Scapy Packet Manuplation CE 340S Kondakc What Scapy

  • Slides: 53
Download presentation
Scapy Packet Manuplation CE 340/S. Kondakcı

Scapy Packet Manuplation CE 340/S. Kondakcı

What Scapy Does? Creating a packet Send/Receiving packets Basic Scapy commands Capturing packets (and

What Scapy Does? Creating a packet Send/Receiving packets Basic Scapy commands Capturing packets (and reading packet capture files into Scapy) • Layering packets • More Examples • •

The First Step 1. Install Python 2. 7+ 2. Download and install Scapy 3.

The First Step 1. Install Python 2. 7+ 2. Download and install Scapy 3. (Optional): Install additional software for special features. 4. Run Scapy with root privileges.

UDP Packet Header

UDP Packet Header

Datalink/Pyhsical (MAC) Packet

Datalink/Pyhsical (MAC) Packet

Hello World send(IP(dst="127. 0. 0. 1")/ICMP()/"Hello. World") • send - this tells Scapy that

Hello World send(IP(dst="127. 0. 0. 1")/ICMP()/"Hello. World") • send - this tells Scapy that you want to send a packet (just a single packet) • IP - the protocol of the packet you want to create • (dst=” 127. 0. 0. 1”) - the destination IP to send the packet to • /ICMP() - Create an ICMP packet with the default values provided by Scapy • /”Hello. World” - the payload to include in the ICMP packet

Wireshark Capture Scapy command: send(IP(dst="127. 0. 0. 1")/ICMP()/"Hello. World") Wireshark capture : Internet Protocol

Wireshark Capture Scapy command: send(IP(dst="127. 0. 0. 1")/ICMP()/"Hello. World") Wireshark capture : Internet Protocol Version 4, Src: 127. 0. 0. 12 (127. 0. 0. 12), Dst: 127. 0. 0. 1 (127. 0. 0. 1) Protocol: ICMP Data: 48656 c 6 c 6 f 576 f 726 c 64 or “Hello. World”

Example: Fab ricate an ICMP Packet send(IP(src="127. 0. 0. 1", dst="127. 0. 0. 1",

Example: Fab ricate an ICMP Packet send(IP(src="127. 0. 0. 1", dst="127. 0. 0. 1", ttl=128)/ICMP()/"Hello. World") Wireshark: Internet Protocol Version 4, Src: 127. 0. 0. 1 (127. 0. 0. 1), Dst: 127. 0. 0. 1 (127. 0. 0. 1) Time to live: 128 What does this ICMP packet mean? Internet Protocol Version 4, Src: 127. 0. 0. 1 (127. 0. 0. 1), Dst: 127. 0. 0. 1 (127. 0. 0. 1) Internet Control Message Protocol Type: 0 (Echo (ping) reply)

Sending a ping packet ip=IP() # Creates an IP header ip. src='data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20415%20289%22%3E%3C/svg%3E' data-src=’ 192. 168.

Sending a ping packet ip=IP() # Creates an IP header ip. src=’ 192. 168. 1. 25′ # Source address in the IP header with local IP ip. dst =’ 192. 168. 1. 100′ # Destination address in the IP header. icmp=ICMP() # Creates an ICMP header icmp. type=8 # Type value inserted in ICMP header as 8 for ping icmp. code=0 # Code value inserted in ICMP header as 0 for ping send(ip/icmp) # Sending packet.

Sending a ping packet with random source IP ip=IP() # Creates an IP header

Sending a ping packet with random source IP ip=IP() # Creates an IP header ip. src=Rand. IP() # The source address in the IP header with a random IP ip. dst =’ 192. 168. 1. 100′ # Destination address in the IP header. icmp=ICMP() # Creates an ICMP header icmp. type=8 # Type value inserted in ICMP header as 8 for ping crafting icmp. code=0 # Code value inserted in ICMP header as 0 for ping crafting. send(ip/icmp) # Sending packet.

