Learning Kali Linux

Download 22,59 Mb. Pdf ko'rish
bet	105/225
Sana	14.05.2024
Hajmi	22,59 Mb.
	#232856

1 ... 101 102 103 104 105 106 107 108 ... 225

Bog'liq
learningkalilinux

106 | Chapter 3: Reconnaissance

High-Speed Scanning
nmap
may be the de facto port scanner, but it is not the only scanner that’s available.
In some cases, you may find you have large networks to scan.
nmap
is efficient, but it
isn’t optimized for scanning very large networks. One scanner that is designed for
scanning large networks is
masscan
. A major difference between
masscan
and
nmap
is that
masscan
uses asynchronous communication: the program will send a message,
and rather than waiting for the response to come back, it will keep sending. It uses
another part of the program to wait for the responses and record them. Its ability to
transmit at high rates of speed allows it to scan the entire internet in a matter of
minutes. Compare this with the speed of scanning just a local /24 network with a
maximum of 254 hosts using
nmap
.
106 | Chapter 3: Reconnaissance

masscan
can take different parameters, but it accepts the ones that
nmap
also accepts.
If you know how to operate
nmap
, you can pick up
masscan
quickly. One difference
between
masscan
and
nmap
, which you can see in
Example 3-19
, is the need to spec‐
ify ports.
nmap
will assume a set of ports to use.
masscan
doesn’t assume any ports. If
you try to run it without telling it which ports to scan, it will prompt you to specify
the ports you want to scan. In
Example 3-19
, you will see I set to scan the first 1,501
ports. If you were looking for all systems listening on port 443, meaning that system
was likely operating a TLS-based web server, you would specify that you wanted to
scan only port 443. Not scanning ports you don’t care about will save you a lot of
time.
Example 3-19. High-speed scanning with masscan
root@rosebud:~# masscan -sS --ports 0-1500 192.168.86.0/24
Starting masscan 1.0.3
(
http://bit.ly/14GZzcT
)
at 2017-12-31 20:27:57 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning
256
hosts
[
1501
ports/host
]
Discovered open port 445/tcp on 192.168.86.170
Discovered open port 22/tcp on 192.168.86.30
Discovered open port 1410/tcp on 192.168.86.37
Discovered open port 512/tcp on 192.168.86.239
Discovered open port 445/tcp on 192.168.86.239
Discovered open port 22/tcp on 192.168.86.46
Discovered open port 143/tcp on 192.168.86.238
Discovered open port 1410/tcp on 192.168.86.36
Discovered open port 53/tcp on 192.168.86.1
Discovered open port 1400/tcp on 192.168.86.36
Discovered open port 80/tcp on 192.168.86.38
Discovered open port 80/tcp on 192.168.86.1
You can use a multipurpose utility for port scanning that will also give you some con‐
trol over the time interval between messages being sent. Whereas
masscan
uses an
asynchronous approach to speed things up,
hping3
gives you the ability to specify the
gap between packets. This doesn’t give it the capacity to do really high-speed scan‐
ning, but
hping3
does have a lot of power to perform many other tasks.
hping3
allows
you to craft a packet with command-line switches. The challenge with using
hping3
as
a scanner is that it is really a hyperactive ping program and not a utility trying to re-
create what
nmap
and other scanners do.
However, if you want to perform scanning and probing against single hosts to deter‐
mine characteristics,
hping3
is an outstanding tool.
Example 3-20
is a SYN scan
against 10 ports. The
-S
parameter tells
hping3
to set the SYN flag. We use the
-p
flag
to indicate the port we are going to scan. By adding the
++
to the
-p
flag, we’re telling
hping3
that we want it to increment the port number. We can control the number of

Download 22,59 Mb.

1 ... 101 102 103 104 105 106 107 108 ... 225

Download 22,59 Mb.

Pdf ko'rish