Scanning Commands Flashcards

(24 cards)

1
Q

Nmap scan command to identify open ports

A

nmap -sS (performs a SYN Scan)

2
Q

What is a nmap SYN Scan?

A

A TCP SYN scan is a stealth scan used to determine if ports on a target system are open, closed or filtered. Nmap sends a SYN packet to the target and waits for a response. If the target responds with a SYN/ACK packet, the port is considered open and ready to establish a connection.

3
Q

What does a -sn nmap scan do?

A

The -sn option disables port scanning and performs a ping scan to identify active hosts. The “-sn” flag is used with nmap to perform a ping scan, which sends ICMP requests to a target host or network to determine whether each host is up or not.

4
Q

What is a nmap -sL scan?

A

-sL lists potential host targets without confirming they are live. (Creates a host list)

5
Q

What is the nmap -sS scan?

A

Designed for port scanning with a SYN scan; it does not scan for hosts. This is a stealthy and efficient method of scanning for open ports on a system.

6
Q

What is a nmap -sP scan?

A

Performs a ping scan only.

7
Q

What is a nmap -Pn scan?

A

The -Pn option skips host discovery and assumes the host is up. (In Nmap, the -Pn option disables host discovery, effectively treating all specified target IP addresses as active and skipping the initial ping phase. This means Nmap will not send ping requests (ICMP echo requests) to determine if a host is online. Instead, it proceeds directly with any other specified scan functions, such as port scanning, against every target IP provided.)

8
Q

How do you export scan results in nmap to a specific file

A

-oG <file>
example: nmap -sS <Domain> -oG <file>
example: nmap -sS www.geeksforgeeks.com -oG nmap_results

9
Q

What is a UDP scan?

A

UDP (User Datagram Protocol)
1) UDP is a connectionless protocol, meaning it doesn’t establish a persistent connection like TCP.
2) A UDP scan is a type of port scan that probes for open UDP ports on a target host. It works by sending UDP packets to various ports and observing the responses. A closed port typically responds with an ICMP “Port Unreachable” message, while a filtered port might not respond at all.
3) Open Ports: Open UDP ports typically don’t respond to UDP packets, as there’s no stateful mechanism that requires building a session.
Closed Ports: If an ICMP “Port Unreachable” message is returned, the port is considered closed.
Filtered Ports: A lack of response can indicate a filtered port, where the port is blocked by a firewall or other security mechanism.
4) Typically slower than a TCP scan.

10
Q

What is a TCP scan?

A

TCP (Transmission Control Protocol)
1)A TCP scan, also known as a TCP connect scan, is a type of port scanning that uses the TCP protocol to establish a connection with a target host on a specific port. This process involves the TCP three-way handshake, where the scanner sends a SYN packet, the target responds with a SYN-ACK, and the scanner completes the connection with an ACK packet. By observing the responses, the scanner can determine if a port is open, closed, or filtered.
2) Port Status:
Open: If the scanner receives a SYN-ACK packet, it indicates the port is open and listening.
Closed: If the target responds with a RST (reset) packet, it means the port is closed and not listening.
Filtered: If no response is received or if an ICMP unreachable error is received, the port is considered filtered, meaning it’s blocked by a firewall or other network device.
3) TCP scans can be used for various purposes, including:
Reconnaissance: Identifying open ports on a target system to gather information about the services running there.
Vulnerability Assessment: Discovering potential vulnerabilities in the services running on open ports.
Attack Planning: Identifying targets that can be exploited.

11
Q

What is the nmap command for a TCP scan

A

-sT
TCP scans can be used for various purposes, including:
Reconnaissance: Identifying open ports on a target system to gather information about the services running there.
Vulnerability Assessment: Discovering potential vulnerabilities in the services running on open ports.
Attack Planning: Identifying targets that can be exploited.

12
Q

What is an ICMP request

A

An ICMP (Internet Control Message Protocol) request is a network packet used to send control or error messages between network devices. It’s often associated with ping, a troubleshooting tool that uses ICMP to test network connectivity and measure latency.

Purpose:
ICMP is used to communicate information about network problems, such as unreachable destinations, time-exceeded errors, or issues with routing.
How it works:
ICMP packets are typically embedded within IP packets, meaning they travel across the network along with other data.
Ping:
The ping command relies on ICMP to send an “echo request” to a device. If the device is reachable and responding, it sends back an “echo reply,” indicating connectivity.
Error Reporting:
ICMP also includes error messages that can indicate why a packet could not reach its destination, such as network congestion or unreachable hosts.

13
Q

What does the -sU command do?

A

In nmap the -sU option performs a UDP scan, which allows the user to discover open UDP ports and services on the target system.

14
Q

What is the -F scan in nmap?

A

The nmap parameter “-F” is for a fast scan, which limits the target ports to just the top 100 popular (i.e., widely used) ports.

15
Q

What does the -A command do in nmap?

A

Enables OS detection, version detection, script scanning, and traceroute

16
Q

What is Powersploit?

A

PowerSploit is a collection of PowerShell modules that can be used to perform a variety of pentesting tasks, including code execution, gaining persistence, bypassing antimalware, and more.

17
Q

What is Powerview?

A

PowerView uses multiple PowerShell scripts to enumerate a Windows domain environment. This tool can be used to gather information such as network shares, users, groups, and group policies. It can even help with lateral movement and privilege escalation.

18
Q

What is Empire?

A

Empire is a popular framework designed to aid in the post-exploitation phase, which involves maintaining access to compromised systems, gathering information, and executing further attacks. One of the strengths of Empire is its extensive use of PowerShell modules, which allows Empire to leverage built-in Windows functions and bypass some security mechanisms.

19
Q

What is PowerUpSQL?

A

PowerUpSQL uses PowerShell modules to discover, enumerate, pull credentials, and exploit Microsoft SQL Servers.

20
Q

What is ADSearch?

A

ADSearch is another Active Directory reconnaissance tool. ADSearch uses the LDAP protocol to enumerate the Windows domain environment so it is not as easily detectable.

21
Q

What is Powershell?

A

PowerShell is the Windows scripting language, built on the .NET Framework. It has been the default shell since Windows 10.
PowerShell can make it easier for pentesters to automate the process of exploiting the Registry, Active Directory objects, Group Policy, the Windows network stack, and more.

22
Q

What is a cmdlet?

A

PowerShell functions mainly through the use of cmdlets, which are specialized .NET commands that interface with PowerShell. A cmdlet is a compiled library that exposes some configuration or administrative task, for example starting a VM in Hyper-V.

23
Q

What is Bash?

A

Bash is a scripting language and the default command shell for Unix-like systems. Bash uses “system calls” and leverages existing tools.

24
Q

What is Bash used for in PenTesting?

A

Automating the creation of files and directory structures.

Quickly scanning and identifying actionable information in logs and other text files.

Manipulating the output of existing security tools like nmap, tcpdump, Metasploit, etc.

Extending the functionality of existing system utilities and security tools.