CEH Practical Guide
  • Certified Ethical Hacker (CEH v12 and CEH V13) Practical Guide: Complete Study Resources & Tips
  • Module 2. Footprinting and Reconnaissance
    • 1. Footprinting through Search Engines
    • 2. Perform Footprinting Through Internet Research Services
    • 3. Footprinting through Social Networking sites
    • 4. Website Footprinting
    • 5. WHOIS Footprinting
    • 6. DNS Footprinting
    • 7. Network footprinting
    • 8. Email Footprinting
    • 9. Footprinting using footprinting tools
    • 10. Perform Footprinting using AI
  • Module 3. Scanning Networks
    • 1. Host Discovery
    • 2. Port and Service Discovery
    • 3. Perform OS Discovery
    • 4. Scan beyond Firewalls and IDS
    • 5. Network scanning using various tools
    • 6. Perform Network Scanning using AI
  • Module 4. Enumeration
    • 1. Netbios Enumeration (Port 137)
    • 2. SNMP Enumeration (Port 161,162)
    • 3. LDAP Enumeration (Port 389)
    • 4. NFS Enumeration
    • 5. DNS Enumeration
    • 6. SMTP Enumeration
    • 7. RPC, SMB and FTP Enumeration
    • 8. Enumeration using various tools
    • 9. Perform Enumeration using AI
  • Module 5. Vulnerability Assessment
    • 1. Perform Vulnerability Research with Vulnerability Scoring Systems and Databases
    • 2. Perform Vulnerability Assessment using Various Vulnerability Assessment Tools
    • 3. Perform Vulnerability Analysis using AI
  • Module 6. System Hacking
    • 1. Gain access to the system
    • 2. Privilege Escalation
    • 3. Maintain Remote Access and Hide Malicious Activities
    • 4. Clear Logs to hide the Evidence of Compromise
    • 5. Active Directory (AD) Attacks
  • Module 7. Malware Threats
    • 1. Gain access to systems with Trojans
    • 2. Infect the system using Virus
    • 3. Perform Static Malware Analysis
    • 4. Perform Dynamic Malware Analysis
  • Module 8. Sniffing
    • 1. Perform Active Sniffing
    • 2. Perform Network Sniffing using Various Sniffing Tools
    • 3. Detect Network Sniffing
  • Module 9. Social Engineering
    • 1. Perform Social Engineering using tools
    • 2. Detect a Phishing attack
    • 3. Audit Organization security for phishing attacks
    • 4. Social Engineering using AI
  • Module 10. Denial of Service
    • 1. Perform DOS and DDOS with various techniques
    • 2. Detect and Protect DOS and DDOS attacks
  • Module 11. Session Hijacking
    • 1. Perform Session Hijacking
    • 2. Detect Session Hijacking
  • Module 12. Evading IDS, antivirus and Honeypots
    • 1. Intrusion Detection using various tools
    • 2. Evade Firewall using Evasion Techniques
  • Module 13. Hacking Web Servers
    • 1. Footprint the Webserver
    • 2. Perform Webserver attacks
    • 3. Perform a Web Server Hacking using AI
  • Module 14. Hacking Web Applications
    • 1. Footprint the Web Infrastructure
    • 2. Perform Web applications Attacks
    • 3. Detect Web Vulnerabilities using using web application security tools
    • 4. Perform Web Application Hacking using AI
  • Module 15. SQL Injection
    • 1. Perform SQL Injection attacks
    • 2. Detect SQL Vulnerabilities using different tool
    • 3. Perform SQL Injection using AI
  • Module 16. Hacking Wireless Networks
    • 1. Footprint a wireless Network
    • 2. Perform Wireless Traffic Analysis
    • 3. Perform Wireless Attacks
  • Module 17. Hacking Mobile Platforms
    • 1. Hack Android Devices
    • 2. Secure Android Device
  • Module 18. IoT and OT Hacking
    • 1. Footprinting IoT and OT devices
    • 2. Capture and Analyze IoT traffic
    • 3. Perform IoT Attacks
  • Module 19. Cloud Computing
    • 1. Perform Reconnaissance on Azure
    • 2. S3 Bucket Enumeration
    • 3. Exploit S3 buckets
    • 4. Perform Privilege Escalation to Gain Higher Privileges
    • 5. Perform Vulnerability Assessment on Docker Images
  • Module 20. Cryptography
    • 1. Encrypt the Information using Various Cryptography Tools
    • 2. Create a self signed Certificate
    • 3. Perform Disk Encryption
    • 4. Cryptanalysis Using different tools
    • 5. Perform Cryptography using AI
  • Tips for exams
  • Additional Resources
Powered by GitBook
On this page
  • 1. Megaping (on windows)
  • 2. NetscanToolsPro(on windows)
  • 3. Sxtool (Linux)
  • 4. Explore Various Network Scanning Techniques using Nmap
  • 5. HPING

