Port scanning aims to identify which ports on the target system are open and which services can be reached through them, for example FTP, SSH, Telnet, printing, or web services. There are a total of 65536 ports on a computer system, so connecting to each of these ports and scanning out the available ones makes sense.
1. Network Connection
Kali's network interfaces are not managed by NetworkManager by default, so you need to enable that. Method:
Edit the NetworkManager.conf file under /etc/NetworkManager,
change managed=false to managed=true,
then restart the host.
2. fping Tool
root@kali:~# fping -h
Usage: fping [options] [targets...]
   -a         show targets that are alive
   -A         show targets by address
   -b n       amount of ping data to send, in bytes (default 56)
   -B f       set exponential backoff factor to f
   -c n       count of pings to send to each target (default 1)
   -C n       same as -c, report results in verbose format
   -e         show elapsed time on return packets
   -f file    read list of targets from a file ( - means stdin) (only if no -g specified)
   -g         generate target list (only if no -f specified)
                (specify the start and end IP in the target list, or supply a IP netmask)
                (ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
   -H n       Set the IP TTL value (Time To Live hops)
   -i n       interval between sending ping packets (in millisec) (default 25)
   -l         loop sending pings forever
   -m         ping multiple interfaces on target host
   -n         show targets by name (-d is equivalent)
   -p n       interval between ping packets to one target (in millisec)
                (in looping and counting modes, default 1000)
   -q         quiet (don't show per-target/per-ping results)
   -Q n       same as -q, but show summary every n seconds
   -r n       number of retries (default 3)
   -s         print final stats
   -I if      bind to a particular interface
   -S addr    set source address
   -t n       individual target initial timeout (in millisec) (default 500)
   -T n       ignored (for compatibility with fping 2.4)
   -u         show targets that are unreachable
   -O n       set the type of service (tos) flag on the ICMP packets
   -v         show version
   targets    list of targets to check (if no -f specified)
3. nmap Tool
Usage:
root@kali:~# nmap -h
Nmap 6.47 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude
3.1 nmap TCP connect scan
-sT: TCP connect scan (completes the full three-way handshake)
-p-: scan all ports
-Pn (also written -PN): disable nmap's host discovery; every target is assumed to be up.
root@kali:~# nmap -sT -p- -PN 192.168.115.1
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:38 CST
Stats: 0:12:34 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 90.20% done; ETC: 20:51 (0:01:22 remaining)
Stats: 0:16:16 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 94.41% done; ETC: 20:55 (0:00:58 remaining)
Nmap scan report for 192.168.115.1
Host is up (0.0022s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 1274.21 seconds
3.2 nmap UDP scan
There is also good reason to run a UDP scan, since a number of services are UDP-based: SNMP, TFTP, DHCP, DNS, etc.
root@kali:~# nmap -sU 192.168.115.188
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:21 CST
Nmap scan report for 192.168.115.188
Host is up (0.00069s latency).
Not shown: 994 closed ports
PORT     STATE         SERVICE
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5355/udp open|filtered llmnr
MAC Address: xxxxxxxxxxxxxx (Universal Global Scientific Industrial Co.)
Nmap done: 1 IP address (1 host up) scanned in 974.78 seconds
3.3 nmap SYN scan
This is nmap's default method. It is faster than the TCP connect scan because only the first two steps of the three-way handshake are performed (SYN out, SYN/ACK back) and the connection is never completed. It will not cause a DoS.
root@kali:~# nmap -sS -p- -PN 192.168.115.1
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:26 CST
Nmap scan report for 192.168.115.1
Host is up (0.0020s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: xxxxxxxxxxxxxx (Digital China (Shanghai) Networks)
Nmap done: 1 IP address (1 host up) scanned in 368.52 seconds
Wow, telnet is open....
3.4 nmap Xmas scan
The RFC documents describe the technical details of how a system's protocol stack must behave. Reading the RFC can therefore reveal behaviour that can be probed, and this is precisely the idea behind the Xmas and Null scans.
If the target complies with the TCP RFC (RFC 793), the connection does not need to be completed: a closed port answers an unexpected packet with RST, while an open port silently drops it, so from the response to the initial packet alone nmap can determine the state of the port. Because "no reply" can also mean a firewall dropped the probe, such ports are reported as open|filtered.
However, Xmas scans are generally effective only against Unix or Linux systems.
root@kali:~# nmap -sX -p- -Pn 192.168.115.1
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:42 CST
Nmap scan report for 192.168.115.1
Host is up (0.0029s latency).
Not shown: 65533 closed ports
PORT   STATE         SERVICE
23/tcp open|filtered telnet
80/tcp open|filtered http
MAC Address: XXXXXXXXXXXXX (Digital China (Shanghai) Networks)
Nmap done: 1 IP address (1 host up) scanned in 382.91 seconds
3.5 nmap Null scan
root@kali:~# nmap -sN -p- -Pn 192.168.115.1
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:49 CST
Stats: 0:04:54 elapsed; 0 hosts completed (1 up), 1 undergoing NULL Scan
NULL Scan Timing: About 78.30% done; ETC: 20:55 (0:01:20 remaining)
Nmap scan report for 192.168.115.1
Host is up (0.0018s latency).
Not shown: 65533 closed ports
PORT   STATE         SERVICE
23/tcp open|filtered telnet
80/tcp open|filtered http
MAC Address: XXXXXXXXXXXXX (Digital China (Shanghai) Networks)
Nmap done: 1 IP address (1 host up) scanned in 376.37 seconds
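As an added example (not code from the original notes), a small Python parser for the nmap report layout shown above: it reads the PORT/STATE/SERVICE table, merges the SYN scan's definite "open" with the Xmas scan's "open|filtered" for the same host, and flags cleartext services such as the telnet found here so the scan result turns into an inventory finding. The two reports are constructed samples in the same layout as the output above; the cleartext service list is an assumption of this example.

```python
import re

# Constructed samples: abbreviated nmap normal output for one host, in the
# same layout as the SYN and Xmas scan reports above.
SYN_REPORT = """\
Nmap scan report for 192.168.115.1
Host is up (0.0020s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 368.52 seconds
"""
XMAS_REPORT = """\
Nmap scan report for 192.168.115.1
Host is up (0.0029s latency).
Not shown: 65533 closed ports
PORT   STATE         SERVICE
23/tcp open|filtered telnet
80/tcp open|filtered http
Nmap done: 1 IP address (1 host up) scanned in 382.91 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)", re.M)

# Assumed list of services that carry credentials or data in cleartext;
# seeing one of these open on a scan is worth an inventory alert.
CLEARTEXT = {"telnet", "ftp", "http", "tftp", "snmp"}

def parse_report(text):
    """Return (host, {(port, proto): (state, service)}) from nmap normal output."""
    m = HOST_LINE.search(text)
    host = m.group(1) if m else None
    ports = {(int(p), proto): (state, svc)
             for p, proto, state, svc in PORT_LINE.findall(text)}
    return host, ports

def merge_scans(reports):
    """Merge several reports of one host; a definite 'open' beats 'open|filtered'."""
    merged = {}
    for text in reports:
        for key, (state, svc) in parse_report(text)[1].items():
            prev = merged.get(key)
            if prev is None or (prev[0] != "open" and state == "open"):
                merged[key] = (state, svc)
    return merged

def cleartext_findings(merged):
    """Ports whose service is a cleartext protocol and that may be open."""
    return sorted((port, svc) for (port, proto), (state, svc) in merged.items()
                  if svc in CLEARTEXT and state.startswith("open"))
```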
Port Scan for Kali learning records