Sending & Receiving Layer 3 and 2 Packets • sr() – This function sends

Sending & Receiving Layer 3 and 2 Packets • sr() – This function sends packets and receives answers. It returns a couple of packet and answers, and the unanswered packets. • sr 1() - This function is a variant that only returns one packet which answered the sent packet sent. • Exp: Simple ICMP packet (layer 3) h=sr 1(IP(dst=“ 127. 0. 0. 1")/ICMP()/”Hello World”) • srp() - This function does the same for layer 2 packets (Ethernet, 802. 3, etc).

Show the Packet Contents • • h=sr 1(IP(dst=“ 127. 0. 0. 1")/ICMP()/”Hello World”) h.

Show the Packet Contents • • h=sr 1(IP(dst=“ 127. 0. 0. 1")/ICMP()/”Hello World”) h. show() ###[ IP ]### version= 4 L ihl= 5 L tos= 0 x 0 len= 38 id= 7395 flags= frag= 0 L ttl= 64 proto= icmp chksum= 0 x 83 d 7 src= 127. 0. 0. 1 dst= 127. 0. 0. 1 options ###[ ICMP ]### type= echo-reply code= 0 chksum= 0 x 0 id= 0 x 0 seq= 0 x 0 ###[ Raw ]### load= 'Hello. World' ###[ Padding ]### load= 'x 00xe 7x 03 Nx 99' >>>

Show the TTL of the ICMP reply packet ip=IP() # Create an IP header

Show the TTL of the ICMP reply packet ip=IP() # Create an IP header ip. src=’ 192. 168. 1. 25′ # Source address in the IP header is the loca IP ip. dst =’ 192. 168. 1. 100′ # Destination address in the IP header. icmp=ICMP() # Create an ICMP header icmp. type=8 # Type value inserted in ICMP header as 8 for ping crafting icmp. code=0 # Code value inserted in ICMP header as 0 for ping crafting. p=sr 1(ip/icmp) # Send and receive the packet in the variable p p. ttl # Displays the TTL value in the received IP header of the packet.

Create an ARP request ether=Ether() # Creates an ethernet header ether. src='data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20415%20289%22%3E%3C/svg%3E' data-src=’ 00: e

Create an ARP request ether=Ether() # Creates an ethernet header ether. src=’ 00: e 0: 1 c: 3 c: 22: b 4′ # Source MAC address in the ethernet header ether. dst=’FF: FF: FF: FF’ # Destination MAC address arp=ARP() # Create an ARP header arp. op=1 # Set the ARP type as 1 arp. hwsrc=’ 00: e 0: 1 c: 3 c: 22: b 4′ # Set the sender MAC address for local IP arp. psrc=’ 192. 168. 1. 25′ # Set the sender IP address for that MAC addr. arp. pdst=’ 192. 168. 1. 100′ # Set the target IP address arp. hwdst=’ 00: 00: 00: 00′ # Set the target MAC address as NULL p=srp 1(ether/arp) # Send the packet at layer 2 using the command srp 1, appending the ether and arp headers.

TCP Connection Establishment

TCP Connection Establishment

Normal TCP Handshake Client SYN Client SYN/ACK Client ACK Server After this, you are

Normal TCP Handshake Client SYN Client SYN/ACK Client ACK Server After this, you are ready to send data 18

SYN Port Scan Client SYN Client SYN/ACK Client RST Server The server is ready,

SYN Port Scan Client SYN Client SYN/ACK Client RST Server The server is ready, but the client decided not to complete the handshake 19

UDP Scanning • No handshake, so less useful than TCP scans • Much more

UDP Scanning • No handshake, so less useful than TCP scans • Much more powerful in newer versions of Nmap • Sends valid UDP requests to well-known ports – Send a DNS query to port 53, etc. • Response indicates open UDP port

