Penetration testing with tcpdump and nmap

Install the necessary tools. Purge the distribution's nmap package first so it does not conflict with the version built from source below; tcpdump is used for the packet capture, and build-essential and libssl-dev are needed to compile nmap (OpenSSL lets version detection probe TLS-wrapped services).

sudo apt-get update
sudo apt-get purge nmap
sudo apt-get install tcpdump build-essential libssl-dev

Download the nmap source and build it. 6.49BETA4 was the current release when this was written; pick the current release from https://nmap.org/download.html (and check its signature, which nmap publishes alongside the downloads) and substitute the filename below.

wget https://nmap.org/dist/nmap-6.49BETA4.tar.bz2
tar xjvf nmap-6.49BETA4.tar.bz2
cd nmap-6.49BETA4
./configure
make
sudo make install
nmap -V

The make install step is required: the packaged nmap was purged above, so without it nmap -V only reports that the command is not found. If the shell still remembers the old path, run hash -r.


Capture packets with tcpdump

Create the output directory, then capture everything to or from the target and write it to a pcap file (-w stores raw packets rather than text, so the file is read back later with -r). 192.168.1.200 is the example target used throughout:

mkdir -p ~/scan_results
sudo tcpdump host 192.168.1.200 -w ~/scan_results/packets

If tcpdump complains that it cannot open the output file, it has dropped root privileges before opening it (the -Z option, which many distribution builds enable by default); either write to a directory the tcpdump user can write to or add -Z root.

Pause the running tcpdump process by hitting CTRL+Z:

CTRL+Z

Resume the job in the background so it keeps capturing while you run the scans from the same terminal. It captures nothing while it is stopped, so do this right away:

bg

Bring the running process back to the foreground:

fg

Stop the process once the scans are finished; tcpdump flushes the file and prints its packet counts on exit:

CTRL+C


Run a SYN scan with nmap

SYN scan of the default top 1000 TCP ports:

sudo nmap -sS -Pn -T4 -vv --reason -oN ~/scan_results/nmap.results 192.168.1.200

Full scan of all 65535 TCP ports:

sudo nmap -sS -Pn -p- -T4 -vv --reason -oN ~/scan_results/nmap.fullResults 192.168.1.200

Discover the service version on the ports the scans reported open (here 1433 and 3389):

sudo nmap -sV -Pn -p 1433,3389 -vv --reason -oN ~/scan_results/service_ver.nmap 192.168.1.200

Discover the operating system. Fingerprinting is most reliable when nmap finds at least one open and one closed TCP port on the host:

sudo nmap -O -Pn -vv --reason -oN ~/scan_results/os_version.nmap 192.168.1.200

-sS TCP SYN (half-open) scan. It is the default scan type when nmap runs as root, which is why the commands use sudo; an unprivileged nmap falls back to a full TCP connect scan (-sT).

-Pn Skip host discovery and treat the target as up. Without it nmap first probes the host and, if nothing answers (common when ICMP is filtered), reports it as down and does not port-scan it at all.

-p- Scan every TCP port, 1 through 65535, instead of the default top 1000.

-T4 Timing template; 0 is the slowest and 5 is the fastest. 4 is fine on a LAN but can miss ports on slow or lossy links.

-vv Extra verbosity, so open ports are printed as they are discovered.

--reason Show why nmap assigned each port its state (syn-ack, reset, no-response, and so on), which makes the results easy to cross-check against the tcpdump capture.

-oN Write normal, human-readable output to a file. -oG writes grepable output and -oA writes normal, grepable and XML at once.
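Typing the open ports into the -sV command by hand does not scale. The script below is an added example, not code from the original post: it assumes the SYN scan was also saved in nmap's grepable format (the -oG option, not used above), parses the Ports: field of that file, and prints the version-detection command for exactly the ports found open. The .gnmap lines it runs against are constructed here; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): chain the SYN scan into the
# version scan by parsing nmap's grepable output. Assumes the SYN scan was
# also saved with -oG, e.g.
#   sudo nmap -sS -Pn -p- -T4 --reason -oG ~/scan_results/nmap.full.gnmap 192.168.1.200

# Constructed sample of the -oG format for one host; the fields are tab-separated.
SAMPLE_GNMAP=$(
  printf '# constructed sample, not real scan output\n'
  printf 'Host: 192.168.1.200 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.200 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 1433/closed/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65530)\n'
)

# open_tcp_ports: read gnmap text on stdin, print the open TCP ports as "22,80,3389".
# Each entry in the Ports: field is port/state/protocol/owner/service/rpcinfo/version/.
open_tcp_ports() {
  awk -F'\t' '
    /^Host: / {
      for (i = 1; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open" && f[3] == "tcp")
            list = (list == "") ? f[1] : list "," f[1]
        }
      }
    }
    END { print list }'
}

# version_scan FILE TARGET: print the -sV command for the open ports in FILE.
# Pipe the output to sh to run it; nothing is executed here.
version_scan() {
  ports=$(open_tcp_ports < "$1")
  if [ -z "$ports" ]; then
    echo "no open TCP ports found in $1" >&2
    return 1
  fi
  printf 'sudo nmap -sV -Pn -p %s -vv --reason -oN ~/scan_results/service_ver.nmap %s\n' "$ports" "$2"
}

# Demo against the constructed sample:
#   printf '%s\n' "$SAMPLE_GNMAP" | open_tcp_ports      -> 22,80,3389
```

Closed and filtered entries are dropped on purpose: version probes against them only add time and noise. The same parser works on the UDP scan output if you change the protocol check to "udp", but note that UDP entries can carry the state open|filtered, which this filter leaves out.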


Read the scanned results

Read the nmap results:

less ~/scan_results/nmap.results

Read the tcpdump capture. -r reads the pcap file instead of a live interface, and -nn stops tcpdump from resolving hostnames and port names, so the output is faster and shows raw IPs and port numbers (sudo is only needed if the file is owned by root):

sudo tcpdump -nn -r ~/scan_results/packets | less

To view only the traffic sent to the target (dst):

sudo tcpdump -nn -r ~/scan_results/packets 'dst 192.168.1.200' | less

To view only the traffic from the target (src):

sudo tcpdump -nn -r ~/scan_results/packets 'src 192.168.1.200' | less

To view the replies from open TCP ports. During a SYN scan the only packets the target sends with the SYN flag set are its SYN-ACK answers to the scanner's probes, so this filter lists exactly the ports nmap reports as open; closed ports answer with a RST instead, and filtered ports do not answer at all:

sudo tcpdump -nn -r ~/scan_results/packets 'src 192.168.1.200 and tcp[tcpflags] & tcp-syn != 0' | less
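The flags in the capture carry the same information as nmap's --reason column: SYN-ACK ([S.]) back from the target means open, RST ([R.]) means closed, and no answer means filtered. The script below is an added example, not part of the original post: it reads the text that tcpdump -nn -r prints, pairs every SYN the scanner sent with the target's answer, and prints one verdict per probed port, including the ports that never answered (which the filter above cannot show). The packet lines are constructed here to match tcpdump's output format for a scan of 192.168.1.200 from 192.168.1.10; the function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): turn the tcpdump text of a SYN
# scan into a per-port verdict, the way nmap's --reason column does.
# Real use:  sudo tcpdump -nn -r ~/scan_results/packets | classify_ports 192.168.1.200

# Constructed packet lines in the format `tcpdump -nn` prints: scanner 192.168.1.10
# probes four ports on 192.168.1.200. Port 443 is retransmitted once and never answered.
SAMPLE_DUMP='12:00:01.000100 IP 192.168.1.10.41234 > 192.168.1.200.22: Flags [S], seq 1000, win 1024, length 0
12:00:01.000250 IP 192.168.1.200.22 > 192.168.1.10.41234: Flags [S.], seq 2000, ack 1001, win 64240, options [mss 1460], length 0
12:00:01.000300 IP 192.168.1.10.41234 > 192.168.1.200.22: Flags [R], seq 1001, win 0, length 0
12:00:01.001100 IP 192.168.1.10.41234 > 192.168.1.200.23: Flags [S], seq 1000, win 1024, length 0
12:00:01.001250 IP 192.168.1.200.23 > 192.168.1.10.41234: Flags [R.], seq 0, ack 1001, win 0, length 0
12:00:01.002100 IP 192.168.1.10.41234 > 192.168.1.200.80: Flags [S], seq 1000, win 1024, length 0
12:00:01.002250 IP 192.168.1.200.80 > 192.168.1.10.41234: Flags [S.], seq 3000, ack 1001, win 64240, options [mss 1460], length 0
12:00:01.002300 IP 192.168.1.10.41234 > 192.168.1.200.80: Flags [R], seq 1001, win 0, length 0
12:00:01.003100 IP 192.168.1.10.41234 > 192.168.1.200.443: Flags [S], seq 1000, win 1024, length 0
12:00:02.003100 IP 192.168.1.10.41234 > 192.168.1.200.443: Flags [S], seq 1000, win 1024, length 0'

# classify_ports TARGET: read tcpdump text on stdin, print "port state" for each
# port the scanner sent a SYN to. SYN-ACK from the target = open, RST = closed,
# no answer = filtered (dropped by a firewall, or lost on the way).
classify_ports() {
  awk -v target="$1" '
    # line shape: time IP src.sport > dst.dport: Flags [X], ...
    $2 == "IP" && $6 == "Flags" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      flags = $7; gsub(/\[|\]|,/, "", flags)      # "[S.]," -> "S."
      n = split(src, a, "."); sport = a[n]; sip = substr(src, 1, length(src) - length(sport) - 1)
      n = split(dst, b, "."); dport = b[n]; dip = substr(dst, 1, length(dst) - length(dport) - 1)
      if (dip == target && flags == "S")
        probed[dport] = 1                        # our probe; retransmits collapse into one entry
      else if (sip == target && flags == "S.")
        state[sport] = "open"                    # SYN-ACK: something is listening
      else if (sip == target && flags == "R." && !(sport in state))
        state[sport] = "closed"                  # RST-ACK: nothing listening
    }
    END {
      for (p in probed) {
        verdict = (p in state) ? state[p] : "filtered"
        print p, verdict
      }
    }' | sort -n
}

# Demo against the constructed sample:
#   printf '%s\n' "$SAMPLE_DUMP" | classify_ports 192.168.1.200
```

Compare the output with the --reason column of the nmap results: any port the two disagree on is worth a second look, since nmap may have retried a probe the capture shows was dropped. The script only understands TCP; the ICMP port-unreachable answers of a UDP scan are not parsed.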


UDP scan

A closed UDP port answers with an ICMP port-unreachable message, and Linux limits how fast it sends those (net.ipv4.icmp_ratelimit, the minimum spacing between messages in milliseconds, default 1000). Nmap detects this rate limiting and slows down to match, which is why UDP scans take so long. The sysctl below changes the limit on the kernel it is set on, so it only speeds up a scan when the target is this machine or another Linux host you administer and change the same way; against a remote target the limit that matters is the target's own.

Check your current setting:

sudo sysctl net.ipv4.icmp_ratelimit

1000 is the default. Set icmp_ratelimit to zero to send ICMP errors without rate limiting:

sudo sysctl -w net.ipv4.icmp_ratelimit=0

Remember to revert the setting afterwards. The change is not persistent, so a reboot also reverts it:

sudo sysctl -w net.ipv4.icmp_ratelimit=1000

UDP scan of the default top 1000 UDP ports. Ports that never answer are reported as open|filtered, because an open UDP service usually stays silent; adding -sV sends protocol-specific payloads that can resolve many of those to open:

sudo nmap -sU -Pn -T4 -vv --reason -oN ~/scan_results/nmap.udp.results 192.168.1.200

Full UDP scan of all 65535 ports. Expect this to take hours against a rate-limited host, and write it to its own file so it does not overwrite the previous results:

sudo nmap -sU -Pn -p- -T4 -vv --reason -oN ~/scan_results/nmap.udp.fullResults 192.168.1.200

