Scanning

Identify Live Hosts

ping $IP
//Ping Sweep (ICMP ECHO requests) :
fping -a -g $IP   //-a :show sys that are alive// -g:generate addr/mask
fping $IP -r 0 -e //-r:retry 0 times//-e: show elapsed time (can chk 4 IDS)
fping -q -a -g $IP/24 -r 0 -e //Finds all alive sys in subnet, -q: quiet 
nmap -sn $IP
nping $IP
ping6 $IPv6

Test Firewall rules using Hping3

// < --raw-ip, --icmp, --udp, --scan, -- listen>
// < -S, -A, -R, -F, -P, -U, -X> as <syn,ack,rst,fin,psh,urg,xmas>
// flags=RA means port is closed. flags=SA means port is open.

hping3 $IP
hping3 -c 1 $IP -p <port> -s      
hping3 -1 192.168.1.x --rand-dest -I eth0 // -1=tcp packet, -I = interface
nmap -f -f -sS $IP -p <port> -Pn -n --disable-arp-ping //16 bit fragmt
hping3 -S -f -p <port> $IP -c 2  //-S: TCP SYN scan, -f: fragment
nmap -D RND:10 $IP -p <port> -Pn -n --disable-arp-ping
nmap --source-port 53 $IP -sS //Default DNS port 53 often ignored by nw admin
nmap -sS --data-length 10 -p <port> $IP //Adding 10 extra to evade IDS
nmap --spoof-mac <vendor_name> $IP -p <port> -Pn --disable-arp-ping

Nmap

nmap -iL <hostfile.txt> // To input hosts file containing number of hosts.
// -sn : ping scan, disable port scan
//--disable-arp-ping when using -sn 
//default is to use arp scan cuz arp scan is faster if attacker is in same N/W
// -sP: ping scan, skip host discovery & show hosts that respond
// -sL: list targets to scan
// -Pn: skip host discovery
// -PS/PA/PU/PY [port list]: TCP SYN/ACK,UDP,SCTP discovery
// -PE/PP/PM: ICMP echo,timestamp,netmast request discovery
// -PO [protocol list]: IP Protocol Ping
// -n/-R : Never do DNS resolution/Always resolve
// --dns-servers <serv1,serv2,...>: specify custom DNS servers
// --traceroute: Trace hop path to each host
// --exclude-ports <port range> : Exclude specified ports.
// -b : FTP Bounce Scan is Stealthy.If vuln, allows us to launch port
/scans against machines we dont have direct access to on internal n/w
//Scanning Techniques:
// -sS/sT/sA/sW/sM: TCP SYN/ Connect() (Also used in case of IPv6) /ACK /Window /Maimon
// -sS :TCP SYN/Connect,Non-obtrusive,doens't open full connection
// -sU: UDP scan for DNS,SNMP,DHCP,...
//-sN/sF/sX : TCP Null, FIN , Xmas scans
// --scanflags <flags> : Customize TCP scan for flags
// -D : <decoy1,decoy2,...[ME],...> for IP spoofing.
// -D RND=10 : 10 random IP against target for IP spoofing.
// -sI <zombie host:<port> > : Idle scan

// Good zombie has sequential IP ID generation. To find good zombie:

hping3 -S -r -p <port> //-r: displays ID increments.
//If ID increments by 1,target is not sending packets through network n is good zoombie
nmap -O -v -n $IP         // -O for OS detection and -n to list target IP's

// After finding zombie, spoof it's IP & analyse the packets for IP ID.
// If port is open, IP ID increments by 2, if closed, increments by 1.
// To scan the target without sending a single packet from original IP:

hping3 -a $zoombieIP -S -p <port> $IP
nmap -Pn -sI $zoombieIP:<port> $targetIP -v

//Firewall Evasion Techniques
nmap -f $IP             //Fragment packets
nmap -mtu <MTU> $IP     //Specify MTU
nmap --source-port <port> $IP   //Manually specify a port, Ex: 53,20,etc.
nmap -g <port> -sS -p <port> $IP
nmap --randomize-hosts -iL hosts.txt //Randomize scan order

//NSE : cd /usr/share/nmap/scripts
nmap --scripts-updatedb     //Update scripts.
//To search for scripts related to service, say smb:
nmap --script-help "smb*" and discovery
//To use a script:
nmap --scripts <script-name> target/$IP -sn

MASSCAN

(Has most of nmap options & similar use)
masscan $IP/16 -p <port>
masscan $IP/16 -p0-65535 ––rate 1000000
masscan $IP --top-ports
masscan $IP --top-ports 100 --rate 100000 //Scanning top 100 ports quickly
masscan $IP --echo > results.txt

