2. Port and Service Discovery

The next step after discovering active hosts in the target network is to scan for open ports and services running on the target IP addresses

1. Megaping (on windows)

scan the subnet

sx arp 192.168.0.1/24

Let's assume that the actual ARP cache is in the arp.cache file. We can create it manually or use ARP scan as shown below:

sx arp 192.168.0.1/24 --json | tee arp.cache

Once we have the ARP cache file, we can run scans of higher-level protocols like TCP SYN scan:

cat arp.cache | sx tcp -p 1-65535 192.168.0.171

we can run udp scans as well.

cat arp.cache | sx udp --json -p 53 192.168.0.171

if no response then port is opened, otherwise in case of error code port is closed

nmap -sT -v 192.168.18.110

-v Verbose scan lists all hosts and ports in the result

-sS stealth scan

-sU UDP scan

-sX xmass scan

-sM Maimon scan (FIN/ACK)

-sA Ack scan (no response it is filtered and RST means not filtered.

-sN Null scan

-T4 Aggressive

-A all advanced and aggressive scan

-sV Detects person

-sC script scanning

Use Zenmap and get used to it.

Nmap scripts

ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*

More scancs

IDLE/IPID Header Scan: A TCP port scan method that can be used to send a spoofed source address to a computer to discover what services are available.
# nmap -sI -v [target IP address]
SCTP INIT Scan: An INIT chunk is sent to the target host; an INIT+ACK chunk response implies that the port is open, and an ABORT Chunk response means that the port is closed.
# nmap -sY -v [target IP address]
SCTP COOKIE ECHO Scan: A COOKIE ECHO chunk is sent to the target host; no response implies that the port is open and ABORT Chunk response means that the port is closed.
# nmap -sZ -v [target IP address]

Ack scan no response means port is filtered. RST means closed

hping3 -A -P 80 -C 5 192.168.18.110

Syn scan on a port.

hping3 -S 192.168.149.1 -p 80

Last updated 1 month ago