Scanning Networks
Welcome to the Scanning Networks module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam.
Host Discovery
Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal is to send a packet thru to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response.
Netdiscover
Netdiscover is a discovery tool and is built into Kali Linux 2018.2. Currently in the 03-pre-beta7 version and written by Jaime Penalba, Netdiscover can reform reconnaissance and discovery on both wireless and switched networks using ARP requests.
To launch Netdiscover, type netdiscover –h to view the usage options. Should you only type the netdiscover command by itself, Netdiscover will launch a default scan.)
eth0 may differ if you are on a VPN network. Mostly it would be tun0
This will help to get all available machines on the network.
Always make a habit of saving the IP of the machines since we use themin a lot.
Nmap
We can also use nmap to discover hosts in a given IP subnet.
Note: In the upcoming section, you will learn what the nmap is and its uses are. Please refer to the below section.
Nmap
Introduction to Nmap
Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what's connected, what services each host is operating, and so on. It was created by Gordon Lyon. It supports a large number of scanning techniques, such as UDP, TCP connect (), TCP SYN (half-open), and FTP. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.
Basic command
Cheatsheet for nmap
This cheat sheet was prepared by https://www.stationx.net/nmap-cheat-sheet/. You can also check out the cheatsheet. I've attached the file below👇🏻
Switches in nmap which you might need to know
Switch | Description |
---|---|
-sA | ACK scan |
-sF | FIN scan |
-sI | IDLE scan |
-sL | DNS scan (list scan) |
-sN | NULL scan |
-sO | Protocol scan (tests which IP protocols respond) |
-sP | Ping scan |
-sR | RPC scan |
-sS | SYN scan |
-sT | TCP connect scan |
-sW | Window scan |
-sX | XMAS scan |
-A | OS detection, version detection, script scanning and traceroute |
-PI | ICMP ping |
-Po | No ping |
-PS | SYN ping |
-PT | TCP ping |
-oA | output the results in 3 types of format(nmap, gnmap, xml) |
-oN | Normal output |
-oX | XML output |
-T0 through -T2 | Serial scans. T0 is slowest |
-T3 through -T5 | Parallel scans. T3 is slowest |
Port specific NSE scripts
Using NSE we can perform specific enumeration or exploitation on a host.
Bypassing Firewall
Switch | Example | Description |
---|---|---|
-f | nmap -f 10.10.10.10 | |
-g | nmap -g 80 10.10.10.10 | Port Manipulation |
-mtu | nmap -mtu 8 10.10.10.10 | Crunching down Packets to 8 Byte |
-D RND | nmap -D RND:10 10.10.10.10 | Perform Decoy Scan and Generates Random non-reserved IP |
—data 0xdeadbeef | nmap 10.10.10.10 --data 0xdeadbeef | |
Send the binary data 0's and 1's | ||
--data-string "Ph34r my l33t skills" | nmap 10.10.10.10 --data-string "Ph34r my l33t skills" | |
Send strings as payload | ||
--data-length 5 | ||
nmap --data-length 5 10.10.10.10 | ||
--randomize-hosts | nmap --randomize-hosts 10.10.10.10 | |
send request to a IP from Random non-reserved IP | ||
--badsum | nmap --badsum 10.10.10.10 | Sends Bad or Bongus TCP/USP Checksum |
Zenmap
Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.
I strongly recomend you to go with Zenmap for the exam point of view.
When you started your exam, the first objective you have to do is that start Zenmap (GUI Version of Nmap) scan on your windows machine.
The reason is that in Parrot OS you may find it hard to parse all the IPs because the green colour with the terminal might overwhelm you. Instead, the Zenmap GUI would be useful to find out the services, OS running on that IP with a cute User Interface.
Trust me!💪🏻 this would be the great life-changer of your exam.
I know as a penetration tester working on the terminal is cool 😎 but in the heat of the moment, the browser-based VM would make you tense.
Angry IP Scanner
Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has many other features.
It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies.
It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well.
MegaPing
MegaPing is the ultimate must-have toolkit that provides all essential utilities for Information System specialists, system administrators, IT solution providers or individuals.
Mega Ping is also a port and service scanning tool which is for Windows.
Hping3
hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies.
It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the Tcl language.
Hping3 is a python based tool used to scan and flood(DOS) the particular IP.
Later in the upcoming modules you may read have chance to use Hping3. But for time being as per my suggestion, use ZenMap GUI to scan the IP range to get the information or if you are comfortable with CLI go for nmap.
Operating System Discovery
The Operating System(OS) discovery has two types they are:
Active Banner Grabbing
Passive Banner Grabbing
By Banner Grabbing the TTL and TCP Window Size of respective IP, we can identify the Operating System that server runs on. Here are the list of Operating System.
Operating System (OS) | Time To Live | TCP Window Size |
---|---|---|
Linux (Kernel 2.4 and 2.6) | 64 | 5840 |
Google Linux | 64 | 5720 |
FreeBSD | 64 | 65535 |
OpenBSD | 64 | 16384 |
Windows 95 | 32 | 8192 |
Windows 2000 | 128 | 16384 |
Windows XP | 128 | 65535 |
Windows 98, Vista and 7 (Server 2008) | 128 | 8192 |
iOS 12.4 (Cisco Routers) | 255 | 4128 |
Solaris 7 | 255 | 8760 |
AIX 4.3 | 64 | 16384 |
Nmap Script
Metasploit
We can also scan our target using metasploit
Init the Metasploit Framework and check the status of database
Scanning using Nmap inside Metasploit
As per my whish i avoided the Nmap scan using Metasploit because it might looks process tedious as for me where using ZenMap GUI or even through Nmap CLI are even much easier you can get the available machine's IP from the IP subnet through hostdiscover command.
Last updated