# 2. Port and Service Discovery

## <mark style="color:red;">1. MegaPing (on Windows)</mark>

## <mark style="color:red;">2. NetScanTools Pro (on Windows)</mark>

## <mark style="color:red;">3. sx (Linux)</mark>

{% embed url="<https://github.com/v-byte-cpu/sx>" %}

ARP-scan the local subnet to find live hosts and their MAC addresses:

```
sx arp 192.168.0.1/24
```

Let's assume that the actual ARP cache is in the `arp.cache` file. We can create it manually or use ARP scan as shown below:

```
sx arp 192.168.0.1/24 --json | tee arp.cache
```

Once we have the ARP cache file, we can run scans of higher-level protocols such as a TCP SYN scan. sx builds its own Ethernet frames instead of going through the kernel network stack, which is why it needs the cache: it has to put the right destination MAC on every packet it sends.

```
cat arp.cache | sx tcp -p 1-65535 192.168.0.171
```

UDP scans work the same way, here against DNS on port 53:

```
cat arp.cache | sx udp --json -p 53 192.168.0.171
```

No response means the port is open or filtered (a UDP service may simply not answer an empty probe, so silence is not proof of a listener); an ICMP port unreachable error means the port is closed.

## 4. Explore Various Network Scanning Techniques using Nmap

```
nmap -sT -v 192.168.18.110
```

{% hint style="info" %}
-v  Verbose output; lists every host and port as results come in

-sT TCP connect scan (full three-way handshake; works without root)

-sS SYN ("stealth" / half-open) scan; needs raw sockets, so root or sudo

-sU UDP scan

-sX Xmas scan (FIN, PSH and URG set)

-sM Maimon scan (FIN/ACK)

-sA ACK scan: no response means filtered, a RST means unfiltered (it does not tell open from closed)

-sN Null scan (no flags set)

-T4 Timing template 4 (aggressive); -T0 to -T5, higher is faster and noisier

-A Aggressive scan: OS detection, version detection, default scripts and traceroute in one flag

-sV Service/version detection

-sC Run the default NSE script set (same as --script=default)
{% endhint %}
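Putting the flags above together, this is the two-stage workflow most practitioners run in the lab: a fast SYN sweep of all 65535 TCP ports saved in grepable form, then `-sV -sC` only against the ports that came back open. It is an added example, not code from the original page or from the nmap project; the target address, file names and the `-oG` sample it parses are constructed, so the parser can be exercised without touching the network.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: two-stage nmap workflow.
# Stage 1: SYN sweep of all TCP ports, written in grepable (-oG) form.
# Stage 2: -sV -sC only on the ports stage 1 found open.
# Target addresses and file names are hypothetical.
set -euo pipefail

# Parse nmap -oG output on stdin and print the open TCP ports as "22,80".
# A grepable host line looks like (fields are tab separated):
#   Host: 10.0.0.5 ()<TAB>Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/<TAB>Ignored State: closed (65533)
open_ports_from_gnmap() {
  { grep -E '^Host: .*Ports: ' || true; } \
    | sed -E 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' \
    | awk -F'/' '$2 == "open" && $3 == "tcp" { print $1 }' \
    | tr -d ' ' \
    | sort -un \
    | paste -sd ',' -
}

# Build the stage-2 command as a string so it can be reviewed before it runs.
stage2_command() {
  local target="$1" ports="$2"
  printf 'nmap -sV -sC -p%s -oA stage2 %s' "$ports" "$target"
}

# Live run: needs nmap installed and raw-socket privileges for -sS.
# Only invoked when TARGET is set, so the script is safe to test offline.
run_two_stage_scan() {
  local target="$1" ports
  command -v nmap >/dev/null || { echo "nmap not installed" >&2; return 1; }
  nmap -sS -p- --min-rate 1000 -oG stage1.gnmap "$target" >/dev/null
  ports=$(open_ports_from_gnmap < stage1.gnmap)
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 0
  fi
  # shellcheck disable=SC2046
  $(stage2_command "$target" "$ports")
}

# Constructed sample of -oG output (not a real scan result) to exercise the parser.
SAMPLE_GNMAP=$(
  printf 'Host: 192.168.18.110 ()\tStatus: Up\n'
  printf 'Host: 192.168.18.110 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, '
  printf '443/filtered/tcp//https///, 3306/closed/tcp//mysql///\tIgnored State: closed (65531)\n'
)

SAMPLE_PORTS=$(printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap)
echo "open ports in sample: $SAMPLE_PORTS"                               # 22,80
echo "stage 2 would run: $(stage2_command 192.168.18.110 "$SAMPLE_PORTS")"

if [ -n "${TARGET:-}" ]; then
  run_two_stage_scan "$TARGET"
fi
```

Run it with `TARGET=192.168.18.110 sudo -E bash scan.sh` to go live; without `TARGET` it only parses the embedded sample. Filtered and closed ports are deliberately dropped by the awk filter, so stage 2 never wastes version probes on ports that cannot answer.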

<mark style="color:red;">**Use Zenmap and get used to it.**</mark>

**Nmap scripts**

```
ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*
```

{% embed url="<https://www.stationx.net/nmap-cheat-sheet/>" %}
Use the cheat sheet.
{% endembed %}

**More scans**

* **IDLE/IPID Header Scan**: A TCP port scan in which the scanner's own address never reaches the target. Probes are sent with the spoofed source address of an idle "zombie" host, and the target's port state is inferred from how the zombie's IP ID counter advances, so the target only ever sees traffic from the zombie. nmap takes the zombie host as the argument to -sI.

  **# nmap -sI \[zombie IP address] -v \[target IP address]**
* **SCTP INIT Scan**: An INIT chunk is sent to the target host; an INIT-ACK chunk in response means the port is open, and an ABORT chunk means it is closed.

  **# nmap -sY -v \[target IP address]**
* **SCTP COOKIE ECHO Scan**: A COOKIE ECHO chunk is sent to the target host; no response means the port is open or filtered (nmap reports open|filtered), and an ABORT chunk means it is closed.

  **# nmap -sZ -v \[target IP address]**

## 5. HPING

ACK probe: no reply means the port is filtered; a RST means it is unfiltered (reachable through any firewall), but an ACK probe cannot tell open from closed. Note that the flags are lowercase: `-p` is the destination port and `-c` the packet count (uppercase `-P` sets the PSH flag and `-C` is the ICMP type).

```
hping3 -A -p 80 -c 5 192.168.18.110
```

{% hint style="info" %}

* -c --count: packet count
* -p --destport: destination port
* --faster: alias for -i u1000 (one packet every 1000 µs)
* --flood: send packets as fast as possible and do not show replies
* -V --verbose: verbose mode
* -0 --rawip: raw IP mode
* -1 --icmp: ICMP mode
* -2 --udp: UDP mode
* -8 --scan: scan mode
* -9 --listen: listen mode
* -a --spoof: spoof the source address
* -C --icmptype: ICMP type
* -K --icmpcode: ICMP code
* -L --setack: set the TCP ACK number
* -F --fin: set the FIN flag
* -S --syn: set the SYN flag
* -R --rst: set the RST flag
* -A --ack: set the ACK flag
* -X --xmas: set the X unused flag (0x40)
* -Y --ymas: set the Y unused flag (0x80)
{% endhint %}

SYN probe to a single port; a SYN/ACK reply means open, a RST means closed:

```
hping3 -S 192.168.149.1 -p 80
```
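Reading hping3 replies by eye is error-prone, so here is the decision logic for both the ACK probe and the SYN probe above written out as a small bash script. It is an added example, not code from the original page or from the hping project. The reply lines it classifies are constructed in the shape hping3 prints them (`len=... ip=... flags=SA ...`), and the `probe_port` target and port are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: turn hping3 reply lines into a
# port verdict for the ACK (-A) and SYN (-S) probes. hping3 prints one line per
# reply, e.g.
#   len=46 ip=192.168.149.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=64240 rtt=3.9 ms
# and prints nothing for a probe that gets no answer.
set -euo pipefail

# $1: "syn" (hping3 -S) or "ack" (hping3 -A); $2: the reply line, or "" for no reply.
classify_hping_reply() {
  local scan="$1" line="$2" flags
  if [ -z "$line" ]; then
    # Silence means the same for both probes: a filter dropped the probe or the reply.
    echo filtered
    return 0
  fi
  flags=$(printf '%s\n' "$line" | sed -nE 's/.*flags=([A-Z]+).*/\1/p')
  case "$scan" in
    syn)
      case "$flags" in
        *S*A*) echo open ;;        # SYN/ACK: a service is listening
        *R*)   echo closed ;;      # RST: host reachable, nothing listening
        *)     echo "unknown (flags=$flags)" ;;
      esac ;;
    ack)
      # An ACK probe only separates filtered from unfiltered: a RST proves the
      # port is reachable through any stateless filter, open or not.
      case "$flags" in
        *R*) echo unfiltered ;;
        *)   echo "unknown (flags=$flags)" ;;
      esac ;;
    *) echo "unknown scan type: $scan" >&2; return 1 ;;
  esac
}

# Send one probe with hping3 and classify whatever comes back.
# Needs hping3 and raw-socket privileges; target and port are hypothetical.
probe_port() {
  local scan="$1" target="$2" port="$3" flag reply
  case "$scan" in syn) flag=-S ;; ack) flag=-A ;; *) return 1 ;; esac
  command -v hping3 >/dev/null || { echo "hping3 not installed" >&2; return 1; }
  reply=$(hping3 "$flag" -p "$port" -c 1 "$target" 2>&1 | grep -m1 'flags=' || true)
  classify_hping_reply "$scan" "$reply"
}

# Constructed reply lines (not captured from a real host).
SYN_OPEN='len=46 ip=192.168.149.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=64240 rtt=3.9 ms'
SYN_CLOSED='len=46 ip=192.168.149.1 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=0.4 ms'
ACK_REPLY='len=46 ip=192.168.18.110 ttl=64 DF id=0 sport=80 flags=R seq=0 win=0 rtt=0.5 ms'

echo "SYN to 80, SYN/ACK back -> $(classify_hping_reply syn "$SYN_OPEN")"      # open
echo "SYN to 81, RST/ACK back -> $(classify_hping_reply syn "$SYN_CLOSED")"    # closed
echo "ACK to 80, RST back     -> $(classify_hping_reply ack "$ACK_REPLY")"     # unfiltered
echo "ACK to 80, no reply     -> $(classify_hping_reply ack "")"               # filtered

if [ -n "${TARGET:-}" ]; then
  probe_port syn "$TARGET" 80
  probe_port ack "$TARGET" 80
fi
```

Set `TARGET` to send real probes (as root). Running the SYN and ACK probes against the same port is the useful combination: SYN tells you open versus closed, while ACK tells you whether a stateless packet filter sits in front of it, which a SYN probe alone cannot distinguish from a closed port that never answers.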

{% embed url="<https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C>" %}
