Network Scanning

Page contains usage for nmap and masscan, glossary for types of scans, and refers to other scanning scripts/tools.

Nmap

Nmap scans often used

Fast noisy initial scans for labs

-T5: Insane timing ; -sC: enable the most common scripts; -sV: version detection ; -oN: output to file;

nmap -T5 -sC -sV -oN initial-nmap $IP -max-retries

Sample Nmap scans

Note worthy Nmap switches:

Scan network for live hosts

nmap -sP 10.0.0.0/24

Scan network for specific ports open/closed

-sT: TCP Connect (Full open scan)

sudo nmap -sT -p 80,443 10.0.0.0/24

Stealth scan network for specific ports open/closed

-sS: SYN Scan (Half-open scan)

sudo nmap -sS -p 80,443 10.0.0.0/24

Scan host with OS detection

sudo nmap -O $IP

Scan host with all detections

-A: Enables OS detection, version detection, script scanning, and traceroute

sudo nmap -A $IP

Stealth scan and add a decoy traffic

-D: Cloak a scan with decoys. Makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.

sudo nmap -sS -D 10.0.0.50 $IP

Scan to identify HTTP WAF

sudo nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" www.test.com

Nmap Scripting Engine

List of all NSE scripts: https://nmap.org/nsedoc/

Scan host with all vuln NSE scripts

sudo nmap --script vuln $IP

Nmap Scanning resources

Null byte using nmap to scan for DoS attacks: https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/

Masscan

Python

Scan network for IP and mac address

python3 network_scanner.py -t 10.0.2.1/24
Ref: https://levelup.gitconnected.com/writing-a-network-scanner-using-python-a41273baf1e2

import scapy.all as scapy
import argparse

def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', dest='target', help='Target IP Address/Adresses')
    options = parser.parse_args()

    #Check for errors i.e if the user does not specify the target IP Address
    #Quit the program if the argument is missing
    #While quitting also display an error message
    if not options.target:
        #Code to handle if interface is not specified
        parser.error("[-] Please specify an IP Address or Addresses, use --help for more info.")
    return options
  
def scan(ip):
    arp_req_frame = scapy.ARP(pdst = ip)

    broadcast_ether_frame = scapy.Ether(dst = "ff:ff:ff:ff:ff:ff")
    
    broadcast_ether_arp_req_frame = broadcast_ether_frame / arp_req_frame

    answered_list = scapy.srp(broadcast_ether_arp_req_frame, timeout = 1, verbose = False)[0]
    result = []
    for i in range(0,len(answered_list)):
        client_dict = {"ip" : answered_list[i][1].psrc, "mac" : answered_list[i][1].hwsrc}
        result.append(client_dict)

    return result
  
def display_result(result):
    print("-----------------------------------\nIP Address\tMAC Address\n-----------------------------------")
    for i in result:
        print("{}\t{}".format(i["ip"], i["mac"]))
  

options = get_args()
scanned_output = scan(options.target)
display_result(scanned_output)

Glossary

TCP Connect (Full open scan)

SYN Scan (Half open Scan)

Other scanning tools

Multi-threaded Python Port Scanner: https://github.com/dievus/threader3000

PreviousRecon NextReverse Shell Payloads

Last updated 4 years ago