Chapter 3: Scanning
Stage 2 of a Hack: Scanning, Enumeration and Vulnerability Analysis
- Pings and ping sweeps
- Port scanning
- traceroute
Port scans
Network scans
Vulnerability scans
TCP and UDP scans
nmap
nmap –
https://nmap.org/,
http://scanme.nmap.org/
nmap vs. scapy –
https://blog.stalkr.net/2010/05/udp-scan-with-icmp-port-unreachable-and.html
Videos on Nmap
“Nmap Tutorial for Beginners – 1”
https://www.youtube.com/watch?v=5MTZdN9TEO4
Note the switches: -A, -v
–> Perform the lookup exercise starting at 6:30 in the video.
“Nmap Tutorial For Beginners – 2”
https://www.youtube.com/watch?v=VFJLMOk6daQ
“Nmap Tutorial For Beginners – 3”
https://www.youtube.com/watch?v=OUQkCAHdX_g
–> Practice with the following:
-F
-sV
–open
Grep-able output:
nmap -oG - 192.168.1.0-255 -vv > results.txt
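The grepable format written by that command is meant to be consumed by grep, awk and scripts rather than read. As an added example (not code from the original page), here is a small parser for it in Python: every non-comment line is a set of tab-separated "Name: value" fields keyed by Host, and each entry in the Ports field is port/state/protocol/owner/service/rpc-info/version. The sample output below is constructed for the example, not a real scan.

```python
"""Parse nmap grepable (-oG) output into per-host records."""
import re

# Constructed sample of `nmap -sV -oG - ...` output (not a real scan).
# Fields on each Host line are tab-separated; version strings may contain
# spaces and parentheses but nmap never emits a raw '/' inside them.
SAMPLE_OG = """# Nmap 7.80 scan initiated Mon Mar  2 10:00:00 2020 as: nmap -sV -oG - 192.168.1.0-255
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
# Nmap done at Mon Mar  2 10:03:12 2020 -- 256 IP addresses (2 hosts up) scanned in 192.04 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# Port entries are comma separated; split only where the next entry's port number follows.
PORT_SPLIT_RE = re.compile(r", (?=\d+/)")


def _parse_ports(value):
    """Turn 'port/state/proto/owner/service/rpc/version/' entries into dicts."""
    ports = []
    for entry in PORT_SPLIT_RE.split(value):
        parts = (entry.split("/") + [""] * 7)[:7]      # pad short entries
        port, state, proto, _owner, service, _rpc, version = parts
        ports.append({"port": int(port), "state": state, "proto": proto,
                      "service": service, "version": version})
    return ports


def parse_grepable(text):
    """Return {ip: {hostname, status, ports: [...], ignored}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        rec = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in line.split("\t")[1:]:
            name, _, value = field.partition(": ")
            if name == "Status":
                rec["status"] = value
            elif name == "Ports":
                rec["ports"].extend(_parse_ports(value))
            elif name == "Ignored State":
                rec["ignored"] = value        # e.g. "filtered (997)"
    return hosts


def open_ports(hosts):
    """Flatten to (ip, port, proto, service) for ports whose state is exactly
    'open'; 'open|filtered' is a different state and is deliberately excluded."""
    return [(ip, p["port"], p["proto"], p["service"])
            for ip, rec in hosts.items()
            for p in rec["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    for row in open_ports(parse_grepable(SAMPLE_OG)):
        print("%s:%d/%s %s" % row)
```

Feed it results.txt from the command above (after dropping the -vv progress chatter that goes to stderr, which is not in the file) and the open_ports() list is what the later enumeration steps start from.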
hping3
Offensive Security offers a page on hping3:
https://tools.kali.org/information-gathering/hping3
But there is a much more thorough tutorial at the excellent Null-Byte
https://null-byte.wonderhowto.com/how-to/hack-like-pro-conduct-active-reconnaissance-your-target-with-hping3-0148092/
A silent but thorough lesson:
https://www.youtube.com/watch?v=SlxWvSlWWis
hping3 in Kali:
https://www.youtube.com/watch?v=dIYfTh_5sTs
scapy
https://scapy.net/,
https://github.com/secdev/scapy,
https://en.wikipedia.org/wiki/Scapy,
https://www.youtube.com/watch?v=LvaII2PEwcQ
Angry IP
https://angryip.org/
https://www.youtube.com/watch?v=2v8ph7INceI
https://sourceforge.net/projects/ipscan/
Nessus
https://www.tenable.com/products/nessus
https://www.openvas.org/
https://www.kali.org/news/kali-linux-20171-release/
https://www.youtube.com/watch?v=FcW2s7VpBio (install)
https://www.youtube.com/watch?v=xgSJ4ZcbxMY (basic network scan)
Nexpose
https://www.rapid7.com/products/nexpose/
https://www.youtube.com/watch?v=iev3HwO3uDI (demo)
Banner grabbing
https://www.youtube.com/watch?v=F6XQLcbNqog
telnet <ip or domain> <port number>
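telnet (or netcat) works for banner grabbing because many services announce themselves as soon as you connect (SMTP, FTP, SSH), while others, HTTP above all, stay silent until you send them a request. As an added example, not code from the original page, the same two-step grab in Python: wait for a server-first banner, and if nothing arrives send a probe. The two "services" it talks to are constructed loopback stand-ins (an SMTP-style one that greets with 220, and an HTTP-style one that only answers a HEAD request); the loopback interface is assumed to be available.

```python
"""Banner grabbing over TCP, with constructed loopback services as targets."""
import socket
import threading

# Constructed banners for the fake services (assumption: not real hosts).
SMTP_BANNER = b"220 mail.example.test ESMTP Postfix\r\n"      # server talks first
HTTP_REPLY = (b"HTTP/1.0 200 OK\r\nServer: nginx/1.18.0\r\n"  # only answers a request
              b"Content-Length: 0\r\n\r\n")


def start_fake_service(banner=None):
    """Listen once on an ephemeral loopback port and return the port number.

    banner=None emulates an HTTP-style daemon that stays silent until it
    receives a request; otherwise the banner is sent as soon as we accept."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
            else:
                conn.recv(1024)          # read the client's probe, then answer like a web server
                conn.sendall(HTTP_REPLY)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, timeout=2.0, probe=b"HEAD / HTTP/1.0\r\n\r\n"):
    """Connect, wait up to `timeout` for a server-first banner; if the service
    is silent, send `probe` and read the reply. Returns the text received."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:                     # silent service: speak first ourselves
            s.sendall(probe)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    # latin-1 never fails to decode, so odd bytes in a banner are preserved
    return data.decode("latin-1").strip()


if __name__ == "__main__":
    print(grab_banner("127.0.0.1", start_fake_service(SMTP_BANNER), timeout=1.0))
    print(grab_banner("127.0.0.1", start_fake_service(None), timeout=1.0))
```

Against a real target the silent-service wait is the cost of the technique: you pay the full timeout on every HTTP port before the probe goes out, which is why tools like nmap -sV send protocol-specific probes instead of waiting.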
Exercises
- Perform nmap TCP, SYN, XMAS, FIN, NULL and ACK scans against the designated target, http://scanme.nmap.org
- Perform UDP scans against the target’s ports.
- Scan several hosts to perform OS fingerprinting on them.
- Perform banner grabbing on the target using first telnet, then netcat.
UDP Scanning
UDP scanning finds open UDP ports, not TCP ports: the scanner sends a UDP datagram to each port and reads the result from what comes back, if anything. The old Unicornscan project built an asynchronous, stateless scanner (separate send and receive processes) that can do unusually fast UDP scans, avoiding the probe-and-wait cycle of tools like nmap. There seems to be a “new” version of it in Kali 2020, but it still refers to the old 2007 project documentation. Regardless, it works.
https://nmap.org/book/scan-methods-udp-scan.html
NOTE how nmap -sU reads the responses: a closed UDP port answers with an ICMP port unreachable (type 3, code 3); other ICMP unreachable codes (1, 2, 9, 10 and 13) mean filtered; a UDP reply means open; and no answer at all is reported as open|filtered, because most UDP services say nothing in response to an empty probe. Most hosts rate-limit those ICMP errors (Linux to about one per second), which is why UDP scans of many closed ports are so slow.
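As an added example (not code from the page or from nmap), the state logic above reproduced with an ordinary connected UDP socket instead of raw packets: on Linux the kernel matches an incoming ICMP port unreachable to the connected socket and surfaces it as ECONNREFUSED on the next recv, other unreachable codes arrive as other OSErrors, and silence becomes a timeout. The open, silent and closed targets are constructed loopback stand-ins; the code assumes a Linux host with a working loopback interface.

```python
"""UDP port-state classification with a connected UDP socket (Linux loopback)."""
import socket
import threading

_KEEP_ALIVE = []   # constructed fake services must stay bound while probed


def start_udp_service(reply):
    """Bind an ephemeral loopback UDP port and return its number.

    reply=None leaves the port open but silent, which is how most real UDP
    services treat an unsolicited empty datagram; otherwise one reply is sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    _KEEP_ALIVE.append(sock)
    if reply is not None:
        def serve():
            _, peer = sock.recvfrom(1024)
            sock.sendto(reply, peer)
        threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]


def closed_udp_port():
    """Take an ephemeral port, release it, and hand it back so it is closed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def probe_udp(host, port, payload=b"", timeout=1.0):
    """Return (state, data) using nmap -sU's rules:
         UDP reply              -> open
         ICMP type 3 code 3     -> closed        (ECONNREFUSED on a connected socket)
         other ICMP unreachable -> filtered      (EHOSTUNREACH, ENETUNREACH, ...)
         no answer              -> open|filtered
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected: the kernel attributes ICMP errors to this socket
        s.send(payload)           # nmap's default probe is an empty datagram
        try:
            return "open", s.recv(1024)
        except ConnectionRefusedError:
            return "closed", b""
        except socket.timeout:
            return "open|filtered", b""
        except OSError:
            return "filtered", b""


if __name__ == "__main__":
    targets = [("open", start_udp_service(b"pong")),
               ("silent", start_udp_service(None)),
               ("closed", closed_udp_port())]
    for label, port in targets:
        print(label, port, probe_udp("127.0.0.1", port))
```

The timeout is the whole problem with UDP scanning in miniature: one probe per port, and every open-but-silent port costs the full wait, while the closed ones are throttled by the target's ICMP rate limit.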