TCP Packets p=sr(IP(dst=“ 127. 0. 0. 1")/TCP(dport=23)) Begin emission: . Finished to send 1

TCP Packets p=sr(IP(dst=“ 127. 0. 0. 1")/TCP(dport=23)) Begin emission: . Finished to send 1 packets. * Received 2 packets, got 1 answers, remaining 0 packets >>> p (<Results: TCP: 1 UDP: 0 ICMP: 0 Other: 0>, <Unanswered: TCP: 0 UDP: 0 ICMP: 0 Other: 0>) >>> If you try and use p. show() you now get an error message: >>> p. show() Traceback (most recent call last): File "<console>", line 1, in <module> Attribute. Error: 'tuple' object has no attribute 'show' >>> ans. summary() IP / TCP 127. 0. 0. 1: ftp_data > 127. 0. 0. 1: telnet S ==> IP / TCP 127. 0. 0. 1: telnet > 127. 0. 0. 1: ftp_data RA / Padding

TCP Packets a=sr(IP(dst=“ 127. 0. 0. 1")/TCP(dport=[23, 80, 53])) Begin emission: . **Finished to

TCP Packets a=sr(IP(dst=“ 127. 0. 0. 1")/TCP(dport=[23, 80, 53])) Begin emission: . **Finished to send 3 packets. * Received 4 packets, got 3 answers, remaining 0 packets >>> a (<Results: TCP: 3 UDP: 0 ICMP: 0 Other: 0>, <Unanswered: TCP: 0 UDP: 0 ICMP: 0 Other: 0>) >>>

TCP SYN to port 80 tcp=TCP() # Create a TCP header tcp. dport=80 #

TCP SYN to port 80 tcp=TCP() # Create a TCP header tcp. dport=80 # The destination port in the TCP header is 80. tcp. flags=’S’ # Set the flag in the TCP header with the SYN bit. ip=IP() # Create an IP header ip. src=’ 192. 168. 1. 25′ # Source address in the IP header is local IP address ip. dst =’ 192. 168. 1. 100′ # Destination address in the IP header. send(ip/tcp) # Send the crafted tcp packet.

Details of the TCP packet >>> p (<Results: TCP: 3 UDP: 0 ICMP: 0

Details of the TCP packet >>> p (<Results: TCP: 3 UDP: 0 ICMP: 0 Other: 0>, <Unanswered: TCP: 0 UDP: 0 ICMP: 0 Other: 0>) >>> ans, unans=_ >>> ans. summary() IP / TCP 127. 0. 0. 1: ftp_data > 127. 0. 0. 1: telnet S ==> IP / TCP 127. 0. 0. 1: telnet > 127. 0. 0. 1: ftp_data RA / Padding IP / TCP 127. 0. 0. 1: ftp_data > 127. 0. 0. 1: http S ==> IP / TCP 127. 0. 0. 1: http > 127. 0. 0. 1: ftp_data SA / Padding IP / TCP 127. 0. 0. 1: ftp_data > 127. 0. 0. 1: domain S ==> IP / TCP 127. 0. 0. 1: domain > 127. 0. 0. 1: ftp_data SA / Padding >>>

The http (port 80) packet IP / TCP 127. 0. 0. 15: ftp_data >

The http (port 80) packet IP / TCP 127. 0. 0. 15: ftp_data > 127. 0. 0. 1: http S ==> IP / TCP 127. 0. 0. 1: http > 127. 0. 0. 15: ftp_data SA / Padding S = SYN from client (request from the client)) SA = SYN-ACK from the server (reply from the server)

The telnet (port 23) Packet IP / TCP 127. 0. 0. 1: ftp_data >

The telnet (port 23) Packet IP / TCP 127. 0. 0. 1: ftp_data > 127. 0. 0. 1: telnet S ==> IP / TCP 127. 0. 0. 1: telnet > 127. 0. 0. 1: ftp_data RA / Padding SYN Sent from the source Destination responded with a RSTACK (RA) which is a RESet & ACKnowledge flag in the TCP packet telling the source to reset the connection