PreviousInformation Gathering NextPort/Service Enumeration

Last updated 10 months ago

ping $IP //Ping Sweep (ICMP ECHO requests) : fping -a -g $IP //-a :show sys that are alive// -g:generate addr/mask fping $IP -r 0 -e //-r:retry 0 times//-e: show elapsed time (can chk 4 IDS) fping -q -a -g $IP/24 -r 0 -e //Finds all alive sys in subnet, -q: quiet nmap -sn $IP nping $IP ping6 $IPv6

// < --raw-ip, --icmp, --udp, --scan, -- listen> // < -S, -A, -R, -F, -P, -U, -X> as <syn,ack,rst,fin,psh,urg,xmas> // flags=RA means port is closed. flags=SA means port is open. hping3 $IP hping3 -c 1 $IP -p <port> -s hping3 -1 192.168.1.x --rand-dest -I eth0 // -1=tcp packet, -I = interface nmap -f -f -sS $IP -p <port> -Pn -n --disable-arp-ping //16 bit fragmt hping3 -S -f -p <port> $IP -c 2 //-S: TCP SYN scan, -f: fragment nmap -D RND:10 $IP -p <port> -Pn -n --disable-arp-ping nmap --source-port 53 $IP -sS //Default DNS port 53 often ignored by nw admin nmap -sS --data-length 10 -p <port> $IP //Adding 10 extra to evade IDS nmap --spoof-mac <vendor_name> $IP -p <port> -Pn --disable-arp-ping

nmap -iL <hostfile.txt> // To input hosts file containing number of hosts. // -sn : ping scan, disable port scan //--disable-arp-ping when using -sn //default is to use arp scan cuz arp scan is faster if attacker is in same N/W // -sP: ping scan, skip host discovery & show hosts that respond // -sL: list targets to scan // -Pn: skip host discovery // -PS/PA/PU/PY [port list]: TCP SYN/ACK,UDP,SCTP discovery // -PE/PP/PM: ICMP echo,timestamp,netmast request discovery // -PO [protocol list]: IP Protocol Ping // -n/-R : Never do DNS resolution/Always resolve // --dns-servers <serv1,serv2,...>: specify custom DNS servers // --traceroute: Trace hop path to each host // --exclude-ports <port range> : Exclude specified ports. // -b : FTP Bounce Scan is Stealthy.If vuln, allows us to launch port /scans against machines we dont have direct access to on internal n/w //Scanning Techniques: // -sS/sT/sA/sW/sM: TCP SYN/ Connect() (Also used in case of IPv6) /ACK /Window /Maimon // -sS :TCP SYN/Connect,Non-obtrusive,doens't open full connection // -sU: UDP scan for DNS,SNMP,DHCP,... //-sN/sF/sX : TCP Null, FIN , Xmas scans // --scanflags <flags> : Customize TCP scan for flags // -D : <decoy1,decoy2,...[ME],...> for IP spoofing. // -D RND=10 : 10 random IP against target for IP spoofing. // -sI <zombie host:<port> > : Idle scan // Good zombie has sequential IP ID generation. To find good zombie: hping3 -S -r -p <port> //-r: displays ID increments. //If ID increments by 1,target is not sending packets through network n is good zoombie nmap -O -v -n $IP // -O for OS detection and -n to list target IP's // After finding zombie, spoof it's IP & analyse the packets for IP ID. // If port is open, IP ID increments by 2, if closed, increments by 1. // To scan the target without sending a single packet from original IP: hping3 -a $zoombieIP -S -p <port> $IP nmap -Pn -sI $zoombieIP:<port> $targetIP -v //Firewall Evasion Techniques nmap -f $IP //Fragment packets nmap -mtu <MTU> $IP //Specify MTU nmap --source-port <port> $IP //Manually specify a port, Ex: 53,20,etc. nmap -g <port> -sS -p <port> $IP nmap --randomize-hosts -iL hosts.txt //Randomize scan order //NSE : cd /usr/share/nmap/scripts nmap --scripts-updatedb //Update scripts. //To search for scripts related to service, say smb: nmap --script-help "smb*" and discovery //To use a script: nmap --scripts <script-name> target/$IP -sn

(Has most of nmap options & similar use) masscan $IP/16 -p <port> masscan $IP/16 -p0-65535 ––rate 1000000 masscan $IP --top-ports masscan $IP --top-ports 100 --rate 100000 //Scanning top 100 ports quickly masscan $IP --echo > results.txt