2 Scanning

Tools to scan networks

nmap

An attacker always use a VPN, via the VPN a comromised machine, obfuscate the origin of your requests with -D.

Common nmap Commands

smbmap

nbtscan

hping3

Common Hping Commands

  • ICMP Ping: hping3 -1 10.0.0.25

  • ACK scan on port 80: hping3 -A 10.0.0.25 -p 80

  • UDP scan on port 80: hping3 -2 10.0.0.25 -p 80

  • Collecting Initial Sequence Number: hping3 192.168.1.103 -Q -p 139 -s

  • Firewalls and Time Stamps: hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

  • SYN scan on port 50-60: hping3 -8 50-60 -S 10.0.0.25 -V

  • FIN, PUSH and URG scan on port 80: hping3 -F -P -U 10.0.0.25 -p 80

  • Scan entire subnet for live host: hping3 -1 10.0.1.x --rand-dest -I eth0

  • Intercept all traffic containing HTTP signature: hping3 -9 HTTP -I eth0

  • SYN flooding a victim: hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

ICMP echo reply

ICMP Ping for IP 10.0.0.23 with hping3

$ hping3 -1 10.0.0.23

Type 0 : echo reply; Type 8: Echo; Type 11: Time exceeded for a datagram; Type 0: Destination unreachable:

  • 0 network unreachable

  • 1 host unreachable

  • 2 protocol unreachable

  • 3 port unreachable

  • 9 network comm admin prohibited

  • 10 host comm admin prohibited

  • 13 comm admin prohibited

Last updated