Port Scan (TCP-SYN Scan) a=sr(IP(dst="127. 0. 0. 1")/TCP(sport=666, dport=[ 22, 80, 21, 443], flags="S"))

Port Scan (TCP-SYN Scan) a=sr(IP(dst="127. 0. 0. 1")/TCP(sport=666, dport=[ 22, 80, 21, 443], flags="S")) Source port =666 Destination ports: 22, 80, 21, and 443 flags="S"= SYN scan

Port Scan (TCP-SYN Scan) cont’d >>> p=sr(IP(dst="127. 0. 0. 1")/TCP(sport=666, dport=[22, 80, 21, 443],

Port Scan (TCP-SYN Scan) cont’d >>> p=sr(IP(dst="127. 0. 0. 1")/TCP(sport=666, dport=[22, 80, 21, 443], flags="S")) Begin emission: ***Finished to send 4 packets. * Received 4 packets, got 4 answers, remaining 0 packets >>> p (<Results: TCP: 4 UDP: 0 ICMP: 0 Other: 0>, <Unanswered: TCP: 0 UDP: 0 ICMP: 0 Other: 0>) >>> ans, unans=_ >>> ans. summary() IP / TCP 127. 0. 0. 15: 666 > 127. 0. 0. 1: ssh S ==> IP / TCP 127. 0. 0. 1: ssh > 127. 0. 0. 15: 666 SA / Padding IP / TCP 127. 0. 0. 15: 666 > 127. 0. 0. 1: http S ==> IP / TCP 127. 0. 0. 1: http > 127. 0. 0. 15: 666 SA / Padding IP / TCP 127. 0. 0. 15: 666 > 127. 0. 0. 1: ftp S ==> IP / TCP 127. 0. 0. 1: ftp > 127. 0. 0. 15: 666 RA / Padding IP / TCP 127. 0. 0. 15: 666 > 127. 0. 0. 1: https S ==> IP / TCP 127. 0. 0. 1: https > 127. 0. 0. 15: 666 RA / Padding >>>

TCP ACK flag sent after SYN flag >>> p=sr(IP(dst="127. 0. 0. 1")/TCP(sport=888, dport=[21, 22,

TCP ACK flag sent after SYN flag >>> p=sr(IP(dst="127. 0. 0. 1")/TCP(sport=888, dport=[21, 22, 80, 443], flags="A")) Begin emission: . ***Finished to send 4 packets. * Received 5 packets, got 4 answers, remaining 0 packets >>> p (<Results: TCP: 4 UDP: 0 ICMP: 0 Other: 0>, <Unanswered: TCP: 0 UDP: 0 ICMP: 0 Other: 0>) >>> ans, unans=_ >>> ans. summary() IP / TCP 127. 0. 0. 15: 888 > 127. 0. 0. 1: ftp A ==> IP / TCP 127. 0. 0. 1: ftp > 127. 0. 0. 15: 888 R / Padding IP / TCP 127. 0. 0. 15: 888 > 127. 0. 0. 1: ssh A ==> IP / TCP 127. 0. 0. 1: ssh > 127. 0. 0. 15: 888 R / Padding IP / TCP 127. 0. 0. 15: 888 > 127. 0. 0. 1: http A ==> IP / TCP 127. 0. 0. 1: http > 127. 0. 0. 15: 888 R / Padding IP / TCP 127. 0. 0. 15: 888 > 127. 0. 0. 1: https A ==> IP / TCP 127. 0. 0. 1: https > 127. 0. 0. 15: 888 R / Padding >>> Notice: • the A (ACK) flag on the sent packet, with a R (RST) flag on the response , why? • Because we sent a packet that it's only supposed to receive after a SYN-ACK packet and so it's reset by the destination.

