You need to understand the fundamentals of TCP/IP before
you can make sense of any of this!
The best single reference is Doug Comer's
Internetworking with TCP/IP, Volume 1.
It's well written and clearly tells the
story of how the TCP/IP protocol suite works.
Yes, it's a textbook and new copies of the latest edition
can be pretty expensive.
But investigate used copies, and remember that if you're
just trying to learn the fundamentals of the main host
protocols (Ethernet, ARP, IP, UDP, TCP, ICMP, and DNS),
they haven't changed much in ages and
an older edition
may serve your needs.
TCP/IP Illustrated, Volume 1: The Protocols
is another great reference, but it's more of an encyclopedia
and it isn't easy reading.
Be careful when ordering either of Comer's or Stevens'
Both wrote a three-volume series, in which the first volume
(what you probably want) is about the protocols themselves,
while the second and third volumes are about how to implement
those protocols in an operating system (using BSD Unix as a
case study) and how to write applications using those protocols.
Once you understand TCP/IP, you can start working with
Network Security Assessment,
by Chris McNab,
has an in-depth look at network scanning methods and
application vulnerability detection and exploitation.
Vulnerability scanners can also provide warnings
about apparent risks due to buggy network server software.
Note that some just make assumptions based on banner
details, while others may attempt an exploit to see
if it works.
Also, some of the commercial Windows-specific ones
may produce false negatives if run without remote
is a very good tool.
It used to be free but now it's expensive, and so...
Open Vulnerability Assessment System
is a free fork of the Nessus project.
Sectools.org has nice lists of
web vulnerability scanners.
Retina Network Security Scanner,
originally from eEye Digital Security,
has been the U.S. DOD standard vulnerability scanner.
The Penetrator Pen Testing Appliance
from SecPoint uses a large set of remote signatures,
was originally from nCircle, now it's
is a cloud-based scanner from
So port 80 is open, and the banner says it's
Apache 2.0.45, but now you must answer further
What binary program has that port open,
what shared libraries is it using,
and what other files, sockets, and pipes
does that process have open?
And should I have complete confidence
in all of this?
lsof answers your questions on
UNIX-like systems (commercial UNIX, BSD, Linux,
Mac OS X).
Either find lsof already included in your
If you're stuck with Windows, try
originally from NTSysInternals.
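As an added example (not from this page, and not part of the lsof project), here is a small Python parser for lsof's machine-readable -F output that answers those questions for the process owning the port, and also flags an executable or shared library whose on-disk file has been unlinked or replaced since the process started (lsof marks these with "(deleted)"), which is one reason the banner alone does not deserve complete confidence. The lsof invocation is assumed to be Linux lsof, and the sample output is constructed.

```python
# Inventory a listener from `lsof -nP -F pcftn -p "$(lsof -t -iTCP:80)"` (Linux lsof;
# -t prints just the PID(s) owning TCP port 80, -F emits one field per line).
# Constructed sample (one field per line, id char first: p=pid c=command f=fd t=type n=name)
SAMPLE = "\n".join([
    "p1234", "chttpd",
    "ftxt", "tREG", "n/usr/sbin/httpd",
    "fmem", "tREG", "n/usr/lib/apache2/modules/mod_ssl.so (deleted)",
    "f2", "tREG", "n/var/log/apache2/error.log",
    "f3", "tIPv4", "n*:80 (LISTEN)",
    "f4", "tFIFO", "npipe",
    "f5", "tunix", "n/run/apache2/cgisock.1234 type=STREAM",
])

def parse_lsof_fields(text):
    """Return one {pid, command, fd, type, name} dict per open file."""
    recs, ctx, rec = [], {}, None
    for line in text.splitlines():
        tag, value = line[:1], line[1:]
        if tag == "p":                    # 'p' opens a process block; 'c' names it
            ctx = {"pid": int(value), "command": ""}
        elif tag == "c":
            ctx["command"] = value
        elif tag == "f":                  # 'f' opens a new file record
            rec = {**ctx, "fd": value, "type": "", "name": ""}
            recs.append(rec)
        elif tag in ("t", "n"):
            rec["type" if tag == "t" else "name"] = value
    return recs

def inventory(recs):
    """Sort one process's records into binary, libraries, sockets, pipes, files."""
    inv = {"executable": None, "libraries": [], "listening": [], "sockets": [],
           "pipes": 0, "files": []}
    for r in recs:
        fd, typ, name = r["fd"], r["type"], r["name"]
        if fd == "txt" and inv["executable"] is None:
            inv["executable"] = name
        elif fd == "mem" and ".so" in name:
            inv["libraries"].append(name)
        elif typ in ("IPv4", "IPv6"):
            (inv["listening"] if "(LISTEN)" in name else inv["sockets"]).append(name)
        elif typ == "unix":
            inv["sockets"].append(name)
        elif typ == "FIFO":
            inv["pipes"] += 1
        elif typ == "REG" and fd.isdigit():
            inv["files"].append(name)
    # Mapped code whose on-disk file was unlinked: what runs is not what you can inspect.
    inv["deleted"] = [r["name"] for r in recs
                      if r["fd"] in ("txt", "mem") and "(deleted)" in r["name"]]
    return inv
```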
Other network scanners are found at:
is an interesting search engine for computer operating
systems and server software versions.
Rather than search web page content,
indexes servers, routers, and more, by their OS and version.
It aggregates banners from well-known services.
You can search for things like
the list of all known FTP servers running
the vulnerable version 2.6.0 of the Wu-Ftpd server,
with a remote format string stack overwrite vulnerability.
Commercial vulnerability scanners were reviewed
in the June 20, 2011
They aren't cheap:
McAfee Vulnerability Manager (MVM) 7:
$16,820 including 1U appliance first year,
$9,020 second year
QualysGuard Vulnerability Management:
$19,000 first year, $4,750 second year
Retina CS 2.0:
$28,000 first year, $7,000 second year
Lumension Scan 6.4:
$18,500 first year for 1,000 IP addresses
The top 100 network security tools —
short descriptions and links to get them:
to detect scans and other network attacks.
lets you craft and send customized ICMP packets.
is a distributed ICMP-based host enumerator and
Gibson Research Corporation
has an interesting site — it will scan your host
for you and report the results.
More tool FTP sites are at