**NETCAT (NC) NC NOTES**

<code bash>
# for tcp
nc -kl {port}                      # for the host to listen on the specified port
nc -zv 192.168.2.119 37657         # alternatively we can use: telnet 192.168.2.119 37657
nc -z -v -w1 google.es 443

# for udp. You need to type some text and see if it appears on the receiver
nc -luk 192.168.0.112 7777         # listens on UDP
nc -uv 192.168.0.112 7777          # opens a terminal so we can send datagrams

# to generate traffic. We can omit the pv bit
while true; do dd if=/dev/urandom bs=1400 | pv -L 10M | nc 10.80.8.1 4444; done
</code>

ncat is the version bundled in the nmap bundle.\\

For port scanning:
<code bash>
nc -v -z -w2 IP 100-200
</code>

<code bash>
# simulate a syslog client; check the destination, as there is no 'connected' message when dealing with udp
echo '<14>sourcehost jaime' | nc -v -u -w 1 89.145.95.14 10514
</code>

[[https://www.redhat.com/sysadmin/getting-started-socat.|socat]] can be considered an advanced version of netcat.

**NMAP NOTES**

<code bash>
nmap -O 192.168.2.1          # to determine the OS (this uses stack fingerprinting; no open ports are really required)
nmap -vv host.target.com     # port scan
nmap -sP 10.0.0.0/24         # will scan the 256 hosts for reachability
nmap {host}                  # scan for open ports
</code>

SCRIPTS:
<code bash>
nmap --script ssh2-enum-algos 192.168.0.250 -p22                                  # to show all the ssh algorithms mentioned above
nmap -sn 10.8.8.150 --script ip-forwarding --script-args='target=www.google.com'  # check the ip is not forwarding (ie: a mgmt address shouldn't)
nmap -sU -p 123 --script ntp-info

# sweeps
for i in {1..4} ;do (ping -c 1 LDZOOBLL2$i | grep "bytes from" &) ;done   # simple ping sweep
nmap -sU -p53 4.2.2.2/30                                                  # UDP sweep
nmap -Pn -p80 -oG logs/pb-port80scan-%D.gnmap 216.163.128.0/20            # tcp sweep
</code>
see: https://isc.sans.edu/forums/diary/Do+you+have+rogue+Internet+gateways+in+your+network+Check+it+with+nmap/16198/

More information on simple ping tools: [[https://github.com/jotasantos/python-net/tree/main/tools]]

NMAP IN WINDOWS:\\
<code>
# In C:\Users\me\.ssh\config
## then with 'ssh myhost' I can ssh to panda from wherever I am, creating the socks proxy with putty
Host myhost
    User pi
    HostName panda314159.duckdns.org
    ProxyCommand ncat --proxy 127.0.0.1:1080 --proxy-type socks5 %h %p
</code>

----

HPING NOTES: [[https://ravi73079.medium.com/attacks-to-be-performed-using-hping3-packet-crafting-98bc25584745]] ; for all flags check [[https://www.kali.org/tools/hping3/|this]]

<code bash>
hping3 --help
hping3 -c 15000 --icmp --flood --rand-source 192.168.100.3                  # classical icmp flood
hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.100.3   # big flood on p80. We can set the rate by removing 'flood' and using '-i u1000'
hping3 --fast -d 0 -L 0 -S -w 64 -p 80 10.68.0.2                           # note -d 0 is the payload (then + 20B TCP + 20B IP)
hping3 -S -p 443 -c 3 google.com                                            # RTT for (web) sites where icmp is filtered (-S is just to set the SYN flag)

# volumetric attacks
hping3 --flood --spoof --udp -p 53
hping3 --syn --flood --udp -p 53                                            # SYN attack
hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source                 # SYN-flood (datagram 120B)
</code>

----

**KALI LINUX**\\
  * [[https://www.kali.org/tools/yersinia/|Yersinia]] is a tool for L2 attacks
  * [[https://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon|LOIC]]: low orbit ion cannon
  * [[https://www.firewall.cx/general-topics-reviews/network-protocol-analyzers/1224-performing-tcp-syn-flood-attack-and-detecting-it-with-wireshark.html]]

----

**CURIOUS SOURCE PORTS** \\
Not a comprehensive list, but source ports are useful to understand which vulnerability has been exploited in a reflection attack.
  * (19) chargen [[https://www.incibe-cert.es/en/blog/chargen-cyberattacks-based-chargen-protocol|External Link]]
  * (1985) hsrp
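The netcat notes above rely on two behaviours that are easy to misread: `nc -z` on TCP reports "succeeded" only when the three-way handshake completes, while `nc -u` on UDP reports nothing because there is no handshake, which is why the syslog line says to check the destination. The following Python block is an added example, not part of the original notes and not netcat's own code; it reproduces both probes with the standard `socket` module against loopback listeners it builds itself (constructed stand-ins for the remote hosts in the notes), and decodes the `<14>` PRI prefix of the constructed syslog line `<14>sourcehost jaime` into facility/severity.

```python
# Added example (not from the original notes): what `nc -zv host port` (TCP) and
# `echo msg | nc -u host port` (UDP) actually test, plus a syslog <PRI> decoder.
# Every host/port below is a constructed loopback listener, not a real target.
import socket
import threading


def tcp_port_open(host, port, timeout=1.0):
    """Like `nc -z -v -w1 host port`: True only if the TCP three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused (closed), unreachable, or timed out (filtered)
        return False


def udp_probe(host, port, payload, timeout=1.0):
    """Like `nc -u`: sendto() always 'succeeds' because UDP has no handshake.

    We only learn the port is alive if the peer answers. Silence means either
    'closed and nothing told us' or 'open but the service does not reply'.
    Returns the reply bytes, or None when nothing came back.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            data, _peer = s.recvfrom(2048)
            return data
        except OSError:  # socket.timeout, or ICMP port-unreachable surfacing as ConnectionRefusedError
            return None


def syslog_pri(facility, severity):
    """Syslog PRI value (RFC 3164/5424): facility * 8 + severity; user(1)/info(6) gives 14."""
    return facility * 8 + severity


def parse_syslog_pri(line):
    """Split the '<PRI>' prefix of a syslog line into (facility, severity); None if absent."""
    end = line.find(">")
    if not line.startswith("<") or end < 2 or not line[1:end].isdigit():
        return None
    return divmod(int(line[1:end]), 8)


def _unused_local_port():
    """Bind to port 0, read the port the kernel picked, release it: a constructed 'closed' port."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Stand up loopback TCP and UDP listeners and return what the probes observe."""
    tcp_srv = socket.socket()
    tcp_srv.bind(("127.0.0.1", 0))
    tcp_srv.listen(1)
    tcp_port = tcp_srv.getsockname()[1]

    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind(("127.0.0.1", 0))
    udp_srv.settimeout(3.0)
    udp_port = udp_srv.getsockname()[1]
    received = []

    def udp_echo():  # a cooperative receiver: acknowledges the datagram it got
        try:
            data, peer = udp_srv.recvfrom(2048)
            received.append(data)
            udp_srv.sendto(b"ACK " + data, peer)
        except OSError:
            pass

    t = threading.Thread(target=udp_echo, daemon=True)
    t.start()
    closed = _unused_local_port()
    msg = b"<14>sourcehost jaime"  # constructed syslog line from the notes
    results = {
        "tcp_open": tcp_port_open("127.0.0.1", tcp_port),
        "tcp_closed": tcp_port_open("127.0.0.1", closed),
        "udp_reply": udp_probe("127.0.0.1", udp_port, msg),
        "udp_silent": udp_probe("127.0.0.1", closed, msg, timeout=0.5),
    }
    t.join(3.0)
    results["udp_received"] = received
    results["pri"] = parse_syslog_pri(msg.decode())
    tcp_srv.close()
    udp_srv.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13} {value!r}")
```

The `udp_silent` result is the point of the "check destination" remark: a UDP send to a port nobody listens on returns `None` exactly like a send to a listening service that stays quiet, so a syslog test is only conclusive when the collector side confirms receipt.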
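The tcp sweep in the nmap notes writes grepable output with `-oG`; that format is what turns a sweep into an inventory you can diff between runs. The block below is an added example, not part of the original notes and not nmap's own code: a small parser for `-oG` lines (each `Ports:` entry is `port/state/proto/owner/service/rpc/version/`) that lists which hosts have a port open and summarises the reported states. `SAMPLE` is constructed text in that format, not real scan output; the addresses in it reuse the 216.163.128.0 range from the notes.

```python
# Added example (not from the original notes): parse nmap grepable (-oG) output
# and report hosts with a given port open. SAMPLE is constructed, not a real scan.
import re

SAMPLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -Pn -p80,443 -oG logs/pb-port80scan.gnmap 216.163.128.0/30
Host: 216.163.128.1 ()\tStatus: Up
Host: 216.163.128.1 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (0)
Host: 216.163.128.2 ()\tPorts: 80/closed/tcp//http///
Host: 216.163.128.3 (web3.example)\tPorts: 80/filtered/tcp//http///, 443/open/tcp//https///
# Nmap done at Mon Jan  1 10:00:05 2024 -- 4 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# "Host: <addr> (<hostname or empty>)" opens every data line; comment lines start with '#'
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return {address: [{'port', 'state', 'proto', 'service'}, ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' header/footer and blank lines
        addr = m.group(1)
        hosts.setdefault(addr, [])  # a 'Status: Up' line registers the host with no ports
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue  # malformed entry; skip rather than guess
                hosts[addr].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                })
    return hosts


def hosts_with_open(hosts, port, proto="tcp"):
    """Addresses where port/proto is reported 'open' (not 'open|filtered' or 'filtered')."""
    return sorted(
        addr for addr, ports in hosts.items()
        if any(p["port"] == port and p["proto"] == proto and p["state"] == "open" for p in ports)
    )


def state_summary(hosts, port, proto="tcp"):
    """Hosts per reported state for one port; a shift from 'filtered' to 'open' between sweeps is worth a look."""
    counts = {}
    for ports in hosts.values():
        for p in ports:
            if p["port"] == port and p["proto"] == proto:
                counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE)
    print("port 80 open on:", hosts_with_open(parsed, 80))
    print("port 80 states:", state_summary(parsed, 80))
```

Point the same functions at the file the notes' command produces (`logs/pb-port80scan-<date>.gnmap`) and keep the per-run `hosts_with_open` list; comparing consecutive lists is a cheap way to notice a new exposed service in the range.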