DNS Query sr 1(IP(dst="127. 0. 0. 1")/UDP()/DNS(rd=1, qd=DN SQR(qname="www. ieu. edu. tr"))) dst=27. 0.

DNS Query sr 1(IP(dst="127. 0. 0. 1")/UDP()/DNS(rd=1, qd=DN SQR(qname="www. ieu. edu. tr"))) dst=27. 0. 0. 1 = destionation IP (DNS server) /UDP() = DNS uses UDP protocol /DNS = This is a DNS packet rd=1 = Telling Scapy that recursion is desired qd=DNSQR(qname=” www. ieu. edu. tr") = Get the DNS info about www. ieu. edu. tr

Traceroute traceroute (["www. google. com"], maxttl=20) Begin emission: . . *Finished to send 20

Traceroute traceroute (["www. google. com"], maxttl=20) Begin emission: . . *Finished to send 20 packets. ********* Received 20 packets, got 18 answers, remaining 2 packets 74. 125. 132. 99: tcp 80 1 172. 1. 16. 2 11 3 80. 3. 129. 161 11 4 212. 43. 163. 221 11 5 62. 252. 192. 157 11 6 62. 253. 187. 178 11 17 74. 125. 132. 99 SA 18 74. 125. 132. 99 SA 19 74. 125. 132. 99 SA 20 74. 125. 132. 99 SA (<Traceroute: TCP: 7 UDP: 0 ICMP: 11 Other: 0>, <Unanswered: TCP: 2 UDP: 0 ICMP: 0 Other: 0>) >>>

ARP Scan on A Network >>> arping(“ 172. 1. 16. *") ***Finished to send

ARP Scan on A Network >>> arping(“ 172. 1. 16. *") ***Finished to send 256 packets. * Received 4 packets, got 4 answers, remaining 252 packets 30: 46: 9 a: 83: ab: 70 172. 1. 16. 2 00: 25: 64: 8 b: ed: 1 a 172. 1. 16. 18 00: 26: 55: 00: fc: fe 172. 1. 16. 12 d 8: 9 e: 3 f: b 1: 29: 9 b 172. 1. 16. 22 (<ARPing: TCP: 0 UDP: 0 ICMP: 0 Other: 4>, <Unanswered: TCP: 0 UDP: 0 ICMP: 0 Other: 252>)

The ICMP, TCP, and UDP Ping: ans, unans=sr(IP(dst=“ 172. 1. 1 -254")/ICMP()) ans, unans=sr(

The ICMP, TCP, and UDP Ping: ans, unans=sr(IP(dst=“ 172. 1. 1 -254")/ICMP()) ans, unans=sr( IP(dst=” 172. 1. 1. *”)/TCP(dport=80, flags=”S”) ) ans, unans=sr( IP(dst=“ 172. 1. 1. *"/UDP(dport=0) )

Packet Sniffing sniff() CTRL-C (to stop sniffing) get something like <Sniffed: TCP: 43 UDP:

Packet Sniffing sniff() CTRL-C (to stop sniffing) get something like <Sniffed: TCP: 43 UDP: 24 ICMP: 2 Other: 0> a=_ a. nsummary() 0003 Ether / IP / UDP / DNS Qry "daisy. ubuntu. com. " 0004 Ether / IP / UDP / DNS Qry "daisy. ubuntu. com. " 0005 Ether / IP / UDP / DNS Qry "daisy. ubuntu. com. " 0006 Ether / IP / UDP / DNS Qry "daisy. ubuntu. com. " 0007 Ether / IP / UDP / DNS Qry "daisy. ubuntu. com. " 0008 Ether / IP / UDP / DNS Ans "91. 189. 95. 54" 0009 Ether / IP / UDP / DNS Ans "91. 189. 95. 54" 0010 Ether / IP / UDP / DNS Ans "91. 189. 95. 54" 0011 Ether / IP / UDP / DNS Ans "91. 189. 95. 55

