Scanning Networks

Host Discovery

Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal is to send a packet thru to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response.

Netdiscover

Netdiscover is a discovery tool and is built into Kali Linux 2018.2. Currently in the 03-pre-beta7 version and written by Jaime Penalba, Netdiscover can reform reconnaissance and discovery on both wireless and switched networks using ARP requests.

To launch Netdiscover, type netdiscover –h to view the usage options. Should you only type the netdiscover command by itself, Netdiscover will launch a default scan.)

netdiscover -i (network interface name) (example: eth0 or tun0)
netdiscover -i eth0
netdiscover -r 10.10.10.0/24

• This will help to get all available machines on the network.

• Always make a habit of saving the IP of the machines since we use themin a lot.

Nmap

We can also use nmap to discover hosts in a given IP subnet.

Note: In the upcoming section, you will learn what the nmap is and its uses are. Please refer to the below section.

nmap -sn 10.10.1.1-254 -vv -oA nmapHostsOutput
    • -sn -> Disable Port scanning
    • -vv -> verbose mode
    • -0A -> output the results in 3 types of format(nmap, gnmap, xml)

Nmap

Introduction to Nmap

Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what's connected, what services each host is operating, and so on. It was created by Gordon Lyon. It supports a large number of scanning techniques, such as UDP, TCP connect (), TCP SYN (half-open), and FTP. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

Basic command

nmap -p- -sC -sV -O -A -T4 -oA nmapOutputfile 10.10.X.X

    • -p- -> Scans all the ports from 0 to 65535 available on the IP
    • -sC -> Runs default scripts
    • -sV -> version enumeration or service version
    • -O  -> OS enumeration
    • -A  -> Enumerate all the stuff as much as it can
    • -T4 -> fast as time 4 (default is 3)
    • -oA -> store the output on 3 types of format(nmap, gnmap, xml)

Cheatsheet for nmap

Switches in nmap which you might need to know

Port specific NSE scripts

Using NSE we can perform specific enumeration or exploitation on a host.

ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*

Bypassing Firewall

Zenmap

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

Angry IP Scanner

• It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies.

• It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well.

MegaPing

• MegaPing is the ultimate must-have toolkit that provides all essential utilities for Information System specialists, system administrators, IT solution providers or individuals.

• Mega Ping is also a port and service scanning tool which is for Windows.

Hping3

• hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies.

• It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the Tcl language.

• Hping3 is a python based tool used to scan and flood(DOS) the particular IP.

hping3 10.10.10.x --udp --random-source --data 500
hping3 -S 10.10.10.x -p 80 -c 5 (5 TCP packets sent)
hping3 10.10.10.x --flood (PING OF DEATH! Flooding the IP with TCP Packets)

Operating System Discovery

• The Operating System(OS) discovery has two types they are:

  • Active Banner Grabbing

  • Passive Banner Grabbing

• By Banner Grabbing the TTL and TCP Window Size of respective IP, we can identify the Operating System that server runs on. Here are the list of Operating System.

Nmap Script

nmap --script smb-os-discovery.nse 10.10.10.x

Metasploit

We can also scan our target using metasploit

Init the Metasploit Framework and check the status of database

msfdb init
service postgresql start
msfconsole
db status

Scanning using Nmap inside Metasploit

nmap -Pn -sS -A -oX Test 10.10.10/24
db import Test
hosts (Here you will now listed with the Details of the subnets)
services or db_services