
DataRecovery v2.4.7 UPDATED



DataRecovery recovers deleted files even if they have been purged from the recycle bin. You can also search for deleted files by partial string in the filename. There is a feature to wipe out deleted files. It supports FAT12, FAT16, FAT32, NTFS, EFS filesystems.



-Saba

The Chakra Project !



Chakra GNU/Linux is a free, user-friendly and extremely powerful liveCD and distribution using the award-winning KDE SC and Plasma Desktop, with a bundle system for using GTK apps.


ESSPEE - Penetration Testing & Forensics


ESSPEE is a derivative of Back | Track 5, based on Ubuntu 12.04. Designed for users who wish to use only free software. It is packed with featured security tools with stable configurations. This version consolidates the Unity desktop interface; a brand new way to find and manage your applications.

Thanks to Back Track, Blackbuntu, CAINE and DEFT for inspiration.

Being a sole developer to this distro, I wish it could help Open Source community with a better interface for Penetration testing and Forensics. I really enjoyed my work for last six months.

Please let me know about bugs and if possible provide solution also.

So finally, "This is the season of roses and wine, this moment is yours....Just live it up !!!"

Thanks again.
ESSPEE - Penetration Testing & Forensics Web Site

DEMONSTRATION ON JAVA ZERO-DAY _ VIDEO




http://vimeo.com/48323225

Description: Exploit writers are giving developers resilient competition nowadays. The Java 0-day is another contemporary exploit, which was published a day back. David Kennedy, developer of the Social-Engineer Toolkit, has added this current exploit to the SET tool. In this video the author demonstrates the usage of the Java zero-day exploit.

How to get someone's IP Address using an Image - Video







_ Saba

Nmap - Windows - CMD- Scan- Options - Example


Nmap
Nmap is a network exploration tool and port scanner. It was created by Fyodor and can be downloaded from www.insecure.org free of charge. I have always had issues with the Win32 port of Nmap so I have only used it from Linux. Nmap is available for most Linux distributions.
One thing to be aware of when using Nmap is that it pings the target before it scans, to see if it is up. If the target is blocking ICMP the scan may fail. This initial ping can be prevented by using the -P0 switch, which allows Nmap to continue with the port scan.
When specifying a target the following syntax can be used:

nmap target option

The target is the host or network to be scanned, and the options are the list of ports and the type of scan. The target can be entered as a hostname (www.yahoo.com), an IP address (87.248.113.14), or in CIDR notation (192.168.1.1/24). Nmap can also be told to use an input file for target specification. There are additional methods of target specification listed in the Nmap man pages.

Options can select the scan type (SYN scan, ACK scan, list scan etc.), turn off certain functions such as DNS resolution or ping, set the output format such as XML or a text file, enable OS or version detection, set up scanning through an FTP server or another host, or select the ports to be scanned. Ports can be entered as a list (-p 21,23,80), as a range (-p 1-1024,3389,5000), or by port type for UDP or TCP (-p U:161,53,T:80,443).

The following are some basic examples of Nmap scans.
1. Ping Scan (ping sweep)
nmap -sP 10.20.2.1/24

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:23 GMT
Host 10.20.2.4 appears to be up.
MAC Address: 00:0C:F1:5E:0B:05 (Intel)
Host 10.20.2.6 appears to be up.
MAC Address: 00:30:C1:21:0B:9C (Hewlett-packard)
Host 10.20.2.69 appears to be up.
MAC Address: 00:E0:81:6C:94:53 (Tyan Computer)
Host 10.20.2.70 appears to be up.
MAC Address: 00:60:B0:20:D0:C0 (Hewlett-packard CO.)
Host 10.20.2.71 appears to be up.
MAC Address: 00:00:84:AE:70:BF (Ricoh Company)
Nmap finished: 256 IP addresses (5 hosts up) scanned in 5.398 seconds


This scan was used to quickly identify hosts that are up on a particular range of IP addresses.

2. Basic Host Scan
nmap 10.20.2.41
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:13 GMT
Interesting ports on 10.20.2.41:
(The 1666 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
280/tcp  open  http-mgmt
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
This performs a TCP connect scan of a selected host. This scan would likely be picked up by an IDS. The basic scan covers all ports from 1024 down, plus certain high-numbered ports listed in the nmap-services file. This file can be customised for your own environment. To perform a fast scan use the -F switch, which scans only the ports listed in the nmap-services file. Nmap also randomises the order of the ports to be scanned automatically; this can be disabled with the -r switch.

3. Version Scan
nmap 10.20.2.41 -sV -p 23
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:14 GMT
Interesting ports on 10.20.2.41:
PORT   STATE SERVICE VERSION
23/tcp open  telnet  HP JetDirect printer telnetd (No password)
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Service Info: Device: printer
Nmap finished: 1 IP address (1 host up) scanned in 2.059 seconds
This scan picked a particular port and attempted to enumerate the service listening on that port.

4. OS Scan
nmap 10.20.2.41 -O -p 23,81
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:16 GMT
Interesting ports on 10.20.2.41:
PORT   STATE  SERVICE
23/tcp open   telnet
81/tcp closed hosts2-ns
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Device type: print server
Running: HP embedded
OS details: HP printer w/JetDirect card
Uptime 74.890 days (since Wed Aug 15 16:55:33 2007)
Nmap finished: 1 IP address (1 host up) scanned in 2.579 seconds
This scan performed an OS scan on the host and correctly identified it as a HP Printer.

5. SYN Scan (Half-Open Scan)
nmap 10.20.2.41 -sS -p 23,80
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:17 GMT
Interesting ports on 10.20.2.41:
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 0.440 seconds
This scan performed a half-open scan (-sS) on ports 23 & 80. Half-open means that the full TCP connection was not completed: Nmap sent a SYN packet, followed by a RST packet if a SYN/ACK was received (indicating an open port). If Nmap received a RST packet, the port is listed as closed. You must have root permissions to perform a SYN scan, otherwise the scan will drop down to a full TCP connect scan. SYN scans are relatively stealthy and are very fast for the reasons already mentioned. If Nmap receives no response, or if it receives an ICMP unreachable, the port is marked as filtered.

6. Stealthy Scan
nmap 10.20.2.41 -sS -p 23,80 -T 1
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:22 GMT
Interesting ports on 10.20.2.41:
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 45.422 seconds
This scan performs a half-open scan but the packets are sent at a very slow rate (-T 1). This is to avoid detection by an IDS. Note the time that Nmap took to scan compared to the previous examples.
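
How an IDS-style threshold sees the scans in examples 5 and 6, as an added example that is not part of the original post: it counts distinct destination ports per source inside a time window, and the constructed records show that a 5-second window flags only the fast scan while a 10-minute window also flags the slow one. The function name, thresholds, addresses 10.20.2.98/99 and the 15-second probe spacing are assumptions.

```python
from collections import defaultdict

def scan_sources(events, window, min_ports):
    """events: iterable of (ts_seconds, src, dst, dport) connection attempts.
    Returns {src: most distinct (dst, dport) pairs seen within `window` seconds}
    for every source that reaches `min_ports`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(events):
        by_src[src].append((ts, dst, dport))
    flagged = {}
    for src, rows in by_src.items():
        best, start = 0, 0
        for end in range(len(rows)):
            # Slide the left edge until the window spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = len({(d, p) for _, d, p in rows[start:end + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            flagged[src] = best
    return flagged

# Constructed sample records (not real traffic).
PORTS = [21, 23, 25, 80, 110, 139, 443, 445, 515, 631, 3389, 9100]
FAST = [(i * 0.03, "10.20.2.99", "10.20.2.41", p) for i, p in enumerate(PORTS)]
SLOW = [(i * 15.0, "10.20.2.98", "10.20.2.41", p) for i, p in enumerate(PORTS)]
# A workstation printing repeatedly to the same port: many events, one port.
NORMAL = [(float(t), "10.20.2.6", "10.20.2.41", 9100) for t in range(0, 180, 20)]
EVENTS = FAST + SLOW + NORMAL

SHORT = scan_sources(EVENTS, window=5, min_ports=10)    # fast scan only
LONG = scan_sources(EVENTS, window=600, min_ports=10)   # fast and slow scans

if __name__ == "__main__":
    print("5 s window:  ", SHORT)
    print("600 s window:", LONG)
```

The longer window costs more state per source, which is why slow scans are usually caught by a separate, coarser rule rather than by widening the fast one.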

7. Idle Scan (Zombie Scan)
nmap 10.20.2.41 -p 23 -T 2 -sI 10.20.2.70 -P0
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:29 GMT
Idlescan using zombie 10.20.2.70 (10.20.2.70:80); Class: Incremental
Interesting ports on 10.20.2.41:
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 7.650 seconds
In this example Nmap has used another host (-sI 10.20.2.70) to perform the scan on behalf of the attacker. Nmap sends a packet to the zombie to check its IP ID, then sends its scan to the target while spoofing the IP of the zombie (10.20.2.70). Nmap then checks the IP ID of the zombie again to see how much it has increased by. This tells Nmap whether the port was open or closed, because of the response (ACK or RST) sent from the real target to the zombie. The -P0 switch has also prevented Nmap from pinging the host at the beginning of the scan.
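
The IP ID arithmetic behind this result, as an added in-memory model that is not part of the original post and sends no packets: with one global counter the zombie's IP ID advances by 2 when the target port is open and by 1 otherwise, while a host that keeps a separate counter per destination leaks nothing. Class and function names and the starting counter value are assumptions.

```python
class Zombie:
    """Model of the idle host. per_peer=False is a single global IP ID counter
    (what the idle scan depends on); per_peer=True keeps one counter per peer."""
    def __init__(self, per_peer=False, start=1000):
        self.per_peer, self.start, self.counters = per_peer, start, {}

    def send_to(self, peer):
        # Every packet sent consumes one IP ID from the relevant counter.
        key = peer if self.per_peer else "global"
        self.counters[key] = (self.counters.get(key, self.start) + 1) % 65536
        return self.counters[key]

    def receive(self, sender, flags):
        # An unexpected SYN/ACK is answered with a RST; an unexpected RST is dropped.
        if flags == "SYN/ACK":
            self.send_to(sender)

class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def syn_claiming_to_be(self, zombie, port):
        # The reply goes to the address in the SYN (the zombie), not to the scanner.
        zombie.receive("target", "SYN/ACK" if port in self.open_ports else "RST")

def infer_port_state(zombie, target, port):
    before = zombie.send_to("scanner")       # first IP ID probe
    target.syn_claiming_to_be(zombie, port)  # scan packet carrying the zombie's address
    after = zombie.send_to("scanner")        # second IP ID probe
    delta = (after - before) % 65536
    return {1: "closed|filtered", 2: "open"}.get(delta, "indeterminate")

TARGET = Target(open_ports={23})             # constructed: only telnet is open

def run(per_peer):
    zombie = Zombie(per_peer=per_peer)
    return {port: infer_port_state(zombie, TARGET, port) for port in (23, 81)}

if __name__ == "__main__":
    print("global counter:  ", run(False))   # port 23 is read correctly
    print("per-peer counter:", run(True))    # port 23 is indistinguishable from 81
```

The same model explains why the zombie has to be idle: any unrelated packet it sends between the two probes also advances a global counter and corrupts the delta.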

Useful Nmap Options
-sT: Full TCP connect scan.
-sS: SYN scan. Stealthier than a TCP connect scan.
-sF: FIN scan. Stealthy. A RST indicates the port is closed.
-sR: Scans RPC services and attempts to identify listening programs.
-sI: Idle scan.
-b: Bounces the scan off an FTP server.
-sX: Xmas tree scan. All flags are set. A RST indicates a port is closed, no response may mean the port is open.
-sU: Scan for status of UDP ports.
-sL: Performs a list scan. Will attempt to perform a reverse lookup of hosts.
-sP: Ping scan, not a scan as such but can be used initially to locate alive hosts.
-O: OS fingerprinting.
-sV: Identifies the service and version in some cases.
-A: Both version and OS fingerprinting.
-T 1: Timing is slow (1). Can be increased to 2, 3, 4 or 5 (5 being the fastest).
-sA: TCP ACK scan. This may get through certain packet filtering devices.
-iL <inputfilename>: Input from list of hosts/networks
-sP: Ping Scan - go no further than determining if host is online
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-r: Scan ports consecutively - don't randomize
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use twice for more effect)
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
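
Scan results like the ones in the examples above are easier to act on once parsed. An added example (not from the original post) that reads Nmap 4.x normal output, as written by -oN, and lists open cleartext or unauthenticated services on a host you administer; the sample text is assembled from the outputs on this page, and the function names and the CLEARTEXT review list are assumptions.

```python
import re

# Services that carry credentials or management traffic in cleartext.
# This review list is an assumption of the example, not from the post.
CLEARTEXT = {"ftp", "telnet", "http", "http-mgmt", "printer", "jetdirect"}
# Nmap 4.x host header; later releases print "Nmap scan report for ..." instead.
HOST_LINE = re.compile(r"^Interesting ports on (\S+?):$")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_normal_output(text):
    """Parse normal-format output into {host: [port dicts]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_LINE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), [])
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            current.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "version": version or ""})
    return hosts

def review(hosts):
    """Return (host, port, finding) for open services that need attention."""
    findings = []
    for host, ports in hosts.items():
        for p in ports:
            if p["state"] != "open":
                continue
            if "no password" in p["version"].lower():
                findings.append((host, p["port"], "unauthenticated " + p["service"]))
            elif p["service"] in CLEARTEXT:
                findings.append((host, p["port"], "cleartext " + p["service"]))
    return findings

# Sample assembled from the scan outputs shown on this page.
SAMPLE = """\
Interesting ports on 10.20.2.41:
PORT    STATE  SERVICE   VERSION
21/tcp  open   ftp
23/tcp  open   telnet    HP JetDirect printer telnetd (No password)
81/tcp  closed hosts2-ns
443/tcp open   https
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
"""

if __name__ == "__main__":
    print(review(parse_normal_output(SAMPLE)))
```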


ScanLine (sl)
ScanLine does not have anywhere near the same amount of functionality as a tool such as Nmap, but it can be used to quickly identify whether a port is open or a host is up. To perform a basic scan with ScanLine (sl) use the following syntax:
sl 192.168.1.1
This will ping the host and perform a basic scan of known ports. Below is the result.
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Scan of 1 IP started at Thu Oct 25 21:51:36 2007
--------------------------------------------------------
192.168.1.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 21 80 1723
UDP ports:
We can see from the result that it has found open TCP ports 21, 80 and 1723.
As some devices are configured to drop ICMP, sl may assume the host is not up if it gets no response and quit. To prevent this use the -p option. The -t or -u option can also be specified, followed by port numbers, to address only certain ports. Below is an example of this.
sl -vpbt 80 192.168.1.1
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Adding IP 192.168.1.1
Banner grabbing enabled.
No pinging before scanning.
Scan of 1 IP started at Thu Oct 25 22:01:16 2007
Scanning 1 IP...
------------------------------------------------------
192.168.1.1
Responds with ICMP unreachable: No
TCP ports: 80
TCP 80:
[HTTP/1.0 401 Unauthorized Access Denied]
------------------------------------------------------
Scan finished at Thu Oct 25 22:01:16 2007
1 IP and 1 port scanned in 0 hours 0 mins 0.05 secs
Above you can see that I have discovered a web server listening on port 80.
You can also specify a range of ports or addresses to sl such as:
sl -pt 21,23,80-250 192.168.1.1-10
The output of a scan can also be written to a file using the -o switch followed by a filename.
For additional info on the other switches available use sl /?


Netcat
Netcat can do pretty much anything: act as a proxy, transfer files, serve as a chat client or a backdoor and, yes, port scanning. Now, it's not fast and it's not pretty, but it'll do it. The syntax is below.
nc -vv -z -n -w1 192.168.1.1 23 80 34
And the output is:
(UNKNOWN) [192.168.1.1] 23 (?): connection refused
(UNKNOWN) [192.168.1.1] 80 (?) open
(UNKNOWN) [192.168.1.1] 34 (?): TIMEDOUT
sent 0, rcvd 0: NOTSOCK
So I can see that I have open ports 23 and 80.


Utility to remove OS/process locks on files while copying, renaming or deleting



LockHunter is a foolproof file unlocker
It is a free tool to delete files blocked by something you do not know. LockHunter is useful for fighting against malware, and other programs that are blocking files without a reason. Unlike other similar tools it deletes files into the recycle bin so you may restore them if deleted by mistake.

Key Features

  • Shows processes locking a file or folder
  • Allows you to unlock, delete, copy or rename a locked file
  • Allows you to kill the locking process
  • Allows you to remove locking processes from the hard drive
  • Can unload DLLs from processes
  • Integrates into the Explorer menu
  • It deletes files into the recycle bin, so you may restore them if deleted by mistake
  • Supports both 32 and 64bit Windows


Bulk Rename Utility - Windows - Freeware


Bulk Rename Utility


Introduction

Bulk Rename Utility is free file renaming software for Windows. Bulk Rename Utility allows you to easily rename files and entire folders based upon extremely flexible criteria.
Add date/time stamps, replace numbers, insert text, convert case, add auto-numbers, process folders and sub-folders....plus a whole lot more!

- Rename multiple files quickly, according to many flexible criteria.
- Rename files in many ways: add, replace, insert text into file names. Convert case, add numbers. Remove or change file extensions.
- Check the detailed preview before renaming.
- Rename photos using EXIF meta data (i.e. "Date Picture Taken", "Resolution" and other information embedded in all JPG photo files) Rename your holiday pictures from a meaningless dsc1790.jpg to NewYork1.jpg in a flash.
- Rename MP3 files using ID3 tags (a.k.a. MP3 ID3 tag renaming).
- Change files' creation and modification time stamps.
- It's free. Easy to Install. Download and start renaming your files now!


How To Crack, Hack or Remove Windows Passwords


Copied it from site and it is not my article, all credit goes to author and the site


Whether you’re feeling a little mischievous and want to learn how to crack Windows passwords for fun or just trying to gain access to your PC because you’ve once again forgotten your password, you have several options to achieve your objective and at the same time, gain some insight into how to better protect your computer against similar methods of cracks and attacks.
If you’d like to learn how to crack Windows passwords, there are multiple methods of doing so – some are easy and some are painstakingly difficult – but each of them comes with their own advantages and disadvantages, strengths and weaknesses, in addition to certain usage restrictions.
So, let’s get cracking and see some of the best ways to crack Windows passwords and gain access to the files on a Windows PC secured by a password.

Windows Password Crack: Method #1. The Easy Way

Windows 7 :- Create Keyboard Shortcuts for Programs

Create Keyboard Shortcuts for Programs

You can create keyboard shortcuts for any program in Windows 7. Right-click the program icon and select Properties. Select the Shortcut tab and click in Shortcut key to set the keyboard shortcut for that program.



Source :- Here you go