Lockdoor Framework

A Penetration Testing Framework



War Dialers


War Dialers - Now What

War Driving

Wireless Misconfiguration

Tools for Wireless LAN Discovery



Additional tools for sniffing and crypto attacks

Network Mapping

Network Mapping with Nmap/Zenmap

How Traditional Traceroute Works

Port Scanning

Nmap allows for conducting numerous types of scans:

Other port scanners




Port Scanning

Port scanning is the process of checking for open TCP or UDP ports on a remote machine.

--Please note that port scanning systems you do not own or have explicit written permission to test is illegal in many jurisdictions; keep it inside the lab.--

Connect Scanning

> # TCP Netcat port scan on ports 3388-3390 (<target-ip> is the host to scan)
> nc -nvv -w 1 -z <target-ip> 3388-3390
# -n :: numeric-only IP addresses, no DNS
# -v :: verbose; use twice to be more verbose
# -w :: (secs) timeout for connects and final net reads
# -z :: zero-I/O mode (used for scanning)

Stealth / SYN Scanning

UDP Scanning

> nc -nv -u -z -w 1 10.0.0.19 160-162
# -u :: UDP mode
# UDP results are unreliable: a closed port usually answers with ICMP port unreachable,
# an open port usually answers nothing, so "open" here really means "no response".

Common Port Scanning Pitfalls

Port Scanning with Nmap

> # We'll scan one of my local machines while monitoring the amount
> # of traffic sent to that host using iptables.
> iptables -I INPUT 1 -s <target-ip> -j ACCEPT
> iptables -I OUTPUT 1 -d <target-ip> -j ACCEPT
> iptables -Z
# -I :: insert rule into the chain at position rulenum (1 = first)
# -s :: match source address; -d :: match destination address
# -j :: jump target for the rule
# -Z :: zero the packet and byte counters of all chains

> nmap -sT <target-ip>
> iptables -vn -L
> iptables -Z
# -sT :: TCP connect scan
# -v :: show packet and byte counters in the listing
# -n :: numeric output (no DNS lookups)
# -L :: list the current filter rules

> nmap -sT -p 1-65535 <target-ip>
> iptables -vn -L
# -p :: port range (1-65535 covers every TCP port)

--A full TCP connect scan of every port on a class C network (254 hosts) would result in sending over 1000 MB of traffic to the network.--

So, if we are in a position where we can’t run a full port scan on the network, what can we do?

Network Sweeping

> nmap -sP <range>
# -sP :: old ping-scan flag, deprecated in modern versions; use -sn instead
# lists the IPs of hosts that respond to the discovery probes

> nmap -sn <range>
# -sn :: ping scan (host discovery only, no port scan)
# grepping the default output gives results that are difficult to manage,
# so use Nmap's "greppable" output format (-oG)
> nmap -v -sn -oG ping-sweep.txt <range>
> grep Up ping-sweep.txt | cut -d " " -f 2

# we can sweep for specific TCP or UDP ports (-p) across the network
> nmap -p 80 -oG web-sweep.txt <range>
> grep open web-sweep.txt | cut -d " " -f 2

# scan the top 20 TCP ports (by Nmap's port-frequency data) with -A (OS detection, version detection, default scripts, traceroute)
> nmap -sT -A --top-ports=20 -oG top-port-sweep.txt <range>
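As an added example (not part of the Lockdoor notes), the shell functions below parse -oG output offline so the sweep results can be filtered reliably. The `grep open | cut` one-liner is fine for a single-port sweep, but it matches any host line that contains the word "open" anywhere, so once several ports are scanned at once (or --top-ports is used) it also reports hosts where the port you care about is closed. The sample scan output is constructed to mirror the format of a -sn sweep and a -p 80,443 sweep; the addresses and the host name upload.lab are made up.

```shell
#!/bin/sh
# Added example: parse Nmap "greppable" (-oG) output offline.
# Not part of the Lockdoor notes; the sample output below is constructed
# (made-up addresses/host names) to mirror the -oG format of -sn and -p sweeps.

TAB=$(printf '\t')

# Constructed output of: nmap -v -sn -oG ping-sweep.txt <range>
# (-v makes Nmap list Down hosts too, which is why one appears here)
sample_ping_sweep() {
    printf '%s\n' '# Nmap scan initiated as: nmap -v -sn -oG ping-sweep.txt 10.11.1.0/24'
    printf 'Host: %s ()\tStatus: %s\n' 10.11.1.1 Up 10.11.1.2 Down
    printf 'Host: %s (%s)\tStatus: %s\n' 10.11.1.5 upload.lab Up
    printf '%s\n' '# Nmap done -- 256 IP addresses (2 hosts up) scanned'
}

# Constructed output of: nmap -p 80,443 -oG web-sweep.txt <range>
sample_port_sweep() {
    printf '%s\n' '# Nmap scan initiated as: nmap -p 80,443 -oG web-sweep.txt 10.11.1.0/24'
    printf 'Host: %s ()\tPorts: %s\n' 10.11.1.1 '80/open/tcp//http///, 443/closed/tcp//https///'
    printf 'Host: %s (%s)\tPorts: %s\n' 10.11.1.5 upload.lab '80/closed/tcp//http///, 443/open/tcp//https///'
    printf 'Host: %s ()\tPorts: %s\n' 10.11.1.7 '80/filtered/tcp//http///, 443/filtered/tcp//https///'
}

# Hosts reported "Status: Up". -oG fields are tab-separated:
#   Host: <ip> (<name>) <TAB> Status: Up
# Exact match on the field, so a host name like "upload.lab" cannot leak in.
live_hosts() {
    awk -F "$TAB" '$1 ~ /^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# The notes' one-liner: any host line containing "open" anywhere.
# Correct for a single-port sweep, wrong as soon as more than one port is scanned.
naive_open_hosts() {
    grep open | cut -d " " -f 2
}

# Hosts where exactly port $1 is in state "open". The Ports: field is a
# comma-separated list of <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/
hosts_with_open_port() {
    awk -F "$TAB" -v port="$1" '
        $1 ~ /^Host:/ && $2 ~ /^Ports:/ {
            split($1, h, " ")
            n = split(substr($2, 8), plist, ", ")   # drop the "Ports: " prefix
            for (i = 1; i <= n; i++) {
                split(plist[i], f, "/")
                if (f[1] == port && f[2] == "open") { print h[2]; break }
            }
        }'
}

# Usage when run directly
sample_ping_sweep | live_hosts            # 10.11.1.1 and 10.11.1.5
sample_port_sweep | hosts_with_open_port 80   # only 10.11.1.1
sample_port_sweep | naive_open_hosts      # 10.11.1.1 and 10.11.1.5 (443 open, 80 closed)
```

Point the functions at a real file with `live_hosts < ping-sweep.txt` or `hosts_with_open_port 80 < web-sweep.txt`; the awk versions only depend on the tab-separated -oG layout, not on the number of ports swept.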

OS Fingerprinting

# OS fingerprinting (-O parameter); needs at least one open and one closed TCP port on the target to be reliable
> nmap -O <target-ip>

Nmap can also identify the services behind open ports by banner grabbing and by running enumeration scripts: -sV probes open ports for service and version information, and -A additionally enables OS detection, default NSE scripts, and traceroute.

> nmap -sV -sT <target-ip>
# -sV :: probe open ports to determine service / version info

Nmap Scripting Engine (NSE)

> nmap --script smb-os-discovery.nse <target-ip>
# Another useful script is the DNS zone transfer NSE script; run it against the
# name server, which infers the zone from its own host name unless you pass
# --script-args dns-zone-transfer.domain=<domain>
> nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com

Locally checking for listening ports on windows

> netstat -ano
# -a :: all connections and listening ports; -n :: numeric addresses/ports; -o :: owning process ID

Locally checking for listening ports on linux

On Linux/UNIX, you could run > netstat -nap
# -n :: numeric addresses/ports; -a :: all sockets, including listening ones; -p :: owning process (root needed to see other users' processes)