Port Scan for Kali learning records

Source: Internet
Author: User

Port scanning aims to identify which ports on the target system are open and which services can be reached through them, for example FTP, SSH, Telnet, print services or web services. There are a total of 65536 ports in a computer system, so it makes sense to connect to each of these ports and scan out the ones that are available.

1. Network Connection

Kali's network interfaces are not managed by NetworkManager by default, so you need to enable this. Enabling method:

Edit the NetworkManager.conf file under /etc/NetworkManager and change

managed=false to managed=true

Then restart the host.

2. fping Tool

root@kali:~# fping -h
Usage: fping [options] [targets...]
   -a         show targets that are alive
   -A         show targets by address
   -b n       amount of ping data to send, in bytes (default 56)
   -B f       set exponential backoff factor to f
   -c n       count of pings to send to each target (default 1)
   -C n       same as -c, report results in verbose format
   -e         show elapsed time on return packets
   -f file    read list of targets from a file ( - means stdin) (only if no -g specified)
   -g         generate target list (only if no -f specified)
                (specify the start and end IP in the target list, or supply a IP netmask)
                (ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
   -H n       Set the IP TTL value (Time To Live hops)
   -i n       interval between sending ping packets (in millisec) (default 25)
   -l         loop sending pings forever
   -m         ping multiple interfaces on target host
   -n         show targets by name (-d is equivalent)
   -p n       interval between ping packets to one target (in millisec)
                (in looping and counting modes, default 1000)
   -q         quiet (don't show per-target/per-ping results)
   -Q n       same as -q, but show summary every n seconds
   -r n       number of retries (default 3)
   -s         print final stats
   -I if      bind to a particular interface
   -S addr    set source address
   -t n       individual target initial timeout (in millisec) (default 500)
   -T n       ignored (for compatibility with fping 2.4)
   -u         show targets that are unreachable
   -O n       set the type of service (tos) flag on the ICMP packets
   -v         show version
   targets    list of targets to check (if no -f specified)


3. NMAP Tool

Usage:

root@kali:~# nmap -h
Nmap 6.47 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude 

3.1 nmap performs a TCP connect scan

-sT: TCP connect scan (a full three-way handshake with every port)

-p-: scan all ports (1-65535)

-Pn: disable Nmap's host discovery; every target is assumed to be up and is scanned directly.

root@kali:~# nmap -sT -p- -PN 192.168.115.1
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:38 CST
Stats: 0:12:34 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 90.20% done; ETC: 20:51 (0:01:22 remaining)
Stats: 0:16:16 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 94.41% done; ETC: 20:55 (0:00:58 remaining)
Nmap scan report for 192.168.115.1
Host is up (0.0022s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 1274.21 seconds


3.2 nmap also has reasons to perform a UDP scan, since a number of services are UDP-based: SNMP, TFTP, DHCP, DNS, etc.

root@kali:~# nmap -sU 192.168.115.188
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:21 CST
Nmap scan report for 192.168.115.188
Host is up (0.00069s latency).
Not shown: 994 closed ports
PORT     STATE         SERVICE
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5355/udp open|filtered llmnr
MAC Address: xxxxxxxxxxxxxx (Universal Global Scientific Industrial Co.)
Nmap done: 1 IP address (1 host up) scanned in 974.78 seconds


3.3 nmap performs a SYN scan. This is the default method. It is faster than a TCP connect scan because only the first two steps of the three-way handshake are performed (SYN out, SYN/ACK back, then the half-open connection is reset), and it will not cause a DoS attack.

root@kali:~# nmap -sS -p- -PN 192.168.115.1
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:26 CST
Nmap scan report for 192.168.115.1
Host is up (0.0020s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: xxxxxxxxxxxxxx (Digital China (Shanghai) Networks)
Nmap done: 1 IP address (1 host up) scanned in 368.52 seconds

Wow, telnet is open....
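The reports above all share Nmap's normal-output format. The following is an added example (not from the original post or from the Nmap project) that parses such a report into port records, distinguishes a confirmed "open" state from the inconclusive "open|filtered" seen in the UDP scan, and flags legacy cleartext remote-access services such as the telnet port found here. The sample report is constructed from the SYN scan results above, with a placeholder MAC address.

```python
import re
from typing import Dict

# Constructed sample in Nmap normal-output format, modelled on the SYN scan
# report above (host line and port table copied from it; the MAC is a placeholder).
SAMPLE_REPORT = """\
Nmap scan report for 192.168.115.1
Host is up (0.0020s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: XX:XX:XX:XX:XX:XX (placeholder vendor)
Nmap done: 1 IP address (1 host up) scanned in 368.52 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")
# Longer alternatives first so "open|filtered" is not cut short at "open".
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|unfiltered|open|closed|filtered)\s+(\S+)"
)

# Legacy remote-access services that carry credentials in cleartext.
CLEARTEXT_REMOTE_ACCESS = {"telnet", "ftp", "rsh", "rlogin", "rexec"}


def parse_nmap_report(text: str) -> Dict[str, object]:
    """Parse one host's normal-output report into host, port entries and findings."""
    report = {"host": None, "not_shown": None, "ports": [], "findings": []}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            report["host"] = m.group(1)
        elif m := NOT_SHOWN_RE.match(line):
            report["not_shown"] = (int(m.group(1)), m.group(2))
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            entry = {
                "port": int(port), "proto": proto, "state": state, "service": service,
                # open|filtered only means no reply came back: the port may be open
                # or a firewall may have dropped the probe, so it is not confirmed.
                "confirmed_open": state == "open",
            }
            report["ports"].append(entry)
            if entry["confirmed_open"] and service in CLEARTEXT_REMOTE_ACCESS:
                report["findings"].append(f"{port}/{proto} {service}: cleartext remote access")
    return report


if __name__ == "__main__":
    r = parse_nmap_report(SAMPLE_REPORT)
    print(r["host"], r["not_shown"], [(p["port"], p["state"]) for p in r["ports"]])
    print("\n".join(r["findings"]))
```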

3.3 nmap executes an XMAS scan

The RFC documents describe the technical details of the protocol. If you study the RFC, you may therefore find behaviours that reveal system weaknesses. This is precisely the idea behind the Xmas and Null scans.

If the target system complies with the TCP RFC, the connection does not need to be completed: from the way the target answers the initial probe, Nmap can determine the state of the port.

However, the Xmas scan is generally only effective against Unix or Linux systems.

root@kali:~# nmap -sX -p- -Pn 192.168.115.1
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:42 CST
Nmap scan report for 192.168.115.1
Host is up (0.0029s latency).
Not shown: 65533 closed ports
PORT   STATE         SERVICE
23/tcp open|filtered telnet
80/tcp open|filtered http
MAC Address: XXXXXXXXXXXXX (Digital China (Shanghai) Networks)
Nmap done: 1 IP address (1 host up) scanned in 382.91 seconds


3.4 nmap executes a NULL scan
root@kali:~# nmap -sN -p- -Pn 192.168.115.1
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:49 CST
Stats: 0:04:54 elapsed; 0 hosts completed (1 up), 1 undergoing NULL Scan
NULL Scan Timing: About 78.30% done; ETC: 20:55 (0:01:20 remaining)
Nmap scan report for 192.168.115.1
Host is up (0.0018s latency).
Not shown: 65533 closed ports
PORT   STATE         SERVICE
23/tcp open|filtered telnet
80/tcp open|filtered http
MAC Address: XXXXXXXXXXXXX (Digital China (Shanghai) Networks)
Nmap done: 1 IP address (1 host up) scanned in 376.37 seconds
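The Xmas and NULL sections (3.3 and 3.4) rest on the RFC 793 rule that a closed port answers any non-RST segment with a RST, while a listening port silently drops a segment carrying none of SYN, RST or ACK. The added example below (written for this page, not part of the original post or of Nmap) models that rule for the SYN, Xmas and NULL probes and maps each reply to the state Nmap reports, which is why the telnet and http ports above come back as "open|filtered" under -sX and -sN but "open" under -sS. The windows_like flag is an assumption standing in for stacks that send RST from every port regardless, the behaviour that makes these scans ineffective outside Unix/Linux.

```python
from typing import Optional, Set

# TCP flags carried by each probe type shown on this page (RFC 793 names).
PROBES = {
    "syn": {"SYN"},
    "xmas": {"FIN", "PSH", "URG"},
    "null": set(),
}


def rfc793_response(port_open: bool, flags: Set[str], windows_like: bool = False) -> Optional[str]:
    """Return the segment a host sends back to a probe, or None for no reply.

    RFC 793 section 3.9: a CLOSED port answers any incoming segment that does
    not carry RST with a RST; a port in LISTEN replies SYN/ACK to a SYN, resets
    an unexpected ACK, and drops a segment with none of SYN, RST or ACK.
    windows_like (assumed label) models non-compliant stacks that send RST
    from every port when SYN is absent.
    """
    if "RST" in flags:
        return None  # a RST is never answered, on any port
    if not port_open:
        return "RST"
    if "SYN" in flags and "ACK" not in flags:
        return "SYN/ACK"
    if "ACK" in flags:
        return "RST"
    # Xmas, NULL or FIN probe against a listening port
    return "RST" if windows_like else None


def nmap_state(probe: str, response: Optional[str]) -> str:
    """Map a probe/response pair to the port state Nmap reports for it."""
    if response == "SYN/ACK":
        return "open"
    if response == "RST":
        return "closed"
    if response is not None and response.startswith("ICMP"):
        return "filtered"  # ICMP unreachable from a firewall or router
    # No reply: a SYN probe is reported filtered, but the FIN/Xmas/NULL family
    # cannot distinguish an open port from a dropped packet.
    return "filtered" if probe == "syn" else "open|filtered"


def scan(probe: str, port_open: bool, windows_like: bool = False) -> str:
    """Simulate one probe against one port and return Nmap's verdict."""
    return nmap_state(probe, rfc793_response(port_open, PROBES[probe], windows_like))


if __name__ == "__main__":
    for probe in PROBES:
        print(probe, "open port ->", scan(probe, True), "| closed port ->", scan(probe, False))
```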


