Network
Scanning port range with netcat
Quick SYN/ACK scan on TCP ports:
nc -nvv -w 1 -z 86.42.44.78 1-65535
Quick SYN/ACK scan on UDP ports:
nc -unvv -w 1 -z 86.42.44.78 1-65535
Other options:
-4 Use IPv4
-6 Use IPv6
-C Don't use cellular connection
-D Enable the debug socket option
-d Detach from stdin
-l Listen mode, for inbound connects
-n Suppress name/port resolutions
-r Randomize remote ports
-s addr Local source address
-t Answer TELNET negotiation
-u UDP mode
-v Verbose
Check whois namespace:
whois -h whois.arin.net n microsoft
List all DNS servers:
host -t ns microsoft.com
Query DNS for all entries:
dig any vmoshpit.com
nmap
Quick ICMP sweep (-sL) and save output into grepable file:
Ping scan (returns if host is up + MAC address):
Full initial scan (not stealthy!):
Disable ping (-PN) to scan ALL specified targets, whether or not they show as up. This should be done in a serious pentest; it takes a very long time, but can be run in the background.
Using TCP SYN ping (-PS) to check if a host is up. Several ports can be specified. Nmap sends a SYN, waits for a SYN/ACK, then cancels the handshake with a RST:
Using TCP ACK ping (-PA) sends ACK packets to hosts that have not yet received a SYN, so they reply with a RST. This might get past some firewall rules:
To avoid intrusion detection (IDS) signatures, padding data can be added to the packets with --data-length. 32 bytes makes the probe look like a ping from Windows, 56 like one from Linux:
Broad initial scan to catch Windows and Linux hosts behind firewalls. Add a random high port range in case the firewall has a sloppy configuration:
Adding --packet-trace enables verbose output of every single packet.
Port 0 can be specified with -p0 or as part of a range like -p0-65535. Specifying only -p0- scans all TCP ports.
The timing policy is changed with the -T option, ranging from -T0 to -T5. Aggressive (fast) would be -T5.
On macOS the port list file is stored in: /usr/local/Cellar/nmap/7.30/share/nmap/nmap-services
Decoy IPs (hide the scanner's own IP among spoofed sources; the list is comma-separated with no spaces, otherwise the shell passes the extra addresses as separate targets): -D 192.168.1.2,172.16.2.4,192.168.2.3
Configuring the number of ports scanned:
-F Fast scan, only the 100 most common ports
No option given scans the 1000 most common ports
--top-ports Manually specify the number of ports
Scanning methods:
TCP SYN Scan (-sS) | Fastest scan. Only sends a SYN, but no ACK or RST if the host answers with SYN/ACK
TCP ACK Scan (-sA) | Maps out firewall rulesets and checks whether the firewall is stateful
UDP Scan (-sU)
TCP FIN, Xmas and Null scans exploit firewall behaviour, depending on the system used. Non-stateful firewalls and filtering routers try to prevent incoming TCP connections by blocking any TCP packet with the SYN bit set and ACK cleared, but allow everything else through:
Null Scan (-sN) | Does not set any bits (TCP flag header is 0)
FIN Scan (-sF) | Sets just the TCP FIN bit
Xmas Scan (-sX) | Sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree
Output format: several output formats can be combined at the same time; each has to be given a filename:
Normal: -oN
Grepable: -oG
XML: -oX
All at once: -oA
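The flag combinations listed above for the Null, FIN and Xmas scans are also what a defender looks for. The following is an added example, not part of the original notes: it classifies a TCP flags byte into the scan type that would send it and counts, per source address, how many distinct ports were probed with such packets. The record layout (src, dst, dst_port, flags) and the sample data are constructed for the example.

```python
# Added example (not from the original notes): detect Null/FIN/Xmas probes
# from a stream of packet records. Assumed record layout:
# (src_ip, dst_ip, dst_port, tcp_flags_byte).
from collections import defaultdict
from typing import Optional

# TCP flag bits as they appear in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> Optional[str]:
    """Map a TCP flags byte to the nmap scan type that would send it.
    Returns None for combinations that also occur in ordinary traffic."""
    if flags == 0:
        return "null"      # -sN: no flag bits set
    if flags == FIN:
        return "fin"       # -sF: only FIN
    if flags == FIN | PSH | URG:
        return "xmas"      # -sX: FIN, PSH and URG together
    if flags == SYN:
        return "syn"       # -sS / -PS: bare SYN, indistinguishable from a normal connect
    return None


def detect_scanners(records, min_ports=10):
    """Return {src_ip: {scan_type: distinct_port_count}} for sources that sent
    abnormal-flag probes to at least `min_ports` distinct destination ports.
    Bare SYNs are ignored: every legitimate handshake starts with one."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, _dst, dport, flags in records:
        kind = classify_flags(flags)
        if kind in ("null", "fin", "xmas"):
            seen[src][kind].add(dport)
    return {src: {k: len(p) for k, p in kinds.items() if len(p) >= min_ports}
            for src, kinds in seen.items()
            if any(len(p) >= min_ports for p in kinds.values())}


# Constructed sample: one host sweeping ports 1-64 with Xmas packets, one host
# making two ordinary SYN connects, and one stray FIN (not a sweep).
SAMPLE = ([("10.0.0.5", "10.0.0.1", port, FIN | PSH | URG) for port in range(1, 65)]
          + [("10.0.0.9", "10.0.0.1", 443, SYN), ("10.0.0.9", "10.0.0.1", 80, SYN)]
          + [("10.0.0.7", "10.0.0.1", 22, FIN)])

if __name__ == "__main__":
    print(detect_scanners(SAMPLE))   # {'10.0.0.5': {'xmas': 64}}
```

Feed it records parsed from a packet capture or firewall log; the threshold keeps a single odd packet from raising an alert while a port sweep stands out clearly.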
Bypassing ??
Example Scenarios:
A specific network with 4096 possible hosts needs to be quickly scanned for port 80 being open. Limit the round-trip time for faster scanning; ping the target and check its round-trip time beforehand:
-n = no reverse DNS lookup
%D = add the current date to the filename
-PN = skip the ping test, just scan every host
-T4 = pretty aggressive timeout
Full SYN scan against all TCP and UDP ports, with decoys and high aggression, no DNS resolution:
Network Enumeration from an infiltrated host
$ netstat -p TCP -nato
$ arp -a