ICMP traffic through eth 0 interface sniff(iface="eth 0", filter="icmp", count=10) a=_ >>> a. nsummary()

ICMP traffic through eth 0 interface sniff(iface="eth 0", filter="icmp", count=10) a=_ >>> a. nsummary() 0000 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans "91. 189. 95. 55" 0001 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans "91. 189. 95. 54" 0002 Ether / IP / ICMP 10. 1. 99. 25 > 74. 125. 132. 103 echo-request 0 / Raw 0003 Ether / IP / ICMP 74. 125. 132. 103 > 10. 1. 99. 25 echo-reply 0 / Raw 0004 Ether / IP / ICMP 10. 1. 99. 25 > 74. 125. 132. 103 echo-request 0 / Raw 0005 Ether / IP / ICMP 74. 125. 132. 103 > 10. 1. 99. 25 echo-reply 0 / Raw 0006 Ether / IP / ICMP 10. 1. 99. 25 > 74. 125. 132. 103 echo-request 0 / Raw 0007 Ether / IP / ICMP 74. 125. 132. 103 > 10. 1. 99. 25 echo-reply 0 / Raw 0008 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans "wb-in-f 103. 1 e 100. net. " 0009 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans "wb-in-f 103. 1 e 100. net. “ a[2] <Ether dst=30: 46: 9 a: 83: ab: 70 src=00: 22: 19: e 7: 90: ae type=0 x 800 |<IP version=4 L ihl=5 L tos=0 x 0 len=84 id=0 flags=DF frag=0 L ttl=64 proto=icmp chksum=0 xfeaa src=10. 1. 99. 25 dst=74. 125. 132. 103

Nping is an open source tool for • network packet generation, • response analysis

Nping is an open source tool for • network packet generation, • response analysis and response time measurement. • Nping can generate network packets for a wide range of protocols, allowing users full control over protocol headers. Syntax: nping [Probe mode] [Options] {target specification} Example: nping blabla. com Starting Nping 0. 6. 01 ( http: //nmap. org/nping ) at 2012 -06 -20 20: 27 CEST SENT (0. 1879 s) ICMP 192. 168. 60. 129 > 199. 83. 132. 66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28 SENT (1. 1890 s) ICMP 192. 168. 60. 129 > 199. 83. 132. 66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28 SENT (2. 1901 s) ICMP 192. 168. 60. 129 > 199. 83. 132. 66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28

Nping Modes/TCP Probe Modes

Nping Modes/TCP Probe Modes

Nping Modes/UDP & ICMP Probe Modes

Nping Modes/UDP & ICMP Probe Modes

Nping Modes/ARP & IPv 4 Probe Modes

Nping Modes/ARP & IPv 4 Probe Modes

Nping Modes/Echo Client/server Probe Modes

Nping Modes/Echo Client/server Probe Modes

Nping Output

Nping Output

Nping Using TCP Flags nping --tcp -p 80 --flags ack -c 3 aldeid. com

Nping Using TCP Flags nping --tcp -p 80 --flags ack -c 3 aldeid. com

Nping Echo Client/Server nping --echo-server "pass 123" -e eth 0 -vvv nping --echo-client "pass

Nping Echo Client/Server nping --echo-server "pass 123" -e eth 0 -vvv nping --echo-client "pass 123" 192. 168. 1. 18 --tcp -p 1 -30 --flags ack

Nmap Single Target Scanning • • • ### Scan a single ip address ###

Nmap Single Target Scanning • • • ### Scan a single ip address ### nmap 192. 168. 1. 1 ## Scan a host name ### nmap www. google. com ## Scan a host name with more info### nmap –v myhost. ieu. edu. tr

Nmap Multiple Target Scanning • • nmap 192. 168. 1. 1 192. 168. 1.

