Basic Scanning with Fping and Nmap

Here are some of the basic footprinting and scanning techniques I use.  These are specific to fping and Nmap.

Fping is a Linux tool that should be used instead of the standard ping utility. The steps below show how to use fping for a standard ping sweep. Fping is installed by default on Kali Linux and you can run it from the command line using the following syntax:

fping –a –g IPRANGE

The -a option forces the tool to show only alive hosts. The -g option tells the tool that we want to perform a ping sweep instead of a standard ping. You can define an IP range by using the CIDR notation or by specifying the start and the ending addresses of the sweep. Examples:
fping –a –g # fping –a –g

to supress the “offline” hosts warning add /dev/null

fping -a -g 2>/dev/null


Basic Ping Scan
You can perform a ping scan by using the -sn command line switch. You can specify your targets on the command line in CIDR format, as a range and by using wildcard notation.

nmap –sn # nmap –sn # nmap –sn 172.16.12.*

nmap –sn 200.200.12-13.*

Moreover you can save your host list in a file and use the input list -iL command line switch. Example: You can achieve the same results of the previous example by creating a file containing: 172.16.12.* 200.200.12-13.*

you would then save this file into a txt file named hostnames.txt and would then call that text file in an map scan in conjunction with -sn:
nmap –sn –iL hostnames.txt

OS Fingerprinting w/ Nmap

OS fingerprinting is the process of determining the operating system used by a host on a network.To perform OS fingerprinting with nmap you have to use the -O command line option and specify your target(s). You can also add the -Pn switch to skip the ping scan:

nmap –Pn –O <target(s)>

You can fine tune the OS fingerprinting process by using the following options:
1.OS DETECTION: -O (Enable OS detection)
2.—osscan-limit: Limit OS detection to promising targets
3.—osscan-guess: Guess OS more aggressively

If you really need to detect the OS of a machine you know is alive, but is not responding to ping probes, you could run:
nmap –Pn –O <target>
On the other hand if you have to scan thousands of hosts you could at first limit OS reconnaissance to just the promising ones.
nmap –O --osscan-limit <targets>

Port Scanning with Nmap

Port scanning is a process and technique used to enumerate open TCP and UDP ports on target hosts. Additionally, port scanning provides information on which daemon (software and its version), is listening on a specific port. Port scanning allows us to create a list of potential weaknesses and vulnerabilities that we can use later on in our pentest.

To pass a scan type or an option on the command line, you have to use a dash “-” followed by one or more letters to specify your options. For example:
nmap –sS –sV –O --osscan-limit

The most used scan types are:
1. -sT that performs a TCP connect scan
2. -sS which performs a SYN scan
3. -sV that performs a version detection scan

To perform a TCP connect scan, you can use the command line switch -sT. Keep in mind that this type of scan gets recorded in the application logs on the target systems, as every daemon will receive a connection from the scanning machine.
nmap –sT <target>

To perform a TCP SYN scan, you can use the command line switch -sS. This type of scan is also known as stealth scan because it does not create a (full) connection to the target daemons. A well configured IDS will still log the scan.
nmap –sS <target>

To perform a version detection scan, you can use the command line switch -sV. This type of scan mixes a TCP connect scan with some probes used to detect what application is listening on a specific port.
nmap –sV <target>

Specifying targets by their DNS names is just a matter of writing them on the command line.
nmap <scan type>

In the same way you can write a list of IP addresses on the command line.
nmap <scan type>
Or use the CIDR notation, if you have to scan one or more networks.
nmap <scan type>

When you specify one or more targets, by default Nmap scans the most common ports used on the Internet. If you want to specify custom ports, you can use the -p option. You can specify your ports as a comma separated list, or as a port interval.
nmap –p 21,22,139,445,443,80 <target> # nmap –p 100-1000 <target>

Here are some distinct Nmap examples:
This performs a TCP connect scan –
nmap –sT,45
This performs a service detection scan
nmap –sV
This performs a SYN scan
nmap –sS 4.5.6-9.7
This performs a SYN scan on port 80 only
nmap –p 80
his performs a TCP connect scan on the first 100 ports and on port 443
nmap –sT –p 1-100,443,45