Scanning

If footprinting is the equivalent of casing a place for information, then scanning is equivalent to knocking on the walls to find all the doors and windows. With footprinting, we obtain a list of network and IP addresses through whois queries and zone transfer downloads. These techniques provide valuable information for attackers, including employee names and phone numbers, IP address ranges, DNS servers, and mail servers. Now we will determine what systems are alive and reachable from the Internet using a variety of tools and techniques such as ping sweeps, port scans, and automated discovery tools.

It is important to remember that just because an IP address is listed in a zone transfer doesn't mean it is reachable via the Internet. We will need to test each target system to see if it's alive and what, if any, ports it's listening on. We've seen many misconfigured name servers that list the IP addresses of their private networks (for example, 10.10.10.0). Since these addresses are not routable via the Internet, you would have a difficult time trying to route to them. See RFC 1918 for more information on which IP address ranges are considered unroutable (http://www.ietf.org/rfc/rfc1918.txt).
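The point about private addresses in zone data is easy to check on your own zone. The following is an added example (not from the book) that parses A records from zone-transfer style text and separates Internet-routable hosts from entries that fall in the RFC 1918 blocks; the sample zone is constructed and uses the 203.0.113.0/24 documentation range for the public hosts.

```python
import ipaddress

# RFC 1918 private address blocks (10/8, 172.16/12, 192.168/16).
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip_str):
    """Return True if the IPv4 address falls inside an RFC 1918 block."""
    addr = ipaddress.ip_address(ip_str)
    return addr.version == 4 and any(addr in block for block in RFC1918_BLOCKS)


def parse_a_records(zone_text):
    """Extract (name, address) pairs from A records in zone-file style text."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        # Accept "name [ttl] [IN] A address" layouts; exact match avoids AAAA.
        if "A" in fields:
            idx = fields.index("A")
            if idx + 1 < len(fields):
                records.append((fields[0], fields[idx + 1]))
    return records


def audit_zone(zone_text):
    """Split A records into routable targets and leaked RFC 1918 entries."""
    routable, leaked = [], []
    for name, addr in parse_a_records(zone_text):
        try:
            (leaked if is_rfc1918(addr) else routable).append((name, addr))
        except ValueError:
            continue  # skip malformed addresses rather than abort the audit
    return routable, leaked


# Constructed sample zone transfer output (hypothetical zone, not a real one).
SAMPLE_ZONE = """\
www      IN A 203.0.113.10
mail     IN A 203.0.113.25
intranet IN A 10.10.10.5      ; private address leaked into public DNS
printer  IN A 192.168.1.20
"""
```

Running `audit_zone(SAMPLE_ZONE)` returns the two public hosts as routable and the `intranet` and `printer` entries as leaked private addresses that scanning from the Internet will never reach.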