security
NETCAT (NC) NOTES

# for tcp  
nc -kl {port}    # for the host to listen on the specified port
nc -zv 192.168.2.119 37657 <-- Alternatively we can use telnet 192.168.2.119 37657
nc -z -v -w1 google.es 443
# for udp. You need to type some text and see if it appears on the receiver
nc -luk 192.168.0.112 7777    # listens on UDP
nc -uv 192.168.0.112 7777    # opens terminal so we can send datagrams

ncat is the version bundled with nmap
For port scanning:

nc -v -z -w2 IP 100-200
echo '<14>sourcehost jaime' | nc -v -u -w 1 89.145.95.14 10514 # simulate a syslog client; check on the destination, as there is no 'connected' message when dealing with UDP

socat can be considered an advanced version of netcat

NMAP NOTES

nmap -O 192.168.2.1 <-- To determine the OS (this uses TCP/IP stack fingerprinting; no open ports are really required)
nmap -vv host.target.com    # port scan
nmap -sP 10.0.0.0/24 # will scan the 256 hosts for reachability (-sP is the old name for -sn)
nmap <IP>    # scan for open ports

SCRIPTS:

nmap --script ssh2-enum-algos 192.168.0.250 -p22  # to show the key exchange, host key, cipher and MAC algorithms the SSH server offers
nmap -sn 10.8.8.150 --script ip-forwarding --script-args='target=www.google.com'  # check the IP is not forwarding (e.g. a management address shouldn't); see: https://isc.sans.edu/forums/diary/Do+you+have+rogue+Internet+gateways+in+your+network+Check+it+with+nmap/16198/
nmap -sU -p 123 --script ntp-info <IP>
for i in {1..4} ;do (ping -c 1 LDZOOBLL2$i | grep "bytes from" &) ;done    # simple ping sweep
nmap -sU -p53 4.2.2.2/30    # UDP sweep
nmap -Pn -p80 -oG logs/pb-port80scan-%D.gnmap 216.163.128.0/20   # tcp sweep

More simple ping tools: https://github.com/jotasantos/python-net/tree/main/tools
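As an added example (not part of these notes), a small Python parser for the grepable output that the `-oG` tcp sweep above writes, so the hosts answering on port 80 can be listed and counted per state; the sample output embedded in it is constructed, with made-up hostnames in the 192.0.2.0/24 test range.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output, in the shape that
# `nmap -Pn -p80 -oG logs/pb-port80scan-%D.gnmap <range>` writes.
# Addresses and hostnames are made up (TEST-NET-1 range).
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated Thu Mar 23 09:15:01 2023 as: nmap -Pn -p80 -oG logs/pb-port80scan-230323.gnmap 192.0.2.0/29
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.1 (gw.example.test)\tPorts: 80/open/tcp//http///\tIgnored State: closed (0)
Host: 192.0.2.2 ()\tPorts: 80/closed/tcp//http///
Host: 192.0.2.3 ()\tPorts: 80/filtered/tcp//http///
Host: 192.0.2.4 (web.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
# Nmap done at Thu Mar 23 09:15:04 2023 -- 8 IP addresses (4 hosts up) scanned in 3.02 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"name": hostname, "ports": {port: state}}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines and blanks
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"name": name, "ports": {}})
        for field in line.split("\t")[1:]:  # tab-separated: Status:, Ports:, Ignored State:
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                port, state = item.split("/")[:2]  # port/state/proto/owner/service/...
                entry["ports"][int(port)] = state
    return hosts


def hosts_with_port(hosts, port, state="open"):
    """Sorted list of IPs whose given port was reported in the given state."""
    return sorted(ip for ip, h in hosts.items() if h["ports"].get(port) == state)


def state_summary(hosts, port):
    """Count of hosts per reported state for one port (open/closed/filtered)."""
    counts = defaultdict(int)
    for h in hosts.values():
        counts[h["ports"].get(port, "not-scanned")] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print("port 80 open:", hosts_with_port(parsed, 80))
    print("port 80 states:", state_summary(parsed, 80))
```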

NMAP IN WINDOWS:

# In C:\Users\me\.ssh\config
## then with 'ssh myhost' I can ssh to panda from wherever I am, creating the SOCKS proxy with PuTTY
Host myhost
  User pi
  HostName panda314159.duckdns.org
  ProxyCommand ncat --proxy 127.0.0.1:1080 --proxy-type socks5 %h %p

HPING NOTES: https://ravi73079.medium.com/attacks-to-be-performed-using-hping3-packet-crafting-98bc25584745

hping3 --help
hping3 -c 15000 --icmp --flood --rand-source 192.168.100.3    # classical icmp flood
hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.100.3  # bigger flood, port 80 based
hping3 -S -p 443 -c 3 google.com    # RTT for (web) sites where ICMP is filtered (-S just sets the SYN flag)
# volumetric attacks
hping3 --flood --spoof <spoofed-ip> --udp -p 53 <victim-ip> 
hping3 --syn --flood <spoofed-ip> --udp -p 53 <victim-ip>    # SYN attack

KALI LINUX


CURIOUS SOURCE PORTS
Not a comprehensive list, but the source port of reflected traffic is useful to understand which service has been abused in a reflection attack.

security.1679503153.txt.gz · Last modified: (external edit)