Book of Eopi
  • 😍About the Author
  • πŸ€–ChatGPT for Cybersecurity
  • πŸ“˜CERTIFICATIONS
    • Certified Ethical Hacker (C|EH)(Practical)
      • Reconnaissance (Footprinting)
      • Scanning Networks
      • Vulnerability Analysis
      • System Hacking
      • Sniffing
      • SQL Injection
      • Remote code execution
      • Hacking Web Applications & Servers
        • Local and remote file inclusion
        • File upload bypass
        • Cross-site scripting
        • Cross-site request forgery
        • Server-side request forgery
      • Exploitation
        • Working with exploits
        • Password cracking
        • Metasploit
        • Buffer overflow
      • Cloud Computing
      • Cryptography
      • Mobile Pentesting Resources
      • Learning resources
  • 🏁My Hacking Materials
    • My Most Frequently Used Hacking Commands
    • RickdiculouslyEasy: 1 VulnHub WriteUp
    • Corrosion: 2 VulnHub WriteUp
    • Hackable: 3 VulnHub WriteUp
    • Empire: LupinOne Vulnhub WriteUp
  • 🐧101 Labs for Linux
    • πŸ’»Hardware and System Configuration
      • LAB 1 - Boot Sequence
  • πŸ”§Mod Nintendo Switch Game
    • πŸ”ΉPokΓ©mon Brilliant Diamond and Shining Pearl
      • πŸŸ₯Install mods on Nintendo Switch
      • 🟦Install mods on Yuzu/Ryujinx Emulator
      • πŸ” Custom font for PokΓ©mon BDSP
  • πŸ“–SHARE TΓ€I LIỆU NVSP
    • 1️⃣HỌC PHαΊ¦N 1
    • 2️⃣HỌC PHαΊ¦N 2
    • 3️⃣HỌC PHαΊ¦N 3
    • 4️⃣HỌC PHαΊ¦N 4
    • 5️⃣HỌC PHαΊ¦N 5 (chΖ°a hoΓ n thiện)
    • 6️⃣HỌC PHαΊ¦N 6
  • βš”οΈTα»•ng Hợp VΓ΅ LΓ’m 2
    • πŸ’°Server JX2 2014 - BαΊ£n Kinh Doanh
    • πŸ‘‘Server JX2 2014 - PhiΓͺn bαΊ£n Offline
    • πŸ‘‘Server JX2 2017 - PhiΓͺn BαΊ£n Offline
    • πŸ‘‘Server JX2 2021 - PhiΓͺn BαΊ£n Offline
Powered by GitBook
On this page
  • Host Discovery
  • Netdiscover
  • Nmap
  • Nmap
  • Introduction to Nmap
  • Basic command
  • Cheatsheet for nmap
  • Port specific NSE scripts
  • Bypassing Firewall
  • Zenmap
  • Angry IP Scanner
  • MegaPing
  • Hping3
  • Operating System Discovery
  • Nmap Script
  • Metasploit
  1. CERTIFICATIONS
  2. Certified Ethical Hacker (C|EH)(Practical)

Scanning Networks

Welcome to the Scanning Networks module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam.

Host Discovery

Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal is to send a packet thru to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response.

Netdiscover

Netdiscover is a discovery tool and is built into Kali Linux 2018.2. Currently in the 03-pre-beta7 version and written by Jaime Penalba, Netdiscover can reform reconnaissance and discovery on both wireless and switched networks using ARP requests.

To launch Netdiscover, type netdiscover –h to view the usage options. Should you only type the netdiscover command by itself, Netdiscover will launch a default scan.)

netdiscover -i (network interface name) (example: eth0 or tun0)
netdiscover -i eth0
netdiscover -r 10.10.10.0/24

eth0 may differ if you are on a VPN network. Mostly it would be tun0

  • This will help to get all available machines on the network.

  • Always make a habit of saving the IP of the machines since we use themin a lot.

Nmap

We can also use nmap to discover hosts in a given IP subnet.

Note: In the upcoming section, you will learn what the nmap is and its uses are. Please refer to the below section.

nmap -sn 10.10.1.1-254 -vv -oA nmapHostsOutput
    β€’ -sn -> Disable Port scanning
    β€’ -vv -> verbose mode
    β€’ -0A -> output the results in 3 types of format(nmap, gnmap, xml)

Nmap

Introduction to Nmap

Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what's connected, what services each host is operating, and so on. It was created by Gordon Lyon. It supports a large number of scanning techniques, such as UDP, TCP connect (), TCP SYN (half-open), and FTP. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

Basic command

nmap -p- -sC -sV -O -A -T4 -oA nmapOutputfile 10.10.X.X

    β€’ -p- -> Scans all the ports from 0 to 65535 available on the IP
    β€’ -sC -> Runs default scripts
    β€’ -sV -> version enumeration or service version
    β€’ -O  -> OS enumeration
    β€’ -A  -> Enumerate all the stuff as much as it can
    β€’ -T4 -> fast as time 4 (default is 3)
    β€’ -oA -> store the output on 3 types of format(nmap, gnmap, xml)

Cheatsheet for nmap

Switches in nmap which you might need to know

Switch
Description

-sA

ACK scan

-sF

FIN scan

-sI

IDLE scan

-sL

DNS scan (list scan)

-sN

NULL scan

-sO

Protocol scan (tests which IP protocols respond)

-sP

Ping scan

-sR

RPC scan

-sS

SYN scan

-sT

TCP connect scan

-sW

Window scan

-sX

XMAS scan

-A

OS detection, version detection, script scanning and traceroute

-PI

ICMP ping

-Po

No ping

-PS

SYN ping

-PT

TCP ping

-oA

output the results in 3 types of format(nmap, gnmap, xml)

-oN

Normal output

-oX

XML output

-T0 through -T2

Serial scans. T0 is slowest

-T3 through -T5

Parallel scans. T3 is slowest

Port specific NSE scripts

Using NSE we can perform specific enumeration or exploitation on a host.

ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*

Bypassing Firewall

Switch
Example
Description

-f

nmap -f 10.10.10.10

-g

nmap -g 80 10.10.10.10

Port Manipulation

-mtu

nmap -mtu 8 10.10.10.10

Crunching down Packets to 8 Byte

-D RND

nmap -D RND:10 10.10.10.10

Perform Decoy Scan and Generates Random non-reserved IP

β€”data 0xdeadbeef

nmap 10.10.10.10 --data 0xdeadbeef

Send the binary data 0's and 1's

--data-string "Ph34r my l33t skills"

nmap 10.10.10.10 --data-string "Ph34r my l33t skills"

Send strings as payload

--data-length 5

nmap --data-length 5 10.10.10.10

--randomize-hosts

nmap --randomize-hosts 10.10.10.10

send request to a IP from Random non-reserved IP

--badsum

nmap --badsum 10.10.10.10

Sends Bad or Bongus TCP/USP Checksum

Zenmap

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

  • When you started your exam, the first objective you have to do is that start Zenmap (GUI Version of Nmap) scan on your windows machine.

  • Trust me!πŸ’ͺ🏻 this would be the great life-changer of your exam.

  • I know as a penetration tester working on the terminal is cool 😎 but in the heat of the moment, the browser-based VM would make you tense.

Angry IP Scanner

  • It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies.

  • It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well.

MegaPing

  • MegaPing is the ultimate must-have toolkit that provides all essential utilities for Information System specialists, system administrators, IT solution providers or individuals.

  • Mega Ping is also a port and service scanning tool which is for Windows.

Hping3

  • hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies.

  • It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the Tcl language.

  • Hping3 is a python based tool used to scan and flood(DOS) the particular IP.

hping3 10.10.10.x --udp --random-source --data 500
hping3 -S 10.10.10.x -p 80 -c 5 (5 TCP packets sent)
hping3 10.10.10.x --flood (PING OF DEATH! Flooding the IP with TCP Packets)

Operating System Discovery

  • The Operating System(OS) discovery has two types they are:

    • Active Banner Grabbing

    • Passive Banner Grabbing

  • By Banner Grabbing the TTL and TCP Window Size of respective IP, we can identify the Operating System that server runs on. Here are the list of Operating System.

Operating System (OS)
Time To Live
TCP Window Size

Linux (Kernel 2.4 and 2.6)

64

5840

Google Linux

64

5720

FreeBSD

64

65535

OpenBSD

64

16384

Windows 95

32

8192

Windows 2000

128

16384

Windows XP

128

65535

Windows 98, Vista and 7 (Server 2008)

128

8192

iOS 12.4 (Cisco Routers)

255

4128

Solaris 7

255

8760

AIX 4.3

64

16384

Nmap Script

nmap --script smb-os-discovery.nse 10.10.10.x

Metasploit

We can also scan our target using metasploit

Init the Metasploit Framework and check the status of database

msfdb init
service postgresql start
msfconsole
db status

Scanning using Nmap inside Metasploit

nmap -Pn -sS -A -oX Test 10.10.10/24
db import Test
hosts (Here you will now listed with the Details of the subnets)
services or db_services
PreviousReconnaissance (Footprinting)NextVulnerability Analysis

Last updated 2 years ago

This cheat sheet was prepared by . You can also check out the cheatsheet. I've attached the file belowπŸ‘‡πŸ»

I strongly recomend you to go with for the exam point of view.

The reason is that in Parrot OS you may find it hard to parse all the IPs because the green colour with the terminal might overwhelm you. Instead, the would be useful to find out the services, OS running on that IP with a cute User Interface.

Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has .

Later in the upcoming modules you may read have chance to use . But for time being as per my suggestion, use to scan the IP range to get the information or if you are comfortable with CLI go for

TTL of this IP is 128 so it might be Windows 98, Vista and 7 (Server 2008)

As per my whish i avoided the Nmap scan using Metasploit because it might looks process tedious as for me where using or even through are even much easier you can get the available machine's IP from the IP subnet through command.

πŸ“˜
https://www.stationx.net/nmap-cheat-sheet/
many other features
Zenmap
Zenmap GUI
Hping3
ZenMap GUI
nmap.
ZenMap GUI
Nmap CLI
hostdiscover
https://www.softpedia.com/get/Network-Tools/Network-Monitoring/MegaPing.shtml
Zenmap - Official cross-platform Nmap Security Scanner GUI
Official Zenmap link
Angry IP Scanner - the original IP scanner for Windows, Mac and Linux
Logo
Logo
6MB
Nmap_cookbook-the-fat-free-guide-to-network-scanning.pdf
pdf
The fat-free guide to network scanning
563KB
nmap_cheet_sheet_v7.pdf
pdf
https://www.stationx.net/nmap-cheat-sheet/