Samreen Saeed
BC123197
Section 2
BC123197
Section 2
In this tutorial I'll be covering reconnaissance. In other words, how to get the information needed to hack your target system.Which is one of the most important preparatory steps to hacking.
You have to follow some steps in order to perform information gathering.We will be doing the following steps and attacks.
1.OS detection scan.
2.Performing Different Scans
- TCP connect scan.
- TCP SYN scan.
- FIN scan.
- XMax scan.
- Null Scan.
- UDP scan.
- ACK scan.
- Window Scan.
- Idle Scan.
4.Scanning a Sub net.
5.Spoofing and Decoy Scan.
6.Gathering version information.
7.Wild Card scanning.
8.Evading Firewalls.
9.Using a List.
10.Output to a file.
Before performing all these steps and scan the first thing you have to do is open Kali linux and than its terminal.
1.Open Nmap in Kali
the first step you have to do is open terminal of kali linux and type nmap there.
you will be shown some output like this.
 |
| nmap |
you will be shown with different options you have available in nmap for information gathering such as the scan Techniques,OS scanning etc.
2.Performing Different Scans.
the basic syntax of performing different scans is
nmap <scantype> IP_address_Of_the_victim
a.OS Detection Scan.
if we want to know which operating system our victim is using , we use the OS detection flag in our command i-e -O
nmap -O IP_address_Of_the_victim
 |
| OS Detection scan |
You will be shown with the operating system of your victim as shown in the figure.
b.TCP connect scan.
This scan is named after the connect call that is used by the operating system to initiate a TCP connection with some remote device.-sT Flag is used to tell that you want to perform TCP connect scan.
nmap -sT ip_address
 |
| TCP connect scan |
c. TCP SYN Scan.
The TCP SYN scan allows nmap to gather information about open ports without completing the TCP handshake process. When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half open" scanning.The flag used for this scan is -sS.
nmap -sS ip_address
 |
| TCP SYN Scan |
When we add -v to the command we can increase the verbosity.
d.FIN Scan.(Stealth Scan)
The idea is that closed ports tend to reply to your FIN packet with the proper RST. Open ports, on the other hand, tend to ignore the packet in question.
This scan uses -sF flag.
nmap -sF ip_address
 |
| FIN Scan |
e. xMax Scan.(Stealth Scan)
The Xmas scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set lighting the packet up like a Christmas tree.. A close port responds with a RST, and open port is conspicuous by its silence.This scan uses the -sX Flag.
nmap -sX ip_address
 |
| XMAX scan |
f.NULL Scan.(Stealth Scan)
The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world.Does not set any bits (TCP flag header is 0).it Uses -sN flag.
nmap -sN 1p_address
 |
| NULL Scan |
g.UDP Scan.
Up until this point, all of our scans have been for TCP ports. Some services and ports use UDP to communicate to the outside world. Our previous scan types (-sS and -sT) will not find UDP ports as they are only looking for TCP ports. Some services only run on UDP, such NTP (port 123) and SNMP (port 161). To find these ports and services, we need to do a UDP scan. We can do this with the -sU switch:
nmap -sU ip_address
 |
| UDP Scan |
Note in the output from the UDP scan above that some ports are reported as open/filtered. This indicates that nmap cannot determine whether the port is open or it is filtered by a device such as a firewall.
Unlike TCP ports that respond with a RST packet when they are closed, UDP ports respond with an ICMP packet when they are closed. This can make scans far less reliable, as often the ICMP response is blocked or dropped by intermediate devices (firewalls or routers).
Nmap has a switch that will return the reason why it has placed a particular port in a particular state. For instance, we can run the same UDP scan as above with the --reason switch and nmap will return the same results, but this time will give us the reason it has determined the particular state of the port.
nmap -sU --reason ip_address
 |
| Reason of response |
h.ACK Scan.
This scan is different than the others discussed so far in that it never determines
open (or even open|filtered) ports. It is used to map out firewall rule sets, determining whether they are stateful or not and which ports are filtered.Flag used for ACK scan is -sA.
nmap -sA ip_address
 |
| ACK Scan |
i.Window Scan
The window scan is similar to an ACK scan, but the window scan has the advantage of identifying open ports. It is named after the TCP sliding window. A RST frame response from a closed port responds with a window size of zero. When an open port is sent an ACK frame, the destination station still responds with a RST frame, but the window size is a non-zero value.It uses -sW flag.
nmap -sW ip_address
 |
| Window Scan |
j.Idle Scan.
