# Scanning

### Identify Live Hosts

```
ping $IP
// Ping sweep (ICMP echo requests):
fping -a -g $IP/24            // -a: show only systems that are alive, -g: generate targets from a CIDR (or a start/end range)
fping -r 0 -e $IP             // -r 0: no retries, -e: show elapsed round-trip time (useful when checking for an IDS/filter that delays replies)
fping -q -a -g $IP/24 -r 0 -e // every alive system in the subnet; -q: quiet, no per-probe output
nmap -sn $IP                  // ping scan only, no port scan
nping $IP                     // nmap's packet generator (use --icmp for ICMP echo probes)
ping6 $IPv6
```

### Test firewall rules using hping3 and nmap

```
// hping3 modes: --rawip (-0), --icmp (-1), --udp (-2), --scan (-8), --listen (-9); TCP is the default
// TCP flags: -S syn, -A ack, -R rst, -F fin, -P psh, -U urg
// -X sets hping3's X ("xmas") bit, the reserved 0x40 bit, not nmap's FIN/PSH/URG Xmas scan (use -F -P -U for that)
// Reading replies to a SYN probe: flags=SA means the port is open, flags=RA means it is closed,
// no reply at all means the probe or its answer was dropped (filtered)

hping3 $IP                                   // default: TCP packets with no flags to port 0, one per second
hping3 -c 1 -S -p <port> $IP                 // a single SYN to one port (-c: packet count, -S: SYN flag)
hping3 -1 192.168.1.x --rand-dest -I eth0    // -1: ICMP mode, --rand-dest: the x in the address is randomised, -I: interface
nmap -f -f -sS -p <port> -Pn -n --disable-arp-ping $IP   // -f: 8-byte IP fragments, -f -f: 16-byte fragments
hping3 -S -f -c 2 -p <port> $IP              // -S: SYN probe, -f: fragment the packets
nmap -D RND:10 -p <port> -Pn -n --disable-arp-ping $IP   // mix the scan with 10 random decoy source addresses
nmap --source-port 53 -sS $IP                // source port 53: sloppy firewall rules often let "DNS" traffic through
nmap -sS --data-length 10 -p <port> $IP      // append 10 random bytes so the packets don't look like bare nmap probes
nmap --spoof-mac <vendor_name_or_MAC_or_0> -p <port> -Pn --disable-arp-ping $IP   // fake source MAC, only meaningful on the same L2 segment
```
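The flags=SA / flags=RA rule above is easy to apply by hand for one port and tedious for twenty. The following is an added example, not part of the playbook, that turns it into a small checker over hping3's output. The reply line format is hping3's own; the addresses, ports and the three captured runs are constructed so the classifier can be exercised offline, and `probe_port` is the only function that actually sends packets (it needs root).

```sh
#!/bin/sh
# Added example, not from the playbook: classify a port from hping3 SYN-probe output.
# A reply line from hping3 looks like (format from hping3, values constructed):
#   len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms

# Read hping3 output on stdin, print open / closed / filtered for the probed port.
hping3_verdict() {
    # flags= of the first reply line; an empty result means no reply came back at all
    flags=$(sed -n 's/.*flags=\([A-Z]*\).*/\1/p' | head -n 1)
    case "$flags" in
        *S*A*) echo open ;;                  # SYN/ACK: something is listening
        *R*)   echo closed ;;                # RST(/ACK): host reachable, port closed
        "")    echo filtered ;;              # no reply: dropped by a firewall (or host down)
        *)     echo "unexpected:$flags" ;;   # anything else deserves a look at the raw output
    esac
}

# Probe one port with a single SYN and classify it. Needs root (raw sockets).
# $1 = target, $2 = port. hping3 prints its own chatter on stderr, so drop it.
probe_port() {
    hping3 -S -c 1 -p "$2" "$1" 2>/dev/null | hping3_verdict
}

# Constructed captures standing in for real hping3 runs (no network needed):
SAMPLE_OPEN='HPING 10.0.0.5 (eth0 10.0.0.5): S set, 40 headers + 0 data bytes
len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms

--- 10.0.0.5 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'

SAMPLE_CLOSED='HPING 10.0.0.5 (eth0 10.0.0.5): S set, 40 headers + 0 data bytes
len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=0.3 ms

--- 10.0.0.5 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'

SAMPLE_FILTERED='HPING 10.0.0.5 (eth0 10.0.0.5): S set, 40 headers + 0 data bytes

--- 10.0.0.5 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss'

# Offline check against the constructed captures:
printf '%s\n' "$SAMPLE_OPEN"     | hping3_verdict   # open
printf '%s\n' "$SAMPLE_CLOSED"   | hping3_verdict   # closed
printf '%s\n' "$SAMPLE_FILTERED" | hping3_verdict   # filtered

# On a lab host with hping3 installed (as root):
# for p in 22 80 443; do printf '%s: ' "$p"; probe_port 10.0.0.5 "$p"; done
```

"filtered" here only means the SYN got no TCP answer within hping3's wait; rerun with `-c 3` before concluding a rule drops the port, since a single lost packet gives the same verdict.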

### Nmap

```
nmap -iL <hostfile.txt>     // read targets from a file, one host or range per line
// -sn : ping scan only, no port scan (-sP is the old name for the same option)
// --disable-arp-ping : on a local segment nmap discovers hosts with ARP by default,
//   because that is faster and more reliable; this forces the ICMP/TCP probes instead
// -sL : list scan, only enumerate (and reverse-resolve) the targets, send nothing
// -Pn : skip host discovery, treat every target as up
// -PS/-PA/-PU/-PY [port list] : TCP SYN / TCP ACK / UDP / SCTP INIT discovery probes
// -PE/-PP/-PM : ICMP echo / timestamp / netmask request discovery
// -PO [protocol list] : IP protocol ping
// -n / -R : never do DNS resolution / always resolve
// --dns-servers <serv1,serv2,...> : use custom DNS servers
// --traceroute : trace the hop path to each host
// --exclude-ports <port range> : exclude the given ports
// -b <ftp relay host> : FTP bounce scan; an FTP server that accepts PORT commands for
//   third-party addresses lets you port-scan machines behind it that you cannot reach
//   directly, and the probes appear to come from the FTP server rather than from you

// Scan techniques:
// -sS / -sT / -sA / -sW / -sM : TCP SYN / connect() / ACK / window / Maimon scans
// -sS : SYN (half-open) scan, needs raw sockets, never completes the handshake
// -sT : full connect() scan, works unprivileged and for IPv6, but the application logs the connection
// -sU : UDP scan (DNS, SNMP, DHCP, ...)
// -sN / -sF / -sX : TCP Null, FIN, Xmas scans
// --scanflags <flags> : custom TCP flag combination
// -D <decoy1,decoy2,...,ME,...> : decoys, the scan appears to come from every listed address as well as yours
// -D RND:10 : 10 random decoy addresses
// -sI <zombie host[:port]> : idle scan through a zombie

// A good zombie is idle and uses a single, incremental IP ID counter. To find one:

hping3 -S -r -p <port> $zombieIP   // -r: print the IP ID as a delta from the previous reply
// if the delta stays at +1 the host is sending no other traffic and is a usable zombie
nmap -O -v -n $zombieIP            // -O: OS detection, reports "IP ID Sequence Generation: Incremental" for usable zombies; -n: no DNS

// Then send SYNs to the target with the zombie's address as source and watch the zombie's IP ID:
// probe the zombie, send the spoofed SYN, probe the zombie again.
// Open port: the target SYN/ACKs the zombie, the zombie answers with a RST, its IP ID rises by 2.
// Closed (or filtered) port: the zombie receives a RST (or nothing) and stays silent, IP ID rises by 1.
// The target never sees a packet from your own address:

hping3 -a $zombieIP -S -p <port> $IP      // -a: spoof the source address
nmap -Pn -sI $zombieIP:<port> $IP -v      // nmap does the before/after IP ID measurement for you

// Firewall evasion techniques
nmap -f $IP                          // fragment packets (8-byte fragments)
nmap --mtu <MTU> $IP                 // fragment with a chosen MTU (must be a multiple of 8)
nmap --source-port <port> $IP        // send from a port firewalls tend to trust, e.g. 53 or 20
nmap -g <port> -sS -p <port> $IP     // -g is short for --source-port
nmap --randomize-hosts -iL hosts.txt // scan the targets in random order

// NSE scripts live in /usr/share/nmap/scripts
nmap --script-updatedb               // rebuild the script database after adding scripts
// search for scripts about a service, e.g. smb, in a category:
nmap --script-help "smb* and discovery"
// run a script (port scripts need the port scanned, so don't combine this with -sn):
nmap --script <script-name> -p <port> $IP
```
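The idle-scan notes above state the rule (+2 open, +1 closed or filtered) but it is worth seeing the bookkeeping spelled out, including the two things that go wrong in practice: the 16-bit IP ID wrapping around, and a zombie that is not as idle as it looked. The following is an added example, not the playbook's own code or nmap's implementation. `ipid` and `idle_verdict` run offline against constructed hping3 reply lines; `idle_scan_port` is the real sequence and needs root and a quiet zombie. Addresses, the zombie port and the ID values are invented.

```sh
#!/bin/sh
# Added example, not from the playbook: the IP ID arithmetic behind an idle scan.
# Probe the zombie, send the spoofed SYN to the target, probe the zombie again,
# and read the target port's state off the change in the zombie's IP ID.

# Print the absolute IP ID from the first hping3 reply line on stdin.
# Run the probe without -r: with -r hping3 prints relative values like id=+1.
ipid() {
    sed -n 's/.*[[:space:]]id=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# $1 = zombie IP ID before the spoofed SYN, $2 = after.
# Our second probe always costs +1 (the zombie's reply to it); anything beyond
# that is traffic the zombie sent in between.
idle_verdict() {
    before=$1; after=$2
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo no_reply_from_zombie; return 1
    fi
    delta=$(( (after - before + 65536) % 65536 ))   # IP ID is 16 bits, so handle wrap-around
    case "$delta" in
        2) echo open ;;                # zombie RST'd the target's SYN/ACK (+1), then answered our probe (+1)
        1) echo closed_or_filtered ;;  # target sent a RST (ignored by zombie) or nothing; only our probe counted
        0) echo no_increment ;;        # zero/constant IP IDs: this host cannot serve as a zombie
        *) echo "noisy:$delta" ;;      # other traffic hit the zombie in between: repeat the measurement
    esac
}

# One port of a real idle scan (root required). $1 = zombie, $2 = target,
# $3 = target port. ZOMBIE_PORT must be a port the zombie answers on (SA or RA
# both carry its IP ID). The spoofed SYN (-a) never carries our own address.
ZOMBIE_PORT=${ZOMBIE_PORT:-80}
idle_scan_port() {
    before=$(hping3 -S -c 1 -p "$ZOMBIE_PORT" "$1" 2>/dev/null | ipid)
    hping3 -a "$1" -S -c 1 -p "$3" "$2" >/dev/null 2>&1
    after=$(hping3 -S -c 1 -p "$ZOMBIE_PORT" "$1" 2>/dev/null | ipid)
    idle_verdict "$before" "$after"
}

# Constructed zombie replies in hping3's reply format (addresses and IDs invented):
ZOMBIE_BEFORE='len=46 ip=10.0.0.7 ttl=128 id=4113 sport=80 flags=SA seq=0 win=8192 rtt=0.9 ms'
ZOMBIE_AFTER='len=46 ip=10.0.0.7 ttl=128 id=4115 sport=80 flags=SA seq=0 win=8192 rtt=0.8 ms'

# Offline walk-through of the arithmetic:
b=$(printf '%s\n' "$ZOMBIE_BEFORE" | ipid)
a=$(printf '%s\n' "$ZOMBIE_AFTER"  | ipid)
idle_verdict "$b" "$a"        # open (4113 -> 4115)
idle_verdict 4113 4114        # closed_or_filtered
idle_verdict 65535 1          # open, counter wrapped (65535 -> 0 -> 1)
idle_verdict 4113 4120        # noisy:7, zombie was busy, measure again

# Live (root, lab only):  idle_scan_port 10.0.0.7 10.0.0.5 22
```

A "noisy" verdict is the normal failure mode: repeat the three-step measurement a few times and keep the port only if the delta is stable, which is also why nmap's `-sI` probes the zombie several times per port rather than trusting one sample.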

### MASSCAN

```
// nmap-like syntax, but masscan is a stateless asynchronous scanner: no service detection, and the port list and rate are yours to set
masscan $IP/16 -p <port>
masscan $IP/16 -p0-65535 --rate 1000000    // --rate: packets per second (the default is a slow 100); the top end needs a fast uplink
masscan $IP --top-ports 100                // --top-ports takes a count
masscan $IP --top-ports 100 --rate 100000  // scan the top 100 ports quickly
masscan $IP -p <port> -oL results.txt      // -oL: list output (-oX, -oJ, -oG also exist); results go to a file, not stdout
masscan $IP -p <port> --echo > scan.conf   // --echo prints the effective configuration, reuse it later with -c scan.conf
```
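Because masscan only reports open ports and does no version detection, the usual workflow is a fast masscan sweep followed by a targeted nmap service scan of what it found. The following is an added example, not part of the playbook, that does the glue: it groups masscan's `-oL` list output by host and emits one `nmap -sV` command per host. The `-oL` line layout (`open tcp 80 10.0.0.5 1700000000`: state, protocol, port, host, timestamp) is masscan's; the hosts and ports in the sample are constructed.

```sh
#!/bin/sh
# Added example, not from the playbook: turn masscan -oL output into per-host
# nmap service scans. Input lines: "open tcp 80 10.0.0.5 1700000000"
# (state, protocol, port, host, timestamp); "#" lines are masscan's comments.

# Group open TCP ports by host, one "host port,port,..." line per host.
masscan_ports_by_host() {
    awk '$1 == "open" && $2 == "tcp" {
             ports[$4] = (ports[$4] == "" ? $3 : ports[$4] "," $3)
         }
         END { for (h in ports) print h, ports[h] }' | sort
}

# Turn each "host ports" line into an nmap service scan. -Pn because masscan
# already proved the host is up, -n to avoid DNS noise, -p limited to what masscan saw.
nmap_followup_cmds() {
    while read -r host ports; do
        printf 'nmap -sV -Pn -n -p %s %s\n' "$ports" "$host"
    done
}

# Constructed masscan -oL output (hosts, ports and timestamps invented):
MASSCAN_LIST='#masscan
open tcp 80 10.0.0.5 1700000000
open tcp 22 10.0.0.5 1700000001
open tcp 443 10.0.0.9 1700000002
open udp 53 10.0.0.9 1700000003
# end'

# Offline walk-through: UDP is dropped (nmap -sV on UDP needs -sU, a separate run),
# the two 10.0.0.5 ports collapse into one scan.
printf '%s\n' "$MASSCAN_LIST" | masscan_ports_by_host | nmap_followup_cmds

# Real run (root):  masscan 10.0.0.0/24 -p1-65535 --rate 10000 -oL found.txt
# then:             masscan_ports_by_host < found.txt | nmap_followup_cmds | sh
```

Piping the commands into `sh` runs them serially, which is what you want on an engagement: masscan's speed comes from not caring about the answers, nmap's `-sV` is where the per-host rate actually matters for not tripping alarms.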

