Scanning

Identify Live Hosts

ping $IP
//Ping sweep (ICMP ECHO requests):
fping -a -g $IP                //-a: show only systems that are alive // -g: generate targets from addr/mask or a range
fping $IP -r 0 -e              //-r 0: no retries // -e: show elapsed round-trip time (can be used to check for an IDS)
fping -q -a -g $IP/24 -r 0 -e  //Finds all alive systems in the subnet, -q: quiet (summary only)
nmap -sn $IP
nping $IP
ping6 $IPv6

Test Firewall rules using Hping3

// Modes: <-0/--rawip, -1/--icmp, -2/--udp, -8/--scan, -9/--listen>
// TCP flags: <-S, -A, -R, -F, -P, -U, -X> as <syn, ack, rst, fin, psh, urg, xmas>
// In the reply: flags=RA means the port is closed, flags=SA means the port is open (no reply at all usually means filtered).

hping3 $IP
hping3 -S -c 1 -p <port> $IP             //-S: send a SYN to the port, -c 1: send one packet only
hping3 -1 192.168.1.x --rand-dest -I eth0 //-1: ICMP mode, --rand-dest: randomise the x in the address, -I: interface
nmap -f -f -sS $IP -p <port> -Pn -n --disable-arp-ping //-f: 8-byte IP fragments, -f -f: 16-byte fragments
hping3 -S -f -p <port> $IP -c 2          //-S: TCP SYN, -f: fragment the packets
nmap -D RND:10 $IP -p <port> -Pn -n --disable-arp-ping //10 random decoy source addresses mixed with our own
nmap --source-port 53 $IP -sS            //Source port 53 (DNS) is often allowed through by firewall rules
nmap -sS --data-length 10 -p <port> $IP  //Append 10 random bytes to each probe so it no longer matches the default-size IDS signature
nmap --spoof-mac <vendor_name> $IP -p <port> -Pn --disable-arp-ping //Accepts a MAC, a prefix or a vendor name; only matters on the local segment

Nmap

nmap -iL <hostfile.txt>   //Read the targets from a file containing one or more hosts
// -sn: ping scan, disable port scan
// --disable-arp-ping: do not use ARP for host discovery when using -sn
// (the default on a local network is ARP ping, because ARP is faster when the attacker is on the same segment)
// -sP: old name for -sn (ping scan, skip port scan, show hosts that respond)
// -sL: list the targets that would be scanned (no packets sent)
// -Pn: skip host discovery, treat every host as up
// -PS/PA/PU/PY [port list]: TCP SYN/ACK, UDP, SCTP INIT discovery
// -PE/PP/PM: ICMP echo, timestamp, netmask request discovery
// -PO [protocol list]: IP protocol ping
// -n/-R: never do DNS resolution / always resolve
// --dns-servers <serv1,serv2,...>: specify custom DNS servers
// --traceroute: trace the hop path to each host
// --exclude-ports <port range>: exclude the specified ports
// -b <ftp relay host>: FTP bounce scan, stealthy. If the FTP server is vulnerable, it lets us launch port
// scans against machines we have no direct access to on the internal network
//Scanning techniques:
// -sS/sT/sA/sW/sM: TCP SYN / Connect() (also used for IPv6) / ACK / Window / Maimon
// -sS: TCP SYN (half-open) scan, non-obtrusive, never completes the connection; -sT completes the handshake via connect()
// -sU: UDP scan for DNS, SNMP, DHCP, ...
// -sN/sF/sX: TCP Null, FIN, Xmas scans
// --scanflags <flags>: customize the TCP flags the scan sets
// -D <decoy1,decoy2,...[,ME],...>: decoy scan (spoofed source addresses, ME marks our real address in the list)
// -D RND:10: 10 random decoy IPs against the target
// -sI <zombie host>[:<probe port>]: idle scan

// A good zombie has sequential IP ID generation. To find a good zombie:

hping3 -S -r -p <port> $zombieIP   //-r: display the IP ID as an increment relative to the previous reply
//If the ID increments by exactly 1 each time, the host is sending no other packets and is a good zombie
nmap -O -v -n $zombieIP            //-O: OS detection (reports "IP ID Sequence Generation"), -n: no DNS resolution

// After finding the zombie, spoof its IP and analyse the zombie's IP ID.
// If the port is open, the IP ID increments by 2; if it is closed, it increments by 1.
// To scan the target without it ever seeing a packet from our own IP:

hping3 -a $zombieIP -S -p <port> $IP
nmap -Pn -sI $zombieIP:<port> $targetIP -v
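The IP ID rule above (+1 closed, +2 open) is easier to reason about as a model. The following is an added example, not code from the original page or from nmap/hping3: it simulates a zombie whose IP IDs come from one global 16-bit counter and shows what the scanner can and cannot infer from how far that counter moves, including the 16-bit wraparound and the busy-zombie failure mode. Nothing here sends packets; the `Zombie` class and the function names are assumptions of this simulation.

```python
"""Model of the idle-scan IP ID side channel (added example, simulation only)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Zombie:
    """Host with a single incrementing IP ID counter, i.e. the "good zombie" property."""
    ip_id: int = 1000
    busy: bool = False                      # True = host also talks to other parties (bad zombie)
    log: List[int] = field(default_factory=list)

    def send_packet(self) -> int:
        """Every packet the zombie emits consumes one IP ID; the counter wraps at 16 bits."""
        self.ip_id = (self.ip_id + 1) & 0xFFFF
        self.log.append(self.ip_id)
        return self.ip_id


def probe_zombie(z: Zombie) -> int:
    """Scanner sends SYN/ACK to the zombie; an unsolicited SYN/ACK earns a RST whose IP ID we read."""
    return z.send_packet()


def target_receives_spoofed_syn(z: Zombie, port_state: str) -> None:
    """The target sees a SYN whose source address is the zombie, so it answers the zombie."""
    if port_state == "open":
        z.send_packet()   # target answers SYN/ACK; the zombie never asked, so it replies RST (+1)
    # "closed": target sends RST, which the zombie silently drops (+0)
    # "filtered": a firewall drops the SYN and the target sends nothing (+0)
    if z.busy:
        z.send_packet()   # unrelated traffic from a busy zombie pollutes the measurement


def is_good_zombie(samples: List[int]) -> bool:
    """IDs collected by repeated probing (hping3 -r style): good if every step is exactly +1 mod 2^16."""
    deltas = [(b - a) & 0xFFFF for a, b in zip(samples, samples[1:])]
    return len(deltas) > 0 and all(d == 1 for d in deltas)


def infer_port_state(id_before: int, id_after: int) -> str:
    """+1 = only our own probe was answered; +2 = the target made the zombie send one extra packet."""
    delta = (id_after - id_before) & 0xFFFF
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unknown"      # zombie sent other traffic in between; re-probe instead of trusting this


def idle_scan_port(z: Zombie, true_state: str) -> str:
    """One idle-scan round: probe, let the target act on the spoofed SYN, probe again, compare."""
    before = probe_zombie(z)
    target_receives_spoofed_syn(z, true_state)
    after = probe_zombie(z)
    return infer_port_state(before, after)


if __name__ == "__main__":
    for state in ("open", "closed", "filtered"):
        print(f"{state:9} -> {idle_scan_port(Zombie(), state)}")
    print("busy zombie, closed port ->", idle_scan_port(Zombie(busy=True), "closed"))
```

Two things the model makes visible: a zombie that emits even one unrelated packet turns a closed port into a false "open" (which is why the zombie is checked with `hping3 -r` first, and why nmap probes several times), and the side channel only exists because the zombie uses one global incremental IP ID counter, which is the reason modern operating systems randomise or per-connection it.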

//Firewall evasion techniques
nmap -f $IP                       //Fragment packets (8-byte fragments)
nmap --mtu <MTU> $IP              //Specify the fragment size (must be a multiple of 8)
nmap --source-port <port> $IP     //Manually specify the source port, e.g. 53, 20, etc.
nmap -g <port> -sS -p <port> $IP  //-g is the short form of --source-port
nmap --randomize-hosts -iL hosts.txt //Randomize the scan order
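Seen from the firewall, the ping sweeps in "Identify Live Hosts", the SYN probes in "Test Firewall rules" and the source-port and fragmentation tricks above all leave recognisable traces. The detector below is an added example, not code from the page or from nmap/hping3/masscan: it parses constructed log lines laid out like iptables LOG output (KEY=VALUE fields, bare TCP flag words, FRAG:<offset> on non-first fragments) and flags four patterns. The log lines, the thresholds and the function names are assumptions of this example; adapt `parse_line()` to your own firewall's format.

```python
"""Spotting scan patterns in firewall logs (added example; sample log is constructed)."""
from collections import defaultdict
from typing import Dict, List, Tuple

SWEEP_HOST_THRESHOLD = 4   # distinct hosts echo-requested by one source (assumed for the sample)
SCAN_PORT_THRESHOLD = 5    # distinct ports SYN'd on one host by one source (assumed for the sample)

# Constructed sample in an iptables-LOG-like layout; not real traffic.
SAMPLE_LOG = """\
10:00:01 IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
10:00:01 IN=eth0 SRC=203.0.113.9 DST=192.0.2.11 PROTO=ICMP TYPE=8 CODE=0
10:00:01 IN=eth0 SRC=203.0.113.9 DST=192.0.2.12 PROTO=ICMP TYPE=8 CODE=0
10:00:02 IN=eth0 SRC=203.0.113.9 DST=192.0.2.13 PROTO=ICMP TYPE=8 CODE=0
10:00:05 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
10:00:05 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN
10:00:05 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 SYN
10:00:05 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=445 SYN
10:00:05 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=3389 SYN
10:00:09 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=445 SYN
10:00:12 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 ID=777 FRAG:8 PROTO=TCP
10:00:30 IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
10:00:31 IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 ACK
"""


def parse_line(line: str) -> Dict[str, str]:
    """One log line -> dict. KEY=VALUE become fields, FRAG:n the fragment offset, bare words flags."""
    tokens = line.split()
    rec: Dict[str, str] = {"ts": tokens[0], "flags": ""}
    for tok in tokens[1:]:
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
        elif tok.startswith("FRAG:"):
            rec["FRAG"] = tok[5:]
        else:
            rec["flags"] += tok + " "
    return rec


def detect(log_text: str) -> List[Tuple[str, str]]:
    """Return sorted (rule, subject) findings for sweeps, SYN scans, source-port-53 SYNs and fragments."""
    icmp_targets = defaultdict(set)   # src -> hosts it sent echo requests to
    syn_ports = defaultdict(set)      # (src, dst) -> ports that received a bare SYN
    findings = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        src, proto, flags = r.get("SRC"), r.get("PROTO"), r["flags"].split()
        if proto == "ICMP" and r.get("TYPE") == "8":          # echo request (fping, nmap -sn, ping)
            icmp_targets[src].add(r.get("DST"))
        if proto == "TCP" and "SYN" in flags and "ACK" not in flags:
            syn_ports[(src, r.get("DST"))].add(r.get("DPT"))
            # nmap --source-port 53: a SYN *from* port 53 to a non-DNS port is not DNS traffic
            if r.get("SPT") == "53" and r.get("DPT") != "53":
                findings.add(("dns_source_port", src))
        if proto == "TCP" and r.get("FRAG") is not None:
            # nmap -f / --mtu: TCP header split across IP fragments; stateless filters may let these through
            findings.add(("tiny_fragment", src))
    for s, hosts in icmp_targets.items():
        if len(hosts) >= SWEEP_HOST_THRESHOLD:
            findings.add(("ping_sweep", s))
    for (s, d), ports in syn_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.add(("syn_scan", f"{s}->{d}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_LOG):
        print(f"{rule:16} {subject}")
```

Per-source thresholds are what a decoy scan (`-D RND:10`) is designed to dilute: each decoy shows up as its own low-volume source, so counting per destination as well, or alerting on the total number of distinct sources hitting one host in a short window, is the complementary view. The half-open SYN from 192.0.2.50 followed by its ACK is ordinary traffic and produces no finding.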

//NSE scripts live in /usr/share/nmap/scripts
nmap --script-updatedb      //Update the script database
//To search for scripts related to a service, say smb, within a category:
nmap --script-help "smb* and discovery"
//To use a script:
nmap --script <script-name> -p <port> $IP

MASSCAN

(Has most of nmap's options and similar usage)
masscan $IP/16 -p <port>
masscan $IP/16 -p0-65535 --rate 1000000
masscan $IP --top-ports <n>
masscan $IP --top-ports 100 --rate 100000 //Scan the top 100 ports quickly
masscan $IP --echo > scan.conf            //Dump the current configuration (not results) to a file; reload it with -c scan.conf
