Transcription

NMAP Cheat Sheet

nmap scan type:
  -sT  TCP Connect scan. Scans by attempting the TCP three-way handshake connection
  -sX  Xmas scan. Scans by setting all flags on the TCP packet
  -sS  SYN scan. Just sends the SYN packet
  -sU  UDP scan.
  -sA  ACK scan. Scans by just sending the ACK packet.
  -sF  FIN scan.
  -sN  NULL scan. Sends a TCP packet with all flags set to null.
  -sL  List/DNS scan. Simply lists the targets to scan
  -sP  PING scan
  -sO  Protocol scan.
  -sW  Window scan.
  -sI  Idle scan.
  -sR  RPC scan
  -sC  Script enabled scan

nmap ping detection:
  -P0  Don't ping
  -PI  ICMP ping
  -PP  ICMP timestamp
  -PT  TCP ping
  -PS  SYN ping
  -PB  TCP ping + ICMP ping (PT + PI)
  -PM  ICMP netmask

nmap output format:
  -oN  Normal format
  -oG  Grepable format
  -oX  XML format
  -oA  All formats (normal, grepable, xml)

nmap timing:
  -T0  PARANOID - serial scan, 300 sec wait
  -T1  SNEAKY - serial scan, 15 sec wait
  -T2  POLITE - serial scan, 0.4 sec wait
  -T3  NORMAL - parallel scan
  -T4  AGGRESSIVE - parallel scan, 300 sec wait, 1.25 sec probe
  -T5  INSANE - parallel scan, 75 sec timeout, 0.3 sec probe

nmap flag:
  -F  Fast scan mode
  -n  No reverse DNS lookup
  -S  Source IP address
  -g  Port number
  -f  fragmentation
  -O  OS detection
  -p  port ranges
  -D  Use decoys to mask scan
  -A  Enable OS detection, version detection, script scanning, and traceroute

HPING3 Cheat Sheet

  1.  -A                                   Set ACK flag
  2.  -F                                   Set FIN flag
  3.  hping3 -1 (IP address)               Ping sweep
  4.  hping3 -2 (IP address)               UDP scan
  5.  hping3 -8 50-60 -S (IP address) -v   SYN scan on ports 50-60
  6.  hping3 -8 (IP address)               SYN scan
  7.  hping3 -9 HTTP -I eth0               Intercept all traffic containing the HTTP signature
  8.  hping3 -A (IP address)               ACK scan
  9.  hping3 -F -P -U (IP address)         XMAS scan
  10. Mode -1                              ICMP (ping sweep)
  11. Mode -2                              UDP scan
  12. Mode -8                              SYN scan
  13. Mode -9                              Listen mode
  14. -P                                   Set PSH flag
  15. -p                                   Set destination port
  16. -Q                                   Show TCP sequence number
  17. -R                                   Set RST flag
  18. -S                                   Set SYN flag
  19. -s                                   Set base source port
  20. -U                                   Set URG flag

SYNOPSIS

hping3 [ -hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [ -c count ] [ -i wait ] [ --fast ] [ -I interface ] [ -9 signature ] [ -a host ] [ -t ttl ] [ -N ip id ] [ -H ip protocol ] [ -g fragoff ] [ -m mtu ] [ -o tos ] [ -C icmp type ] [ -K icmp code ] [ -s source port ] [ -p [+][+] dest port ] [ -w tcp window ] [ -O tcp offset ] [ -M tcp sequence number ] [ -L tcp ack ] [ -d data size ] [ -E filename ] [ -e signature ] [ --icmp-ipver version ] [ --icmp-iphlen length ] [ --icmp-iplen length ] [ --icmp-ipid id ] [ --icmp-ipproto protocol ] [ --icmp-cksum checksum ] [ --icmp-ts ] [ --icmp-addr ] [ --tcpexitcode ] [ --tcp-timestamp ] [ --tr-stop ] [ --tr-keep-ttl ] [ --tr-no-rtt ] [ --rand-dest ] [ --rand-source ] [ --beep ] hostname

DESCRIPTION

hping3 is a network tool able to send custom TCP/IP packets and to display target replies like the ping program does with ICMP replies. hping3 handles fragmentation, arbitrary packet body and size, and can be used in order to transfer files encapsulated under supported protocols. Using hping3 you are able to perform at least the following:

- Test firewall rules
- Advanced port scanning
- Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
- Path MTU discovery
- Transferring files between even really fascist firewall rules.
- Traceroute-like under different protocols.
- Firewalk-like usage.
- Remote OS fingerprinting.
- TCP/IP stack auditing.
- A lot of others.

It's also a good didactic tool to learn TCP/IP. hping3 is developed and maintained by [email protected] and is licensed under GPL version 2. Development is open so you can send me patches, suggestions and affronts without inhibitions.

BASE OPTIONS

-h --help
  Show a help screen on standard output, so you can pipe to less.

-v --version
  Show version information and the API used to access the data link layer, linux sock packet or libpcap.

-c --count count
  Stop after sending (and receiving) count response packets. After the last packet was sent hping3 waits COUNTREACHED_TIMEOUT seconds for target host replies. You are able to tune COUNTREACHED_TIMEOUT by editing hping3.h.

-i --interval
  Wait the specified number of seconds or micro seconds between sending each packet. --interval X sets the wait to X seconds, --interval uX sets the wait to X micro seconds. The default is to wait one second between each packet. When using hping3 to transfer files, tuning this option is really important in order to increase the transfer rate. Even when using hping3 to perform idle/spoofing scanning you should tune this option, see HPING3-HOWTO for more information.

--fast
  Alias for -i u10000. Hping will send 10 packets per second.

--faster
  Alias for -i u1. Faster than --fast ;) (but not as fast as your computer can send packets due to the signal driven design).

--flood
  Send packets as fast as possible, without taking care to show incoming replies. This is way faster than specifying the -i u0 option.

-n --numeric
  Numeric output only, no attempt will be made to look up symbolic names for host addresses.

-q --quiet

  Quiet output. Nothing is displayed except the summary lines at startup time and when finished.

-I --interface interface name
  By default on linux and BSD systems hping3 uses the default routing interface. In other systems or when there is no default route hping3 uses the first non-loopback interface. However you are able to force hping3 to use the interface you need using this option. Note: you don't need to specify the whole name, for example -I et will match eth0 ethernet0 myet1 et cetera. If no interfaces match hping3 will try to use lo.

-V --verbose
  Enable verbose output. TCP replies will be shown as follows:

  len 46 ip 192.168.1.1 flags RA DF seq 0 ttl 255 id 0 win 0 rtt 0.4 ms tos 0 iplen 40 seq 0 ack 1380893504 sum 2010 urp 0

-D --debug
  Enable debug mode, it's useful when you experience some problem with hping3. When debug mode is enabled you will get more information about interface detection, data link layer access, interface settings, options parsing, fragmentation, HCMP protocol and other stuff.

-z --bind
  Bind CTRL+Z to time to live (TTL) so you will be able to increment/decrement the ttl of outgoing packets pressing CTRL+Z once or twice.

-Z --unbind
  Unbind CTRL+Z so you will be able to stop hping3.

--beep
  Beep for every matching received packet (but not for ICMP errors).

PROTOCOL SELECTION

Default protocol is TCP, by default hping3 will send tcp headers to the target host's port 0 with a winsize of 64 without any tcp flag on. Often this is the best way to do a 'hide ping', useful when the target is behind a firewall that drops ICMP. Moreover, a tcp null-flag to port 0 has a good probability of not being logged.

-0 --rawip
  RAW IP mode, in this mode hping3 will send an IP header with data appended with --signature and/or --file, see also --ipproto that allows you to set the ip protocol field.

-1 --icmp
  ICMP mode, by default hping3 will send ICMP echo-request, you can set other ICMP type/code using the --icmptype --icmpcode options.

-2 --udp
  UDP mode, by default hping3 will send udp to the target host's port 0. UDP header tunable options are the following: --baseport, --destport, --keep.

-8 --scan
  Scan mode, the option expects an argument that describes groups of ports to scan. Port groups are comma separated: a number describes just a single port, so 1,2,3 means ports 1, 2 and 3. Ranges are specified using a start-end notation, like 1-1000, that tells hping to scan ports between 1 and 1000 (included). The special word all is an alias for 0-65535, while the special word known includes all the ports listed in /etc/services.

  Groups can be combined, so the following command line will scan ports between 1 and 1000 AND port 8888 AND ports listed in /etc/services:

    hping --scan 1-1000,8888,known -S target.host.com

  Groups can be negated (subtracted) using a ! character as prefix, so the following command line will scan all the ports NOT listed in /etc/services in the range 1-1024:

    hping --scan '1-1024,!known' -S target.host.com

  Keep in mind that while hping seems much more like a port scanner in this mode, most of the hping switches are still honored, so for example to perform a SYN scan you need to specify the -S option, you can change the TCP window size, TTL, control the IP fragmentation as usual, and so on. The only real difference is that the standard hping behaviors are encapsulated into a scanning algorithm.

  Tech note: The scan mode uses a two-processes design, with shared memory for synchronization. The scanning algorithm is still not optimal, but already quite fast.

  Hint: unlike most scanners, hping shows some interesting info about received packets, the IP ID, TCP win, TTL, and so on, don't forget to look at this additional information when you perform a scan! Sometimes they show interesting details.

-9 --listen signature
  HPING3 listen mode, using this option hping3 waits for a packet that contains signature and dumps from signature end to packet's end. For example if hping3 --listen TEST reads a packet that contains 23409sdflkjs45-TESThello world it will display hello world.

IP RELATED OPTIONS

-a --spoof hostname
  Use this option in order to set a fake IP source address, this option ensures that the target will not gain your real address. However replies will be sent to the spoofed address, so you can't see them. In order to see how it's possible to perform spoofed/idle scanning see the HPING3-HOWTO.

--rand-source
  This option enables the random source mode. hping will send packets with a random source address. It is interesting to use this option to stress firewall state tables, and other per-ip basis dynamic tables inside the TCP/IP stacks and firewall software.

--rand-dest
  This option enables the random destination mode. hping will send the packets to random addresses obtained following the rule you specify as the target host. You need to specify a numerical IP address as

  target host like 10.0.0.x. All the occurrences of x will be replaced with a random number in the range 0-255. So to obtain Internet IP addresses in the whole IPv4 space use something like hping x.x.x.x --rand-dest. If you are not sure about what kind of addresses your rule is generating try to use the --debug switch to display every new destination address generated. When this option is turned on, matching packets will be accepted from all the destinations.

  Warning: when this option is enabled hping can't detect the right outgoing interface for the packets, so you should use the --interface option to select the desired outgoing interface.

-t --ttl time to live
  Using this option you can set the TTL (time to live) of outgoing packets, it's likely that you will use this with the --traceroute or --bind options. If in doubt try 'hping3 some.host.com -t 1 --traceroute'.

-N --id
  Set the ip->id field. Default id is random but if fragmentation is turned on and id isn't specified it will be getpid() & 0xFF, to implement a better solution is in the TODO list.

-H --ipproto
  Set the ip protocol in RAW IP mode.

-W --winid
  id from Windows* systems before Win2k has a different byte ordering, if this option is enabled hping3 will properly display id replies from those Windows.

-r --rel
  Display id increments instead of id. See the HPING3-HOWTO for more information. Increments aren't computed as id[N]-id[N-1] but using packet loss compensation. See relid.c for more information.

-f --frag
  Split packets in more fragments, this may be useful in order to test IP stacks fragmentation performance and to test if some packet filter is so weak that it can be passed using tiny fragments (anachronistic). Default 'virtual mtu' is 16 bytes. See also the --mtu option.

-x --morefrag
  Set the more fragments IP flag, use this option if you want the target host to send an ICMP time-exceeded during reassembly.

-y --dontfrag
  Set the don't fragment IP flag, this can be used to perform path MTU discovery.

-g --fragoff fragment offset value
  Set the fragment offset.

-m --mtu mtu value

  Set a different 'virtual mtu' than 16 when fragmentation is enabled. If the packet size is greater than the 'virtual mtu' fragmentation is automatically turned on.

-o --tos hex tos
  Set Type Of Service (TOS), for more information try --tos help.

-G --rroute
  Record route. Includes the RECORD_ROUTE option in each packet sent and displays the route buffer of returned packets. Note that the IP header is only large enough for nine such routes. Many hosts ignore or discard this option. Also note that using hping you are able to use record route even if the target host filters ICMP. Record route is an IP option, not an ICMP option, so you can use the record route option even in TCP and UDP mode.

ICMP RELATED OPTIONS

-C --icmptype type
  Set icmp type, default is ICMP echo request (implies --icmp).

-K --icmpcode code
  Set icmp code, default is 0 (implies --icmp).

--icmp-ipver
  Set the IP version of the IP header contained in the ICMP data, default is 4.

--icmp-iphlen
  Set the IP header length of the IP header contained in the ICMP data, default is 5 (5 words of 32 bits).

--icmp-iplen
  Set the IP packet length of the IP header contained in the ICMP data, default is the real length.

--icmp-ipid
  Set the IP id of the IP header contained in the ICMP data, default is random.

--icmp-ipproto
  Set the IP protocol of the IP header contained in the ICMP data, default is TCP.

--icmp-cksum
  Set the ICMP checksum, by default it is the valid checksum.

--icmp-ts
  Alias for --icmptype 13 (to send ICMP timestamp requests).

--icmp-addr

  Alias for --icmptype 17 (to send ICMP address mask requests).

TCP/UDP RELATED OPTIONS

-s --baseport source port
  hping3 uses the source port in order to guess the replies' sequence number. It starts with a base source port number, and increases this number for each packet sent. When a packet is received the sequence number can be computed as replies.dest.port - base.source.port. Default base source port is random, using this option you are able to set a different number. If you need the source port not to be increased for each sent packet use the -k --keep option.

-p --destport [+][+]dest port
  Set destination port, default is 0. If a '+' character precedes the dest port number (i.e. +1024) the destination port will be increased for each reply received. If a double '+' precedes the dest port number (i.e. ++1024), the destination port will be increased for each packet sent. By default the destination port can be modified interactively using CTRL+z.

--keep
  Keep still the source port, see --baseport for more information.

-w --win
  Set TCP window size. Default is 64.

-O --tcpoff
  Set fake tcp data offset. Normal data offset is tcphdrlen / 4.

-M --setseq
  Set the TCP sequence number.

-L --setack
  Set the TCP ack.

-Q --seqnum
  This option can be used in order to collect sequence numbers generated by the target host. This can be useful when you need to analyze whether the TCP sequence number is predictable. Output example:

  #hping3 win98 --seqnum -p 139 -S -i u1 -I eth0
  HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
  2361294848 2361294848
  2411626496 50331648
  2545844224 134217728
  2713616384 167772160
  2881388544 167772160
  3049160704 167772160
  3216932864 167772160
  3384705024 167772160
  3552477184 167772160
  3720249344 167772160
  3888021504 167772160
  4055793664 167772160
  4223565824 167772160

  The first column reports the sequence number, the second the difference between the current and the last sequence number. As you can see the target host's sequence numbers are predictable.

-b --badcksum
  Send packets with a bad UDP/TCP checksum.

--tcp-timestamp
  Enable the TCP timestamp option, and try to guess the timestamp update frequency and the remote system uptime.

-F --fin
  Set FIN tcp flag.

-S --syn
  Set SYN tcp flag.

-R --rst
  Set RST tcp flag.

-P --push
  Set PUSH tcp flag.

-A --ack
  Set ACK tcp flag.

-U --urg
  Set URG tcp flag.

-X --xmas

  Set Xmas tcp flag.

-Y --ymas
  Set Ymas tcp flag.

COMMON OPTIONS

-d --data data size
  Set packet body size. Warning, using --data 40 hping3 will not generate 0 byte packets but protocol header + 40 bytes. hping3 will display packet size information as the first line of output, like this: HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 40 data bytes

-E --file filename
  Use filename contents to fill the packet's data.

-e --sign signature
  Fill the first signature length bytes of data with signature. If the signature length is bigger than the data size an error message will be displayed. If you don't specify the data size hping will use the signature size as data size. This option can be used safely with the --file filename option, the remaining data space will be filled using filename.

-j --dump
  Dump received packets in hex.

-J --print
  Dump received packets' printable characters.

-B --safe
  Enable safe protocol, using this option lost packets in file transfers will be resent. For example in order to send the file /etc/passwd from host A to host B you may use the following:

  [host_a]# hping3 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
  [host_b]# hping3 host_a --listen signature --safe --icmp

-u --end
  If you are using the --file filename option, tell you when EOF has been reached. Moreover prevent the other end from accepting more packets. Please, for more information see the HPING3-HOWTO.

-T --traceroute

  Traceroute mode. Using this option hping3 will increase the ttl for each ICMP time to live 0 during transit received. Try hping3 host --traceroute. This option implies --bind and --ttl 1. You can override the ttl of 1 using the --ttl option. Since 2.0.0 stable it prints RTT information.

--tr-keep-ttl
  Keep the TTL fixed in traceroute mode, so you can monitor just one hop in the route. For example, to monitor how the 5th hop changes or how its RTT changes you can try hping3 host --traceroute --ttl 5 --tr-keep-ttl.

--tr-stop
  If this option is specified hping will exit once the first packet that isn't an ICMP time exceeded is received. This better emulates the traceroute behavior.

--tr-no-rtt
  Don't show RTT information in traceroute mode. The ICMP time exceeded RTT information isn't even calculated if this option is set.

--tcpexitcode
  Exit with the last received packet's tcp->th_flag as exit code. Useful for scripts that need, for example, to know if port 999 of some host replies with SYN/ACK or with RST in response to SYN, i.e. whether the service is up or down.

TCP OUTPUT FORMAT

The standard TCP output format is the following:

  len 46 ip 192.168.1.1 flags RA DF seq 0 ttl 255 id 0 win 0 rtt 0.4 ms

len is the size, in bytes, of the data captured from the data link layer excluding the data link header size. This may not match the IP datagram size due to low level transport layer padding.

ip is the source ip address.

flags are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN, P for PUSH, U for URGENT, X for not standard 0x40, Y for not standard 0x80.

If the reply contains DF the IP header has the don't fragment bit set.

seq is the sequence number of the packet, obtained using the source port for TCP/UDP packets, the sequence field for ICMP packets.

id is the IP ID field.

win is the TCP window size.

rtt is the round trip time in milliseconds.

If you run hping using the -V command line switch it will display additional information about the packet, example:

  len 46 ip 192.168.1.1 flags RA DF seq 0 ttl 255 id 0 win 0 rtt 0.4 ms tos 0 iplen 40 seq 0 ack 1223672061 sum e61d urp 0

tos is the type of service field of the IP header.

iplen is the IP total len field.

seq and ack are the sequence and acknowledge 32bit numbers in the TCP header.

sum is the TCP header checksum value.

urp is the TCP urgent pointer value.

UDP OUTPUT FORMAT

The standard output format is:

  len 46 ip 192.168.1.1 seq 0 ttl 64 id 0 rtt 6.0 ms

The field meaning is just the same as the TCP output meaning of the same fields.

ICMP OUTPUT FORMAT

An example of ICMP output is:

  ICMP Port Unreachable from ip 192.168.1.1 name nano.marmoc.net

It is very simple to understand. It starts with the string "ICMP" followed by the description of the ICMP error, Port Unreachable in the example. The ip field is the IP source address of the IP datagram containing the ICMP error, the name field is just the numerical address resolved to a name (a dns PTR request) or UNKNOWN if the resolution failed.

The ICMP Time exceeded during transit or reassembly format is a bit different:

  TTL 0 during transit from ip 192.168.1.1 name nano.marmoc.net
  TTL 0 during reassembly from ip 192.70.106.25 name UNKNOWN

The only difference is the description of the error, it starts with TTL 0.
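The following Python is an added example, not part of the hping3 documentation above: it parses the standard and -V TCP reply lines into fields as documented in TCP OUTPUT FORMAT, and recomputes the second column of the --seqnum output (increment from the previous ISN, modulo 2^32) so a constant increment like the one in that example can be flagged during a TCP/IP stack audit. The sample lines are constructed from the formats documented here, not captures from a real host.

```python
# Constructed sample lines in the formats documented above (assumed test data).
TCP_LINE = "len 46 ip 192.168.1.1 flags RA DF seq 0 ttl 255 id 0 win 0 rtt 0.4 ms"
TCP_VERBOSE_LINE = (
    "len 46 ip 192.168.1.1 flags RA DF seq 0 ttl 255 id 0 win 0 rtt 0.4 ms "
    "tos 0 iplen 40 seq 0 ack 1223672061 sum e61d urp 0"
)
# First six lines of the --seqnum example above (ISN, increment).
SEQNUM_OUTPUT = """\
2361294848 2361294848
2411626496 50331648
2545844224 134217728
2713616384 167772160
2881388544 167772160
3049160704 167772160
"""
# Constructed counter-example: increments that do not settle on one constant.
RANDOM_ISN_OUTPUT = """\
1839221023 1839221023
4102938475 2263717452
22938475 214967296
3392837451 3369898976
"""

FLAG_NAMES = {"R": "RST", "S": "SYN", "A": "ACK", "F": "FIN",
              "P": "PSH", "U": "URG", "X": "0x40", "Y": "0x80"}


def parse_tcp_line(line):
    """Turn one hping3 TCP reply line (plain or -V) into a dict of its fields."""
    fields = {}
    tokens = line.split()
    i = 0
    while i < len(tokens):
        key, value = tokens[i], tokens[i + 1]
        i += 2
        if key == "flags":
            fields["flags"] = [FLAG_NAMES[c] for c in value]
            # an extra "DF" token after the flag letters means the IP DF bit was set
            fields["df"] = i < len(tokens) and tokens[i] == "DF"
            if fields["df"]:
                i += 1
        elif key == "rtt":
            fields["rtt_ms"] = float(value)
            i += 1  # skip the "ms" unit token
        elif key == "sum":
            fields["sum"] = int(value, 16)  # TCP checksum is printed in hex
        elif key == "ip":
            fields["ip"] = value
        elif key in fields:
            # -V output repeats "seq": the second one is the TCP header value
            fields["tcp_" + key] = int(value)
        else:
            fields[key] = int(value)
    return fields


def isn_increments(seqnum_output):
    """Recompute the --seqnum increment column: ISN minus previous ISN, mod 2^32.

    hping starts from a previous value of 0, so the first increment equals the ISN.
    """
    isns = [int(ln.split()[0]) for ln in seqnum_output.splitlines() if ln.strip()]
    prev, deltas = 0, []
    for isn in isns:
        deltas.append((isn - prev) % (1 << 32))
        prev = isn
    return deltas


def isn_looks_predictable(seqnum_output, min_repeats=3):
    """True when the last min_repeats ISN increments are all the same constant."""
    deltas = isn_increments(seqnum_output)[1:]  # drop the first (ISN itself)
    if len(deltas) < min_repeats:
        return False
    return len(set(deltas[-min_repeats:])) == 1
```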

XOR and use for Nonce

XOR represents the bitwise logical "exclusive-or". Please find the XOR truth table below:

  INPUT A  INPUT B  OUTPUT
     0        0        0
     0        1        1
     1        0        1
     1        1        0

  0 = False, 1 = True

When the inputs match the output is a 0, and when the inputs do not match the output is a 1.

Use the XOR operation process below. Example below taken from RFC3174:

      01101100101110011101001001111011
  XOR 01100101110000010110100110110111
      --------------------------------
      00001001011110001011101111001100

Types of bitwise logical word operations:

  X AND Y  bitwise logical "and" of X and Y.
  X OR Y   bitwise logical "inclusive-or" of X and Y.
  X XOR Y  bitwise logical "exclusive-or" of X and Y.
  NOT X    bitwise logical "complement" of X.

Using XOR in practice: below is an example of applying the XOR function to an initialization vector/nonce for a cryptographic cipher. Let's break down the definition so that we can understand all the pieces:

A nonce is an initialization vector (IV), a random bit string that is the same length as the block size and is XORed with the message.

An initialization vector is a field added to the payload (any attribute likely to be known by both the sender and receiver but unpredictable by a third party). Therefore a nonce is an initialization vector; it is added to the encrypted payload as part of the cipher-text. The nonce can be random, a counter, a timestamp, or a message number.

A nonce can also be considered as a one-time session key. You would not want to reuse a nonce; it should be unique to each execution of the encryption operation.

If the nonce is XOR'd then the initialization vector goes through an addition modulo 2 operation; this can also be considered an exclusive disjunction operation. The best and easiest way to define an exclusive disjunction operation is to think of it as 'flipping the bits' or 'bit flipping'.

Example below taken from RFC3174 (same example as above):

      01101100101110011101001001111011
  XOR 01100101110000010110100110110111
      --------------------------------
      00001001011110001011101111001100

So, why would we need to use a nonce and in what types of technologies would it be used?

A nonce is used to prevent replay attacks as well as man-in-the-middle attacks, and the function assists with session/message synchronization.

Here are some examples of how a nonce can be used:

RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication

  Like Basic Access Authentication, the Digest scheme is based on a simple challenge-response paradigm. The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI. In this way, the password is never sent in the clear. Just as with the Basic scheme, the username and password must be prearranged in some fashion not addressed by this document.

  ... cut for brevity ...

  An implementation might choose not to accept a previously used nonce or a previously used digest, in order to protect against a replay attack. Or, an implementation might choose to use one-time nonces or digests for POST or PUT requests and a time-stamp for GET requests.

RFC 4418 - UMAC: Message Authentication Code using Universal Hashing - https://tools.ietf.org/html/rfc4418

  Nonce is a value that changes with each generated tag. The receiver needs to know which nonce was used by the sender, so some method of synchronizing nonces needs to be used. This can be done by explicitly sending the nonce along with the message and tag, or agreeing upon the use of some other non-repeating value such as a sequence number. The nonce need not be kept secret, but care needs to be taken to ensure that, over the lifetime of a UMAC key, a different nonce is used with each message.
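As an added example (not from the RFCs or the notes above), the Python below checks the RFC 3174 XOR words from the truth table, shows the XOR-with-IV/nonce use on a byte block, and then implements the RFC 2617 Digest response (MD5 of username, realm, password, nonce, method and URI, without qop) together with a server that issues one-time nonces and rejects a replayed response, which is the replay protection the quoted paragraph describes. The realm, users and passwords are constructed values.

```python
import hashlib
import secrets

# The two 32-bit words of the RFC 3174 example quoted above.
RFC3174_A = "01101100101110011101001001111011"
RFC3174_B = "01100101110000010110100110110111"


def xor_bits(a, b):
    """Bitwise exclusive-or of two equal-length bit strings (1 where inputs differ)."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same width")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def xor_bytes(block, iv):
    """XOR a message block with an IV/nonce of the block length; applying it twice undoes it."""
    if len(block) != len(iv):
        raise ValueError("IV/nonce must match the block length")
    return bytes(x ^ y for x, y in zip(block, iv))


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2617 request-digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # A1 = user:realm:password
    ha2 = md5_hex(f"{method}:{uri}")                   # A2 = method:uri
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Minimal verifier that issues one-time nonces and refuses a replayed one."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password (constructed, in-memory)
        self.outstanding = set()    # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, nonce, method, uri, response):
        # A nonce we never issued, or one already used, is rejected: the
        # "not accept a previously used nonce" rule from RFC 2617.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)   # consume it even if the digest is wrong
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, nonce, method, uri)
        return secrets.compare_digest(expected, response)


def replay_demo():
    """Send one valid response twice; returns (first accepted, replay accepted)."""
    server = DigestServer("example-realm", {"alice": "correct horse"})
    nonce = server.challenge()
    resp = digest_response("alice", "example-realm", "correct horse", nonce, "GET", "/secret")
    first = server.verify("alice", nonce, "GET", "/secret", resp)
    replay = server.verify("alice", nonce, "GET", "/secret", resp)
    return first, replay
```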
