2. Port and Service Discovery
The next step after discovering active hosts in the target network is to scan for open ports and services running on the target IP addresses.
1. Megaping (on windows)
2. NetscanToolsPro(on windows)
3. sx (Linux)
Scan the subnet with an ARP scan:
sx arp 192.168.0.1/24
Let's assume that the actual ARP cache is in the arp.cache file. We can create it manually or use ARP scan as shown below:
sx arp 192.168.0.1/24 --json | tee arp.cache
Once we have the ARP cache file, we can run scans of higher-level protocols like TCP SYN scan:
cat arp.cache | sx tcp -p 1-65535 192.168.0.171
We can run UDP scans as well:
cat arp.cache | sx udp --json -p 53 192.168.0.171
If there is no response, the port is reported as open; if an error response (ICMP port unreachable) comes back, the port is closed.
4. Explore Various Network Scanning Techniques using Nmap
nmap -sT -v 192.168.18.110
Use Zenmap and get used to it.
Nmap scripts
ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*
More scans
IDLE/IPID Header Scan: A TCP port scan method that can be used to send a spoofed source address to a computer to discover what services are available.
# nmap -sI [zombie host] -v [target IP address]
SCTP INIT Scan: An INIT chunk is sent to the target host; an INIT+ACK chunk response implies that the port is open, and an ABORT chunk response means that the port is closed.
# nmap -sY -v [target IP address]
SCTP COOKIE ECHO Scan: A COOKIE ECHO chunk is sent to the target host; no response implies that the port is open, and an ABORT chunk response means that the port is closed.
# nmap -sZ -v [target IP address]
5. HPING
ACK scan: no response means the port is filtered; an RST means it is closed.
hping3 -A -p 80 -c 5 192.168.18.110
SYN scan on a single port:
hping3 -S 192.168.149.1 -p 80
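Seen from the firewall side, every scan above (sx tcp, nmap -sT/-sS, hping3 -S) produces the same footprint: one bare SYN per destination port from a single source in a short time. The following added example (not part of these notes, not sx/nmap/hping3 code) detects that pattern in netfilter LOG-target lines; the log lines, the 60-second window and the 10-port threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (assumed netfilter LOG-target format for inbound TCP).
# 192.168.18.5 sweeps 12 ports in 3 seconds; 192.168.18.7 is ordinary traffic.
SCANNER_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = "\n".join(
    f"Jan 10 12:00:{i // 4:02d} fw kernel: IN=eth0 SRC=192.168.18.5 DST=192.168.18.110 "
    f"PROTO=TCP SPT={40000 + i} DPT={p} WINDOW=1024 RES=0x00 SYN URGP=0"
    for i, p in enumerate(SCANNER_PORTS)
) + "\n" + "\n".join([
    "Jan 10 12:00:05 fw kernel: IN=eth0 SRC=192.168.18.7 DST=192.168.18.110 PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jan 10 12:00:07 fw kernel: IN=eth0 SRC=192.168.18.7 DST=192.168.18.110 PROTO=TCP SPT=51001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jan 10 12:00:09 fw kernel: IN=eth0 SRC=192.168.18.7 DST=192.168.18.110 PROTO=TCP SPT=51002 DPT=443 WINDOW=64240 RES=0x00 ACK URGP=0",
])

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def parse_syn_probes(log_text):
    """Return (timestamp, src, dport) for lines carrying a bare SYN (SYN set, ACK clear)."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not re.search(r"\bSYN\b", line) or re.search(r"\bACK\b", line):
            continue  # not a TCP line, or a SYN/ACK / established-connection packet
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year; only deltas matter
        probes.append((ts, m["src"], int(m["dpt"])))
    return probes

def max_ports_per_window(probes, window_seconds=60):
    """Per source: the largest number of distinct destination ports SYN'd within any window."""
    by_src = defaultdict(list)
    for ts, src, dpt in probes:
        by_src[src].append((ts, dpt))
    result = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):  # window opens at each probe in turn
            ports = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_seconds}
            best = max(best, len(ports))
        result[src] = best
    return result

def flag_syn_scanners(log_text, window_seconds=60, port_threshold=10):
    """Sources that touched at least port_threshold distinct ports inside one window."""
    counts = max_ports_per_window(parse_syn_probes(log_text), window_seconds)
    return sorted(src for src, n in counts.items() if n >= port_threshold)

if __name__ == "__main__":
    print(max_ports_per_window(parse_syn_probes(SAMPLE_LOG)))
    print(flag_syn_scanners(SAMPLE_LOG))
```

Feed it real lines from a rule such as a LOG target on inbound SYNs; a slow scan spreads its probes across windows, so tune the window and threshold to the traffic you actually see.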