Nmap uses idlescan to gather port information using another station on the network, and it will appear that the scanning process is initiated from this third-party IP address instead of the nmap station.
Before launching an idlescan, a "zombie" station must be identified. This third station will be the pivot point of the idlescan.This scan uses -sI flag.
nmap -sI zombie_ip victim_ip
 |
| Idle Scan |
3.Port Range Scanning
Sometimes we are looking for a specific port or a port range. Nmap uses the -p switch to designate a port or port range. So, if we were only looking for ports 25-100, we could use:
As you can see, this command scans and reveals only the ports in that port range.
nmap ip_address -p25-150
 |
| Port Range Scanning |
4.Scanning a Subnet
Often, we want to scan more than a single IP address. Nmap allows us to use CIDR notation to designate an entire subnet. So, for instance, if we wanted to scan on entire Class C subnet (256 hosts) for port 80 open, we could type:
nmap 192.168.1.0/24 -p1-100
 |
| Subnet Scan |
5.Spoofing and Decoy Scan
When we are scanning machines that are not ours, we often want to hide our IP (our identity). Obviously, every packet must contain our source address or else the response from the target system will not know where to return to.
The same applies to spoofing our IP when using nmap. We CAN spoof our IP address (-S) in nmap, but as a result, any response and any info we are trying to gather will return to the spoofed IP. Not very useful, if we are scanning for info gathering.
A better solution is to obfuscate our IP address. In other words, bury our IP address among many IP addresses so that the network/security admin can't pinpoint the source of the scan. Nmap allows us to use decoy IP addresses so that it looks like many IP addresses are scanning the target.
We can do this by using the -D switch, such as:
nmap -sS victim_ip -D 10.0.0.1,10.0.0.2,10.0.0.3
 |
| Spoof/Decoy Scan |
This scan will use three decoy IP addresses, but also use our own address as well. In this way, we get responses and the info on the target AND the admin of the system sees scans coming from four systems simultaneously. In this way, he can't pinpoint the true source of the scan easily.
6.Gathering Version Information
When nmap runs a port scan, it retrieves the port info (open/closed/filtered) and then gives us the default service that is running on that port. As one can run ANY service on any port, that may not be adequate information. If our attack requires a particular service on a particular port, gathering the default information may not be enough.
We need to know what service is actually running on that port, not the default service. For instance, knowing that port 80 is open and running http is good to know, but if our attack is specific to Apache, then if the target has Microsoft's IIS running on that port, it won't work. We often need the service on the port.
Nmap has a feature that interrogates the service running on each port scanned. It can be used with the -sV switch, such as:
nmap -sV ip_address
 |
| Check Version information |
7.Wild Card Scanning
You can scan a range of IP address using a wildcard:
nmap 192.168.1.*
 |
| Wildcard Scan |
8.Evading Firewalls
Many firewalls and routers block or drop the ICMP (echo request, echo reply) ping. This is meant to obscure the presence of the hosts behind the firewall and protect against a possible DoS using the ping packet.
When you use nmap to scan a system or network, by default, it send out a ping to see if the host is up and if it gets a response, it then sends the specified packets to scan the system. If the ping is blocked or dropped, nmap gives up and says, "host is down."
To get around firewalls and routers that block or drop the ping, we need to suppress nmap's default behavior of sending out that initial ping and get past the firewall that is blocking us. We can do this by using the -P0 switch:
nmap -sS -P0 ip_address
 |
| Evading Firewall |
9.Using a List
Many times we want to scan a list of IP addresses and not an entire subnet. We can use any text editor and create a list of IP addresses and "feed" it to nmap. Here, I am using Leafpad, which is built into Kali (any text editor will work), to put together a list of IP addresses I want to scan.
 |
| text file |
Then I can use this list of IP address in nmap rather than having to retype these IP addresses each time I scan.
nmap -iL ipaddress.txt
 |
| File Scan |
10.Output To a File
If we are scanning multiple IP addresses, we probably want to save the output to a file for later reference. Although nmap has many ways and formats to save the output, I prefer the -oN (output normal) switch.
Simply add the -oN switch at the end of the command with the name of the file you want to save the output to. Here, I have used a file named "scan.txt":
nmap -sS ip_addres -oN scan
 |
| Output to a file |
When I run the command, I get my same output to the screen, but I also get that output saved to a file.We can view the contents of the file by opening that file in leafpad or any other text editor.
 |
| File output |
