Please enable JavaScript.

Coggle requires JavaScript to display documents.

target enumration and port scaning techniques - Coggle Diagram

- - - - nping --tcp
      - nping --udp
      - nping --tcp-connect
      - nping --icmp
      - nping --arp + ip
- - - - nmap not able tp figure out weathere port is opening or not as packet being filtered which probably means machine is behind firewall
    - - open
        
        it's accessible and application is listeningf
      - closed
        
        port is inaccessple and no app is listening on it
      - unfilttered
        
        port is acccessble by nmap but nmap not abe to find it's open or not
- - - - syntax : nmapp -sS <target ip >
      - nmap -sS -N IPADDRESS -p port number
        
        i-n used to increase speed of scan
        
        -p t specify port to scan
  - - - how it works
        
        source send syn +80
        
        dst reply with syn+ack
        
        source reply with ack
        
        source sedn rst
  - - - NULL scan
        
        accoplished by sending no flags/bits inside tcp header if no response comes it means port is open if a rst packet recived it means port is closed or filtereed
        
        syntax : nmap -sN <target ip>
      - FIN scan
        
        fin basically used to close session and same idea as null
      - xmas scan
        
        used to send combination of fin urg push flags
        
        syntax :nmap -sx <target ip address>
  - - - nmap -sA ip addrr
  - - - ex snmap ,dns ,dhcp
      - syntax : nmap -sU <target ip>
  - - - works by introdusing a zombie to scan the network so hos will never be able to figure out who is orginator
        
        done under two prerequests
        
        finding candidate who's ip and id are incremintal
        
        host should be idle on the network
        
        can be done using tool called Hping2 which scan if and figure out weather host is a good candidate for idle scan hping2 is mainly a good candidate or not
        
        syntax :hping2 -s -r ip
        
        s sending syn flag
        
        d for relative id
        
        f we find in packets that id= +1 then the host is good candidate to idle scan
        
        can be done using metasploit to ensure the host is good candidate or not
        
        for a single host
        
        set RHOSTS target ip address
        
        for a arange of hosts
        
        set RHOSTS start of range-end of range of ip
        
        can be done usig nmap
        
        nmap -sI ip address of zombie ip address of the target
        
        important note that you should use -pN option to prevent nmap from sending host your real ip for packets
        
        nmap -Pn -P- -sI zombie addr target addrr
  - - - syntax -b target ftp server
- - - - -sV (Version detection)
      - Enables version detection, as discussed above. Alternatively, you can use -A, which enables version detection among other things.
      - -sR is an alias for -sV. Prior to March 2011, it was used to active the RPC grinder separately from version detection, but now these options are always combined.
    - - --version-trace (Trace version scan activity)
      - This causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.
      - Prev
- - - - greppable format
        
        grepable format is unix based search o n speciic hosts and ports syntax:nmap -sS 192.168.- -oG reafy
      - xml format
        
        best format because it easly ported on armitage
        
        nmap -sS ip -oX filename
      - normal format
        
        nmap -sS -PN ip -oN name of file we we wanna info to be saved in
- - - - T1 sneaky
        
        we will perfom a asneaky scan and analyze its behavior on wireshark
        
        nmap -T1 <target ip >
      - T2
        
        politee
      - t0
        
        paranoid
      - T4
        
        aggresive
      - T3
        
        normal
      - T5
        
        insane
  - - - nmap -f ip addr
  - - - common ports 53,21,80
        
        -g parameter allows us to specify a port , nmap -PN -g portnum ipaddr
  - - - nmap -mtu numofmtu you want target ip