Here are some of the basic footprinting and scanning techniques I use. These are specific to fping and Nmap.
Fping is a Linux tool that should be used instead of the standard ping utility. The steps below show how to use fping for a standard ping sweep. Fping is installed by default on Kali Linux and you can run it from the command line using the following syntax:
fping –a –g IPRANGE
The -a option forces the tool to show only alive hosts. The -g option tells the tool that we want to perform a ping sweep instead of a standard ping. You can define an IP range by using the CIDR notation or by specifying the start and the ending addresses of the sweep. Examples:
fping –a –g 10.54.12.0/24 # fping –a –g 10.54.12.0 10.54.12.255
to supress the “offline” hosts warning add /dev/null
fping -a -g 192.168.82.0 192.168.82.255 2>/dev/null
Basic Ping Scan
You can perform a ping scan by using the -sn command line switch. You can specify your targets on the command line in CIDR format, as a range and by using wildcard notation.
nmap –sn 18.104.22.168/16 # nmap –sn 22.214.171.124-12 # nmap –sn 172.16.12.*
nmap –sn 200.200.12-13.*
Moreover you can save your host list in a file and use the input list -iL command line switch. Example: You can achieve the same results of the previous example by creating a file containing:
126.96.36.199/16 188.8.131.52-12 172.16.12.* 200.200.12-13.*
you would then save this file into a txt file named hostnames.txt and would then call that text file in an map scan in conjunction with -sn:
nmap –sn –iL hostnames.txt
OS Fingerprinting w/ Nmap
OS fingerprinting is the process of determining the operating system used by a host on a network.To perform OS fingerprinting with nmap you have to use the -O command line option and specify your target(s). You can also add the -Pn switch to skip the ping scan:
nmap –Pn –O <target(s)>
You can fine tune the OS fingerprinting process by using the following options:
1.OS DETECTION: -O (Enable OS detection)
2.—osscan-limit: Limit OS detection to promising targets
3.—osscan-guess: Guess OS more aggressively
If you really need to detect the OS of a machine you know is alive, but is not responding to ping probes, you could run:
nmap –Pn –O <target>
On the other hand if you have to scan thousands of hosts you could at first limit OS reconnaissance to just the promising ones.
nmap –O --osscan-limit <targets>
Port Scanning with Nmap
Port scanning is a process and technique used to enumerate open TCP and UDP ports on target hosts. Additionally, port scanning provides information on which daemon (software and its version), is listening on a specific port. Port scanning allows us to create a list of potential weaknesses and vulnerabilities that we can use later on in our pentest.
To pass a scan type or an option on the command line, you have to use a dash “-” followed by one or more letters to specify your options. For example:
nmap –sS –sV –O --osscan-limit 192.168.1.0/24
The most used scan types are:
1. -sT that performs a TCP connect scan
2. -sS which performs a SYN scan
3. -sV that performs a version detection scan
To perform a TCP connect scan, you can use the command line switch -sT. Keep in mind that this type of scan gets recorded in the application logs on the target systems, as every daemon will receive a connection from the scanning machine.
nmap –sT <target>
To perform a TCP SYN scan, you can use the command line switch -sS. This type of scan is also known as stealth scan because it does not create a (full) connection to the target daemons. A well configured IDS will still log the scan.
nmap –sS <target>
To perform a version detection scan, you can use the command line switch -sV. This type of scan mixes a TCP connect scan with some probes used to detect what application is listening on a specific port.
nmap –sV <target>
Specifying targets by their DNS names is just a matter of writing them on the command line.
nmap <scan type> target1.domain.com target2.otherdomain.com
In the same way you can write a list of IP addresses on the command line.
nmap <scan type> 192.168.1.45 184.108.40.206 10.10.1.1 10.10.1.3
Or use the CIDR notation, if you have to scan one or more networks.
nmap <scan type> 192.168.1.0/24 220.127.116.11/16 10.0.0.0/8
When you specify one or more targets, by default Nmap scans the most common ports used on the Internet. If you want to specify custom ports, you can use the -p option. You can specify your ports as a comma separated list, or as a port interval.
nmap –p 21,22,139,445,443,80 <target> # nmap –p 100-1000 <target>
Here are some distinct Nmap examples:
This performs a TCP connect scan –
nmap –sT 192.168.12.33,45
This performs a service detection scan
nmap –sV 10.11.12.0/24 10.200.0.1
This performs a SYN scan
nmap –sS 18.104.22.168 4.5.6-9.7
This performs a SYN scan on port 80 only
nmap –p 80 10.11.12.0/24
his performs a TCP connect scan on the first 100 ports and on port 443
nmap –sT –p 1-100,443 192.168.12.33,45