Please enable JavaScript.

Coggle requires JavaScript to display documents.

Target Enumeration (Firewall / IDS evasion (Timing Technics (play with…

- - - - -T0 / -T1 / -T2 / -T3 / -T4 / -T5
  - - - nmap -f target
  - - - nmap -g port target
  - - - Create packets of specified size, multiple of 8
        
        nmap -mtu size target
  - - - nmap -badsum target
  - - - Drown in requests flow
        
        harder to detect initial source IP on the scan
        
        nmap -D RND:{Random number of Decoys} target
- - - - SYN+port =>, SYN/ACK <=, ACK =>, RST <=; (-sT)
    - - No bits in TCP header + port =>, SI no réponse = port Open / SI RST = port closed; (-sN)
    - - FIN+port =>, SI no rep = Open, Si RST = Closed; (-sF)
    - - Anonymous scan
        
        Send SYN/ACK to Zombie & note fragmentID
        => Send SYN spoofed packets with zombie IP to the target,
        => Target answer SYN/ACK to Zombie,
        => Zombie Send RST cause it did not start communication and Increment the FragmentID,
        => ping SYN/ACK to zombie; Zombie aswer with RST + FragmentID incremented;
        => analyse the fragmentID : SI incremented port Open ELSE Not open/filtered
        
        hping -S -r IP pour trouver un zombie
        
        nmap -pN -p- -sI IP_Zombier IP_Cible
        
        -pN to prevent sending Initial pck to target with your IP
    - - FIN + URG + PUSH + port =>, Si no rep = Open, SI RST = Closed; (-sX)
    - - Used to determine Firewall & ACL rules and if it is statefull
        
        if stateful: it would know that no SYN pckt has been sent & will not allow packt to reach destination
        
        ACK+port =>, SI no rep = Stateful, SI RST = No statefull: (-sA)
    - - SYS+port =>, SYN/ACK <=, RST =>; (-sS)
    - - NMAP website
    - - <Old> USE a ftp server as proxy
        
        Try to send a file on a specific port on the target.
        Allow Internal Network scans
        
        use nmap -b
- - - - + TCP SYN to 80,443