Ethical Hacking – Nmap/Scapy/Hping3

In this article I will go in depth on three scanners you can use: Nmap, Scapy and Hping3. You can use these scanners to see which ports are open or closed, which OS a host runs, grab banners and a lot more.

This post is part of a series called “Ethical Hacking”.

Nmap

Nmap (Network Mapper) is a security scanner, originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich), used to discover hosts and services on a computer network, thus building a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host(s) and then analyzes the responses.

Here are some typical nmap commands:

  • nmap <ip/range>
    • Scans 1000 ports (default behavior).
  • nmap -sP <ip/range>
    • Ping (ICMP) scan only.
  • nmap -sS -P0 -sV -O <ip/range>
    • -sS = TCP SYN scan.
    • -P0 = Protocol scan (IP protocol numbers):
      • ICMP = 1
      • TCP = 6
      • UDP = 17
      • etc.
    • -sV = Determine the service version.
    • -O = Detect the operating system (Windows, OS X, Linux/Unix etc.).
  • nmap -T5 <ip/range>
    • Aggressive scan (less time between probes).
  • nmap --top-ports 20 <ip/range>
    • Scans the 20 most common ports.
  • nmap -sT -p80 <ip/range>
    • -sT = TCP connect scan.
    • -p80 = Only port 80.
  • nmap -sS <ip/range> -D <ip/range>,<ip/range>
    • -sS = TCP SYN scan.
    • -D = Decoy; launch the scan with the other IPs as well.
  • nmap -v <ip/range>
    • Verbose output.
  • nmap -F <ip/range> --exclude <ip/range>
    • -F = Fast scan of the 100 most common ports.
    • --exclude = Exclude IP addresses.
  • nmap -Pn <ip/range>
    • Skip the ping scan.
  • nmap -6 <ip/range>
    • Scan IPv6 addresses.
  • nmap --iflist
    • Lists the host's interfaces and routes.
  • nmap -sC <ip/range>
    • Runs the default scripts.
  • nmap -A -T4 <ip/range>
    • -A = Script scan, OS detection, version detection, traceroute.
    • -T4 = Aggressive timing.
  • nmap -sn <ip/range>
    • Gives an overview of available devices (host discovery only).
  • nmap -Pn -sI <source ip> -p50-200 <target ip> --packet-trace
    • -Pn = Skip host discovery.
    • -sI = Idle scan.
    • -p50-200 = Port range.
    • --packet-trace = Show detailed information about each packet sent and received.
  • nmap -sU -pU:123 --script=ntp-monlist <ip>
    • -sU = UDP scan.
    • -pU:123 = UDP port 123.
    • --script = Use a script.

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

Here is the syntax for running nmap scripts:

  • nmap --script=<script> <ip/range>
    • --script = Choose the script.
  • nmap --script-help <script>
    • Display help on the script.
  • nmap --script "<script> or <script>" <ip/range>
    • Runs multiple scripts.

See the list of official scripts here, and if you are interested in a GUI for nmap, take a look at Zenmap.

Scapy

Scapy is a powerful interactive packet manipulation program (written in Python). It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, and combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel).

Here are some typical Scapy commands:

  • send(IP(src="<ip>", dst="<ip>")/ICMP()/"OurPayload")
    • send = Sends the packet.
    • IP = Layer 3.
      • src = Source IP address.
      • dst = Destination IP address.
    • ICMP() = Use the ICMP protocol.
    • "OurPayload" = The text carried inside the ICMP packet.
  • sniff(iface="eth0", prn=lambda x: x.show())
    • sniff = Sniff packets.
    • iface = Which interface to listen on.
    • prn = Function to apply to each packet.
    • x.show() = Print the decoded packet.
  • sniff(filter="host <ip>", count=5)
    • sniff = Sniff packets.
    • filter = BPF filter on which packets are captured.
    • count = Stop after 5 packets.
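To see what the layered notation `IP(src=...)/ICMP()/"OurPayload"` actually puts on the wire, here is an added example (standard-library Python, not Scapy code and not from the original post) that builds the same IPv4/ICMP echo datagram by hand, computes both RFC 1071 checksums, and decodes it back into the fields that `show()` would print. Nothing is sent; the function names `build_scapy_style` and `dissect` are my own, and the addresses are documentation ranges.

```python
"""Build and decode an IPv4/ICMP echo datagram by hand, the way Scapy's
IP()/ICMP()/payload stacking does. Added example for this article; it is
not Scapy code and it never transmits anything.
"""
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # 20 bytes: ver/IHL, TOS, len, ID, flags/frag, TTL, proto, csum, src, dst
ICMP_HDR = "!BBHHH"         # 8 bytes: type, code, checksum, identifier, sequence
IPPROTO_ICMP = 1


def internet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, then complemented.
    Re-running it over data that already contains a valid checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload, ident=1, seq=1):
    """ICMP echo request (type 8, code 0); checksum covers header + payload."""
    header = struct.pack(ICMP_HDR, 8, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack(ICMP_HDR, 8, 0, csum, ident, seq) + payload


def build_ipv4(src, dst, proto, body, ttl=64, ident=1):
    """Minimal IPv4 header without options; checksum covers the header only."""
    total_len = 20 + len(body)
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    header = struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, 0, ttl, proto, 0, src_b, dst_b)
    csum = internet_checksum(header)
    header = struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, 0, ttl, proto, csum, src_b, dst_b)
    return header + body


def build_scapy_style(src, dst, payload):
    """Bytes equivalent to IP(src=src, dst=dst)/ICMP()/payload in Scapy."""
    return build_ipv4(src, dst, IPPROTO_ICMP, build_icmp_echo(payload.encode()))


def dissect(packet):
    """Decode the datagram back into the fields show() would display,
    refusing it if either checksum does not verify."""
    ihl = (packet[0] & 0x0F) * 4
    (_vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    icmp = packet[ihl:total_len]
    if internet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, icode, _, iid, iseq = struct.unpack(ICMP_HDR, icmp[:8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "icmp_type": itype, "icmp_code": icode,
            "id": iid, "seq": iseq, "payload": icmp[8:].decode()}


if __name__ == "__main__":
    pkt = build_scapy_style("192.0.2.1", "192.0.2.2", "OurPayload")
    print(pkt.hex())
    for k, v in dissect(pkt).items():
        print(f"  {k:10} = {v}")
```

The decoder's checksum check is the same test a receiving stack performs; an ICMP message with a bad checksum is dropped silently, which is the first thing to suspect when hand-built packets get no reply.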

You can use variables with Scapy to create malicious packets. Here are some common ways to use them.

For more information on how to use Scapy, visit their homepage here.

Hping3

hping is a free packet generator and analyzer for the TCP/IP protocol, distributed by Salvatore Sanfilippo (also known as Antirez). It is one type of tester for network security. It is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan technique (also invented by the hping author), which is now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string-based, human-readable description of TCP/IP packets, so that the programmer can write scripts for low-level TCP/IP packet manipulation and analysis in a very short time.

Here are some typical Hping3 commands:

  • hping3 -S <ip> -p 80 -c 2
    • -S = SYN request.
    • -p 80 = Port 80.
    • -c 2 = Stop after 2 packets.
  • hping3 -S <ip> -p ++50 -c 5
    • -S = SYN request.
    • -p ++50 = Start with port 50.
    • -c 5 = Stop after 5 packets.
  • hping3 -1 192.168.1.x --rand-dest -I eth0
    • -1 = ICMP request.
    • 192.168.1.x = Everyone in the subnet.
    • --rand-dest = Ping the IPs in random order.
    • -I = Which interface to use.
  • hping3 -1 <ip> --icmp-ts -c 2
    • -1 = ICMP request.
    • --icmp-ts = Request an ICMP timestamp.
    • -c 2 = Stop after 2 packets.
  • hping3 -1 <ip> --icmp-addr -c 2
    • -1 = ICMP request.
    • --icmp-addr = Request the ICMP address mask.
    • -c 2 = Stop after 2 packets.
  • hping3 -8 50-56 -S <ip>
    • -8 = Scan mode.
    • 50-56 = Port range.
    • -S = SYN request.
  • hping3 -2 <ip> -p 80 -c 1
    • -2 = UDP.
    • -p 80 = Port 80.
    • -c 1 = Stop after 1 packet.
  • hping3 -F -P -U <ip> -c 3
    • -F = TCP flag FIN.
    • -P = TCP flag PSH.
    • -U = TCP flag URG.
    • -c 3 = Stop after 3 packets.
  • hping3 <ip> -Q -p 139 -S
    • -Q = Display sequence numbers.
    • -p 139 = Port 139.
    • -S = SYN request.
  • hping3 -S <ip> -a <ip> -p 22 --flood
    • -S = SYN request.
    • -a = Source address (decoy).
    • -p 22 = Port 22.
    • --flood = Send as fast as possible.
  • hping3 -2 <ip> -p ++44444 -T -n
    • -2 = UDP.
    • -p ++44444 = Start with port 44444.
    • -T = Do a traceroute.
    • -n = Don't do name resolution.
  • hping3 -S <ip> -p 53 -T
    • -S = SYN flag.
    • -p 53 = Port 53.
    • -T = Traceroute.
  • hping3 -S <ip> -p 80 -T -ttl 13 --tr-keep-ttl -n
    • -S = SYN flag.
    • -p 80 = Port 80.
    • -T = Traceroute.
    • -ttl 13 = Stop the traceroute at hop 13.
    • --tr-keep-ttl = Don't change the TTL.
    • -n = Don't use name resolution.
  • hping3 (interactive mode)
    • hping send "ip(saddr=<ip>,daddr=<ip>,ttl=15)+tcp(sport=6783,dport=80,flags=s)"
      • ip()
        • saddr = Source address.
        • daddr = Destination address.
        • ttl = Time-To-Live.
      • tcp()
        • sport = Source port.
        • dport = Destination port.
        • flags = TCP flags.
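The flip side of the hping3 commands above is what they look like to the host being probed. As an added example from the defender's side (not hping3 or nmap code, and not from the original post), here is a small detector that reads Linux netfilter LOG lines (the iptables/nftables `LOG` target format) and flags two patterns from the list: a bare-SYN sweep across many ports (`-8 50-56 -S`, `-p ++50`) and the FIN+PSH+URG combination (`-F -P -U`), which no normal TCP stack emits. The log lines are constructed to match the kernel's format, not captured traffic; `SAMPLE_LOG`, `parse_line` and `detect_probes` are my own names.

```python
"""Spot hping3-style TCP probes in Linux netfilter (iptables/nftables) LOG lines.

Added example for this article, written from the defender's side; it is not
hping3 or nmap code. SAMPLE_LOG is constructed in the shape of the kernel's
LOG target output, not captured from a real network.
"""
import re
from collections import defaultdict

# Constructed sample: a firewall logging dropped inbound packets while a
# `hping3 -8 50-56 -S` sweep and a `hping3 -F -P -U` probe arrive from
# 198.51.100.7, plus an ICMP timestamp request (--icmp-ts) and one ordinary
# SYN to port 443 from another address for contrast.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=64 ID=1 PROTO=TCP SPT=2000 DPT=50 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=64 ID=2 PROTO=TCP SPT=2001 DPT=51 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=64 ID=3 PROTO=TCP SPT=2002 DPT=52 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=64 ID=4 PROTO=TCP SPT=2003 DPT=53 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=64 ID=5 PROTO=TCP SPT=2004 DPT=54 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=64 ID=6 PROTO=TCP SPT=2005 DPT=55 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=64 ID=7 PROTO=TCP SPT=2006 DPT=56 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=64 ID=8 PROTO=TCP SPT=2007 DPT=22 WINDOW=512 RES=0x00 FIN PSH URG URGP=0
Mar  3 10:00:03 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=28 TTL=64 ID=9 PROTO=ICMP TYPE=13 CODE=0 ID=4660 SEQ=0
Mar  3 10:00:05 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=10 PROTO=TCP SPT=51514 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return {ts, src, dst, spt, dpt, flags} for a TCP LOG line, else None.
    KEY=VALUE tokens become fields; bare uppercase tokens are the TCP flags
    the kernel prints between RES= and URGP=."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    if fields.get("PROTO") != "TCP":
        return None  # ICMP/UDP lines carry no flags; out of scope here
    return {"ts": m.group("ts"), "src": fields["SRC"], "dst": fields["DST"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]), "flags": flags}


def detect_probes(lines, sweep_threshold=5):
    """Return findings as (kind, source, detail) tuples.

    fin-psh-urg-probe: FIN, PSH and URG set with neither SYN nor ACK, a
        combination a normal TCP stack never sends (hping3 -F -P -U).
    syn-port-sweep: one source sent bare SYNs to at least sweep_threshold
        distinct destination ports (hping3 -8 <range> or -p ++N).
    """
    findings = []
    syn_ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if {"FIN", "PSH", "URG"} <= rec["flags"] and not rec["flags"] & {"SYN", "ACK"}:
            findings.append(("fin-psh-urg-probe", rec["src"], rec["dpt"]))
        elif rec["flags"] == {"SYN"}:
            syn_ports[rec["src"]].add(rec["dpt"])
    for src, ports in syn_ports.items():
        if len(ports) >= sweep_threshold:
            findings.append(("syn-port-sweep", src, len(ports)))
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect_probes(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {src} ({detail})")
```

In a real deployment the distinct-port count would be kept per time window rather than over the whole file, and the addresses of your own vulnerability scanners would be allow-listed, otherwise every scheduled scan shows up as a sweep.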

Experienced advanced operations engineer with a demonstrated history of working in the information technology and services industry. Skilled in Windows Server, Azure, Ethical Hacking, Office 365, Exchange, Jenkins, SCCM, Octopus Deploy and PowerShell to name a few. Strong engineering professional with a big passion for knowledge.
