# 2. Port and Service Discovery

## <mark style="color:red;">1. Megaping (on windows)</mark>

## <mark style="color:red;">2. NetscanToolsPro(on windows)</mark>

## <mark style="color:red;">3. sx (Linux)</mark>

{% embed url="https://github.com/v-byte-cpu/sx" %}

Scan the subnet for live hosts with an ARP scan (ARP only reaches hosts on the local segment):

```
sx arp 192.168.0.1/24
```

Let's assume that the actual ARP cache is in the `arp.cache` file. We can create it manually or use ARP scan as shown below:

```
sx arp 192.168.0.1/24 --json | tee arp.cache
```

Once we have the ARP cache file, we feed it to sx on stdin and run scans of higher-level protocols, such as a TCP SYN scan (sx reads the cache to find the destination MAC address of each target):

```
cat arp.cache | sx tcp -p 1-65535 192.168.0.171
```

UDP scans work the same way:

```
cat arp.cache | sx udp --json -p 53 192.168.0.171
```

If there is no reply the port is reported open (strictly, open|filtered: a firewall silently dropping the probe looks exactly the same). An ICMP port unreachable error in response means the port is closed.
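The procedure above has two stages: an ARP sweep that produces the cache, then per-host TCP/UDP scans that read it back. The following script, added here as an illustration and not part of sx, turns the cache into the list of follow-up commands using only `sed` and `printf`. It assumes `sx --json` writes one object per line with an `ip` field (the two sample lines are constructed, not real scan output); it prints the commands rather than running them, so they can be reviewed and then piped to `sudo sh`.

```shell
#!/bin/sh
# Added example, not part of sx: turn an `sx arp --json` cache into the target
# list for the follow-on TCP/UDP scans, using only sed/printf (no jq needed).
#
# ASSUMPTION: sx --json writes one object per line with an "ip" field, e.g.
#   {"ip":"192.168.0.171","mac":"...","vendor":"..."}
# The two lines below are a constructed sample cache, not real scan output.
SAMPLE_ARP_CACHE='{"ip":"192.168.0.1","mac":"00:11:22:33:44:55","vendor":"Example Router"}
{"ip":"192.168.0.171","mac":"66:77:88:99:aa:bb","vendor":"Example Host"}'

# stdin: ARP cache JSON lines; stdout: one IP address per line, cache order kept.
hosts_from_arp_cache() {
  sed -n 's/.*"ip":"\([0-9][0-9.]*\)".*/\1/p'
}

# stdin: ARP cache JSON lines; stdout: the sx commands to run against every
# discovered host. $1 is the cache file the commands will read back on stdin
# (sx needs it to resolve the MAC address of each target).
# Commands are printed rather than executed so they can be reviewed first;
# pipe the output to `sudo sh` to run them.
sx_followup_commands() {
  cache=$1
  hosts_from_arp_cache | while IFS= read -r host; do
    # full TCP SYN sweep, then a UDP probe of DNS
    printf 'sx tcp -p 1-65535 %s < %s\n' "$host" "$cache"
    printf 'sx udp --json -p 53 %s < %s\n' "$host" "$cache"
  done
}

# Demonstration on the constructed sample; no network access is needed.
printf '%s\n' "$SAMPLE_ARP_CACHE" | sx_followup_commands arp.cache
```

With a real cache: `sx_followup_commands arp.cache < arp.cache | sudo sh`. Redirecting the file on stdin is the same as the `cat arp.cache | sx ...` form used above.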

## 4. Explore Various Network Scanning Techniques using Nmap

```
nmap -sT -v 192.168.18.110
```

{% hint style="info" %}
-v  verbose output: lists every host and port in the result

-sT TCP connect scan (full three-way handshake; the default when not running as root)

-sS SYN ("stealth") scan: half-open, needs raw sockets, so run as root

-sU UDP scan

-sX Xmas scan (FIN, PSH and URG set)

-sM Maimon scan (FIN/ACK)

-sA ACK scan: no response means filtered, RST means unfiltered (the port is reachable, but an ACK probe cannot tell open from closed)

-sN Null scan (no flags set)

-T4 aggressive timing template

-A aggressive scan: enables OS detection, version detection, script scanning and traceroute

-sV service/version detection

-sC default script scan (same as --script=default)
{% endhint %}
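The result of one scan usually drives the next (a SYN sweep first, then -sV/-sC only on the ports that answered). The script below, added here and not part of the page or of Nmap, parses Nmap's grepable output (`-oG`) into open ports and builds the `-p` list for the follow-up scan. The sample output is constructed to match the grepable layout; it is not a real capture.

```shell
#!/bin/sh
# Added example, not from the page or the Nmap project: pull the open ports out
# of Nmap's grepable output (-oG) so the result of one scan can feed the next
# step (e.g. -sV or -sC on just the ports that answered).
#
# Grepable format, one line per host:
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...<TAB>Ignored State: ...
# The sample below is constructed to match that layout; it is not real output.
SAMPLE_GREPABLE=$(printf 'Host: 192.168.18.110 ()\tStatus: Up\nHost: 192.168.18.110 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (997)\n')

# stdin: nmap -oG output; stdout: "<ip> <port>/<proto> <service>" per open port.
open_ports() {
  awk -F'\t' '/^Host:.*Ports:/ {
    split($1, h, " "); ip = h[2]
    plist = ""
    for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) plist = substr($i, 8)
    n = split(plist, p, ", ")
    for (j = 1; j <= n; j++) {
      split(p[j], f, "/")          # port, state, proto, owner, service, ...
      if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
    }
  }'
}

# stdin: output of open_ports; stdout: comma-separated TCP port list for -p.
tcp_port_list() {
  awk '$2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); ports = ports (ports ? "," : "") $2 }
       END { print ports }'
}

# Demonstration on the constructed sample (nothing is scanned):
printf '%s\n' "$SAMPLE_GREPABLE" | open_ports
printf '%s\n' "$SAMPLE_GREPABLE" | open_ports | tcp_port_list
# Real use:
#   nmap -sS -oG - 192.168.18.110 | open_ports
#   nmap -sV -sC -p "$(nmap -sS -oG - 192.168.18.110 | open_ports | tcp_port_list)" 192.168.18.110
```

Only ports in state `open` are kept; `filtered` and `open|filtered` entries are dropped, so a UDP sweep needs a different filter if you want the ambiguous ports too.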

<mark style="color:red;">**Use Zenmap and get used to it.**</mark>

**Nmap scripts**

```
ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*
```

{% embed url="https://www.stationx.net/nmap-cheat-sheet/" %}
Use the cheat sheet
{% endembed %}

**More scans**

* **IDLE/IPID Header Scan**: A blind TCP port scan that bounces SYN probes off an idle "zombie" host, spoofing the zombie's address as the source, and infers the target's port state from changes in the zombie's IP ID sequence. The target never sees the scanner's own address. Nmap needs the zombie as the argument to -sI:

  **# nmap -sI \[zombie host] -v \[target IP address]**
* **SCTP INIT Scan**: An INIT chunk is sent to the target host; an INIT+ACK chunk in response means the port is open, an ABORT chunk means it is closed, and no response means it is filtered.

  **# nmap -sY -v \[target IP address]**
* **SCTP COOKIE ECHO Scan**: A COOKIE ECHO chunk is sent to the target host; no response means the port is open|filtered (open, or a firewall dropped the probe), and an ABORT chunk means it is closed.

  **# nmap -sZ -v \[target IP address]**

## 5. HPING

ACK scan: no response means the port is filtered. An RST means it is unfiltered (the port is reachable, but an ACK probe cannot tell open from closed). Note that hping3's port option is lowercase `-p` (uppercase `-P` sets the PUSH flag) and the count option is lowercase `-c` (uppercase `-C` is the ICMP type):

```
hping3 -A -p 80 -c 5 192.168.18.110
```

{% hint style="info" %}

* -c --count: packet count
* --faster: alias for -i u1000 (100 packets per second)
* --flood: send packets as fast as possible; don't show replies
* -V --verbose: verbose mode
* -0 --rawip: RAW IP mode
* -1 --icmp: ICMP mode
* -2 --udp: UDP mode
* -8 --scan: SCAN mode
* -9 --listen: listen mode
* -a --spoof: spoof source address
* -p --destport: destination port
* -C --icmptype: ICMP type
* -K --icmpcode: ICMP code
* -L --setack: set TCP ack
* -F --fin: set FIN flag
* -S --syn: set SYN flag
* -R --rst: set RST flag
* -A --ack: set ACK flag
* -X --xmas: set X unused flag (0x40)
* -Y --ymas: set Y unused flag (0x80)
{% endhint %}

SYN scan on a single port. A reply with `flags=SA` means the port is open, `flags=RA` means it is closed, and no reply at all means it is filtered:

```
hping3 -S 192.168.149.1 -p 80
```
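Both hping3 probes above (ACK and SYN) are read the same way: look at the `flags=` field of each reply line, or at the packet-loss line when nothing came back. The script below, added here and not part of the page or of hping, turns hping3 output into a per-port verdict so the two scan types are interpreted consistently. The sample outputs are constructed in hping3's line layout (`len=... sport=80 flags=SA ...` and the `N packets transmitted, M packets received` summary); they are not real captures.

```shell
#!/bin/sh
# Added example, not from the page or hping: read hping3's reply lines and turn
# the TCP flags into a port verdict, so an ACK scan and a SYN scan are
# interpreted the same way every time.
#   SYN probe: flags=SA reply -> open, flags=RA -> closed, no reply -> filtered
#   ACK probe: flags=R  reply -> unfiltered (open or closed), no reply -> filtered
# The samples below are constructed in hping3's output layout; not real captures.
SAMPLE_SYN_OPEN=$(printf 'HPING 192.168.149.1 (eth0 192.168.149.1): S set, 40 headers + 0 data bytes\nlen=46 ip=192.168.149.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.6 ms\nlen=46 ip=192.168.149.1 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=0.5 ms\n\n--- 192.168.149.1 hping statistic ---\n2 packets transmitted, 2 packets received, 0%% packet loss\n')
SAMPLE_ACK_UNFILTERED=$(printf 'HPING 192.168.18.110 (eth0 192.168.18.110): A set, 40 headers + 0 data bytes\nlen=46 ip=192.168.18.110 ttl=64 DF id=0 sport=80 flags=R seq=0 win=0 rtt=0.4 ms\n\n--- 192.168.18.110 hping statistic ---\n1 packets transmitted, 1 packets received, 0%% packet loss\n')
SAMPLE_ACK_FILTERED=$(printf 'HPING 192.168.18.110 (eth0 192.168.18.110): A set, 40 headers + 0 data bytes\n\n--- 192.168.18.110 hping statistic ---\n5 packets transmitted, 0 packets received, 100%% packet loss\n')

# $1: probe type, "syn" or "ack"; stdin: hping3 output (stdout+stderr).
# stdout: one "<port> <verdict>" line per source port seen, plus
# "no-reply filtered" when every probe went unanswered.
hping_verdicts() {
  awk -v mode="$1" '
    /flags=/ {
      port = ""; flags = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^sport=/) port = substr($i, 7)
        if ($i ~ /^flags=/) flags = substr($i, 7)
      }
      if (mode == "syn") {
        v = (flags ~ /S/ && flags ~ /A/) ? "open" : (flags ~ /R/ ? "closed" : "unknown")
      } else {
        v = (flags ~ /R/) ? "unfiltered" : "unknown"
      }
      if (!(port in seen)) order[++n] = port
      seen[port] = v
    }
    /packets transmitted/ { tx = $1; rx = $4 }
    END {
      for (i = 1; i <= n; i++) print order[i], seen[order[i]]
      if (tx > 0 && rx == 0) print "no-reply filtered"
    }'
}

# Demonstrations on the constructed samples (no packets are sent):
printf '%s\n' "$SAMPLE_SYN_OPEN" | hping_verdicts syn
printf '%s\n' "$SAMPLE_ACK_UNFILTERED" | hping_verdicts ack
printf '%s\n' "$SAMPLE_ACK_FILTERED" | hping_verdicts ack
# Real use (hping3 needs root; 2>&1 catches the statistics lines as well):
#   sudo hping3 -A -p 80 -c 5 192.168.18.110 2>&1 | hping_verdicts ack
```

The ACK verdict is deliberately only "unfiltered" or "filtered": an RST to an unsolicited ACK proves the port is reachable through any firewall, not that a service is listening, which is why the ACK scan is paired with a SYN scan rather than used on its own.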

{% embed url="https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C" %}
