Nmap and Enumeration

  • Scanning networks and hosts

    • Active – makes noise: interacts directly with the targets

      • Footprinting – Discovering the layout. Routing. DHCP.

      • Fingerprinting – Discovering what is running (services and versions)

      • Nmap

        • nmap -sn 192.168.50.1/24

          • Ping sweep (host discovery only, no port scan)

        • -sT TCP connect scan

        • -sS SYN scan. Half open. Stealth scan. This is Nmap's default scan when run with raw-socket privileges (otherwise it falls back to -sT).

        • -p specifies ports

        • -T0 slowest timing template. -T5 fastest.

        • -F fast mode (scans fewer ports than the default)

        • -sU UDP scan

        • -D decoy

        • -sI idle scan via a zombie host

        • -S spoof the source IP address

        • -f fragment packets

        • -O OS detection

        • -sV service and version

        • -A aggressive. Get as much info as possible.

      • hping3 – packet-crafting alternative to Nmap

        • hping3 -S -p 80 <target>

          • SYN scan on port 80

        • hping3 -A -p 80 <target>

          • ACK scan

        • --tcp-timestamp: the TCP timestamp option reveals the host's uptime

      • Responder – MiTM tool

        • LLMNR/NBT-NS poisoner; used to check whether LLMNR is enabled on the network

    • Semi-passive – looks like normal traffic. Low and slow. Sparse.

    • Passive – makes no noise. Listens to network traffic.

      • p0f v3 – passive OS fingerprinting tool

      • Zeek (formerly Bro) – passive network traffic analyzer
