A pentester performs several types of network scans during a test. These are usually sequential in nature: we run a scan, collect the information it produces, and then move on to the next scan, typically feeding the results of one phase into the next. With each scan, we gather more specific information about the target environment.
1. Network Sweeps: The objective is to identify live IP addresses in the target range - think, ping <IP> or nmap -sn <IP> (host discovery only, no port scan).
2. Network Tracing: Here we try to determine the target network topology and build a network map - think, traceroute <IP> or nmap --traceroute <IP>.
3. Port Scanning: As the name suggests, we attempt to identify open, listening TCP and UDP ports on the live hosts (nmap -sS for TCP SYN scans, nmap -sU for UDP). At this step a pentester gets a fair idea of what kinds of applications and services are running in the environment. If any of these services is known to be vulnerable, the tester has a potential avenue for compromising that host.
4. OS fingerprinting: Now that we have identified the running services, we must identify the platform they run on. Is the target a Solaris server, RHEL, or a Microsoft Windows Server 2008 host? Our exploits, other attacks and, more importantly, the overall attack process for a host running a vulnerable service will vary with the host OS. Once the target OS is known, a tester can research known OS vulnerabilities, exploits and the security controls likely to be in place. The actual attack surface of the host therefore becomes clear only with knowledge of the target OS.
Use nmap to fingerprint the OS actively (nmap -O <IP>), or use p0f v3 for passive OS fingerprinting from observed traffic.
5. Version Scans: This scan attempts to confirm which versions of the services are running on the end hosts. Knowing the service versions can, in some cases, immediately tell a tester that a vulnerable service is deployed in the target environment. An example is SSH protocol version 1, which has known weaknesses. With nmap, the version scan is: nmap -sV <IP>.
6. Vulnerability Scanning: At this point we know the live IPs, the listening ports, the services running on those ports, the operating system and platform of each target, and the versions of the services. This scanning phase confirms whether any of the identified hosts and services have known vulnerabilities. Most vulnerability scanners today also report whether a known, publicly-available exploit exists for an identified vulnerability, whether certain services use no authentication or weak authentication (think, a blank or default password on the MSSQL 'sa' account), the relevant CVE-ID, and so on.
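The sequence above is easiest to run in practice when each phase consumes the machine-readable output of the previous one. The following is an added example, not part of the original page: it parses nmap's XML output (the -oX option) from the host-discovery sweep to pick the live targets, builds the commands for the later phases against only those hosts, and then parses the port/version/OS scan output into findings and applies the kind of triage described in steps 5 and 6 (SSH protocol 1 support, an exposed MSSQL instance to test for a blank 'sa' password). The two XML documents are constructed to resemble nmap output and are not from a real scan; the port selection in the generated commands and the NSE script names are assumptions of this example, not something the page prescribes.

```python
"""Chain the scan phases: sweep -> port/version/OS scan -> triage.

Added example. The nmap XML strings below are constructed to look like
``nmap -oX -`` output; they are not captures from a real network.
"""
import xml.etree.ElementTree as ET

# Constructed: what ``nmap -sn -oX - 10.0.0.0/29`` might return (phase 1).
SWEEP_XML = """<nmaprun scanner="nmap" args="nmap -sn -oX - 10.0.0.0/29">
<host><status state="up" reason="echo-reply"/><address addr="10.0.0.1" addrtype="ipv4"/></host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
<host><status state="up" reason="arp-response"/><address addr="10.0.0.5" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed: what ``nmap -sS -sV -O -oX - 10.0.0.1 10.0.0.5`` might return (phases 3-5).
SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX - 10.0.0.1 10.0.0.5">
<host><status state="up" reason="echo-reply"/><address addr="10.0.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.3" extrainfo="protocol 1.99"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/><service name="http"/></port>
<port protocol="tcp" portid="1433"><state state="open" reason="syn-ack"/><service name="ms-sql-s" product="Microsoft SQL Server 2008"/></port>
</ports>
<os><osmatch name="Linux 2.6.32" accuracy="96"/></os>
</host>
<host><status state="up" reason="arp-response"/><address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 microsoft-ds"/></port>
</ports>
<os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="98"/></os>
</host>
</nmaprun>"""


def live_hosts(sweep_xml):
    """Phase 1 result: IPv4 addresses of hosts nmap marked as up."""
    root = ET.fromstring(sweep_xml)
    hosts = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is not None:
            hosts.append(addr.get("addr"))
    return hosts


def next_phase_commands(hosts):
    """Commands for phases 2-5, scoped to the live hosts only (port choices are this example's)."""
    targets = " ".join(hosts)
    return {
        "trace": f"nmap -sn --traceroute {targets}",
        "ports": f"nmap -sS -sU --top-ports 1000 {targets}",
        "fingerprint": f"nmap -sV -O -oX scan.xml {targets}",
    }


def parse_scan(scan_xml):
    """Flatten the port/version/OS scan into one record per open port."""
    findings = []
    root = ET.fromstring(scan_xml)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        osmatch = host.find("os/osmatch")  # best -O guess, if any
        os_name = osmatch.get("name") if osmatch is not None else "unknown"
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not attack surface here
            svc = port.find("service")
            attr = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            findings.append({
                "host": addr, "os": os_name,
                "proto": port.get("protocol"), "port": int(port.get("portid")),
                "service": attr("name"), "product": attr("product"),
                "version": attr("version"), "extrainfo": attr("extrainfo"),
            })
    return findings


def triage(findings):
    """Phase 5/6 style checks on version data; returns (host, port, note) tuples."""
    notes = []
    for f in findings:
        # nmap reports SSH protocol support in extrainfo, e.g. "protocol 1.99" or "protocol 1.5".
        if f["service"] == "ssh" and "protocol 1." in f["extrainfo"]:
            notes.append((f["host"], f["port"],
                          "SSH protocol 1 supported; confirm with the sshv1 NSE script"))
        if f["service"] == "ms-sql-s":
            notes.append((f["host"], f["port"],
                          "MSSQL exposed; test 'sa' for a blank password (ms-sql-empty-password NSE script)"))
    return notes


if __name__ == "__main__":
    up = live_hosts(SWEEP_XML)
    print("live hosts:", up)
    for phase, cmd in next_phase_commands(up).items():
        print(f"{phase:>12}: {cmd}")
    for note in triage(parse_scan(SCAN_XML)):
        print("triage:", note)
```

Run it as a script to see the chained commands and the triage notes; to use it on real data, replace the constructed strings with the contents of the -oX files from your own sweep and scan.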