Was this helpful?

  1. Module 3. Scanning Networks

2. Port and Service Discovery

The next step after discovering active hosts in the target network is to scan for open ports and services running on the target IP addresses

Previous1. Host DiscoveryNext3. Perform OS Discovery

Last updated 7 months ago

Was this helpful?

1. Megaping (on windows)

2. NetscanToolsPro(on windows)

3. Sxtool (Linux)

scan the subnet

sx arp 192.168.0.1/24

Let's assume that the actual ARP cache is in the arp.cache file. We can create it manually or use ARP scan as shown below:

sx arp 192.168.0.1/24 --json | tee arp.cache

Once we have the ARP cache file, we can run scans of higher-level protocols like TCP SYN scan:

cat arp.cache | sx tcp -p 1-65535 192.168.0.171

we can run udp scans as well.

cat arp.cache | sx udp --json -p 53 192.168.0.171

if no response then port is opened, otherwise in case of error code port is closed

4. Explore Various Network Scanning Techniques using Nmap

nmap -sT -v 192.168.18.110

-v Verbose scan lists all hosts and ports in the result

-sS stealth scan

-sU UDP scan

-sX xmass scan

-sM Maimon scan (FIN/ACK)

-sA Ack scan (no response it is filtered and RST means not filtered.

-sN Null scan

-T4 Aggressive

-A all advanced and aggressive scan

-sV Detects person

-sC script scanning

Use Zenmap and get used to it.

Nmap scripts

ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*

More scancs

  • IDLE/IPID Header Scan: A TCP port scan method that can be used to send a spoofed source address to a computer to discover what services are available.

    # nmap -sI -v [target IP address]

  • SCTP INIT Scan: An INIT chunk is sent to the target host; an INIT+ACK chunk response implies that the port is open, and an ABORT Chunk response means that the port is closed.

    # nmap -sY -v [target IP address]

  • SCTP COOKIE ECHO Scan: A COOKIE ECHO chunk is sent to the target host; no response implies that the port is open and ABORT Chunk response means that the port is closed.

    # nmap -sZ -v [target IP address]

5. HPING

Ack scan no response means port is filtered. RST means closed

hping3 -A -P 80 -C 5 192.168.18.110

  • -c –count: packet count

  • –faster: alias for -i u1000 (100 packets for second)

  • –flood: sent packets as fast as possible. Don’t show replies.

  • -V –verbose: verbose mode

  • -0 –rawip: RAW IP mode

  • -1 –icmp: ICMP mode

  • -2 –udp: UDP mode

  • -8 –scan: SCAN mode.

  • -9 –listen: listen mode

  • -a –spoof: spoof source address

  • -C –icmptype: icmp type

  • -K –icmpcode: icmp code

  • -L –setack: set TCP ack

  • -F –fin: set FIN flag

  • -S –syn: set SYN flag

  • -R –rst: set RST flag

  • -A –ack: set ACK flag

  • -X –xmas: set X unused flag (0x40)

  • -Y –ymas: set Y unused flag (0x80)

Syn scan on a port.

hping3 -S 192.168.149.1 -p 80
GitHub - v-byte-cpu/sx: Fast, modern, easy-to-use network scannerGitHub
Nmap Cheat SheetStation X
Use the cheatsheat
Logo
Certified Ethical Hacker (CEHv12) Practical hands on LabsUdemy
Logo
Logo