Scanning

HPING3

hping3 -S <IP> -p <port> = Simple SYN packet to the specified port. Sends packets until manually stopped; add -c <#> to specify how many packets to send.

hping3 -S --scan 1-1000 <IP> = Scan ports 1-1000
hping3 -S --scan 80,22,3389 <IP> = Scan specified ports
hping3 -S --scan <all/known> <IP> = Scan all ports or the well-known ports

NMAP

-sU = UDP scans. DON'T FORGET TO DO THEM
-sI = Idle scan.

Determining a zombie (look for "IP ID Sequence Generation: Incremental" in the -O output of a host that is otherwise idle)
nmap -O -v <IP> -p <KnownOpenPort>

Once a zombie has been identified

  1. Send a SYN/ACK to the zombie
  2. Zombie should respond with an RST and its IP ID
  3. Create a SYN packet with IP Spoofing (set source as the zombie IP address) and send it to the target host

If port is OPEN

  1. Target host will send a SYN/ACK to the zombie
  2. Zombie will send a RST to target and increment the IP ID by 1
  3. Attacker then probes the zombie with a SYN/ACK
  4. Zombie responds with a RST and an IP ID incremented by 2

If port is CLOSED

  1. Target host responds with a RST, which does not increment the zombie's IP ID
  2. Attacker probes the zombie with a SYN/ACK
  3. Zombie responds with a RST and the IP ID is incremented only by 1

Sending IDLE scan
nmap -Pn -sI <ZombieIP>:<port> <TargetIP> -v -p <ports>

nmap -S <ZombieIP> <TargetIP> -p <Port> -Pn -n -e <interface> --disable-arp-ping = Manually send the spoofed SYN of step 3 (-S sets the source address, -e selects the outgoing interface)
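The inference behind the idle scan above, as an added example that is not part of the original notes and not hping3 or nmap code: a small Python simulation of the zombie's IP ID counter. Zombie, Target and the starting counter value are constructed toy models; nothing is sent on the wire. It shows the delta rule (2 = open, 1 = closed) and also the defensive side: a zombie whose stack randomises IP IDs per packet (the standard mitigation) yields no usable signal.

```python
"""Simulation of the IP ID side channel behind the idle (zombie) scan.

Added example, not part of the original notes and not hping3/nmap code.
Nothing touches the network: Zombie and Target are toy models of the
behaviour described above, so the inference rule (IP ID delta 2 = open,
1 = closed) and the defensive fix (randomised IP IDs) can be checked
offline. All hosts, ports and counters below are constructed values.
"""
import random


class Zombie:
    """The 'idle' host. Every packet it emits consumes one IP ID.

    incremental=True  models the vulnerable case: one global counter shared
                      by every outgoing packet, so anyone can read it.
    incremental=False models a stack that randomises the IP ID per packet,
                      the usual mitigation; the delta then carries no signal.
    """

    def __init__(self, incremental=True, seed=0):
        self.incremental = incremental
        self._counter = 1000                 # constructed starting IP ID
        self._rng = random.Random(seed)

    def _next_ip_id(self):
        if self.incremental:
            self._counter = (self._counter + 1) & 0xFFFF
            return self._counter
        return self._rng.randrange(0, 0x10000)

    def receive(self, flags):
        """IP ID of the reply, or None when the zombie stays silent.
        An unsolicited SYN/ACK is answered with a RST (one IP ID used);
        an incoming RST is simply dropped (no packet, no IP ID)."""
        if flags == "SYN/ACK":
            return self._next_ip_id()
        return None


class Target:
    """The host being scanned; only knows which ports are open."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port, apparent_source):
        """A SYN whose source address was spoofed to the zombie.
        Open port   -> SYN/ACK goes to the zombie, which answers RST
                       and therefore burns an IP ID.
        Closed port -> RST goes to the zombie, which ignores it."""
        if port in self.open_ports:
            apparent_source.receive("SYN/ACK")
        else:
            apparent_source.receive("RST")


def idle_scan_port(zombie, target, port):
    """Infer one port's state from the zombie's IP ID delta.

    Returns 'open' (delta 2), 'closed' (delta 1) or 'unreliable' for any
    other delta, which is what a randomised or busy zombie produces.
    hping3 -r prints exactly this delta as the 'relative ID'.
    """
    before = zombie.receive("SYN/ACK")      # steps 1-2: read current IP ID
    target.receive_syn(port, zombie)        # step 3: spoofed SYN to target
    after = zombie.receive("SYN/ACK")       # re-probe the zombie
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"
    return "unreliable"


def scan_ports(zombie, target, ports):
    """Run idle_scan_port over several ports; returns {port: state}."""
    return {p: idle_scan_port(zombie, target, p) for p in ports}


if __name__ == "__main__":
    target = Target(open_ports={22, 80})
    print("incremental zombie:", scan_ports(Zombie(incremental=True), target, [22, 80, 443]))
    print("randomised zombie: ", scan_ports(Zombie(incremental=False), target, [22, 80, 443]))
```

The model also makes the "idle" requirement concrete: any other traffic the zombie answers between the two probes adds to the delta, which is why a busy host gives "unreliable" results even when its counter is incremental.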


-n = No DNS resolution. Speeds up scans and produces less noise
-b = FTP bounce scan. Relays the scan through an FTP server, hiding our real IP.

-sN = Null scan. No TCP flag bits are set.
-sF = FIN scan. Only sets TCP FIN bit.
-sX = XMAS scan. Sets FIN,PSH,URG bits.

-sA = ACK scan. Used to determine firewall rules.

nmap -sS -Pn --disable-arp-ping -n -d -v -p 80 192.168.0.0/24


Idle Scan with hping3

hping3 -S -r -p <port> <IP> = -r displays the IP ID as a delta from the previous reply (relative ID field).

hping3 -a <ZombieIP> -S -p <port> <TargetIP> = -a spoofs the source address so the SYN appears to come from the zombie


NSE (Nmap Scripting Engine)

USE THIS MORE

/usr/share/nmap/scripts

nmap --script-updatedb = Update script database
nmap --script-help <script> = Display script usage
nmap --script whois-domain <domain> -sn = No port scan; obtain whois info from specified domain
nmap --script smb-os-discovery -p 445 <TargetIP> = SMB discovery of target
nmap --script smb-enum-shares <TargetIP> -p 445 = Enumerate SMB shares and any anonymous permissions

Running categories of scripts against targets:
nmap --script <category> <target>


Netcat:
nc <TargetIP> <Port>

Telnet:
telnet <TargetIP> <Port>

Fingerprinting

Use NMAP for active fingerprinting with -sV and -O options.

P0f is a passive fingerprinting tool.

p0f = Start the listener on the default interface
p0f -i <interface> = Specify an interface to listen on


Firewall and IDS Evasion

http://nmap.org/book/man-bypass-firewalls-ids.html

Fragmentation
Largely obsolete: modern IDS/IPS reassemble fragments before inspection.

nmap -sS -f <Target>
nmap -sS --mtu <8/16/24/32> <Target> = Set the fragment size; has to be a multiple of 8

nmap -sS --data-length 10 -p <Port> <TargetIP> = Appends 10 bytes of data to the packet
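The defender's view of the fragmentation section above and of the -sN/-sF/-sX flag combinations listed earlier, as an added example that is not part of the original notes and not nmap code: a small Python reassembler that rebuilds the TCP header from hand-constructed IP fragments and then names the probe type from its flag byte. It shows why --mtu must be a multiple of 8 (the IP fragment offset field counts 8-byte units), why an inspection point that does not reassemble cannot see the flags of an -f probe at all, and why reassembling first removes the evasion. Packet contents, ports and fragment sizes are all constructed.

```python
"""Reassemble IP fragments, then classify the TCP flags of the result.

Added example, not part of the original notes and not nmap code. It shows
the defender's side: why -f / --mtu fragmentation no longer hides a probe
from an IDS that reassembles before matching, why --mtu must be a multiple
of 8 (the IP fragment offset field counts 8-byte units), and how the
-sN / -sF / -sX flag combinations are recognised once the full TCP header
is visible. All packets below are constructed by hand, not captured.
"""
import struct

# TCP flag bits in header byte 13
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def mtu_is_valid(mtu):
    """IP fragments carry their offset in units of 8 bytes, so every
    fragment except the last must be a positive multiple of 8 long."""
    return mtu > 0 and mtu % 8 == 0


def make_fragments(payload, mtu):
    """Split an IP payload (here: a TCP header) into fragments of `mtu`
    bytes. Each fragment is (offset_in_8_byte_units, more_fragments, data),
    the three pieces of IP header state a reassembler needs."""
    if not mtu_is_valid(mtu):
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for start in range(0, len(payload), mtu):
        data = payload[start:start + mtu]
        more = start + mtu < len(payload)
        frags.append((start // 8, more, data))
    return frags


def reassemble(fragments):
    """Rebuild the payload from fragments given in any order.
    Returns None when the set is incomplete or inconsistent (gap, overlap,
    missing final fragment); an IDS must treat that as 'cannot inspect yet',
    never as 'nothing to inspect'."""
    buf = bytearray()
    saw_last = False
    for off8, more, data in sorted(fragments, key=lambda f: f[0]):
        if off8 * 8 != len(buf):
            return None
        buf += data
        saw_last = saw_last or not more
    return bytes(buf) if saw_last else None


def flags_visible_in_first_fragment(fragments):
    """True if the offset-0 fragment already contains TCP header byte 13.
    With -f (8-byte fragments) it never does, which is the whole point of
    the evasion against a filter that does not reassemble."""
    first = min(fragments, key=lambda f: f[0])
    return first[0] == 0 and len(first[2]) > 13


def tcp_flags(segment):
    """Flag byte of a TCP header of at least 20 bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def classify_probe(flags):
    """Name the anomalous nmap probe a flag byte matches, or None.
    Only combinations that never occur in legitimate traffic are flagged;
    a lone SYN or ACK is also how normal connections look and needs
    rate/fan-out heuristics instead of a per-packet rule."""
    if flags == 0:
        return "null"             # -sN
    if flags == FIN:
        return "fin"              # -sF
    if flags == FIN | PSH | URG:
        return "xmas"             # -sX
    return None


def build_tcp_header(sport, dport, flags):
    """Minimal 20-byte TCP header (no options, zero checksum) for the demo."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


if __name__ == "__main__":
    probe = build_tcp_header(40000, 80, FIN | PSH | URG)   # constructed XMAS probe
    frags = make_fragments(probe, 8)                        # what -f would produce
    print("fragments:", len(frags), "flags visible in first:",
          flags_visible_in_first_fragment(frags))
    print("after reassembly:", classify_probe(tcp_flags(reassemble(frags))))
```

Note that reassemble() refuses gaps and overlaps rather than guessing; real IDS reassembly also has to hold fragments until the last one arrives, which is the resource cost fragmentation tries to impose.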

Decoys

  1. Decoy IPs should belong to hosts that are alive on the network
  2. The attacker's own IP (ME) should sit at a random position in the decoy list

nmap -sS -D <DecoyIP>,<DecoyIP>,<DecoyIP>,ME,<DecoyIP> <TargetIP>

nmap -sS -D RND:<#> -Pn -n --disable-arp-ping <TargetIP> = Set random decoy IPs

Timing

nmap -sS -T<1-5> <TargetIP>

nmap -sS --scan-delay 1m <TargetIP>

nmap -sS --scan-delay 1m --max-retries 1 -p <Ports> <TargetIP>

hping3 -S --scan <Ports> <TargetIP> -i <seconds>

Source Port

nmap -sS --source-port <Port> <TargetIP>

OR

nmap -sS -g <Port> <TargetIP>

MAC Spoofing
nmap -sS --spoof-mac <Vendor> -Pn --disable-arp-ping <TargetIP> = Spoof MAC to a known vendor's MAC address

nmap -sS --spoof-mac 0 -Pn --disable-arp-ping <TargetIP> = Set random MAC

nmap -sS --spoof-mac <MAC> -Pn --disable-arp-ping <TargetIP> = Manually set MAC address

Randomize Hosts
nmap -sS -Pn -n --disable-arp-ping -p <Port> <TargetIP> --randomize-hosts