Port scanning

Nmap is a network port scanner, it's my favorite tools when it comes to port scanning.

Nmap can also be used to detect and exploit vulnerabilities thanks to the huge number of build-in scripts. In this section we will focus on the post popular switches for port scanning.

Scan all TCP ports of specific host with the nmap default scripts. the -p- lets you scan All 65,535 TCP ports while -p scans lets you scan a specific port. If you don't specify -p-, nmap will only scan the most common ports but will not scan all TPC ports. The -d switch shows the debug information's.

nmap –sC 192.168.1.120 -d -p-

Scan a specific UDP port.

nmap -p U:53 192.168.1.120

Scan all TCP and UDP ports.

nmap -p- -sA -sU -sV 192.168.1.120

Perform an Agressive scan on all ports, this options makes a lot of noises on the network and is not my favorite one. The -A switch enables additional advanced and aggressive options. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). The -oA scan --webxml allows you to export the scan results to all formats including the webxml.

nmap -p- -A 192.168.1.120 -oA <outputFileName> --webxml

Nmap does not offer the possibility to output the results directly to an HTML page, but it's possible to use XSLT to convert an Nmap XML file to an HTML file.

xsltproc -o <OutputFileName.html> /usr/share/nmap/nmap.xsl <nmapScan.xml>

Scan ports locally using Living Of The lands tools (Powershell) in Windows

# Check if TCP ports 1 to 1024 are open on srvfs01
foreach ($port in 1..1024) {
    If (($a=Test-NetConnection srvfs01 -Port $port -WarningAction SilentlyContinue).tcpTestSucceeded -eq $true) {
        "TCP port $port is open!"
    }
}

# Get local TCP connections on port 5000 along with the process name
Get-NetTCPConnection | where Localport -eq 5000 | Select-Object Localport,@{'Name' = 'ProcessName';'Expression'={(Get-Process -Id $_.OwningProcess).Name}}

ICMP and Network Scanning

# Send an ICMP request with type 8
l send {ip(daddr=192.168.0.7)+icmp(type=8,code=0)}

# Start capturing all traffic from the eth0 NIC using tcpdump
sudo tcpdump -i eth0

# Send ICMP packets with TTL values incremented from 5 to 10 using hping
foreach i [list 5 6 7 8 9 10] {
    hping send "ip(daddr=192.168.0.7,ttl=$i)+icmp(type=8,code=0)"
}

# Capture and display ICMP packets with verbose output using tcpdump
tcpdump -i eth0 -x -vv | grep ICMP

# Send content of attack.sig file from port 500 to 139 using hping3
sudo hping3 -2 -p 500 192.168.0.7 -d 139 -E attack.sig

# Display tcpdump output of the previous hping3 command with -nX option
sudo tcpdump --i eth0 --nX

# Scan the target for open services and ports using hping3
sudo hping3 --scan known 192.168.0.7 -S

# Scan a range of ports (0-3000) on the target IP address
sudo hping3 --scan '0-3000' 192.168.0.7 -S

ICMP File Transfer

# Listen for incoming ICMP packets on localhost
sudo hping3 127.0.0.1 --listen signature --safe --icmp

# Send the contents of /etc/passwd to localhost using ICMP
sudo hping3 127.0.0.1 --icmp -d 100 --sign signature --file /etc/passwd

OS/Banner Version Fingerprinting

# Use P0f to passively detect the OS of the target
P0f -i any -p -o /tmp/sniff.log

# Nmap command to perform active OS fingerprinting on a target
nmap -sV --script=banner 192.28.52. 

# Dmitry command to show banner grab of a server and scan for open ports
dmitry -pb 192.168.0.22

Python Script for Banner Grabbing

#/usr/bin/python
import socket
import sys
import os

def grab_banner(ip_address, port):
    try:
        s = socket.socket()
        s.connect((ip_address, port))
        banner = s.recv(1024)
        print(ip_address + ':' + banner.decode('utf-8'))
    except:
        return

def checkVulns(banner):
    if len(sys.argv) >= 2:
        filename = sys.argv[1]
        for line in filename.readlines():
            line = line.strip('\n')
            if banner in line:
                print("%s is vulnerable" % banner)
            else:
                print("%s is not vulnerable" % banner)

def main():
    portList = [21, 22, 25, 80, 110]
    for x in range(0, 255):
        for port in portList:
            ip_address = '192.168.0.' + str(x)  # change the IP address to the one you want here
            grab_banner(ip_address, port)

if __name__ == '__main__':
    main()

PreviousHost discovery NextNetwork Services

Last updated 3 months ago

# Check if TCP ports 1 to 1024 are open on srvfs01 foreach ($port in 1..1024) { If (($a=Test-NetConnection srvfs01 -Port $port -WarningAction SilentlyContinue).tcpTestSucceeded -eq $true) { "TCP port $port is open!" } } # Get local TCP connections on port 5000 along with the process name Get-NetTCPConnection | where Localport -eq 5000 | Select-Object Localport,@{'Name' = 'ProcessName';'Expression'={(Get-Process -Id $_.OwningProcess).Name}}

# Send an ICMP request with type 8 l send {ip(daddr=192.168.0.7)+icmp(type=8,code=0)} # Start capturing all traffic from the eth0 NIC using tcpdump sudo tcpdump -i eth0 # Send ICMP packets with TTL values incremented from 5 to 10 using hping foreach i [list 5 6 7 8 9 10] { hping send "ip(daddr=192.168.0.7,ttl=$i)+icmp(type=8,code=0)" } # Capture and display ICMP packets with verbose output using tcpdump tcpdump -i eth0 -x -vv | grep ICMP # Send content of attack.sig file from port 500 to 139 using hping3 sudo hping3 -2 -p 500 192.168.0.7 -d 139 -E attack.sig # Display tcpdump output of the previous hping3 command with -nX option sudo tcpdump --i eth0 --nX # Scan the target for open services and ports using hping3 sudo hping3 --scan known 192.168.0.7 -S # Scan a range of ports (0-3000) on the target IP address sudo hping3 --scan '0-3000' 192.168.0.7 -S

# Listen for incoming ICMP packets on localhost sudo hping3 127.0.0.1 --listen signature --safe --icmp # Send the contents of /etc/passwd to localhost using ICMP sudo hping3 127.0.0.1 --icmp -d 100 --sign signature --file /etc/passwd

# Use P0f to passively detect the OS of the target P0f -i any -p -o /tmp/sniff.log # Nmap command to perform active OS fingerprinting on a target nmap -sV --script=banner 192.28.52. # Dmitry command to show banner grab of a server and scan for open ports dmitry -pb 192.168.0.22

#/usr/bin/python import socket import sys import os def grab_banner(ip_address, port): try: s = socket.socket() s.connect((ip_address, port)) banner = s.recv(1024) print(ip_address + ':' + banner.decode('utf-8')) except: return def checkVulns(banner): if len(sys.argv) >= 2: filename = sys.argv[1] for line in filename.readlines(): line = line.strip('\n') if banner in line: print("%s is vulnerable" % banner) else: print("%s is not vulnerable" % banner) def main(): portList = [21, 22, 25, 80, 110] for x in range(0, 255): for port in portList: ip_address = '192.168.0.' + str(x) # change the IP address to the one you want here grab_banner(ip_address, port) if __name__ == '__main__': main()