Network Scanning

Page contains usage for nmap and masscan, glossary for types of scans, and refers to other scanning scripts/tools.

Nmap

Nmap scans often used

Fast noisy initial scans for labs

-T5: Insane timing ; -sC: enable the most common scripts; -sV: version detection ; -oN: output to file;

nmap -T5 -sC -sV -oN initial-nmap $IP -max-retries

Sample Nmap scans

Note worthy Nmap switches:

Scan network for live hosts

nmap -sP 10.0.0.0/24

Scan network for specific ports open/closed

-sT: TCP Connect (Full open scan)

sudo nmap -sT -p 80,443 10.0.0.0/24

Stealth scan network for specific ports open/closed

-sS: SYN Scan (Half-open scan)

sudo nmap -sS -p 80,443 10.0.0.0/24

Scan host with OS detection

sudo nmap -O $IP

Scan host with all detections

-A: Enables OS detection, version detection, script scanning, and traceroute

sudo nmap -A $IP

Stealth scan and add a decoy traffic

-D: Cloak a scan with decoys. Makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.

sudo nmap -sS -D 10.0.0.50 $IP

Scan to identify HTTP WAF

sudo nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" www.test.com

Nmap Scripting Engine

List of all NSE scripts: https://nmap.org/nsedoc/

Scan host with all vuln NSE scripts

sudo nmap --script vuln $IP

Nmap Scanning resources

Null byte using nmap to scan for DoS attacks: https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/

Masscan

Python

Scan network for IP and mac address

python3 network_scanner.py -t 10.0.2.1/24
Ref: https://levelup.gitconnected.com/writing-a-network-scanner-using-python-a41273baf1e2

import scapy.all as scapy
import argparse

def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', dest='target', help='Target IP Address/Adresses')
    options = parser.parse_args()

    #Check for errors i.e if the user does not specify the target IP Address
    #Quit the program if the argument is missing
    #While quitting also display an error message
    if not options.target:
        #Code to handle if interface is not specified
        parser.error("[-] Please specify an IP Address or Addresses, use --help for more info.")
    return options
  
def scan(ip):
    arp_req_frame = scapy.ARP(pdst = ip)

    broadcast_ether_frame = scapy.Ether(dst = "ff:ff:ff:ff:ff:ff")
    
    broadcast_ether_arp_req_frame = broadcast_ether_frame / arp_req_frame

    answered_list = scapy.srp(broadcast_ether_arp_req_frame, timeout = 1, verbose = False)[0]
    result = []
    for i in range(0,len(answered_list)):
        client_dict = {"ip" : answered_list[i][1].psrc, "mac" : answered_list[i][1].hwsrc}
        result.append(client_dict)

    return result
  
def display_result(result):
    print("-----------------------------------\nIP Address\tMAC Address\n-----------------------------------")
    for i in result:
        print("{}\t{}".format(i["ip"], i["mac"]))
  

options = get_args()
scanned_output = scan(options.target)
display_result(scanned_output)

Glossary

TCP Connect (Full open scan)

SYN Scan (Half open Scan)

Other scanning tools

Multi-threaded Python Port Scanner: https://github.com/dievus/threader3000

PreviousRecon NextReverse Shell Payloads

Last updated 5 years ago

hashtagNmap

hashtagNmap scans often used

hashtagFast noisy initial scans for labs

hashtagSample Nmap scans

hashtagScan network for live hosts

hashtagScan network for specific ports open/closed

hashtagStealth scan network for specific ports open/closed

hashtagScan host with OS detection

hashtagScan host with all detections

hashtagStealth scan and add a decoy traffic

hashtagScan to identify HTTP WAF

hashtagNmap Scripting Engine

hashtagScan host with all vuln NSE scripts

hashtagNmap Scanning resources

hashtagMasscan

hashtagPython

hashtagScan network for IP and mac address

hashtagGlossary

hashtagOther scanning tools