
Active Scanning

Live Host Scanning

Commonly done with ICMP echo sweeps (typically blocked by firewalls, hardened hosts, and Windows 10+). We send echo requests, listen for echo replies, and know a host is alive if it responds (fping, hping, nmap, nc):

  • fping -a -g // -a report only alive hosts, -g generate the target list from a range

  • nmap -sn // -sn is the "ping sweep" option, but on the local subnet it is actually an ARP sweep

  • nmap -sn --disable-arp-ping // makes it a real ICMP ping sweep

ARP Discovery Scan

ARP discovery scan for live hosts. It just finds the hosts, it is not a port scan!

  • netdiscover: netdiscover -i tap0 -r 10.10.10.0/24 or netdiscover -i tap0 -S -L -f -r 10.10.10.0/24

  • arp-scan: arp-scan -I tap0 10.10.10.0/24

hping: This tool lets us craft our own packets and run exactly the scans we want without extra noise.

  hping3 -S <ip> -p 80 -c 2

  • -S sets the SYN flag only, so this SYN-scans the given port/IP.

  • -p selects the destination port. With no -p, hping3 defaults to port 0, not to all ports.

  • -c 2 sends only two SYN attempts.

What we should see here is two SYN packets being sent and, if the host is live, a SYN-ACK coming back followed by an RST, as the target reports the port open and our half-open connection is then closed. The reply flags give the state: an RST-ACK reply means closed, a SYN-ACK reply means open.

Classic Ping Sweep Scripts

#!/bin/bash
# Classic ICMP sweep: one echo request per host, run in parallel; print only the IPs that answered.
for ip in $(seq 0 254); do
  ping -c 1 -W 1 "192.168.31.$ip" | grep "bytes from" | cut -d " " -f4 | cut -d ":" -f1 &
done
wait   # let the background pings finish before the script exits
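As an added example (not part of the original notes), a small Python parser for the output of the two checks above: it classifies hping3 SYN-probe replies by their flags, and it extracts responding hosts from ping output the same way the sweep script's grep/cut pipeline does. All sample output here is constructed, not captured from a real scan.

```python
import re

# Field layout of an hping3 reply line, e.g.
#   len=46 ip=10.10.10.5 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=64240 rtt=0.4 ms
HPING_RE = re.compile(
    r"len=(?P<len>\d+) ip=(?P<ip>[\d.]+) ttl=(?P<ttl>\d+) (?:DF )?id=(?P<id>\d+) "
    r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]+) seq=(?P<seq>\d+) "
    r"win=(?P<win>\d+) rtt=(?P<rtt>[\d.]+) ms"
)
# A ping reply line, e.g. "64 bytes from 192.168.31.20: icmp_seq=1 ttl=128 time=1.2 ms"
PING_RE = re.compile(r"bytes from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_hping(lines):
    """Return one dict per hping3 reply; banner and statistics lines are skipped."""
    replies = []
    for line in lines:
        m = HPING_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("len", "ttl", "id", "sport", "seq", "win"):
                d[k] = int(d[k])
            d["rtt"] = float(d["rtt"])
            replies.append(d)
    return replies

def port_state(replies):
    """SYN probe verdict: SYN-ACK (SA) = open, RST-ACK (RA) = closed, nothing = down or filtered."""
    flags = {r["flags"] for r in replies}
    return "open" if "SA" in flags else "closed" if "RA" in flags else "no-reply"

def alive_hosts(ping_output):
    """Same filter as the sweep script (grep 'bytes from', take the IP), sorted numerically."""
    ips = {m.group("ip") for m in PING_RE.finditer(ping_output)}
    return sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))

# Constructed sample output: port 80 open, port 81 closed, host 10.10.10.9 silent.
HPING_OPEN = [
    "HPING 10.10.10.5 (tap0 10.10.10.5): S set, 40 headers + 0 data bytes",
    "len=46 ip=10.10.10.5 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=64240 rtt=0.4 ms",
    "len=46 ip=10.10.10.5 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=64240 rtt=0.3 ms",
    "--- 10.10.10.5 hping statistic ---",
    "2 packets transmitted, 2 packets received, 0% packet loss",
]
HPING_CLOSED = ["len=46 ip=10.10.10.5 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=0.3 ms"]
HPING_SILENT = ["2 packets transmitted, 0 packets received, 100% packet loss"]
PING_SAMPLE = ("64 bytes from 192.168.31.20: icmp_seq=1 ttl=128 time=1.2 ms\n"
               "64 bytes from 192.168.31.1: icmp_seq=1 ttl=64 time=0.4 ms\n"
               "From 192.168.31.3 icmp_seq=1 Destination Host Unreachable\n")

if __name__ == "__main__":
    print("port 80:", port_state(parse_hping(HPING_OPEN)))    # open
    print("port 81:", port_state(parse_hping(HPING_CLOSED)))  # closed
    print("alive:", alive_hosts(PING_SAMPLE))                 # ['192.168.31.1', '192.168.31.20']
```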

Then start looking for low hanging fruit:

  • Misconfigured servers

  • Missing or bad ACLs

  • Default or weak passwords

  • Open shares or null sessions allowed

  • Broadcast requests

  • Vulnerable to public exploits
