Common tools for penetration testing: port scanning

AutoScan

AutoScan is a network discovery tool. It can automatically locate networks, scan subnets and detect operating systems, and it is operated through a graphical interface, which makes it more convenient and intuitive to use. Its main purpose is to quickly identify the hosts and network devices connected in a network environment.

Working principle:

Take host A (172.16.20.134) sending data to host B (172.16.20.136) as an example. Before sending, host A looks up the target IP address in its ARP cache table. If it finds an entry, it knows that the target MAC address is 00:0c:29:6d:80:69, writes that MAC address into the frame and sends it. If the IP address is not found in the ARP cache table, host A sends a broadcast (ARP request) on the network with the destination MAC address FF:FF:FF:FF:FF:FF, which asks every host in the same network segment: "What is the MAC address of 172.16.20.136?" The other hosts on the network do not respond to this ARP query; only host B, on receiving the frame, sends an ARP reply to host A: "The MAC address of 172.16.20.136 is 00:0c:29:6d:80:69". Host A now knows the MAC address of host B and can send data to it. At the same time, host A updates its own ARP cache table, so the next time it sends data to host B it only needs to look up the table. The ARP cache table uses an aging mechanism: an entry that is not used for a period of time is deleted. This keeps the ARP cache table short and speeds up lookups.

For a detailed analysis of the ARP protocol, see: arp protocol analysis
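To make the exchange above concrete, here is an added Python example (written for this page, not code from the original post or from AutoScan) that builds and parses the Ethernet/ARP request and reply frames for the two hosts in the text and models the ARP cache with its aging mechanism. The MAC address of host A is not given on the page, so a constructed one is used; the 60-second cache timeout is also an assumed value.

```python
import struct

# Addresses from the page's worked example; host A's MAC is constructed (not on the page).
HOST_A_IP, HOST_A_MAC = "172.16.20.134", "00:0c:29:aa:bb:cc"
HOST_B_IP, HOST_B_MAC = "172.16.20.136", "00:0c:29:6d:80:69"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) + ARP payload (28 bytes) for IPv4 over Ethernet."""
    # A request is broadcast; a reply goes straight to the asking host.
    dst = mac_to_bytes(BROADCAST_MAC if opcode == ARP_REQUEST else target_mac)
    eth = dst + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Decode the frame produced by build_arp_frame back into its fields."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(dst), "eth_src": bytes_to_mac(src), "op": op,
        "sender_mac": bytes_to_mac(body[0:6]), "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]), "target_ip": bytes_to_ip(body[16:20]),
    }


class ArpCache:
    """IP -> (MAC, last_used) table with the aging mechanism described on the page."""

    def __init__(self, ttl_seconds=60.0):  # assumed timeout
        self.ttl = ttl_seconds
        self.table = {}

    def learn(self, ip, mac, now):
        self.table[ip] = (mac, now)

    def lookup(self, ip, now):
        entry = self.table.get(ip)
        if entry is None:
            return None
        mac, last_used = entry
        if now - last_used > self.ttl:
            del self.table[ip]  # aged out: unused for too long
            return None
        self.table[ip] = (mac, now)  # refresh on use
        return mac


def resolve(cache, now):
    """Host A resolving host B: answer from the cache, else do the request/reply exchange."""
    mac = cache.lookup(HOST_B_IP, now)
    if mac is not None:
        return mac, "cache"
    request = parse_arp_frame(build_arp_frame(ARP_REQUEST, HOST_A_MAC, HOST_A_IP, ZERO_MAC, HOST_B_IP))
    if request["eth_dst"] != BROADCAST_MAC or request["target_ip"] != HOST_B_IP:
        raise RuntimeError("malformed request")
    # Only the host that owns the target IP (host B) answers the broadcast.
    reply = parse_arp_frame(build_arp_frame(ARP_REPLY, HOST_B_MAC, HOST_B_IP,
                                            request["sender_mac"], request["sender_ip"]))
    cache.learn(reply["sender_ip"], reply["sender_mac"], now)
    return reply["sender_mac"], "arp"


if __name__ == "__main__":
    cache = ArpCache()
    for t in (0.0, 10.0, 200.0):
        print(t, resolve(cache, t))
```

Running the block shows the first lookup going out as an ARP request, the second being served from the cache, and the third (after more than 60 seconds idle) triggering a fresh request because the entry aged out.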


nmap

1. Nmap is a network port scanning tool used to scan the open ports of computers on the network, determine which services are running on which ports, and infer which operating system the computer is running (this is also known as fingerprinting). It is essential software for network administrators and for assessing the security of network systems.
2. Nmap is also a favorite tool of many hackers and script kiddies. System administrators can use nmap to detect unauthorized servers in their environment, while attackers use nmap to collect the network configuration of a target computer in order to plan an attack.
3. Nmap is often confused with Nessus, a tool that evaluates system vulnerabilities. Nmap offers stealthy scan methods to avoid being noticed by intrusion detection systems, and it tries to affect the normal operation of the target system as little as possible.

Working principle

TCP is a transport-layer protocol of the Internet and uses a three-way handshake to establish a connection. The initiating party sends a SYN connection request, waits for the other party to answer with SYN + ACK, and finally sends an ACK confirming the other party's SYN. Establishing connections this way prevents erroneous connections. The flow control mechanism used by TCP is a variable-size sliding window protocol.
(Figure: TCP three-way handshake)
The TCP three-way handshake proceeds as follows:
[1] The client sends a SYN (SEQ = x) segment to the server and enters the SYN_SEND state.
[2] The server receives the SYN segment, responds with a SYN (SEQ = y) ACK (ACK = x + 1) segment, and enters the SYN_RECV state.
[3] The client receives the server's SYN segment, responds with an ACK (ACK = y + 1) segment, and enters the ESTABLISHED state.
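The handshake states above are what a defender can track on the wire, and they are also what makes a half-open (SYN) scan look different from a normal connection: the scanner answers the server's SYN/ACK with RST instead of ACK, so the handshake never reaches ESTABLISHED. The following added Python example (written for this page, not code from the original post or from nmap) feeds constructed packet summary lines through a small handshake state machine, checking the SEQ/ACK arithmetic from the steps above, and flags a source whose connections repeatedly stop at SYN_RECV or hit closed ports. The line format and the threshold of three probed ports are assumptions made for the demonstration.

```python
from collections import defaultdict

# Constructed packet summaries: "time src:sport > dst:dport flags [seq=N] [ack=N]".
# 10.0.0.5 completes a normal handshake; 10.0.0.7 probes three ports half-open.
SAMPLE_PACKETS = """\
1.00 10.0.0.5:40001 > 10.0.0.9:22 S seq=100
1.01 10.0.0.9:22 > 10.0.0.5:40001 SA seq=500 ack=101
1.02 10.0.0.5:40001 > 10.0.0.9:22 A ack=501
2.00 10.0.0.7:55001 > 10.0.0.9:22 S seq=1
2.01 10.0.0.9:22 > 10.0.0.7:55001 SA seq=900 ack=2
2.02 10.0.0.7:55001 > 10.0.0.9:22 R
2.03 10.0.0.7:55002 > 10.0.0.9:80 S seq=1
2.04 10.0.0.9:80 > 10.0.0.7:55002 SA seq=901 ack=2
2.05 10.0.0.7:55002 > 10.0.0.9:80 R
2.06 10.0.0.7:55003 > 10.0.0.9:443 S seq=1
2.07 10.0.0.9:443 > 10.0.0.7:55003 RA ack=2
"""


def parse_line(line):
    t, src, _, dst, flags, *kv = line.split()
    fields = dict(p.split("=") for p in kv)
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"t": float(t), "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport),
            "flags": flags, "seq": int(fields.get("seq", -1)), "ack": int(fields.get("ack", -1))}


class HandshakeTracker:
    """Per-flow state machine: SYN_SENT -> SYN_RECV -> ESTABLISHED, with the scan-shaped exits."""

    def __init__(self):
        self.flows = {}  # (client_ip, client_port, server_ip, server_port) -> state dict

    def feed(self, pkt):
        fwd = (pkt["sip"], pkt["sport"], pkt["dip"], pkt["dport"])
        rev = (pkt["dip"], pkt["dport"], pkt["sip"], pkt["sport"])
        f = pkt["flags"]
        if f == "S" and fwd not in self.flows:  # step [1]: client SYN with SEQ = x
            self.flows[fwd] = {"state": "SYN_SENT", "client_isn": pkt["seq"], "server_isn": None}
            return "SYN_SENT"
        if rev in self.flows:  # packet from server back to client
            flow = self.flows[rev]
            if flow["state"] == "SYN_SENT":
                if f == "SA" and pkt["ack"] == flow["client_isn"] + 1:  # step [2]: ACK = x + 1
                    flow.update(state="SYN_RECV", server_isn=pkt["seq"])
                elif "R" in f:
                    flow["state"] = "CLOSED_PORT"  # RST/ACK: nothing listening there
            return flow["state"]
        if fwd in self.flows:  # further packet from the client
            flow = self.flows[fwd]
            if flow["state"] == "SYN_RECV":
                if f == "A" and pkt["ack"] == flow["server_isn"] + 1:  # step [3]: ACK = y + 1
                    flow["state"] = "ESTABLISHED"
                elif "R" in f:
                    flow["state"] = "HALF_OPEN_RESET"  # SYN/ACK answered with RST, not ACK
            return flow["state"]
        return "UNTRACKED"


def track_flows(lines):
    tracker = HandshakeTracker()
    for line in lines:
        tracker.feed(parse_line(line))
    return tracker.flows


def find_half_open_scanners(lines, min_ports=3):
    """Sources that probed at least min_ports (server, port) pairs without completing a handshake."""
    probes = defaultdict(set)
    for (cip, _, sip, sport), flow in track_flows(lines).items():
        if flow["state"] in ("HALF_OPEN_RESET", "CLOSED_PORT"):
            probes[cip].add((sip, sport))
    return sorted(cip for cip, ports in probes.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    lines = SAMPLE_PACKETS.strip().splitlines()
    for key, flow in track_flows(lines).items():
        print(key, flow["state"])
    print("suspected half-open scanners:", find_half_open_scanners(lines))
```

Real traffic needs the same logic applied to flow records from a sensor rather than summary lines, and the threshold should be tuned to the network; the state machine itself is the same.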

Nmap has many parameters; see the official manual for details.

Official Chinese manual: nmap official manual

Common parameters
-sT basic TCP scan
-sS half-open (SYN) scan
-sF, -sX, -sN FIN packet scans (FIN, Xmas and Null)
-sP ping scan
-sU UDP scan
-sA ACK scan
-sW TCP window scan (a variant of the ACK scan)
-sR RPC scan

-b FTP bounce attack: uses an FTP server behind the firewall as a proxy

-P0 Do not ping hosts before scanning.
-PT Use a TCP ping before scanning to determine which hosts are up.

-A full scan
-O operating system scan
-sV service version scan
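The post notes that administrators use nmap to find unauthorized servers. Nmap can write its results as XML (the -oX option), and the added Python example below, which is not from the original post or from the nmap project, parses a constructed sample of that output and compares the open ports it finds against an assumed inventory of expected services. The XML sample is trimmed to the elements the parser uses, and the inventory contents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout nmap writes with -oX, trimmed to the elements used here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 10.0.0.0/28">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <address addr="00:0C:29:6D:80:69" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="4444"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.13" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed asset inventory: (ip, protocol, port) triples that are expected to be listening.
ALLOWED_SERVICES = {
    ("10.0.0.9", "tcp", 22),
    ("10.0.0.9", "tcp", 80),
}


def parse_open_ports(xml_text):
    """Return one record per open port on each host that nmap reported as up."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth inventorying
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")  # absent when nmap could not name the service
            results.append({
                "ip": ip,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else "unknown",
                "product": svc.get("product", "") if svc is not None else "",
            })
    return results


def unexpected_services(xml_text, allowed=ALLOWED_SERVICES):
    """Open ports that are not in the inventory: candidates for an unauthorized server."""
    return [r for r in parse_open_ports(xml_text)
            if (r["ip"], r["proto"], r["port"]) not in allowed]


if __name__ == "__main__":
    for finding in unexpected_services(SAMPLE_NMAP_XML):
        print(f"{finding['ip']} {finding['proto']}/{finding['port']} "
              f"{finding['service']} {finding['product']}".rstrip())
```

Running the block against the sample prints the two listeners missing from the inventory (tcp/4444 on 10.0.0.9, which nmap could not name, and tcp/3389 on 10.0.0.12); in practice the XML would come from a scan file and the inventory from an asset database.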


About nmap scripts
The nmap scripts are located in the directory /usr/share/nmap/scripts/

ZENMAP

Zenmap is the official GUI version of nmap; its usage is the same as nmap and is omitted here.



Origin blog.csdn.net/qq_38626043/article/details/104376600