
Jan 26, 2018

Nmap and Tcpdump

Nmap security scanner

Basics

Nmap scans a single host or an entire network for live hosts, open ports, running services and operating systems. The Nmap Scripting Engine (NSE) extends it with Lua scripts for discovery, version probing, vulnerability checks and more; Zenmap is the GUI front end.

Basic uses

Use -v, -vv or -vvv for increasingly verbose output.

Scan a single address:

$ nmap 192.168.0.24

Ping scan, host discovery only, no port scan (-sP is the old spelling of -sn and still works):

$ nmap -sn 192.168.0.*

SYN scan (-sS), skip host discovery (-P0 is the old spelling of -Pn), service/version detection (-sV) and OS detection (-O). Raw-socket scans and OS detection need root:

# nmap -sS -Pn -sV -O 192.168.0.2

The higher the -T timing template (0 to 5), the faster the scan, but the aggressive templates can miss ports on slow links or on hosts that rate-limit responses:

$ nmap -T5 192.168.1.0/24

Scan the 20 ports most often found open (ranked by the frequency data in nmap-services):

$ nmap --top-ports 20 192.168.0.0/24

TCP connect scan of port 80: completes the three-way handshake through the normal socket API, so it needs no root, but the finished connection is visible to the service and its logs:

$ nmap -sT -p80 192.168.0.0/24

Decoy scan: the same probes are also sent with the decoy addresses as spoofed sources, so the target sees several apparent scanners. The list must not contain spaces, and ME stands for your own address. The decoys should be hosts that are actually up, otherwise you can SYN-flood the target with their backscatter and the one responsive address gives you away. Needs root:

# nmap -sS 192.168.0.0-5 -D 192.168.0.99,192.168.0.98,ME

Skip host discovery and scan every address as if it were up (useful when ICMP and the discovery probes are filtered):

$ nmap -Pn 192.168.0.0/24

Aggressive scan: -A enables OS detection, version detection, the default scripts (-sC) and traceroute; -T4 speeds it up. Run as root so OS detection and traceroute work:

# nmap -A -T4 192.168.0.2

Comprehensive scan: TCP SYN and UDP scans, -A, several host-discovery probe types (ICMP echo and timestamp, TCP SYN and ACK to the listed ports, IP protocol ping) and every NSE script. It takes hours, and --script all includes the intrusive, dos and exploit categories, so only run it against targets you are authorised to attack. Needs root:

# nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 \
  -PA80,113,443,10042 -PO --script all <target>

IPv6

$ nmap -6 <ipv6-address>

List the interfaces and routes nmap will use:

$ nmap --iflist
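A two-stage scan as an added example (not from the original notes or the Nmap project): host discovery first, then a port and version scan of only the hosts that answered, with nmap's grepable output (-oG) parsed in between so the second stage and any follow-up tooling get a clean host and port list. The parsers work on the -oG text alone, so the constructed sample at the end exercises them without nmap. The target range, the top-100 port choice and the sample data are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original notes: a two-stage nmap workflow that
# feeds grepable output (-oG) from host discovery into a port/version scan of
# the live hosts only. The parsers only touch the -oG text, so they can be
# exercised on the constructed sample at the end without running nmap.

# Print the address of every host reported as up. -oG host lines look like
#   Host: 192.168.0.1 (router)<TAB>Status: Up
live_hosts_from_grepable() {
    awk -F'\t' '
        /^Host: / && $2 == "Status: Up" {
            split($1, h, " ")       # h[2] is the address, h[3] the (hostname)
            print h[2]
        }' | sort -u
}

# Print "ip port proto service" for every open port. -oG port lines look like
#   Host: 192.168.0.2 ()<TAB>Ports: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//nginx 1.14.0/<TAB>Ignored State: closed (98)
# and each entry is port/state/proto/owner/service/rpc/version/ .
open_ports_from_grepable() {
    awk -F'\t' '
        /^Host: / {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entries, /, /)   # a ", " inside a version string would split it
                    for (j = 1; j <= n; j++) {
                        split(entries[j], f, "/")
                        if (f[2] == "open") print ip, f[1], f[3], f[5]
                    }
                }
            }
        }'
}

# Stage 1: host discovery only (-sn). Stage 2: SYN scan plus version detection
# of the 100 most common ports on the hosts that answered; -sS needs root.
# $1 is the target range, e.g. 192.168.0.0/24 (an assumption, supply your own).
# If nothing answered, xargs still runs nmap once, which just prints its usage.
scan_network() {
    nmap -sn -oG - "$1" \
        | live_hosts_from_grepable \
        | xargs nmap -sS -sV --top-ports 100 -oG - \
        | open_ports_from_grepable
}

# Constructed sample of -oG output (not from a real scan), for the self-test.
SAMPLE_GREPABLE=$(printf '%b\n' \
    '# Nmap 7.70 scan initiated Fri Jan 26 10:00:00 2018 as: nmap -sS -sV --top-ports 100 -oG - 192.168.0.1-3' \
    'Host: 192.168.0.1 (router)\tStatus: Up' \
    'Host: 192.168.0.1 (router)\tPorts: 80/open/tcp//http//lighttpd 1.4.45/, 443/closed/tcp//https///\tIgnored State: closed (98)' \
    'Host: 192.168.0.2 ()\tStatus: Up' \
    'Host: 192.168.0.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//nginx 1.14.0/, 443/closed/tcp//https///\tIgnored State: filtered (97)' \
    '# Nmap done at Fri Jan 26 10:01:00 2018 -- 3 IP addresses (2 hosts up) scanned in 60.00 seconds')

# With a target argument run the real scan, otherwise parse the sample.
if [ $# -gt 0 ]; then
    scan_network "$1"
else
    printf '%s\n' "$SAMPLE_GREPABLE" | open_ports_from_grepable
fi
```

scan_network 192.168.0.0/24 runs the real thing; feeding the host:port list into further tools, or diffing it against last week's run, is what -oG is for. Beyond quick pipelines, -oX with an XML parser is more robust than splitting on slashes and commas, since version strings may contain those characters.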

Nmap Scripting Engine

Run the default script set; the two forms are equivalent:

$ nmap --script=default 192.168.0.2
$ nmap -sC 192.168.0.2

Show the help text of every script in a category (here discovery; --script-help all lists every script):

$ nmap --script-help discovery

Run every script in a category, here dos (these scripts test for denial-of-service conditions and can crash the target, so do not point them at production systems):

$ nmap --script=dos 192.168.0.2

Select scripts with a Boolean expression over categories (and, or, not); this one keeps only scripts tagged with both safe and exploit:

$ nmap --script "safe and exploit" 192.168.0.2

Script categories

Every script is tagged with one or more of: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln. default is what -sC runs; safe scripts are not expected to crash services or use much bandwidth, while intrusive, dos, exploit, brute and fuzzer scripts may disrupt the target; external scripts send data to third-party services.

Tcpdump

Basics

Tcpdump is a widely used command-line packet sniffer and analyzer. It captures the packets sent or received on an interface, applies a BPF filter expression to them, and prints them decoded or writes them to a file for later analysis. Capturing needs root (or the capabilities to open raw sockets), hence the # prompt below.

Basic uses

Use -v, -vv or -vvv to increase the amount of detail printed per packet. Put options before the filter expression, as in the examples below: Linux accepts them in either order, but the BSD and macOS builds stop parsing options at the first non-option word.

Show all interfaces:

# tcpdump --list-interfaces
# tcpdump -D

Listen on all interfaces at once (the pseudo-interface any captures in cooked mode, so link-layer headers are not available):

# tcpdump -i any

Listen on a specific interface without name resolution (-n) and with absolute TCP sequence numbers (-S):

# tcpdump -i wlp8s0 -nS

Do not resolve hostnames or port names (-nn); this also avoids the DNS lookups that slow a capture down:

# tcpdump -i wlp8s0 -nn

Quiet output, one short line per packet:

# tcpdump -i wlp8s0 -q

Print the whole packet, including the link-level header, in hex (-xx; use -XX for hex plus ASCII) with maximum verbosity:

# tcpdump -i wlp8s0 -xxvvv

Only ICMP packets:

# tcpdump -i wlp8s0 icmp

Decrypt IPsec ESP traffic with a known key: -E takes spi@dst-address algorithm:secret (the secret is read as hex when prefixed with 0x) and only works for IPv4 ESP, with a tcpdump built with crypto support. The values here are placeholders:

# tcpdump -i wlp8s0 -E '<spi>@<dst-ip> 3des-cbc:0x<key>'

Print absolute sequence numbers (-S) and the link-level (Ethernet) header (-e) of each packet:

# tcpdump -i wlp8s0 -Se

Heavy packet viewing: no name resolution, very verbose, hex plus ASCII, absolute sequence numbers, and a snapshot length of 1514 bytes so a whole Ethernet frame is kept (recent versions default to 262144 bytes, so -s only matters on old tcpdump, where the small default truncated payloads):

# tcpdump -i wlp8s0 -nnvvXSs 1514

Filter on an address, in either direction (host) or as source only (src; dst selects the destination the same way):

# tcpdump -i wlp8s0 host 192.168.0.1
# tcpdump -i wlp8s0 src 192.168.0.2

Only traffic to or from a port (port matches either end; src port and dst port restrict the direction):

# tcpdump -i wlp8s0 port 3838

Combine filters:

# tcpdump -i wlp8s0 udp and src port 53

Build expressions with the Boolean operators (quote the expression when using the symbol forms, which the shell would otherwise interpret):

and &&
or ||
not !

Example (no trailing space after the backslash, or the line continuation breaks):

# tcpdump -i wlp8s0 -nvvXSs 1514 dst 192.168.0.2 and \
  src 192.168.0.1 and not icmp

Write raw packets to a file (-w) for later analysis in tcpdump or Wireshark. The decode flags (-X, -S, -nn) have no effect on what is written, so they are left out here; -v makes tcpdump report the packet count once per second while it writes:

# tcpdump -i wlp8s0 -s 1514 -w capture_file port 443

Read from a file instead of the network (the same filter expressions apply, and -nn avoids re-resolving names while reading):

# tcpdump -r capture_file

Advanced

Byte 13 of the TCP header is the flags byte, so tcp[13] & <bit> != 0 selects packets with a given flag set. tcpdump also accepts the symbolic form tcp[tcpflags] & tcp-urg != 0, with tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack and tcp-urg. Quote the expression so the shell leaves the brackets and & alone.

Show all URGENT (URG) packets:

# tcpdump 'tcp[13] & 32 != 0'

Show all ACKNOWLEDGE (ACK) packets:

# tcpdump 'tcp[13] & 16 != 0'

Show all PUSH (PSH) packets:

# tcpdump 'tcp[13] & 8 != 0'

Show all RESET (RST) packets:

# tcpdump 'tcp[13] & 4 != 0'

Show all SYNCHRONIZE (SYN) packets:

# tcpdump 'tcp[13] & 2 != 0'

Show all FINISH (FIN) packets:

# tcpdump 'tcp[13] & 1 != 0'
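Detecting the scans from the first half of these notes with tcpdump, as an added example (not from the original notes or the tcpdump project). It generalises the single-flag filters above into the mask-and-compare form tcp[13] & mask = value, which can express "SYN but not ACK" (what -sS sends), "no flags at all" (-sN) or "FIN, PSH and URG only" (-sX), and it counts, per source address, how many distinct destination ports received a bare SYN in tcpdump -nn output, whether read live from an interface or from a file saved with -w. Interface and file names, the 200-packet window and the 10-port threshold are assumptions; the sample output at the end is constructed.

```sh
#!/bin/sh
# Added example, not part of the original notes: detecting nmap-style scans with
# tcpdump. tcp_flags_filter builds the general mask-and-compare filter
# "tcp[13] & mask = value", of which the single-flag "& bit != 0" tests are
# special cases; syn_scan_sources counts, per source, the distinct destination
# ports that received a bare SYN in "tcpdump -nn" output. Interface and file
# names, the packet window and the threshold are assumptions.

# Bit of each flag inside the TCP flags byte, tcp[13].
flag_bit() {
    case "$1" in
        fin) echo 1 ;;  syn) echo 2 ;;  rst) echo 4 ;;  psh) echo 8 ;;
        ack) echo 16 ;; urg) echo 32 ;; ece) echo 64 ;; cwr) echo 128 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# OR together the bits of a space-separated flag list ("" gives 0).
flag_mask() {
    mask=0
    for f in $1; do                      # unquoted on purpose: split on spaces
        bit=$(flag_bit "$f") || return 1
        mask=$((mask | bit))
    done
    echo "$mask"
}

# $1 = flags that must be set, $2 = flags that must be clear. Masking with the
# union of both lists and comparing to the "set" bits pins every listed flag,
# so "syn" "ack" matches the first packet of a handshake (or an -sS probe) but
# not the SYN/ACK reply.
tcp_flags_filter() {
    set_mask=$(flag_mask "$1") || return 1
    clear_mask=$(flag_mask "$2") || return 1
    echo "tcp[13] & $((set_mask | clear_mask)) = $set_mask"
}

# Per-source count of distinct destination ports hit by a bare SYN, read from
# "tcpdump -nn" lines such as
#   10:00:01.000001 IP 192.168.0.5.40001 > 192.168.0.2.22: Flags [S], seq 1, win 1024, length 0
# Prints "source count" for sources at or above the threshold ($1, default 10).
# IPv6 lines ("IP6") and anything but a bare SYN are ignored.
syn_scan_sources() {
    awk -v threshold="${1:-10}" '
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)      # drop the source port
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, p, "."); port = p[n]      # destination port
            key = src SUBSEP port
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }   # retransmits count once
        }
        END { for (s in ports) if (ports[s] >= threshold) print s, ports[s] }
    ' | sort
}

# Live: capture 200 bare SYNs on an interface (assumed name), then report.
watch_syn_scans() {
    tcpdump -nnl -c 200 -i "$1" "$(tcp_flags_filter syn ack)" | syn_scan_sources 10
}

# Offline: the same report over a file written with -w.
report_syn_scans() {
    tcpdump -nn -r "$1" "$(tcp_flags_filter syn ack)" | syn_scan_sources 10
}

# Constructed "tcpdump -nn" output (not a real capture): one host sweeping 11
# ports on 192.168.0.2 with one retransmitted SYN to port 22, and an ordinary
# client completing a handshake to port 443.
SAMPLE_TCPDUMP=$(
    i=0
    for port in 21 22 23 25 80 110 143 443 445 3389 8080 22; do
        i=$((i + 1))
        printf '10:00:01.%06d IP 192.168.0.5.%d > 192.168.0.2.%d: Flags [S], seq %d, win 1024, length 0\n' \
            "$i" $((40000 + i)) "$port" $((1000 + i))
    done
    printf '10:00:02.000001 IP 192.168.0.7.51000 > 192.168.0.2.443: Flags [S], seq 77, win 64240, options [mss 1460], length 0\n'
    printf '10:00:02.000002 IP 192.168.0.2.443 > 192.168.0.7.51000: Flags [S.], seq 88, ack 78, win 65535, length 0\n'
    printf '10:00:02.000003 IP 192.168.0.7.51000 > 192.168.0.2.443: Flags [.], ack 89, win 64240, length 0\n'
)

# Stand-alone run: show the SYN-only filter and the report for the sample.
tcp_flags_filter syn ack
printf '%s\n' "$SAMPLE_TCPDUMP" | syn_scan_sources 10
```

tcp_flags_filter syn ack prints tcp[13] & 18 = 2, which tcpdump also accepts in symbolic form as tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn; tcp_flags_filter "" "fin syn rst psh ack urg" gives the null-scan filter tcp[13] & 63 = 0, and tcp_flags_filter "fin psh urg" "syn rst ack" the Xmas-scan filter tcp[13] & 63 = 41. A source that shows up in the report with many ports inside a short window is almost always a scanner; a busy legitimate client appears with one or two ports at most.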

Specialized traffic

Ipv6 traffic:

# tcpdump ip6

Packets with exactly the RST and SYN flags set and nothing else (an equality, unlike the != 0 tests above; a normal TCP stack never sends this combination):

# tcpdump 'tcp[13] = 6'

Traffic with the 'Evil Bit' set (the reserved high bit of the IPv4 flags field, byte 6 of the header, which RFC 3514 jokingly assigns to malicious packets; real stacks never set it, so a hit means a crafted packet):

# tcpdump 'ip[6] & 128 != 0'