# Scanning Networks

## Host Discovery

Host discovery is usually referred to as '**ping**' scanning, using a sonar analogy. The goal is to send a packet through to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response.

### Netdiscover

Netdiscover is a discovery tool that is built into Kali Linux 2018.2. Currently at version 03-pre-beta7 and written by Jaime Penalba, Netdiscover can perform reconnaissance and discovery on both wireless and switched networks using ARP requests.

To launch Netdiscover, type `netdiscover -h` to view the usage options. If you type the `netdiscover` command by itself, Netdiscover launches a default scan.

```
netdiscover -i (network interface name) (example: eth0 or tun0)
netdiscover -i eth0
netdiscover -r 10.10.10.0/24
```

{% hint style="info" %}
The interface name may differ from **eth0** if you are on a VPN network; in that case it is usually **tun0**.
{% endhint %}

* This will help you get all available machines on the network.
* Always make a habit of saving the IPs of the machines, since we use them a lot.
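What netdiscover actually sends and listens for is plain ARP. The following added Python example (not part of these notes and not netdiscover's own code) builds the 42-byte ARP request frame, parses replies, and filters a constructed batch of captured frames down to the live hosts. All MAC and IP values are made up, and putting the request on the wire (a raw socket, which needs root) is deliberately left out: the code works on bytes only.

```python
"""Build and parse ARP frames to show what an ARP-based discovery tool such as
netdiscover puts on the wire. Added example, not netdiscover's code; every
MAC/IP value below is constructed. Sending the frames (raw socket, root) is
intentionally omitted."""
import struct
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(p, 16) for p in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP body (28 bytes) = 42 bytes."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac   # requests are broadcast
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hw type 1 = Ethernet, proto 0x0800 = IPv4, hw len 6, proto len 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        return None
    body = frame[22:42]
    return {"op": op,
            "sender_mac": bytes_to_mac(body[0:6]), "sender_ip": bytes_to_ip(body[6:10]),
            "target_mac": bytes_to_mac(body[10:16]), "target_ip": bytes_to_ip(body[16:20])}


def live_hosts(frames, scanner_ip: str) -> dict:
    """Map IP -> MAC for every ARP reply addressed to the scanner, skipping
    requests, replies meant for other hosts and non-ARP traffic."""
    found = {}
    for frame in frames:
        p = parse_arp(frame)
        if p and p["op"] == ARP_REPLY and p["target_ip"] == scanner_ip:
            found[p["sender_ip"]] = p["sender_mac"]
    return found


SCANNER_MAC, SCANNER_IP = "02:00:00:aa:bb:01", "10.10.10.5"   # constructed
# Constructed "captured" traffic: two replies to us, one reply to someone else,
# a request from another host, and an IPv4 frame that is not ARP at all.
SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, "02:00:00:aa:bb:10", "10.10.10.10", SCANNER_MAC, SCANNER_IP),
    build_arp(ARP_REPLY, "02:00:00:aa:bb:20", "10.10.10.20", SCANNER_MAC, SCANNER_IP),
    build_arp(ARP_REPLY, "02:00:00:aa:bb:30", "10.10.10.30", "02:00:00:aa:bb:99", "10.10.10.99"),
    build_arp(ARP_REQUEST, "02:00:00:aa:bb:40", "10.10.10.40", "00:00:00:00:00:00", SCANNER_IP),
    b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 40,
]

if __name__ == "__main__":
    for ip, mac in sorted(live_hosts(SAMPLE_FRAMES, SCANNER_IP).items()):
        print(f"{ip:<16} {mac}")
```

Because ARP never crosses a router, this style of discovery only finds hosts on the scanner's own layer-2 segment; for anything beyond that you need the ICMP/TCP probes that `nmap -sn` sends.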

### Nmap

We can also use nmap to discover hosts in a given IP subnet.

**Note:** In the next section you will learn what Nmap is and how it is used.

```
nmap -sn 10.10.1.1-254 -vv -oA nmapHostsOutput
    • -sn -> Disable Port scanning
    • -vv -> verbose mode
    • -oA -> output the results in 3 formats (nmap, gnmap, xml)
```

## Nmap

### Introduction to Nmap

Nmap **allows you to scan your network and discover not only everything connected to it**, but also a wide variety of information about what's connected, what services each host is running, and so on. It was created by Gordon Lyon. It supports a large number of scanning techniques, such as UDP, TCP connect(), TCP SYN (half-open) and FTP bounce. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

### Basic command

```
nmap -p- -sC -sV -O -A -T4 -oA nmapOutputfile 10.10.X.X

    • -p- -> Scans every TCP port on the host (1-65535)
    • -sC -> Runs the default NSE scripts
    • -sV -> Service/version detection
    • -O  -> OS detection
    • -A  -> Aggressive scan: OS detection, version detection, script scanning and traceroute
    • -T4 -> Timing template 4 (aggressive); the default is T3
    • -oA -> Store the output in 3 formats (nmap, gnmap, xml)
```

### Cheatsheet for nmap

This cheat sheet was prepared by StationX (<https://www.stationx.net/nmap-cheat-sheet/>). You can also check out the cheat sheet there. I've attached the file below 👇🏻

{% file src="https://146382273-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTnYLydS0JgZzHeOY4n38%2Fuploads%2FnfCUKi6arZHAFyiIIaZF%2Fnmap_cheet_sheet_v7.pdf?alt=media&token=18bec52d-6b10-4686-970b-579d563021a7" %}
<https://www.stationx.net/nmap-cheat-sheet/>
{% endfile %}

#### Switches in nmap which you might need to know

<table><thead><tr><th width="185.26939394008483" align="center">Switch</th><th width="568.4285714285713">Description</th></tr></thead><tbody><tr><td align="center">-sA</td><td>ACK scan</td></tr><tr><td align="center">-sF</td><td>FIN scan</td></tr><tr><td align="center">-sI</td><td>IDLE scan</td></tr><tr><td align="center">-sL</td><td>DNS scan (list scan)</td></tr><tr><td align="center">-sN</td><td>NULL scan</td></tr><tr><td align="center">-sO</td><td>Protocol scan (tests which IP protocols respond)</td></tr><tr><td align="center">-sP</td><td>Ping scan</td></tr><tr><td align="center">-sR</td><td>RPC scan</td></tr><tr><td align="center">-sS</td><td>SYN scan</td></tr><tr><td align="center">-sT</td><td>TCP connect scan</td></tr><tr><td align="center">-sW</td><td>Window scan</td></tr><tr><td align="center">-sX</td><td>XMAS scan</td></tr><tr><td align="center">-A</td><td>OS detection, version detection, script scanning and traceroute</td></tr><tr><td align="center">-PI</td><td>ICMP ping</td></tr><tr><td align="center">-P0</td><td>No ping</td></tr><tr><td align="center">-PS</td><td>SYN ping</td></tr><tr><td align="center">-PT</td><td>TCP ping</td></tr><tr><td align="center">-oA</td><td>Output the results in 3 formats (nmap, gnmap, xml)</td></tr><tr><td align="center">-oN</td><td>Normal output</td></tr><tr><td align="center">-oX</td><td>XML output</td></tr><tr><td align="center">-T0 through -T2</td><td>Serial scans. T0 is slowest</td></tr><tr><td align="center">-T3 through -T5</td><td>Parallel scans. T3 is slowest</td></tr></tbody></table>

### Port specific NSE scripts

Using NSE (the Nmap Scripting Engine) we can perform specific enumeration, and in some cases exploitation, on a host. The scripts live under `/usr/share/nmap/scripts/`; list the ones for a given service by their name prefix:

```
ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*
```

### Bypassing Firewall

<table><thead><tr><th width="232.33333333333331">Switch</th><th width="242.5840801265156">Example</th><th>Description</th></tr></thead><tbody><tr><td>-f</td><td>nmap -f 10.10.10.10</td><td>Fragment packets (split the probes into small IP fragments)</td></tr><tr><td>-g</td><td>nmap -g 80 10.10.10.10</td><td>Source port manipulation (send the probes from the given port)</td></tr><tr><td>-mtu</td><td>nmap -mtu 8 10.10.10.10</td><td>Crunch the packets down to 8-byte fragments (the value must be a multiple of 8)</td></tr><tr><td>-D RND</td><td>nmap -D RND:10 10.10.10.10</td><td>Decoy scan: generates 10 random, non-reserved IPs as decoys</td></tr><tr><td>--data 0xdeadbeef</td><td>nmap 10.10.10.10 --data 0xdeadbeef</td><td>Send the given binary data (hex bytes) as payload</td></tr><tr><td>--data-string "Ph34r my l33t skills"</td><td>nmap 10.10.10.10 --data-string "Ph34r my l33t skills"</td><td>Send a string as payload</td></tr><tr><td>--data-length 5</td><td>nmap --data-length 5 10.10.10.10</td><td>Append 5 random bytes as payload</td></tr><tr><td>--randomize-hosts</td><td>nmap --randomize-hosts 10.10.10.10</td><td>Scan the target hosts in random order instead of sequentially</td></tr><tr><td>--badsum</td><td>nmap --badsum 10.10.10.10</td><td>Send a bad or bogus TCP/UDP checksum</td></tr></tbody></table>
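The `--badsum` row is worth a closer look from the receiving side: a conforming TCP/IP stack verifies the checksum and silently drops a segment that fails it, so any reply to a bad-checksum probe comes from something in the path that answered without checking. The added Python example below (not nmap's code and not part of these notes) implements the RFC 793 pseudo-header checksum, builds a SYN segment, corrupts it the way `--badsum` does, and shows the receiver-side check that tells the two apart. The addresses and the segment are constructed.

```python
"""Compute and verify the TCP checksum that nmap's --badsum option deliberately
corrupts. Added example, not nmap's code. A conforming TCP/IP stack drops a
segment whose checksum fails, so a reply to such a segment indicates a device
that answered without validating it. Addresses and the SYN segment below are
constructed."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero byte, protocol 6 (TCP), TCP length
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Sender side: checksum over pseudo-header + segment with the checksum
    field (bytes 16-17 of the TCP header) zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    data = tcp_pseudo_header(src_ip, dst_ip, len(segment)) + zeroed
    return (~ones_complement_sum(data)) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver side: summing the segment including its stored checksum must
    give all ones; anything else means the segment should be dropped."""
    data = tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return ones_complement_sum(data) == 0xFFFF


def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
              seq: int = 0, bad_sum: bool = False) -> bytes:
    """20-byte TCP header with only SYN set; bad_sum mimics nmap --badsum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4,   # data offset: 5 words, no options
                      0x02,     # flags: SYN
                      64240,    # window size
                      0,        # checksum placeholder
                      0)        # urgent pointer
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    if bad_sum:
        csum ^= 0x5A5A   # flip bits so the receiver's check fails
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


SRC, DST = bytes([10, 10, 10, 5]), bytes([10, 10, 10, 10])   # constructed addresses

if __name__ == "__main__":
    good = build_syn(SRC, DST, 40000, 80, seq=1)
    bad = build_syn(SRC, DST, 40000, 80, seq=1, bad_sum=True)
    print("valid segment passes check:  ", checksum_ok(SRC, DST, good))
    print("--badsum segment passes check:", checksum_ok(SRC, DST, bad))
```

The same verification is what an IDS or firewall should apply before acting on a segment; a device that responds to or alerts on segments a real host would discard is both easier to fingerprint and easier to flood with noise.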

## Zenmap

Zenmap is the official <mark style="color:purple;">**Nmap Security Scanner GUI**</mark>. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

{% embed url="https://nmap.org/zenmap" %}
Official Zenmap link
{% endembed %}

{% hint style="info" %}

* <mark style="color:red;">**I strongly recommend**</mark> that you go with [<mark style="color:purple;">**Zenmap**</mark>](#zenmap) from the exam point of view.
* When you start your exam, the first thing to do is to start a **Zenmap (GUI version of Nmap)** scan on your Windows machine.
* The reason is that in <mark style="color:green;">**Parrot OS**</mark> you may find it hard to parse all the IPs, because the <mark style="color:green;">**green colour**</mark> of the terminal might overwhelm you. Instead, the [<mark style="color:purple;">**Zenmap GUI**</mark>](#zenmap) is useful for finding out the services and OS running on that IP with a cute user interface.
* **Trust me!💪🏻** This will be the great life-changer of your exam.
* I know that as a penetration tester working on the terminal is cool 😎, but in the heat of the moment the browser-based VM would make you tense.
{% endhint %}

## Angry IP Scanner

* Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports and has [many other features](https://angryip.org/about/).
* It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies.
* It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well.

![](https://146382273-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTnYLydS0JgZzHeOY4n38%2Fuploads%2F7nvGwJJ30F4YmAOqS3SS%2Fipscan-win10.png?alt=media\&token=99f46271-b48b-4784-a8b4-57db352acd86)

{% embed url="https://angryip.org" %}

## MegaPing

* MegaPing is an all-in-one toolkit that provides essential utilities for information system specialists, system administrators, IT solution providers and individuals.
* MegaPing is also a port and service scanning tool for Windows.

![https://www.softpedia.com/get/Network-Tools/Network-Monitoring/MegaPing.shtml](https://146382273-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTnYLydS0JgZzHeOY4n38%2Fuploads%2F4uwZL52HIvetHIy3Q2wX%2FMegaPing.png?alt=media\&token=5103ac30-bc09-448b-8cb0-a59e0f19a559)

## Hping3

* hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies, as ping does with ICMP replies.
* It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the Tcl language.
* hping3 is also used to scan a particular IP and to flood it (DoS).

```
hping3 10.10.10.x --udp --random-source --data 500   # UDP probes with spoofed random source addresses and 500 bytes of data
hping3 -S 10.10.10.x -p 80 -c 5                      # send 5 TCP SYN packets to port 80
hping3 10.10.10.x --flood                            # flood the IP with TCP packets as fast as possible (DoS test)
```

{% hint style="success" %}
Later, in the upcoming modules, you may have a chance to use [**Hping3**](#hping3). But for the time being, as per my suggestion, use [<mark style="color:purple;">**ZenMap GUI**</mark>](#zenmap) to scan the IP range and get the information, or if you are comfortable with the CLI go for [**nmap**](#nmap).
{% endhint %}

## Operating System Discovery

* Operating System (OS) discovery has **two types**:
  * Active Banner Grabbing
  * Passive Banner Grabbing
* By grabbing the TTL and TCP window size from a host's responses, we can estimate which operating system the server runs. The table below lists typical values for common operating systems.

<table><thead><tr><th width="269.3333333333333">Operating System (OS)</th><th width="186.50597609561754">Time To Live</th><th>TCP Window Size</th></tr></thead><tbody><tr><td>Linux (Kernel 2.4 and 2.6)</td><td>64</td><td>5840</td></tr><tr><td>Google Linux</td><td>64</td><td>5720</td></tr><tr><td>FreeBSD</td><td>64</td><td>65535</td></tr><tr><td>OpenBSD</td><td>64</td><td>16384</td></tr><tr><td>Windows 95</td><td>32</td><td>8192</td></tr><tr><td>Windows 2000</td><td>128</td><td>16384</td></tr><tr><td>Windows XP</td><td>128</td><td>65535</td></tr><tr><td>Windows 98, Vista and 7 (Server 2008)</td><td>128</td><td>8192</td></tr><tr><td>Cisco IOS 12.4 (Cisco routers)</td><td>255</td><td>4128</td></tr><tr><td>Solaris 7</td><td>255</td><td>8760</td></tr><tr><td>AIX 4.3</td><td>64</td><td>16384</td></tr></tbody></table>

![TTL of this IP is 128 so it might be Windows 98, Vista and 7 (Server 2008)](https://146382273-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTnYLydS0JgZzHeOY4n38%2Fuploads%2F5ea2xPKdfC0yIn8CthgH%2Fimage.png?alt=media\&token=5540d543-1bed-4b06-a0fb-babf75177f0a)
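Reading the TTL off a ping reply is only the first step: the reply has been decremented once per router on the way back, so the observed value has to be rounded up to a plausible initial TTL before the table applies. The added Python example below (not part of the original notes) does that rounding, reports the implied hop count, and narrows the candidates with the TCP window size; the table values are the ones above, and the ping line it parses is constructed.

```python
"""Infer the likely operating system from the TTL and TCP window size seen in
a host's replies, using the table from this page. Added example, not part of
the original notes. A TTL is decremented once per hop, so an observed 120 is
rounded up to an initial 128 with 8 hops in between. The ping line below is
constructed."""
import re

# (OS, initial TTL, TCP window size) exactly as listed in the page's table
OS_TABLE = [
    ("Linux (Kernel 2.4 and 2.6)", 64, 5840),
    ("Google Linux", 64, 5720),
    ("FreeBSD", 64, 65535),
    ("OpenBSD", 64, 16384),
    ("Windows 95", 32, 8192),
    ("Windows 2000", 128, 16384),
    ("Windows XP", 128, 65535),
    ("Windows 98, Vista and 7 (Server 2008)", 128, 8192),
    ("Cisco IOS 12.4", 255, 4128),
    ("Solaris 7", 255, 8760),
    ("AIX 4.3", 64, 16384),
]
INITIAL_TTLS = (32, 64, 128, 255)   # the initial values the table distinguishes


def initial_ttl(observed: int):
    """Round an observed TTL up to the nearest common initial value."""
    if not 0 < observed <= 255:
        return None
    return next(t for t in INITIAL_TTLS if observed <= t)


def guess_os(observed_ttl: int, window=None) -> dict:
    """Candidates from the table whose initial TTL (and window, if given) match."""
    init = initial_ttl(observed_ttl)
    if init is None:
        return {"initial_ttl": None, "hops": None, "candidates": []}
    cands = [name for name, ttl, win in OS_TABLE
             if ttl == init and (window is None or win == window)]
    return {"initial_ttl": init, "hops": init - observed_ttl, "candidates": cands}


PING_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def ttl_from_ping(output: str):
    """Pull the TTL out of ping output (Linux 'ttl=' or Windows 'TTL=')."""
    m = PING_RE.search(output)
    return int(m.group(1)) if m else None


# Constructed ping reply from a host 8 hops away
SAMPLE_PING = "64 bytes from 10.10.10.10: icmp_seq=1 ttl=120 time=11.2 ms"

if __name__ == "__main__":
    ttl = ttl_from_ping(SAMPLE_PING)
    print(guess_os(ttl, window=8192))
```

Note the ambiguities the table itself contains: OpenBSD and AIX 4.3 share TTL 64 and window 16384, and a Linux host more than 32 hops away would be misread as Windows 95. Treat the result as a hint to confirm with `nmap -O` or `smb-os-discovery`, not as a verdict.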

### Nmap Script

```
nmap --script smb-os-discovery.nse 10.10.10.x
```

## Metasploit

> We can also scan our target using Metasploit.

#### Init the Metasploit Framework and check the status of database

```
msfdb init                 # create and initialise the Metasploit database
service postgresql start   # make sure PostgreSQL is running
msfconsole
db_status                  # inside msfconsole: confirm the database connection
```

#### Scanning using Nmap inside Metasploit

```
nmap -Pn -sS -A -oX Test 10.10.10/24   # run from the msfconsole prompt; XML output goes to the file "Test"
db_import Test                          # import the XML results into the database
hosts                                   # lists the discovered hosts of the subnet with their details
services                                # (or db_services) lists the discovered services
```
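Both `-oA` (in the basic command above) and the `-oX` file fed to `db_import` produce machine-readable output, and parsing it yourself is often easier than reading it off a terminal. The added Python example below (not Nmap's or Metasploit's code, and not part of these notes) parses the XML and grepable formats into one host/port structure and diffs two scans the way Zenmap's compare feature does; the sample output it parses is constructed to look like a small lab host.

```python
"""Parse the XML (-oX / -oA) and grepable (-oG / -oA) formats that Nmap writes,
so results can be post-processed or diffed. Added example, not Nmap's or
Metasploit's code; the SAMPLE_* inputs are constructed to look like real
output for a lab host."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oA scan 10.10.10.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="10.10.10.10" addrtype="ipv4"/>
<hostnames><hostname name="web01.lab" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
<service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="10.10.10.11" addrtype="ipv4"/></host>
</nmaprun>"""

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -sV -oA scan 10.10.10.0/24\n"
    "Host: 10.10.10.10 (web01.lab)\tStatus: Up\n"
    "Host: 10.10.10.10 (web01.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//nginx/, 445/filtered/tcp//microsoft-ds///"
    "\tIgnored State: closed (997)\n"
    "Host: 10.10.10.11 ()\tStatus: Down\n"
)


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    product: str = ""


@dataclass
class Host:
    ip: str
    up: bool
    hostname: str = ""
    ports: list = field(default_factory=list)

    def open_ports(self):
        return sorted(p.number for p in self.ports if p.state == "open")


def parse_nmap_xml(text: str) -> dict:
    """IP -> Host from Nmap XML (the format db_import consumes)."""
    hosts = {}
    for h in ET.fromstring(text).iter("host"):
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        host = Host(ip=addr.get("addr"), up=h.find("status").get("state") == "up")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            host.hostname = hn.get("name", "")
        for p in h.iter("port"):
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            prod = " ".join(x for x in ((svc.get("product"), svc.get("version")) if svc is not None else ()) if x)
            host.ports.append(Port(int(p.get("portid")), p.get("protocol"),
                                   p.find("state").get("state"), name, prod))
        hosts[host.ip] = host
    return hosts


def parse_gnmap(text: str) -> dict:
    """IP -> Host from grepable output; fields are tab-separated, port entries
    are 'port/state/proto/owner/service/rpc/version/'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        m = re.match(r"Host: (\S+) \((.*?)\)", fields[0])
        ip, name = m.group(1), m.group(2)
        host = hosts.setdefault(ip, Host(ip=ip, up=False, hostname=name))
        for f in fields[1:]:
            if f.startswith("Status: "):
                host.up = f == "Status: Up"
            elif f.startswith("Ports: "):
                host.up = True
                for entry in f[len("Ports: "):].split(", "):
                    num, state, proto, _owner, svc, _rpc, ver = entry.split("/")[:7]
                    host.ports.append(Port(int(num), proto, state, svc, ver))
    return hosts


def diff_scans(old: dict, new: dict) -> dict:
    """Ports that became open or stopped being open between two scans."""
    changes = {}
    for ip in set(old) | set(new):
        before = set(old[ip].open_ports()) if ip in old else set()
        after = set(new[ip].open_ports()) if ip in new else set()
        if before != after:
            changes[ip] = {"opened": sorted(after - before), "closed": sorted(before - after)}
    return changes
```

Diffing two parsed scans of the same range is the quickest way to spot a newly exposed service between scan runs, which is the same comparison Zenmap offers in its GUI.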

{% hint style="success" %}
As per my wish, I avoided the Nmap scan using Metasploit because the process looks tedious **to me**, whereas using [<mark style="color:purple;">**ZenMap GUI**</mark>](#zenmap) or even the [**Nmap CLI**](#nmap) is much easier; you can get the available machines' IPs from the IP subnet through the [**host discovery**](#host-discovery) command.
{% endhint %}

