Introduction to Network Scanning By: Ace Xor
Summary Scanning Methodologies Tools for Scanning Arpscan / netdiscover Nbtscan Netcat Etherape nmap Zmap Masking your scans Tor/Proxychains Firewall detection/evasion Advanced nmap scripts
Scanning Methodologies Understand the target network Local scans / Internet scans Protocol scanning / Application scanning Consider Scope Noisy / Quiet scanning Breaking up scans for efficiency Passive recon DNS / Whois / ASN info Passive listen with tcpdump or etherape Active recon Http / telnet | ssh / rdp / WiFi Arpscans / netbios scans
Tools: arpscan / netdiscover Scan Category: ARP arpscan usage- Arp-scan --interface=eth0 --localnet This will find mac to IP address of each host in the same subnet as the interface Netdiscover usage- https://acexor.com/tools/netdiscover-usage/ Netdiscover will show MAC address to IP and Hostname information
Tool: nbtscan Scan Category: NetBios Nbtscan usage- https://acexor.com/tools/nbtscan-usage/ Nbtscan will resolve IP to hostname You can limit bandwidth so you aren't as chatty on the network Also support CIDR and IP ranges or list scanning
Tool: Netcat Scan Category: TCP/UDP Netcat usage: https://acexor.com/tools/netcat/ Netcat is considered the TCP/IP swiss army knife for a reason It can connect to a port and read write in that protocol It can operate in scan mode to do a port scan sweep It can act as a backdoor and send a shell over a TCP connection It can act as a chat client even =) It can also send files over the network
Tool: Etherape Scan Category: Passive Listener Etherape usage- Etherape has an interactive GUI which is where the options for the tool are set; such as capture protocol and interface Etherape is best used from a good ‘vantage’ point as it passively listens to traffic going across the network (broadcast) If etherape is run on a network tap/ router machine it will see all traffic to the network.. Also see arp poison attacks for better results
Tool: Nmap Scan Category: Full Network Stack Nmap usage - https://acexor.com/tools/nmap-usage/ Nmap is a very powerful tool for scanning all the things Fits most scanning methodologies from quicker surface scans all the way to deep slow scans taking weeks Has Service and Operating system fingerprints for most machines and services that exist Also has a powerful scripting engine which can do vulnerability scanning and much more
Tool: Zmap Scan Category: Internet Wide Scan/ Fast Scanner Zmap usage- zmap -B 10M -p 80 -n 10000 -o results.csv Based on which type of scan being performed zmap can scan the internet in under a day It has options for blacklisting for the inevitable abuse complaints you will receive It has options for sending specific probes to detect certain vulnerabilities or versions of services check out the --list-probe-modules option or you can craft your own
Masking Scans Proxies SOCKS 4/5 and HTTP proxies TOR The onion router – routes through a decentralized distributed network of nodes and comes out of an exit node Proxychains Allows programs that are not proxy aware to use one or multiple proxies Always remember the saying: VPN before TOR feds at your door :-)
Firewall Detection / Evasion Nmap has options for dealing with firewalls and troubleshooting scans and connections Nmap will allow you to spoof IP’s left in logs Use different protocols when dealing with firewalls such as ICMP/UDP/TCP By sending the wrong state of a TCP packet you might see the firewall act differently Using the -Pn or -P0 option will disable the ICMP probe and assume the host is up
NSE – nmap scripting engine Nmap has an advanced feature which allows LUA scripts to be launched once a service/ port is scanned These scripts have the .nse file extension These scripts range from deeper web scans and vulnerability detections to using max-mind for geo-IP location information Scripts also have categories which can be run in bulk for an more comprehensive scan
The End