2. Port and Service Discovery
1. Megaping (on windows)
2. NetscanToolsPro(on windows)
3. Sxtool (Linux)
scan the subnet
Let's assume that the actual ARP cache is in the arp.cache
file. We can create it manually or use ARP scan as shown below:
Once we have the ARP cache file, we can run scans of higher-level protocols like TCP SYN scan:
we can run udp scans as well.
if no response then port is opened, otherwise in case of error code port is closed
4. Nmap scans
-v Verbose scan lists all hosts and ports in the result
-sS stealth scan
-sU UDP scan
-sX xmass scan
-sM Maimon scan (FIN/ACK)
-sA Ack scan (no response it is filtered and RST means not filtered.
-sN Null scan
-T4 Aggressive
-A all advanced and aggressive scan
-sV Detects person
-sC script scanning
Use Zenmap and get used to it.
Nmap scripts
5. HPING
Ack scan no response means port is filtered. RST means closed
-c –count: packet count
–faster: alias for -i u1000 (100 packets for second)
–flood: sent packets as fast as possible. Don’t show replies.
-V –verbose: verbose mode
-0 –rawip: RAW IP mode
-1 –icmp: ICMP mode
-2 –udp: UDP mode
-8 –scan: SCAN mode.
-9 –listen: listen mode
-a –spoof: spoof source address
-C –icmptype: icmp type
-K –icmpcode: icmp code
-L –setack: set TCP ack
-F –fin: set FIN flag
-S –syn: set SYN flag
-R –rst: set RST flag
-A –ack: set ACK flag
-X –xmas: set X unused flag (0x40)
-Y –ymas: set Y unused flag (0x80)
Syn scan on a port.
Last updated