
Nmap technique for remote scan

Here are some really cool scanning techniques using Nmap.

1) Get info about remote host ports and OS detection

nmap -sS -P0 -sV -O <target>

Where <target> may be a single IP, a hostname or a subnet.

-sS TCP SYN scanning (also known as half-open or stealth scanning)

-P0 switches off the ICMP ping, i.e. skips host discovery and treats every target as up (current Nmap releases spell this option -Pn; -P0 is still accepted as an alias)

-sV enables service version detection

-O attempts to identify the remote operating system

Other options:

-A option enables both OS fingerprinting and version detection

-v increases verbosity; use -v twice for more.

nmap -sS -P0 -A -v <target>

2) Get list of servers with a specific port open

nmap -sT -p 80 -oG - 192.168.1.* | grep open

Change the -p argument for the port number. "-oG -" writes grepable output (one host per line) to stdout, which is what makes the grep work. See "man nmap" for different ways to specify address ranges.
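The "grep open" above matches any line that contains the word, so when several ports are scanned at once a host whose only open port is 22 would still be listed when you are asking about port 80. As an added example (not code from the original post), the script below parses the grepable output field by field and reports only hosts where the requested port is actually in the open state. The function names and the sample -oG output are my own constructions; the sample is not real scan data.

```shell
#!/bin/sh
# Added example, not from the original post: list the hosts that have a given
# TCP port open by parsing Nmap grepable (-oG) output field by field.
# Grepable port entries look like "80/open/tcp//http///"
# (port/state/protocol/owner/service/rpc/version/).

# Constructed sample resembling "nmap -sT -p 22,80 -oG -" output (not real data).
sample_og() {
    printf '# Nmap scan initiated as: nmap -sT -p 22,80 -oG - 192.168.1.0/29\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (0)\n'
    printf 'Host: 192.168.1.2 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.2 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///\n'
    printf 'Host: 192.168.1.3 (web.lab)\tStatus: Up\n'
    printf 'Host: 192.168.1.3 (web.lab)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///\n'
    printf '# Nmap done -- 8 IP addresses (3 hosts up) scanned\n'
}

# hosts_with_open_port PORT: read -oG output on stdin, print one IP per line
# for every host whose entry for PORT has state "open".
hosts_with_open_port() {
    awk -v port="$1" '
        /^Host: / && /Ports: / {
            ip = $2                                  # second whitespace field is the address
            split($0, parts, "Ports: ")              # everything after "Ports: " is the port list
            n = split(parts[2], entries, ", ")       # entries are comma+space separated
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")            # f[1] = port, f[2] = state
                if (f[1] == port && f[2] == "open") { print ip; break }
            }
        }'
}

# open_hosts_line PORT: same result on one space-separated line (handy for tests
# and for feeding into other tools). Swap sample_og for a real
# "nmap -sT -p PORT -oG - RANGE" pipeline to use it on live output.
open_hosts_line() {
    sample_og | hosts_with_open_port "$1" | tr '\n' ' ' | sed 's/ $//'
}

open_hosts_line 80
```

Run it as-is to see the two hosts with port 80 open; host 192.168.1.2 has the port closed and is left out even though its line contains "open" for port 22.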

3) Find all active IP addresses in a network

nmap -sP 192.168.0.*

There are several other options. This one is plain and simple.

Another option is:

nmap -sP 192.168.0.0/24

for a specific subnet in CIDR notation.

4) Ping a range of IP addresses

nmap -sP 192.168.1.100-254

nmap accepts a wide variety of addressing notation, multiple targets/ranges, etc.

5) Find unused IPs on a given subnet

nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp

The ping sweep fills the kernel ARP cache; addresses that never answered are left as incomplete entries with an all-zero hardware address, and those are the unused IPs.

6) Scan for the Conficker virus on your LAN, etc.

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.0.1-254

Replace 192.168.0.1-254 with the IPs you want to check. In current Nmap releases smb-check-vulns has been split into the separate smb-vuln-* scripts (smb-vuln-conficker covers this check).

7) Scan Network for Rogue APs.

nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000 --initial-rtt-timeout 300 --max-retries 3 --host-timeout 20m --max-scan-delay 1000 -oA wapscan 10.0.0.0/8

I’ve used this scan to successfully find many rogue APs on a very, very large network.

8) Use a decoy while scanning ports to avoid getting caught by the sys admin

sudo nmap -sS 192.168.0.10 -D 192.168.0.2

Scan for open ports on the target device/computer (192.168.0.10) while setting up a decoy address (192.168.0.2). This will show the decoy IP address instead of your IP in the target's security logs. The decoy address needs to be alive. Check the target's security log at /var/log/secure to make sure it worked. Be aware that the probes are still sent from your real address as well as from the decoy, so a log that records every source will list both.

9) List of reverse DNS records for a subnet

nmap -R -sL 209.85.229.99/27 | awk '{if($3=="not")print"("$2") no PTR";else print$3" is "$2}' | grep '('

This command uses nmap to perform reverse DNS lookups on a subnet. It produces a list of IP addresses with the corresponding PTR record for the given subnet. You can enter the subnet in CIDR notation (e.g. /24 for a class C). You could add "--dns-servers x.x.x.x" after "-sL" if you need the lookups to be performed on a specific DNS server. The awk field positions rely on the older "Host name (ip) not scanned" list-scan output; recent Nmap releases print "Nmap scan report for ..." instead, so the field numbers need adjusting there. On some installations nmap needs sudo I believe. Also I hope awk is standard on most distros.

10) How Many Linux And Windows Devices Are On Your Network?

sudo nmap -F -O 192.168.0.1-255 | grep "Running: " > /tmp/os; echo "$(cat /tmp/os | grep Linux | wc -l) Linux device(s)"; echo "$(cat /tmp/os | grep Windows | wc -l) Windows device(s)"
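Grepping only for "Running: " silently drops hosts where Nmap could merely guess ("Running (JUST GUESSING): ...") and hosts with no OS match at all, so the two counts rarely add up to the number of hosts scanned. As an added example (not code from the original post), the script below reads Nmap's normal output and tallies hosts, Linux, Windows, guessed and unmatched hosts separately so the inventory accounts for every host. The function names and the sample scan output are my own constructions; the sample is not a real scan.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the OS families Nmap
# reported, reading normal (-oN / stdout) output on stdin.

# Constructed sample resembling "nmap -F -O" output for four hosts (not real data).
sample_os_scan() {
    cat <<'EOF'
Nmap scan report for 192.168.0.10
Host is up (0.0010s latency).
Running: Linux 4.X|5.X
OS details: Linux 4.15 - 5.6

Nmap scan report for 192.168.0.11
Host is up (0.0020s latency).
Running: Microsoft Windows 10
OS details: Microsoft Windows 10

Nmap scan report for 192.168.0.12
Host is up (0.0030s latency).
Running (JUST GUESSING): Linux 3.X (90%)
Aggressive OS guesses: Linux 3.10 (90%)

Nmap scan report for 192.168.0.13
Host is up (0.0040s latency).
No exact OS matches for host (test conditions non-ideal).
EOF
}

# os_summary: count hosts and OS families from Nmap normal output on stdin.
# A "Running:" line naming several families (e.g. "Linux 2.6.X, Microsoft
# Windows XP") is counted under the first family matched, Linux before Windows.
os_summary() {
    awk '
        /^Nmap scan report for / { hosts++ }
        /^Running: / || /^Running \(JUST GUESSING\): / {
            if ($0 ~ /Linux/)        linux++
            else if ($0 ~ /Windows/) windows++
            else                     other++
            if ($0 ~ /JUST GUESSING/) guessed++      # counted in a family above as well
        }
        /^No exact OS matches for host/ || /^Too many fingerprints match/ { unknown++ }
        END {
            printf "hosts=%d linux=%d windows=%d other=%d guessed=%d unknown=%d\n",
                   hosts, linux, windows, other, guessed, unknown
        }'
}

# Swap sample_os_scan for "sudo nmap -F -O RANGE" to run it on a live scan.
summarise_sample() { sample_os_scan | os_summary; }

summarise_sample
```

The "guessed" count is a subset of the family counts, so hosts = linux + windows + other + unknown once every host produced some OS line; a shortfall means Nmap printed a line this script does not recognise, which is worth looking at rather than ignoring.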

Hope you have fun, and remember don’t practice these techniques on machines or networks that are not yours.
