Module 03 - Scanning Networks
Perform Host Discovery
Netdiscover
Netdiscover is an ARP reconnaissance tool: it can passively sniff the ARP traffic on an interface, or actively probe a range (or, with no range given, auto-scan the common private networks) and list the live hosts with their MAC addresses and vendors. Because it relies on ARP it only sees hosts on the local layer-2 segment; it cannot discover anything behind a router.
netdiscover -i eth0
netdiscover -i eth0 -P -r 192.168.1.0/24
-i : network interface (eth0)
-P : print the results in a parseable format and exit after the scan, instead of the interactive screen
-r : range to scan (192.168.1.0/24)
Nmap
Scanning an entire network
nmap -Pn -sS -A -vv <Target_IP>/<Subnet> -oA <Filename>
-Pn: skip host discovery and treat every address as up (no ping); useful when ICMP is filtered, but it makes the scan of a /24 much slower because dead addresses are fully port-scanned too
-sS: SYN (half-open) scan; needs root/raw sockets
-A: aggressive scan (enables -O, -sV, -sC and --traceroute)
-oA: write normal (.nmap), XML (.xml) and grepable (.gnmap) output at once, using <Filename> as the base name
-vv: very verbose
nmap -sn -PR <Target IP>
-sn: host discovery only, no port scan
-PR: ARP ping scan (the default and most reliable method on a local Ethernet segment; ARP is not routable, so it only works on-link)
nmap -sn -PU <Target IP>
-PU: UDP ping scan (default port 40125; an ICMP port-unreachable reply proves the host is up)
nmap -sn -PE <Target IP or IP Range>
-PE: ICMP echo ping scan (the classic ping; often blocked at the perimeter)
nmap -sn -PP <Target IP>
-PP: ICMP timestamp ping scan
nmap -sn -PM <Target IP>
-PM: ICMP address mask ping scan
nmap -sn -PS <Target IP>
-PS: TCP SYN ping scan (default port 80; use -PS22,443 to pick others; a SYN/ACK or RST both mean the host is up)
nmap -sn -PA <Target IP>
-PA: TCP ACK ping scan (default port 80; an unsolicited ACK often passes stateless filters that drop SYNs, and a live host answers RST)
nmap -sn -PO <Target IP>
-PO: IP protocol ping scan (default protocols 1, 2 and 4: ICMP, IGMP and IP-in-IP)
Convert an Nmap XML file to an HTML report
xsltproc <nmap-output.xml> -o <nmap-output.html>
This works because the XML written by -oX/-oA carries a stylesheet reference to nmap.xsl; if that path does not resolve on your machine, give xsltproc the nmap.xsl file as its first argument.
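xsltproc is the quickest path to a report, but the XML written by -oX/-oA is also easy to post-process yourself. The following Python is an added example, not part of the original notes and not nmap's own code: it parses a small Nmap XML document constructed inline (hosts, addresses and ports are made up for the demo), drops hosts that were down, and summarises confirmed-open ports per host, treating open|filtered from a UDP scan as unconfirmed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format nmap -oX writes. Addresses, hostname and
# versions are invented for this example, not taken from a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.10.10.0/24" start="0">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.10.8" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="udp" portid="137"><state state="open|filtered" reason="no-response"/><service name="netbios-ns"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.10.10.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of up hosts, each with ip, hostname and a list of port dicts."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # -Pn or dead hosts: nothing to report
        ip = next((a.get("addr") for a in h.findall("address") if a.get("addrtype") == "ipv4"), None)
        name_el = h.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        ports = []
        for p in h.findall("ports/port"):
            st = p.find("state")
            svc = p.find("service")
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": st.get("state") if st is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        hosts.append({"ip": ip, "hostname": hostname, "ports": ports})
    return hosts


def open_ports(hosts, proto="tcp"):
    """Map ip -> sorted confirmed-open ports. 'open|filtered' (UDP with no
    reply) is deliberately excluded: it is a guess, not an observation."""
    return {h["ip"]: sorted(p["port"] for p in h["ports"]
                            if p["proto"] == proto and p["state"] == "open")
            for h in hosts}


def text_report(hosts):
    """Plain-text report, one host block per up host with its port table."""
    lines = []
    for h in hosts:
        lines.append(h["ip"] + (f" ({h['hostname']})" if h["hostname"] else ""))
        for p in h["ports"]:
            banner = " ".join(x for x in (p["product"], p["version"]) if x)
            lines.append(f"  {p['port']}/{p['proto']:<4} {p['state']:<14} {p['service']:<13} {banner}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(text_report(parse_nmap_xml(SAMPLE_XML)))
```

Point it at a real file with parse_nmap_xml(open("scan.xml").read()); the same structure is what the Metasploit db_import command reads, so one parser serves both the HTML report and any custom triage you need.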
Angry IP Scanner
Perform Port and Service Discovery
Ports identify an individual network process, so that the transport layer knows which destination process a segment belongs to. An <IP>:<Port> pair therefore identifies one process on the network, for example 192.168.13.2:80.
The 1024 well-known ports, 0-1023, are used for the most common services and are assigned by IANA in the Service Name and Transport Protocol Port Number Registry.
A daemon is a program that runs a service. Its configuration can be changed, so the listening port can be moved to a non-standard value to make recognition harder; this is why version detection (-sV) is more trustworthy than the port number alone. Client/server applications know which port to talk to because the TCP and UDP headers each carry a source port and a destination port field.
Common ports
21: FTP
22: SSH
23: Telnet
25: SMTP
80: HTTP
110: POP3
137, 138, 139: NetBIOS
143: IMAP
443: HTTPS (HTTP over TLS/SSL)
1433-1434: Microsoft SQL Server
3306: MySQL
3389: RDP (Terminal Server)

💻 Check listening ports and TCP connections on a host with the commands below:
Linux
netstat -tunp (established TCP/UDP connections with owning process)
netstat -tulpn (adds listening ports)
ss -tnl (listening TCP sockets, numeric; ss is the modern replacement for netstat)
Windows
netstat -ano (all connections and listeners with owning PID)
*nix / macOS
netstat -p tcp -p udp
lsof -n -i4TCP -i4UDP
Note the flag clash: on Linux -p shows the owning program, while on BSD/macOS -p selects a protocol, which is why the two netstat invocations differ.
TCPView tool from Microsoft Sysinternals shows detailed listings of all TCP and UDP connections.
Nmap
nmap -sT -v <Target IP>
-sT: TCP connect/full-open scan (completes the three-way handshake, so it needs no raw-socket privileges but is logged by the target application)
-v: Verbose output
nmap -sS -v <Target IP>
-sS: Stealth scan/TCP half-open scan (sends SYN, reads the SYN/ACK or RST, then tears down with RST instead of completing the handshake; needs root)
nmap -sX -v <Target IP>
-sX: Xmas scan (FIN, PSH and URG set; closed ports answer RST, open ports stay silent; useless against Windows, which answers RST on every port)
nmap -sM -v <Target IP>
-sM: TCP Maimon scan (FIN/ACK probe)
nmap -sA -v <Target IP>
-sA: ACK flag probe scan (maps firewall rules as filtered/unfiltered; it does not distinguish open from closed)
nmap -sU -v <Target IP>
-sU: UDP scan (slow; no reply is reported as open|filtered, an ICMP port unreachable means closed)
nmap -sI <Zombie IP> -v <Target IP>
-sI: idle/IPID header scan, bounced off a zombie host with an incremental IP ID sequence so the target only ever sees the zombie's address
nmap -sY -v <Target IP>
-sY: SCTP INIT scan
nmap -sZ -v <Target IP>
-sZ: SCTP COOKIE ECHO scan
nmap -sV -v <Target IP>
-sV: Detect service versions
nmap -A -v <Target IP>
-A: Aggressive scan
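To make the difference between a full-open and a half-open scan concrete, here is a minimal TCP connect (-sT) scanner in Python. It is an added example, not part of the original notes and not nmap's code. It completes the three-way handshake with each port, classifies the result the way nmap reports it (open, closed, filtered), and then shows the side effect that makes -sT noisier than -sS: the listener's accept() sees the scanner's address. The demo runs against 127.0.0.1 only; the listener, both port numbers and the COMMON_PORTS default list are set up by the block itself.

```python
import errno
import socket
from concurrent.futures import ThreadPoolExecutor

# Well-known ports from the table above, used as the default probe list.
COMMON_PORTS = [21, 22, 23, 25, 80, 110, 137, 138, 139, 143, 443, 1433, 1434, 3306, 3389]


def probe_port(host, port, timeout=0.5):
    """Classify one TCP port the way a full-open scan does: a completed
    three-way handshake is open, an immediate RST (ECONNREFUSED) is closed,
    and no answer within the timeout is filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        err = s.connect_ex((host, port))  # returns errno instead of raising
    except (socket.timeout, OSError):
        err = None
    finally:
        s.close()  # FIN after the handshake; the server has already logged us
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def connect_scan(host, ports=COMMON_PORTS, timeout=0.5, workers=32):
    """Scan a list of ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def demo_scan():
    """Offline demonstration on loopback: open a listener on an ephemeral
    port, reserve-and-release another port so it is known to be closed,
    scan both, and read the scanner's address back from accept()."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more, so the kernel answers RST

    results = connect_scan("127.0.0.1", [open_port, closed_port])

    listener.settimeout(2)
    conn, peer = listener.accept()  # the completed handshake sits in the backlog
    conn.close()
    listener.close()
    return results, open_port, closed_port, peer[0]


if __name__ == "__main__":
    res, o, c, seen_from = demo_scan()
    print(f"port {o}: {res[o]} (listener saw a connection from {seen_from})")
    print(f"port {c}: {res[c]}")
```

A SYN scan never reaches accept() on the server because the kernel discards the half-open connection when the scanner's RST arrives; that is the whole reason -sS is called stealthy, and also why a connect scan from an unprivileged account is the fallback when raw sockets are unavailable.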
Other Nmap useful flags
-sN: null scan (no TCP flags set; same open/closed logic as -sX)
-sC: enable default script scanning (equivalent to --script=default)
-T<0-5>: timing template (paranoid, sneaky, polite, normal, aggressive, insane)
-oN / -oX / -oG / -oA: output in normal, XML, grepable, or all three formats
-O: enable OS detection (TCP/IP stack fingerprinting)
--script <name|category|file>: run the named NSE script(s)
-f: fragment packets (splits probes into 8-byte IP fragments to evade simple filters)
-g or --source-port <port>: source port manipulation (e.g. 53 or 20 to slip past naive firewall rules)
--mtu <multiple of 8>: set the fragment size used with -f
-p <port(s)>: port(s) to scan (-p- for all 65535)
-D <decoy1,decoy2,...,ME>: decoy scan, hides the real source among spoofed addresses
-D RND:<n>: generate <n> random, non-reserved decoy IPs
-d: increase debugging level
Hping3
hping3 --scan 1-3000 -S 10.10.10.10
--scan defines the port range to scan and -S sets the SYN flag, so this is a SYN scan; hping3 lists the ports that answered SYN/ACK.
Pinging the target using hping3:
hping3 -c 3 10.10.10.10
-c 3 means that we only want to send three packets to the target machine. Note that hping3's default mode is not ICMP: with no mode flag it sends TCP packets with no flags set to port 0, so a reply (RST) or silence tells you about the host's TCP stack, not about ICMP; use -1 for ICMP echo mode.
UDP packet crafting
hping3 10.10.10.10 --udp --rand-source --data 500
--udp selects UDP mode, --rand-source spoofs a random source address on every packet (so no replies come back to you), and --data 500 adds a 500-byte payload.
TCP SYN request
hping3 -S 10.10.10.10 -p 80 -c 5
-S sets the SYN flag, -p selects the destination port (80), and -c is the number of packets sent to the target machine.
hping3 flood
hping3 10.10.10.10 --flood
--flood sends packets as fast as possible without waiting for replies; this is a DoS test, not a scan.
Perform OS Discovery
Identify the target system's OS with Time-to-Live and TCP window size using Wireshark
Each OS family sets a different initial TTL in the IP header (and a characteristic TCP window size), so ping a machine, capture the replies in Wireshark, and read the TTL from the IPv4 header of the ICMP echo reply.
Open Wireshark and start a capture
Ping the target machine
Stop the capture
Filter on protocol ICMP
Check the TTL value in the IPv4 (network layer) details of the echo reply
Default initial TTL by OS:
Windows: 128
macOS: 64
Linux: 64
Android/iOS: 64
FreeBSD: 64
The value you capture is the initial TTL minus one per router hop, so a TTL of 126 means a Windows host two hops away and 61 means a 64-TTL host three hops away; round up to the nearest default to recover the family. This is a heuristic, not proof: the initial TTL is a tunable sysctl on most systems.
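The TTL lookup above and the port fields from the ports section both come straight out of packet headers, so here is an added Python example (not from the original notes or any tool's code) that does the same job programmatically: parse an IPv4 header, pull the TTL, round it up to the nearest default initial TTL to estimate OS family and hop count, then parse the TCP or UDP header beneath it for the source/destination port pair that identifies the process. The packets are constructed inside the block with zero checksums; the 255 TTL row (Cisco IOS, Solaris) goes beyond the page's table and is labelled as an addition.

```python
import socket  # used only for inet_aton/inet_ntoa; nothing is sent on the wire
import struct

# Default initial TTL per OS family. 64 and 128 are the values from the table
# above; the 255 row (Cisco IOS, Solaris) is an addition not in the original notes.
INITIAL_TTLS = [
    (64, "Linux / macOS / iOS / Android / FreeBSD"),
    (128, "Windows"),
    (255, "Cisco IOS / Solaris"),
]
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_ipv4(data):
    """Parse an IPv4 header (RFC 791) and return its fields plus the payload."""
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {"ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": data[ihl:total_len]}


def parse_tcp(data):
    """Parse a TCP header (RFC 793): the first two 16-bit fields are the
    source and destination ports that identify the endpoint processes."""
    if len(data) < 20:
        raise ValueError("too short for a TCP header")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", data[:16])
    flags = {name for bit, name in TCP_FLAG_BITS.items() if off_flags & bit}
    return {"proto": "tcp", "sport": sport, "dport": dport, "flags": flags, "window": window}


def parse_udp(data):
    """Parse a UDP header (RFC 768): same source/destination port layout as TCP."""
    if len(data) < 8:
        raise ValueError("too short for a UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    return {"proto": "udp", "sport": sport, "dport": dport, "length": length}


def guess_os(observed_ttl):
    """Round the observed TTL up to the nearest default initial TTL; the
    difference is the number of router hops the packet has crossed."""
    for initial, family in INITIAL_TTLS:
        if observed_ttl <= initial:
            return {"initial_ttl": initial, "hops": initial - observed_ttl, "family": family}
    raise ValueError("TTL must be 0-255")


def fingerprint(packet):
    """Combine the IP-layer TTL guess with the transport-layer port fields."""
    ip = parse_ipv4(packet)
    result = {"src": ip["src"], "dst": ip["dst"], "ttl": ip["ttl"], **guess_os(ip["ttl"])}
    if ip["proto"] == IPPROTO_TCP:
        result.update(parse_tcp(ip["payload"]))
    elif ip["proto"] == IPPROTO_UDP:
        result.update(parse_udp(ip["payload"]))
    return result


# Builders for the constructed samples below (checksums left as zero; not real captures).
def build_ipv4(src, dst, ttl, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport, dport, flags, window):
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)


def build_udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SYN_ACK = 0x12
# A web server at 192.168.13.2:80 (the page's example pair) answering a SYN from two hops away.
WINDOWS_REPLY = build_ipv4("192.168.13.2", "192.168.13.50", 126, IPPROTO_TCP, build_tcp(80, 51234, SYN_ACK, 8192))
LINUX_REPLY = build_ipv4("10.10.10.5", "10.10.10.20", 61, IPPROTO_TCP, build_tcp(80, 51235, SYN_ACK, 64240))
ROUTER_REPLY = build_ipv4("10.10.10.1", "10.10.10.20", 254, IPPROTO_UDP, build_udp(53, 40125))

if __name__ == "__main__":
    for pkt in (WINDOWS_REPLY, LINUX_REPLY, ROUTER_REPLY):
        print(fingerprint(pkt))
```

Feed it the raw bytes from a pcap (starting at the IP header) and you get the same TTL-plus-window view Wireshark shows, ready to batch over a whole capture; the rounding in guess_os is exactly the mental step described above and fails the same way when an administrator has changed the default TTL.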
OS Discovery using the Nmap Scripting Engine (NSE)
nmap -A -v <Target IP>
-A: Aggressive scan
nmap -O -v <Target IP>
-O: OS discovery (TCP/IP stack fingerprinting; needs at least one open and one closed port for a reliable match)
nmap --script smb-os-discovery.nse <Target IP>
--script: specify the script to run
smb-os-discovery.nse: determine the OS, computer name, domain, workgroup, and current time over the SMB protocol (port 445 or 139)
Perform Network Scanning using Various Scanning Tools
Metasploit
service postgresql start && msfconsole -q #start the postgresql service and msfconsole quietly
msfdb init #initialize the msf database (run once)
db_status #check that postgresql is connected to msf
db_nmap -Pn -sS -A -oX Test 10.10.10.0/24 #run nmap from msfconsole; results are stored in the database
hosts #display discovered hosts
use scanner/smb/smb_version
show options #set RHOSTS, set THREADS 100
Scanning SMB Version for OS Detection using Metasploit
use scanner/smb/smb_version
show options
set RHOSTS 10.10.10.8-16
set THREADS 100
run
hosts #type hosts again and the os_flavor column is now filled in
Additional Resources
Web Scanners
YT videos
https://www.youtube.com/watch?v=K78YOmbuT48
https://www.youtube.com/watch?v=SS991k5Alp0
https://www.youtube.com/watch?v=MtyhOrBfG-E
https://www.youtube.com/watch?v=sQ4TtFdaiRA
https://www.youtube.com/watch?v=BTGP5sZfJKY