11.4. Sniffing Tools

11.4.1. Nmap

nmap [Scan Type(s)] [Options] {target specification}

11.4.1.1. Specifying Targets

  • CIDR notation: 192.168.1.0/24 (all 256 addresses, network and broadcast included)

  • Several targets are separated by spaces, not commas: www.baidu.com www.zhihu.com (a comma would be read as part of one hostname)

  • Octet ranges and lists: 10.22-25.43.32 expands to 10.22.43.32, 10.23.43.32, 10.24.43.32 and 10.25.43.32; 192.168.1.1,5,10 scans hosts .1, .5 and .10; a bare "-" in an octet means 0-255, and "200-" means 200-255

  • From a file: -iL <inputfile> (one target per line or whitespace separated; "-" reads stdin)

  • Exclude unwanted hosts: --exclude <host1[,host2][,host3],...> or --excludefile <excludefile>
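The target syntax above is compact but easy to misread (is 10.22-25.43.32 four hosts or four subnets?). The following expander is an added example, not Nmap's own code; it implements the CIDR, per-octet range and list forms and the --exclude behaviour described above, and leaves anything that is not a dotted quad alone as a hostname for DNS resolution. Nothing here talks to the network.

```python
"""Expand Nmap-style target specifications into individual IPv4 addresses.

Added example (not Nmap source). Handles CIDR (192.168.1.0/24), per-octet
ranges and lists (10.22-25.43.32, 192.168.1.1,5,10, a bare "-" meaning
0-255, "200-" meaning 200-255) and plain addresses. Hostnames are returned
unchanged so the caller can resolve them.
"""
import ipaddress
from itertools import product
from typing import Iterable, List


def _expand_octet(spec: str) -> List[int]:
    """Expand one octet spec such as "22-25", "1,5,10", "-" or "7" into ints."""
    values: List[int] = []
    for part in spec.split(","):
        if part == "-":
            part = "0-255"
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0      # omitted low bound defaults to 0
            hi = int(hi_s) if hi_s else 255    # omitted high bound defaults to 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {spec!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Expand a single target spec into addresses, or [spec] for a hostname."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]   # network and broadcast included, as Nmap does
    octets = spec.split(".")
    body = spec.replace(".", "")
    if len(octets) != 4 or not all(c.isdigit() or c in "-," for c in body):
        return [spec]                  # not a dotted quad: treat as a hostname
    # product() varies the last octet fastest, matching Nmap's scan order
    return [".".join(map(str, combo)) for combo in product(*map(_expand_octet, octets))]


def expand_targets(args: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand a whitespace-separated target list, dropping --exclude'd hosts."""
    excluded = {h for e in exclude for h in expand_target(e)}
    out: List[str] = []
    for spec in args:
        out.extend(h for h in expand_target(spec) if h not in excluded)
    return out


if __name__ == "__main__":
    for host in expand_targets(["10.22-25.43.32", "scanme.nmap.org"], exclude=["10.24.43.32"]):
        print(host)
```

Run it before a large scan to check how many addresses a spec really covers; a stray "-" in the wrong octet turns a handful of hosts into 256.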

11.4.1.2. Host Discovery and Scan Techniques

  • -sL List Scan: only list (and reverse-resolve) the targets, no packets are sent to them

  • -sn (formerly -sP) Ping Scan: host discovery only, no port scan

  • -Pn Treat all hosts as online: skip host discovery and port-scan every target (use when ICMP/ping is blocked; -P0 is the older spelling)

  • -sS/-sT/-sA/-sW/-sM TCP SYN / Connect() / ACK / Window / Maimon scans (-sS is the default for a privileged user, -sT for an unprivileged one)

  • -sU UDP Scan

  • -sN/-sF/-sX TCP Null, FIN and Xmas scans

Scan mode table

Name                    | Probe flags          | Port OPEN                                          | Port CLOSED        | Notes
TCP SYN scan (-sS)      | SYN                  | SYN+ACK (nmap answers RST, handshake never completes) | RST             | Half-open: the service never accepts a connection, so the application logs nothing, but a firewall/IDS still sees the SYNs; needs raw-socket privilege (root)
Full connect scan (-sT) | SYN (full handshake) | SYN+ACK, then nmap completes the handshake         | RST                | Uses connect(), works unprivileged; the connection reaches the application and is logged there, so it is the easiest to spot
ACK scan (-sA)          | ACK                  | RST (reported as "unfiltered")                     | RST ("unfiltered") | Cannot tell open from closed; a dropped probe or ICMP unreachable means "filtered", so it maps firewall rules rather than services
FIN scan (-sF)          | FIN                  | no reply ("open|filtered")                         | RST                | Must wait for the probe timeout, so it is slow; relies on RFC 793 behaviour
TCP Xmas scan (-sX)     | FIN+URG+PSH          | no reply ("open|filtered")                         | RST                | Same as FIN; Windows and many network devices answer every probe with RST, so the result is meaningless there
TCP NULL scan (-sN)     | no flags             | no reply ("open|filtered")                         | RST                | Same as Xmas; not applicable to all operating systems

11.4.1.3. Ping Probes and Port Selection

  • --scanflags <flags> Custom TCP scan: set the probe flags yourself, e.g. --scanflags URGACKPSHRSTSYNFIN

  • -P0 No ping: old spelling of -Pn

  • -PS[port list] TCP SYN ping (default port 80; needs root on Unix to send raw SYNs; no space between -PS and the list, e.g. -PS22,443)

  • -PA[port list] TCP ACK ping (default port 80; gets through stateless firewalls that only drop SYN)

  • -PU[port list] UDP ping (default port 40125)

  • -PR ARP ping (used automatically on a local Ethernet segment; not affected by firewall rules)

  • -p <port ranges> Ports to scan, e.g. -p 22,80,443 or -p 1-1024, -p- for all 65535 ports; prefix T: or U: for TCP/UDP

  • -F Fast scan: only the 100 most common ports instead of the default 1000

  • -r Scan ports sequentially instead of in random order

11.4.1.4. Service and version detection

  • -sV Probe open ports to determine service and version

  • --allports Do not exclude any ports from version detection (by default TCP 9100, the HP JetDirect port, is skipped because probes make some printers print)

  • --version-intensity <0-9> Set version scan intensity (default 7)

  • --version-light Light mode (intensity 2): faster, identifies fewer services

  • --version-all Try every probe (intensity 9)

  • --version-trace Show detailed version scan activity

  • -sR RPC scan: now an alias for -sV, which already includes RPC grinding

11.4.1.5. Operating System Scan

  • -O Enable OS detection

  • --osscan-limit Only attempt OS detection on promising targets (at least one open and one closed TCP port found)

  • --osscan-guess / --fuzzy Guess more aggressively when there is no exact fingerprint match (the two are synonyms)

11.4.1.6. Time and performance

  • Host group size (targets scanned in parallel)
    • --min-hostgroup <numhosts>

    • --max-hostgroup <numhosts>

  • Probe parallelism (outstanding probes per group)
    • --min-parallelism <numprobes>

    • --max-parallelism <numprobes>

  • Probe timeouts
    • --min-rtt-timeout <time>

    • --max-rtt-timeout <time>

    • --initial-rtt-timeout <time>

  • Give up on slow hosts
    • --host-timeout <time>

  • Delay between probes (rate limits, IDS evasion)
    • --scan-delay <time>

    • --max-scan-delay <time>

  • Timing template
    • -T <paranoid|sneaky|polite|normal|aggressive|insane>

    • -T<0-5> (higher is faster; -T4 is the usual choice on a reliable network, -T5 trades accuracy for speed)

  Time values are seconds by default; append ms, s, m or h (e.g. --host-timeout 30m).

11.4.1.8. Output

  • -oN <filespec> Normal output (what you see on the terminal)

  • -oX <filespec> XML output

  • -oS <filespec> ScRipT KIdd|3 oUTpuT (a joke format, useless in practice)

  • -oG <filespec> Grepable output (one line per host)

  • -oA <basename> Normal, XML and grepable at once (.nmap, .xml, .gnmap)

  • --open Only show ports that are open, or possibly open (open|filtered)
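Grepable output is the format people actually post-process, so it is worth knowing its layout: one host per line, tab-separated "Host:", "Ports:" and "Ignored State:" fields, and inside "Ports:" comma-separated entries of the form port/state/protocol/owner/service/rpcinfo/version/ (a "/" inside the data is written as "|"). The parser below is an added example, not Nmap's code; the scan output it reads is constructed for the example, not a real scan.

```python
"""Parse Nmap grepable (-oG) output into per-host port lists.

Added example, not Nmap source. SAMPLE_GNMAP is constructed to look like a
-sV -oG run; it is not real scan data.
"""
import re
from typing import Dict, List, NamedTuple

SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 10.0.0.0/29",
    "Host: 10.0.0.5 (gateway.lan)\tStatus: Up",
    "Host: 10.0.0.5 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///"
    "\tIgnored State: closed (996)",
    "Host: 10.0.0.6 ()\tStatus: Up",
    "Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/\tIgnored State: closed (999)",
    "# Nmap done at Mon Jan  1 10:00:30 2024 -- 8 IP addresses (2 hosts up) scanned in 30.12 seconds",
])


class Port(NamedTuple):
    number: int
    proto: str
    state: str      # open / closed / filtered / open|filtered ...
    service: str
    version: str


HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# Entries are separated by ", " but a version string may itself contain a
# comma, so split only where the next entry's port number follows.
ENTRY_SPLIT = re.compile(r",\s*(?=\d+/)")


def parse_gnmap(text: str) -> Dict[str, List[Port]]:
    """Return {ip: [Port, ...]} for every host line in grepable output."""
    hosts: Dict[str, List[Port]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                          # comment lines: "# Nmap ... initiated"
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip = m.group(1)
        ports = hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                      # Status:, Ignored State:, OS: ...
            for entry in ENTRY_SPLIT.split(field[len("Ports:"):].strip()):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue                  # malformed entry, skip rather than guess
                number, state, proto, _owner, service, _rpc, version = parts[:7]
                ports.append(Port(int(number), proto, state, service, version.replace("|", "/")))
    return hosts


def open_ports(hosts: Dict[str, List[Port]]) -> Dict[str, List[Port]]:
    """Same filtering as --open: keep only open ports, drop hosts with none."""
    result = {}
    for ip, ports in hosts.items():
        opened = [p for p in ports if p.state == "open"]
        if opened:
            result[ip] = opened
    return result


if __name__ == "__main__":
    for ip, ports in open_ports(parse_gnmap(SAMPLE_GNMAP)).items():
        print(ip, ", ".join(f"{p.number}/{p.proto} {p.service} {p.version}".rstrip() for p in ports))
```

Read a real file with `parse_gnmap(open("scan.gnmap").read())`; the XML output (-oX) carries more detail (script output, OS matches) and is the better choice when you need more than host, port, state and version.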

11.4.1.9. Details and debugging

  • -v Verbose output (-vv for more)

  • -d[level] Debug level (-d9 is the maximum)

  • --packet-trace Show every packet sent and received

  • --iflist List interfaces and routes

11.4.2. Masscan

11.4.2.1. Compiling

sudo apt-get install git gcc make libpcap-dev
git clone https://github.com/robertdavidgraham/masscan
cd masscan
make -j

11.4.2.2. Command Line Options

  • -p / --ports Port range(s), e.g. --ports 0-65535 or -p80,443

  • --rate Transmit rate in packets per second (default 100; in practice bounded by the NIC and driver, and by what the network in front of you will tolerate)

  • --source-ip Source IP to send from (the host must still be able to receive the replies; --source-port is the analogous option for the port)

  • -oL / -oJ / -oX / -oG Write results as list, JSON, XML or grepable output (masscan only reports open ports, it does no service detection)
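Masscan is normally the first pass: sweep a large range at high --rate, then hand only the discovered host/port pairs to nmap -sV for service detection. The script below is an added example, not masscan's or Nmap's code. It reads masscan list output (-oL), whose lines have the shape "open tcp 22 10.0.0.5 1700000000" (state, protocol, port, address, unix timestamp; "#" lines are comments), and builds one nmap command per host. The sample output is constructed, not from a real scan.

```python
"""Turn masscan -oL output into per-host nmap -sV follow-up commands.

Added example (not masscan or Nmap source). SAMPLE_MASSCAN_LIST is a
constructed example of the list format, not a real scan.
"""
import shlex
from collections import defaultdict
from typing import Dict, List, Sequence

SAMPLE_MASSCAN_LIST = """#masscan
open tcp 22 10.0.0.5 1700000000
open tcp 80 10.0.0.5 1700000001
open tcp 445 10.0.0.6 1700000002
open udp 161 10.0.0.7 1700000003
open tcp 443 10.0.0.5 1700000004
# end
"""


def parse_masscan_list(text: str) -> Dict[str, Dict[str, List[int]]]:
    """Return {ip: {"tcp": [ports], "udp": [ports]}} for every 'open' line."""
    hosts: Dict[str, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open":
            continue                           # ignore closed/banner lines and junk
        _state, proto, port, ip = parts[:4]
        hosts[ip][proto].append(int(port))
    # freeze into plain dicts with sorted, de-duplicated port lists
    return {ip: {p: sorted(set(ports)) for p, ports in protos.items()} for ip, protos in hosts.items()}


def _ip_key(ip: str):
    return tuple(int(x) for x in ip.split("."))


def nmap_followup(hosts: Dict[str, Dict[str, List[int]]],
                  extra_args: Sequence[str] = ("-sV", "-Pn", "-n")) -> List[str]:
    """One nmap command line per host, scanning only the ports masscan found.

    -Pn because masscan already proved the host answers, -n to skip reverse
    DNS. TCP ports get -sS, UDP ports need -sU as well, and the -p argument
    uses Nmap's T:/U: prefixes so both protocols fit in one invocation.
    """
    commands: List[str] = []
    for ip in sorted(hosts, key=_ip_key):
        tcp = hosts[ip].get("tcp", [])
        udp = hosts[ip].get("udp", [])
        args = ["nmap", *extra_args]
        specs = []
        if tcp:
            args.append("-sS")
            specs.append("T:" + ",".join(map(str, tcp)))
        if udp:
            args.append("-sU")
            specs.append("U:" + ",".join(map(str, udp)))
        if not specs:
            continue
        args += ["-p", ",".join(specs), ip]
        commands.append(shlex.join(args))      # shell-safe, ready to pipe into sh
    return commands


if __name__ == "__main__":
    for cmd in nmap_followup(parse_masscan_list(SAMPLE_MASSCAN_LIST)):
        print(cmd)
```

Typical use: `masscan 10.0.0.0/16 -p0-65535 --rate 10000 -oL found.txt`, then feed found.txt to this script and run the printed commands (both tools need root for SYN and UDP scans). Keep --rate within what the upstream network and your own NIC can handle; past that point masscan silently drops replies and the list is incomplete.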