PHASE II: Scanning


Host scanning

Fast, light scan

nmap --top-ports 10 --open $IP

Heavy scan (slow)

nmap $IP -p- -sV --reason --dns-servers <ns>

Unicornscan: very fast, especially for UDP

us -mT -Iv $IP:a -r 3000 -R 3 && us -mU -Iv $IP:a -r 3000 -R 3

Other methods:

nmap -sS -T4 -iL hosts_up.txt
nmap -sS -sV -T4 target
hping3 --scan known $IP/24
nc -nvz $IP 1-1024

nmap tuning options

--max-retries
--max-scan-delay
--defeat-rst-ratelimit

Banner grabbing

nc -nv $IP 22
nmap -sV $IP

Vulnerability scanners

  • openvas
  • nessus
  • nexpose
  • qualys

Import to msfconsole

db_import ./nmap_target_network.xml
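Before importing a scan into a workspace it helps to be able to read the nmap XML yourself (the `-oX` output that `db_import` expects). The following parser is an added example, not part of the original page or of nmap; the embedded XML is a constructed, trimmed-down document in nmap's output format, and the `parse_nmap_xml` and `summarize` names are this example's own.

```python
"""Summarise open ports and detected services from nmap XML (-oX) output.

Added example, not from the original page. The XML below is a constructed
sample in nmap's schema, kept to the elements this parser reads.
"""
import xml.etree.ElementTree as ET

# NOTE: ElementTree is fine for files you produced yourself. Scan output
# handed to you by someone else is untrusted input; parse it with the
# defusedxml package instead to rule out entity-expansion attacks.

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 198.51.100.0/29">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="198.51.100.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="198.51.100.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {address: [ {port, proto, reason, service}, ... ]} for every host
    that is up, listing only ports in state 'open' (ordered as in the file)."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap reported as down
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")  # fall back to IPv6/MAC if no IPv4
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            # Join name/product/version into one label, dropping absent fields.
            label = " ".join(
                v for v in (
                    svc.get("name"), svc.get("product"), svc.get("version")
                ) if v
            ) if svc is not None else ""
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "reason": state.get("reason"),
                "service": label,
            })
        result[addr] = open_ports
    return result


def summarize(parsed):
    """One line per open port, in the shape an analyst would paste into notes."""
    lines = []
    for addr, ports in parsed.items():
        for p in ports:
            lines.append(f"{addr}\t{p['port']}/{p['proto']}\t{p['service']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_nmap_xml(SAMPLE_XML))))
```

Hosts that are down and ports that are `filtered` or `closed` are dropped deliberately; if you want the `--reason` detail for non-open ports as well, keep the `state` element's attributes instead of filtering on `open`.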

Traceroute

traceroute $IP
hping3 --traceroute $IP

Firewalking

tracepath -n -p 53 $IP
traceroute -n -M default -p 53 $IP

Draw network diagram

zenmap

https://app.diagrams.net/

Advanced scanning

Firewall bypass

nmap -f --mtu=512 $IP

IPv6 scanning

nmap -6 $IP

Idle scanning: Scans through a zombie host

nmap -sI <zombie_host> $IP

Decoy scanning: Sends several decoy IPs

nmap -D <decoy1,decoy2,ME> $IP

FTP bounce scan:

nmap -b <ftp_relay_host> $IP

Massive scanning of a class A network or the whole IPv4 space:

masscan -p80,8000-8100 10.0.0.0/8

Banner grabbing with masscan (https://github.com/robertdavidgraham/masscan). Because the scanning host's own kernel would reset the connections masscan opens, `--source-ip` must be an unused address on the local network that masscan can claim for itself:

masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200