Nmap Multiple Target Scanning • • nmap 192. 168. 1. 1 192. 168. 1. 2 192. 168. 1. 3 nmap 192. 168. 1. 1, 2, 3 ## You can scan a range of IP address: nmap 192. 168. 1. 1 -20 ## IP address range using a wildcard: nmap 192. 168. 1. * ## Read list of hosts/networks from a file: namp –i. L. /hosts. txt

More Nmap Commands • • ## Detect OS and OS version nmap -A 192.

More Nmap Commands • • ## Detect OS and OS version nmap -A 192. 168. 1. 254 nmap -v -A 192. 168. 1. 1 nmap -A -i. L /tmp/scanlist. txt ## Is a host/network protected by a firewall nmap -s. A 192. 168. 1. 254 ## Scan it when protected by the firewall nmap -PN 192. 168. 1. 1

More Nmap Commands • ## host discovery or ping scan: – nmap -s. P

More Nmap Commands • ## host discovery or ping scan: – nmap -s. P 192. 168. 1. 0/24 • ## perform a fast scan – nmap -F 192. 168. 1. 1 • ## Show only open ports – nmap --open 192. 168. 1. 1 • ## Show all packets sent and received – nmap --packet-trace 192. 168. 1. 1 • Show host interfaces and routes – nmap --iflist

More Nmap Commands • Show host interfaces and routes – nmap --iflist

More Nmap Commands • Show host interfaces and routes – nmap --iflist

Scan Specific ports • • • nmap -p [port] host. Name ## Scan port

Scan Specific ports • • • nmap -p [port] host. Name ## Scan port 80 nmap -p 80 192. 168. 1. 1 • • ## Scan TCP port 80 nmap -p T: 80 192. 168. 1. 1 • • ## Scan UDP port 53 nmap -p U: 53 192. 168. 1. 1 • • ## Scan two ports ## nmap -p 80, 443 192. 168. 1. 1 • • ## Scan port ranges ## nmap -p 80 -200 192. 168. 1. 1

Scan Specific ports • • • ## Combine all options ## – nmap -p

Scan Specific ports • • • ## Combine all options ## – nmap -p U: 53, 111, 137, T: 21 -25, 80, 139, 8080 192. 168. 1. 1 – nmap -v -s. U -s. T -p U: 53, 111, 137, T: 21 -25, 80, 139, 8080 192. 168. 1. 254 ## Scan all ports with * wildcard : – nmap -p "*" 192. 168. 1. 1 ## Scan top 10 most common ports ## – nmap --top-ports 10 192. 168. 1. 1

Host Discovery (1) • ## host discovery or ping scan: – nmap -s. P

Host Discovery (1) • ## host discovery or ping scan: – nmap -s. P 192. 168. 1. 0/24 Host 192. 168. 1. 1 is up (0. 00035 s latency). MAC Address: BC: AE: C 5: C 3: 16: 93 (Unknown) Host 192. 168. 1. 2 is up (0. 0038 s latency). MAC Address: 74: 44: 01: 40: 57: FB (Unknown) Host 192. 168. 1. 5 is up. Host nas 03 (192. 168. 1. 12) is up (0. 0091 s latency). MAC Address: 00: 11: 32: 11: 15: FC (Synology Incorporated) Nmap done: 256 IP addresses (4 hosts up) scanned in 2. 80 second

Host Discovery (2) nmap -O 192. 168. 1. 1 nmap -O --osscan-guess 192. 168.

