[ Certified Ethical Hacker v10 ] :: [ Chapter 3 ] :: Scanning

This entry is part 4 of 29 in the series [ Certified Ethical Hacker Training ]

Chapter 3: Scanning

Stage 2 of a Hack: Scanning, Enumeration and Vulnerability Analysis

  • Pings and ping sweeps
  • Port scanning
  • traceroute

Port scans

Network scans

Vulnerability scans

TCP and UDP scans

nmap

nmap –
https://nmap.org/,
http://scanme.nmap.org/

nmap vs. scapy
https://blog.stalkr.net/2010/05/udp-scan-with-icmp-port-unreachable-and.html

Videos on Nmap

“Nmap Tutorial for Beginners – 1”
https://www.youtube.com/watch?v=5MTZdN9TEO4

Note the switches: -A, -v

–> Perform the lookup exercise starting at 6:30 in the video.

“Nmap Tutorial For Beginners – 2”
https://www.youtube.com/watch?v=VFJLMOk6daQ

“Nmap Tutorial For Beginners – 3”
https://www.youtube.com/watch?v=OUQkCAHdX_g

–> Practice with the following:

-F

-sV

–open

Grep-able output:

nmap -oG - 192.168.1.0-255 -vv > results.txt

hping3

Offensive Security offers a page on hping3:
https://tools.kali.org/information-gathering/hping3

But there isĀ  a much more thorough tutorial at the excellent Null-Byte
https://null-byte.wonderhowto.com/how-to/hack-like-pro-conduct-active-reconnaissance-your-target-with-hping3-0148092/

A silent but thorough lesson:
https://www.youtube.com/watch?v=SlxWvSlWWis

hping3 in Kali:
https://www.youtube.com/watch?v=dIYfTh_5sTs

scapy
https://scapy.net/,
https://github.com/secdev/scapy,
https://en.wikipedia.org/wiki/Scapy,
https://www.youtube.com/watch?v=LvaII2PEwcQ

Angry IP
https://angryip.org/
https://www.youtube.com/watch?v=2v8ph7INceI
https://sourceforge.net/projects/ipscan/

Nessus
https://www.tenable.com/products/nessus
https://www.openvas.org/
https://www.kali.org/news/kali-linux-20171-release/
https://www.youtube.com/watch?v=FcW2s7VpBio (install)
https://www.youtube.com/watch?v=xgSJ4ZcbxMY (basic network scan)

Nexpose
https://www.rapid7.com/products/nexpose/
https://www.youtube.com/watch?v=iev3HwO3uDI (demo)

Banner grabbing
https://www.youtube.com/watch?v=F6XQLcbNqog

telnet <ip or domain> <port number>

Exercises

  1. Perform nmap TCP, SYN, XMAS, FIN, NULL and ACK scans against the designated target, http://scanme.nmap.org
  2. Perform UDP scans against the target’s ports.
  3. Scan several hosts to perform OS fingerprinting on them.
  4. Perform banner grabbing on the target using first telnet, then netcat.

UDP Scanning

UDP scanning can be an interesting way to find open TCP ports. The old Unicornscan project created an app that could do unusually fast multi-threaded UDP scans, avoiding the probe-and-wait cycle of tools like nmap. There seems to be a “new” version of it in Kali 2020, but it still refers to the old 2007 project documentation. Regardless, it works.

Unicornscan – Network Scanning Tool to Find the Open Ports

https://nmap.org/book/scan-methods-udp-scan.html

https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_DefAppCfg_guide_ICMP_intro.html

NOTE that UDP scanning of open TCP ports returns a unique host unreachable error.

Series Navigation<< [ Certified Ethical Hacker v10 ] :: [ Chapters 1 & 2 ] :: Footprinting and Reconnaissance[ Certified Ethical Hacker v10 ] :: [ Chapter 3 cont’d ] :: Enumeration >>