Sources: Hack5
Nmap is a footprinting tool that gathers information about a target host or IP address (open, closed and filtered ports). The scan is not stealthy: the target being scanned can tell it is being scanned.
IMPORTANT: you need written consent whenever you want to scan any IP address / hostname.
Can you use this tool anonymously? As long as you are using an anonymizer like Tor.
# find out your IP address within your local network
ifconfig
# Look for a line like:
# inet 192.168.13.0 netmask 255.255.255.0 broadcast 192.168.13.255
# now you can run nmap on the whole IP range (grepable output, -oG, written to a file)
nmap -oG - 192.168.13.0-255 -vv > ~/Documents/scans/my-network.txt
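An added example (not part of the original notes) that parses the grepable -oG output the command above writes into a per-host inventory of open, closed and filtered ports; the scan output embedded in it is constructed for the example, not a real capture.

```python
import re
from collections import Counter

# Constructed sample of -oG output, in the shape the scan above writes
# (two hosts up, one port with an -sV version field); not a real capture.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -oG - 192.168.13.0-255 -vv
Host: 192.168.13.1 ()\tStatus: Up
Host: 192.168.13.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 53/open/tcp//domain///, 80/closed/tcp//http///\tIgnored State: filtered (997)
Host: 192.168.13.7 ()\tStatus: Up
Host: 192.168.13.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": {port: (state, service, version)}}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' banner lines and anything else that is not a Host record
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": {}})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for spec in field[len("Ports: "):].split(", "):
                # each spec is port/state/proto/owner/service/rpc-info/version/
                p = spec.split("/")
                entry["ports"][int(p[0])] = (p[1], p[4], p[6])
    return hosts

def count_states(hosts):
    """Count ports per state (open/closed/filtered) across all hosts."""
    return Counter(st for h in hosts.values() for st, _, _ in h["ports"].values())

def open_ports(hosts):
    """Sorted (ip, port, service) for every open port: the exposure inventory."""
    return sorted((ip, port, svc) for ip, h in hosts.items()
                  for port, (st, svc, _) in h["ports"].items() if st == "open")

if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    for ip, port, svc in open_ports(parsed):
        print(f"{ip}:{port}/tcp {svc}")
    print(dict(count_states(parsed)))
```

Point it at the real file instead of SAMPLE_OG to compare a fresh scan against the previous inventory and spot newly exposed ports.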
Another example of nmap, on a range:
nmap 122.64.0.0/11 -sT -sV -PN -n -vvv --min-rate=5000 --min-hostgroup=256 --min-parallelism=256
# -sT : TCP connect scan (full three-way handshake; this is not the SYN scan)
# -sV : give me banners (service/version detection)
# -PN : treat all hosts as online, aka don't ping (same as -Pn)
# -n : do not attempt DNS resolution
# -vvv : super verbose
# --min-rate : send at least n packets / second
# --min-hostgroup : work on at least this many hosts at a time
# --min-parallelism : keep at least this many probes outstanding in parallel (make sure your router and connection can handle it)
What this is doing is sending packets from your computer to China (in this case, where this range is located). Not all the hosts in the range are responsive / alive, and since it attempts a full TCP handshake with each port, it creates a lot of overhead.
parallel nmap python | xargs
Instead of asking the single-threaded nmap to scan the whole range, we can use a Python script to generate a set of nmap command strings, one per /24 inside the range, and feed them to xargs (which builds and executes command lines from standard input). Here is the Python script that generates the individual nmap commands.
#!/usr/bin/env python3
import os
import sys
import ipaddress
# Python 3!
# Takes input of a large network (e.g. /11) and slices it up into
# however many /24s exist inside it, printing one nmap command per /24.
# Ex: python3 scripts/pentest/tnmap.py 122.64.0.0/11
SUBNET_PREFIX_LEN = 24  # 24-bit subnet mask
ip = ipaddress.ip_network(sys.argv[1])
if SUBNET_PREFIX_LEN < ip.prefixlen:
    subnet_list = [ip]  # already smaller than a /24: scan it as one chunk
else:
    subnet_list = ip.subnets(new_prefix=SUBNET_PREFIX_LEN)
os.makedirs('out', exist_ok=True)  # nmap does not create the output directory itself
for sub in subnet_list:
    cmd = [
        'nmap',
        '-T4',  # use aggressive timings
        '--open',  # only return open ports
        '-sT',  # TCP connect scan (full handshake; not the SYN scan)
        '-n',  # don't attempt DNS resolution
        '-vvv',  # very very verbose
        '--min-rate=1000',  # set min packet transmission rate
        '--min-hostgroup=256',  # how many hosts to scan at the same time
        '--max-retries=2',  # how many retransmissions per port probe
        '-sC',  # run the default NSE scripts
        '-Pn',  # consider hosts as alive, do not ping
        '-oX', 'out/%s_%s' % (sub.network_address, sub.prefixlen),  # xml output to ./out/<network>_<prefixlen>
        str(sub),  # target specification (hostname, IP addresses, ranges, subnets, etc.)
    ]
    print(' '.join(cmd))
Example with xargs (-I CMD substitutes each generated line, -P 100 runs up to 100 nmap processes in parallel):
python3 scripts/pentest/tnmap.py 122.64.0.0/11 | xargs -I CMD -P 100 sh -c CMD
masscan
masscan scans the entire internet in under 5 minutes. (A link to the GitHub page.)
Masscan is tuned for wide-range scanning of a lot of machines, whereas nmap is designed for intensive scanning of a single machine or a small range.
It scans all of the specified IP:port pairs asynchronously and does not try to establish a TCP session: it just sprays packets, waits, and keeps track of whoever answers back. The answers could come from firewalls as well, which may even fake that a host is alive.
First we'll create an exclude file so we don't waste time scanning non-routable internal IPs. In your terminal run vi exclude-ips.txt and add:
10.0.0.0/8
192.168.0.0/16
172.16.0.0/12
If you don't know what the /8 or /16 means, it's called slash notation: a quick way to attach a subnet mask to an IPv4 address. For example, 172.16.0.0/12 is equivalent to 172.16.0.0 with a subnet mask of 11111111.11110000.00000000.00000000 (i.e. 255.240.0.0).
# scan port 455 on every IP address in the internet at a rate of 1M packets per second
masscan 0.0.0.0/0 -p455 --rate 1000000 --exclude exclude-ips.txt
That's fast enough to melt most networks. Note that it'll only melt your own network. It randomizes the target IP addresses so that it shouldn't overwhelm any distant network.
ipcalc
ipcalc provides a simple way to calculate IP information for a host.
Example usage:
ipcalc 122.64.0.0 - 122.95.255.255
Shodan
Shodan manual scanning with masscan
Spin up a free t1.micro EC2 instance
tcpdump 0 port ssh
LOLBins (living off the land binaries), MSBuild