Host Discovery (2) nmap -O 192. 168. 1. 1 nmap -O --osscan-guess 192. 168. 1. 1 nmap -v -O --osscan-guess 192. 168. 1. 1 Starting Nmap 5. 00 ( http: //nmap. org ) at 2012 -11 -27 01: 29 IST NSE: Loaded 0 scripts for scanning. Initiating ARP Ping Scan at 01: 29 Scanning 192. 168. 1. 1 [1 port] Completed ARP Ping Scan at 01: 29, 0. 01 s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 01: 29 Completed Parallel DNS resolution of 1 host. at 01: 29, 0. 22 s elapsed Initiating SYN Stealth Scan at 01: 29 Scanning 192. 168. 1. 1 [1000 ports] Discovered open port 80/tcp on 192. 168. 1. 1 Discovered open port 22/tcp on 192. 168. 1. 1 Completed SYN Stealth Scan at 01: 29, 0. 16 s elapsed (1000 total ports) Initiating OS detection (try #1) against 192. 168. 1. 1 Retrying OS detection (try #2) against 192. 168. 1. 1 Retrying OS detection (try #3) against 192. 168. 1. 1 Retrying OS detection (try #4) against 192. 168. 1. 1 Retrying OS detection (try #5) against 192. 168. 1. 1 Host 192. 168. 1. 1 is up (0. 00049 s latency). Interesting ports on 192. 168. 1. 1: Not shown: 998 closed ports

Host Discovery (3) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http MAC Address:

Host Discovery (3) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http MAC Address: BC: AE: C 5: C 3: 16: 93 (Unknown) Device type: WAP|general purpose|router|printer|broadband router Running (JUST GUESSING) : Linksys Linux 2. 4. X (95%), Linux 2. 4. X|2. 6. X (94%), Mikro. Tik Router. OS 3. X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2. 4. X (89%), Netgear Linux 2. 4. X (89%) Aggressive OS guesses: Open. Wrt White Russian 0. 9 (Linux 2. 4. 30) (95%), Open. Wrt 0. 9 - 7. 09 (Linux 2. 4. 30 - 2. 4. 34) (94%), Open. Wrt Kamikaze 7. 09 (Linux 2. 6. 22) (94%), Linux 2. 4. 21 - 2. 4. 31 (likely embedded) (92%), Linux 2. 6. 15 - 2. 6. 23 (embedded) (92%), Linux 2. 6. 15 - 2. 6. 24 (92%), Mikro. Tik Router. OS 3. 0 beta 5 (92%), Mikro. Tik Router. OS 3. 17 (92%), Linux 2. 6. 24 (91%), Linux 2. 6. 22 (90%) No exact OS matches for host (If you know what OS is running on it, see http: //nmap. org/submit/ ). TCP/IP fingerprint: OS: SCAN(V=5. 00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC 5%TM=50 B 3 CA OS: 4 B%P=x 86_64 -unknown-linux-gnu)SEQ(SP=C 8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7 OS: )OPS(O 1=M 2300 ST 11 NW 2%O 2=M 2300 ST 11 NW 2%O 3=M 2300 NNT 11 NW 2%O 4=M 2300 ST 11 NW 2%O 5 OS: =M 2300 ST 11 NW 2%O 6=M 2300 ST 11)WIN(W 1=45 E 8%W 2=45 E 8%W 3=45 E 8%W 4=45 E 8%W 5=45 E 8%W OS: 6=45 E 8)ECN(R=Y%DF=Y%T=40%W=4600%O=M 2300 NNSNW 2%CC=N%Q=)T 1(R=Y%DF=Y%T=40%S OS: =O%A=S+%F=AS%RD=0%Q=)T 2(R=N)T 3(R=N)T 4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R OS: D=0%Q=)T 5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T 6(R=Y%DF=Y%T=40%W= OS: 0%S=A%A=Z%F=R%O=%RD=0%Q=)T 7(R=N)U 1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID OS: =G%RIPCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Uptime guess: 12. 990 days (since Wed Nov 14 01: 44: 40 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=200 (Good luck!) IP ID Sequence Generation: All zeros Read data files from: /usr/share/nmap OS detection performed. Please report any incorrect results at http: //nmap. org/submit/. Nmap done: 1 IP address (1 host up) scanned in 12. 38 seconds Raw packets sent: 1126 (53. 832 KB) | Rcvd: 1066 (46. 100 KB)