Scanning tools


IP Scanner

Source: http://10base-t.com
IP Scanner for iOS scans your local area network to determine the identity of all its active machines and Internet devices.
Features:
o In-built Ping, Portscan, and WOL tools.
o Traverse to native VNC, web browser, or any custom service directly from the scan results.
o Customizable display options for assigning names and icons to discovered devices.
o Ability to create your own device categories with your own images.
o Ability to export, email, and print scan results.

NetScanTools Pro

Source: http://www.netscantools.com
NetScanTools Pro is an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. Using this tool, you can easily gather information about the local LAN as well as Internet users, IP addresses, ports, and so on, and you can find vulnerabilities and exposed ports in your system. NetScanTools Pro combines many network tools and utilities, categorized by function: active, passive, DNS, and local computer.
o Active Discovery and Diagnostic Tools: used for testing and locating devices connected to your network.
o Passive Discovery Tools: monitor the activities of the devices connected to your network and gather information from third parties.
o DNS Tools: help to detect DNS problems.
o Local Computer and General Information Tools: provide details about your local computer's network.
Benefits:
o The information-gathering process is made simpler and faster by automating the use of many network tools.
o Result reports are produced clearly in your web browser.

ACK Scanning on Port 80

You can use this scan technique to probe for the existence of a firewall and its rule sets. Simple packet filtering allows you to establish a connection (packets with the ACK bit set), whereas a sophisticated stateful firewall does not allow you to establish a connection.

Nmap includes

a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

ICMP ping

Ex. hping3 -1 10.0.0.25
Hping performs an ICMP ping scan when the argument -1 is specified on the command line; you may use either --icmp or -1. By issuing the above command, Hping sends an ICMP echo request to 10.0.0.25 and receives an ICMP echo reply, the same as with the ping utility. (EC-Council. Certified Ethical Hacker (CEH) Version 10 eBook w/ iLabs (Volumes 1 through 4). EC-Council Academia, 08/2018. VitalBook file.)

Scan entire subnet for live host

Ex. hping3 -1 10.0.1.x --rand-dest -I eth0
By issuing this command, Hping performs an ICMP ping scan on the entire subnet 10.0.1.x; in other words, it sends ICMP echo requests randomly (--rand-dest) to all the hosts from 10.0.1.0 to 10.0.1.255 that are reachable through the interface eth0. The hosts whose ports are open will respond with an ICMP reply. In this case, you have not set a port, so Hping sends packets to port 0 on all IP addresses by default.

UDP scan on port 80

Ex. hping3 -2 10.0.0.25 -p 80
Hping uses TCP as its default protocol. Using the argument -2 on the command line specifies that Hping operates in UDP mode; you may use either --udp or -2. By issuing the above command, Hping sends UDP packets to port 80 on the host (10.0.0.25). It returns an ICMP port unreachable message if it finds the port closed, and does not respond with a message if the port is open.

SYN scan on port 50-60

Ex. hping3 -8 50-60 -S 10.0.0.25 -V
By using the argument -8 (or --scan) in the command, you operate Hping in scan mode in order to scan a range of ports on the target host. Adding the argument -S makes it a SYN scan. Therefore, the above command performs a SYN scan on ports 50-60 on the target host.

Intercept all traffic containing HTTP signature

Ex. hping3 -9 HTTP -I eth0
The argument -9 sets Hping to listen mode. So, by issuing the command -9 HTTP, Hping starts listening on port 0 (of all the devices on the network reachable through interface eth0), intercepts all the packets containing the HTTP signature, and dumps the data from the end of the signature to the end of the packet. For example, on issuing the command hping2 -9 HTTP, if Hping reads a packet that contains the data 234-09sdflkjs45-HTTPhello_world, it will display the result hello_world.

ACK scan on port 80

Ex. hping3 -A 10.0.0.25 -p 80
Hping can be configured to perform an ACK scan by specifying the argument -A on the command line. Here, you are setting the ACK flag in the probe packets and performing the scan. You perform this scan when a host does not respond to a ping request. By issuing this command, Hping checks whether a host is alive on the network. If it finds a live host and an open port, it returns an RST response.

FIN, PUSH and URG scan on port 80

Ex. hping3 -F -P -U 10.0.0.25 -p 80
By adding the arguments -F, -P, and -U to the command, you are setting the FIN, PUSH, and URG flags in the probe packets. By issuing this command, you are performing FIN, PUSH, and URG scans on port 80 of the target host (10.0.0.25). If port 80 is open on the target, you will not receive a response. If the port is closed, Hping will return an RST response.

SYN flooding a victim

Ex. hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
The attacker employs TCP SYN flooding techniques, using spoofed IP addresses, to perform a DoS attack.

Firewalls and Time Stamps

Ex. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
Many firewalls drop TCP packets that do not have the TCP Timestamp option set. By adding the --tcp-timestamp argument on the command line, you can enable the TCP timestamp option in Hping and try to guess the timestamp update frequency and uptime of the target host (72.14.207.99).

Collecting Initial Sequence Number

Ex. hping3 192.168.1.103 -Q -p 139 -s
By using the argument -Q on the command line, Hping collects all the TCP sequence numbers generated by the target host (192.168.1.103).

Fing

Source: https://www.fing.io
Fing is a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location.
Features:
o Discovers all devices connected to a Wi-Fi network
o Displays MAC address and device manufacturer
o Full search by IP, MAC, Name, Vendor, and Notes
o Wake On LAN: allows you to switch on your devices from a mobile or tablet
o Ping and traceroute: assesses network performance
o Automatic DNS lookup and reverse lookup
o Tracks when a device has gone online or offline
o Launches apps for specific ports, such as Browser, SSH, FTP
o Displays NetBIOS names and properties
o Supports identification by IP address for bridged networks
o Sort by IP, MAC, Name, Vendor, State, and Last Change

The following are some of the features of Hping2/Hping3:

o It determines whether the host is up even when the host blocks ICMP packets.
o It aids advanced port scanning and tests network performance using different protocols, packet sizes, TOS, and fragmentation.
o Manual path MTU discovery.
o Firewalk-like usage allows discovery of open ports behind firewalls.
o Remote OS fingerprinting and TCP/IP stack auditing.

Scanning tools

Scan and identify live hosts, open ports, and running services on a target network, along with location info, NetBIOS info, and information about all open TCP and UDP ports. Information obtained from these tools assists an ethical hacker in creating a profile of the target organization and in scanning the network for open ports on the connected devices.
