Date archives "January 2016"

infosec kali linux pentesting

Basic Scanning with Fping and Nmap

Comments Off on Basic Scanning with Fping and Nmap read

Here are some of the basic footprinting and scanning techniques I use.  These are specific to fping and Nmap.

Fping is a Linux tool that should be used instead of the standard ping utility. The steps below show how to use fping for a standard ping sweep. Fping is installed by default on Kali Linux and you can run it from the command line using the following syntax:

fping –a –g IPRANGE

The -a option forces the tool to show only alive hosts. The -g option tells the tool that we want to perform a ping sweep instead of a standard ping. You can define an IP range by using the CIDR notation or by specifying the start and the ending addresses of the sweep. Examples:
fping –a –g 10.54.12.0/24 # fping –a –g 10.54.12.0 10.54.12.255

to supress the “offline” hosts warning add /dev/null

fping -a -g 192.168.82.0 192.168.82.255 2>/dev/null

Nmap

Basic Ping Scan
You can perform a ping scan by using the -sn command line switch. You can specify your targets on the command line in CIDR format, as a range and by using wildcard notation.

nmap –sn 200.200.0.0/16 # nmap –sn 200.200.123.1-12 # nmap –sn 172.16.12.*

nmap –sn 200.200.12-13.*

Moreover you can save your host list in a file and use the input list -iL command line switch. Example: You can achieve the same results of the previous example by creating a file containing:
200.200.0.0/16 200.200.123.1-12 172.16.12.* 200.200.12-13.*

you would then save this file into a txt file named hostnames.txt and would then call that text file in an map scan in conjunction with -sn:
nmap –sn –iL hostnames.txt

OS Fingerprinting w/ Nmap

OS fingerprinting is the process of determining the operating system used by a host on a network.To perform OS fingerprinting with nmap you have to use the -O command line option and specify your target(s). You can also add the -Pn switch to skip the ping scan:

nmap –Pn –O <target(s)>

You can fine tune the OS fingerprinting process by using the following options:
1.OS DETECTION: -O (Enable OS detection)
2.—osscan-limit: Limit OS detection to promising targets
3.—osscan-guess: Guess OS more aggressively

If you really need to detect the OS of a machine you know is alive, but is not responding to ping probes, you could run:
nmap –Pn –O <target>
On the other hand if you have to scan thousands of hosts you could at first limit OS reconnaissance to just the promising ones.
nmap –O --osscan-limit <targets>

Port Scanning with Nmap

Port scanning is a process and technique used to enumerate open TCP and UDP ports on target hosts. Additionally, port scanning provides information on which daemon (software and its version), is listening on a specific port. Port scanning allows us to create a list of potential weaknesses and vulnerabilities that we can use later on in our pentest.

To pass a scan type or an option on the command line, you have to use a dash “-” followed by one or more letters to specify your options. For example:
nmap –sS –sV –O --osscan-limit 192.168.1.0/24

The most used scan types are:
1. -sT that performs a TCP connect scan
2. -sS which performs a SYN scan
3. -sV that performs a version detection scan

To perform a TCP connect scan, you can use the command line switch -sT. Keep in mind that this type of scan gets recorded in the application logs on the target systems, as every daemon will receive a connection from the scanning machine.
nmap –sT <target>

To perform a TCP SYN scan, you can use the command line switch -sS. This type of scan is also known as stealth scan because it does not create a (full) connection to the target daemons. A well configured IDS will still log the scan.
nmap –sS <target>

To perform a version detection scan, you can use the command line switch -sV. This type of scan mixes a TCP connect scan with some probes used to detect what application is listening on a specific port.
nmap –sV <target>

Specifying targets by their DNS names is just a matter of writing them on the command line.
nmap <scan type> target1.domain.com target2.otherdomain.com

In the same way you can write a list of IP addresses on the command line.
nmap <scan type> 192.168.1.45 200.200.14.56 10.10.1.1 10.10.1.3
Or use the CIDR notation, if you have to scan one or more networks.
nmap <scan type> 192.168.1.0/24 200.200.1.0/16 10.0.0.0/8

When you specify one or more targets, by default Nmap scans the most common ports used on the Internet. If you want to specify custom ports, you can use the -p option. You can specify your ports as a comma separated list, or as a port interval.
nmap –p 21,22,139,445,443,80 <target> # nmap –p 100-1000 <target>

Here are some distinct Nmap examples:
This performs a TCP connect scan –
nmap –sT 192.168.12.33,45
This performs a service detection scan
nmap –sV 10.11.12.0/24 10.200.0.1
This performs a SYN scan
nmap –sS 1.2.3.4 4.5.6-9.7
This performs a SYN scan on port 80 only
nmap –p 80 10.11.12.0/24
his performs a TCP connect scan on the first 100 ports and on port 443
nmap –sT –p 1-100,443 192.168.12.33,45