by sending series of TCP/UDP packets and then monitoring the response from the target. This scan is one of the best-known scans of Nmap. More about OS detection is given on the following pages.

The version detection is, described by Nmap, a high speed, parallel the operation via nonblocking sockets and a probe definition grammar designed for efficient yet powerful implementation. Version detection determines the application name and version number where...

All fingerprints that are examined by Nmap carry a general type of device (target)—this might be router, firewall, printer, or general purpose device—here, we can see the target listed as general purpose/phone. If Nmap is unsure about multiple results, it will show both of them, separating these with the pipe symbol (router|firewall).

This line shows the OS family and if available; it also shows the OS generation (Linux 2.4.x, for instance). When Nmap cannot narrow down the generations, multiple OSes can be listed, divided by a pipe symbol. If Nmap finds too many OS families, it will omit this line. When there are no perfect matches for the OS family, Nmap adds an accuracy percentage (where 100 percent is a perfect match) after each possible candidate. If Nmap finds no close matches to fingerprints, the line is omitted.

OS CPE shows common platform enumeration (CPE) of the OS. CPE is a standardized way to name software apps, OSes, and hardware platforms. CPE typically contains seven fields:

cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>

Some fields, however, can be left blank or even left off. If you take a look at the preceding screenshot, you can see there are five fields listed, one of which is left blank.

You may be wondering what does the o stands for in the cpe:/o: field in the beginning.

To clarify O stands for operating systems, A for applications, and H for hardware platforms. If you take a look at the picture, it lists four possible OSes. It's clear that the target is running Windows 7 Professional operating system, which turns out to be correct. Moving on!

This line gives the details about each (matched) fingerprint. If there are multiple matches, all of these are listed and separated by comma (have a look at the image). If there are not any perfect fingerprint matches, the field is renamed to Aggressive OS guesses and fingerprints with a percentage of accuracy of matches are shown.

Network distance lists how many routers are between you and your target—the distance for localhost is 0, 1 for a device on the same network segment. Each additional router on the path adds one hop to the count. Again, the line is omitted if Nmap cannot compute it (due to no reply to the relevant probe).

Not visible on the preceding screenshot, but still a part of OS detection, Nmap tries to determine the approximate uptime of the remote system. Nmap receives several SYN/ACK TCP packets in a row and checks the headers for a timestamp option. Many operating systems use a simple counter starting with zero at boot time and counting during the uptime. By checking the responses, Nmap can determine these values and print these in the scan log.

The uptime guess is marked as a guess because there are several things that can make it very inaccurate. For instance, some operating systems do not start the counter at zero but initialize it with a random value instead.

It is possible to make a full connection to a system with a poor TCP initial sequence number and perform a blind TCP spoofing attack on them. This kind of attack was the most popular one in the '90s when people used rlogin, which is a remote shell client (like SSH) that allows users to log in on another host via network, communicating using TCP port number 513. In December 1994, Kevin Mitnick had supposedly used this attack to break into Tsutomu Shimomura's (computer security expert, currently CEO of Neofocal Systems) computers. Luckily, almost nobody uses rlogin anymore. However, blind TCP spoofing may still be effective for HTTP requests.

Now, you might be surprised with the log. What does the good luck comment mean? Well, there is an estimated difficulty of how hard the system makes blind IP spoofing (where 0 is the easiest).

These comments are based on this index, starting from trivial joke to easy, medium, formidable, worthy challenge, and finally ending with good...

This field describes the ID generation algorithm recognized by Nmap, showing a possible vulnerability (to TCP Idle scan, for instance) in the system. However, many systems use a different IP ID for each host they communicate with. In this case, they may appear vulnerable while in fact being secure against the attacks.

Have a look at the scan results of the Intense scan. If you look carefully, the Nmap log shows many more then expected. Notice the port scan, showing four open ports, two of which have been diagnosed with version numbers.

Also, notice the warning line saying the OS scan results may not be reliable because Nmap was not capable of finding at least one open and one closed port.

If a message like this shows up, keep in mind that the OS scan loses its accuracy.

The uptime shows up to be somewhere around two days, which in this case, seems to be quite correct.

Let's move on to the other scan types. Whereas the Intense scan is the most comprehensive and accurate...

Ping scan is a quick type of scan that only finds out whether the target is up—it does not scan for ports.

This scan is potentially useful in situations when you're unsure whether the target is up or not to perform more time-consuming actions on it and not waste the time waiting for the results.

In this case, the host seems to be up with 0.014 s latency. In case you don't know, latency is the delay from input into a system, to the desired outcome. We generally recognize three types of latency: Internet, WAN, and Audio latency.

Quick scan is slightly faster than the Intense scan by limiting the number of TCP ports scanned to only the top 100 most common TCP ports and by using a more aggressive timing template. This scan, also known as quick scan plus also performs OS detection along with the version detection (that was explained a few pages ago). The best example of usage would be mainly for the OS detection itself, as it's the fastest way to retrieve OS and version info in the shortest amount of time, considering the other scans (Intense and Comprehensive scan) take more time.

Quick traceroute traces the paths to target; it does not perform a scan on them. Traceroute is included in the Intense scan and is mostly used for network analysis.

As mentioned, the RTT marks the length of time it takes for a signal to be sent plus the length of time it takes for an acknowledgment of the same signal to be received. In Microsoft Windows, the traceroute is included by way of the tracert command, which basically does the same on websites, tracking the response time redirections. Traceroute is often used by hackers, who use this tool to map the network nodes and get general information about the whole net architecture, making it easy to find and investigate a weak link on the network area. This is one of the reasons some webs block traceroute through utilities such as Firewall to prevent this easy network mapping on the whole net.