To run a TCP SYN scan (-sS) against a single computer on the network, with verbose output (-v), use this command.
nmap -sS -v 192.168.1.10
If you want to send SYN packets to a range of IP addresses, this is the command to use.
nmap -sS -v 192.168.1.10-100
This will send SYN packets to every IP address in the range 192.168.1.10 to 192.168.1.100. This is a useful trick when you are scanning an IP range looking for a particular machine. Use the command below if the output scrolls off your terminal screen.
nmap -sS -v 192.168.1.10-100 | less
Here is an example scan against hell.com. This shows that port 80 is open on this server.
ec2-user@ip-172-31-30-35 ~ $ sudo nmap -sS -v hell.com
Starting Nmap 6.25 ( http://nmap.org ) at 2014-10-27 11:44 UTC
Initiating Ping Scan at 11:44
Scanning hell.com (23.23.140.162) [4 ports]
Completed Ping Scan at 11:44, 1.28s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:44
Completed Parallel DNS resolution of 1 host. at 11:44, 0.00s elapsed
Initiating SYN Stealth Scan at 11:44
Scanning hell.com (23.23.140.162) [1000 ports]
Discovered open port 80/tcp on 23.23.140.162
Increasing send delay for 23.23.140.162 from 0 to 5 due to 136 out of 451 dropped probes since last increase.
Increasing send delay for 23.23.140.162 from 5 to 10 due to 11 out of 35 dropped probes since last increase.
SYN Stealth Scan Timing: About 51.50% done; ETC: 11:45 (0:00:30 remaining)
Increasing send delay for 23.23.140.162 from 10 to 20 due to max_successful_tryno increase to 4
Increasing send delay for 23.23.140.162 from 20 to 40 due to max_successful_tryno increase to 5
SYN Stealth Scan Timing: About 61.34% done; ETC: 11:46 (0:00:39 remaining)
Increasing send delay for 23.23.140.162 from 40 to 80 due to 15 out of 49 dropped probes since last increase.
Increasing send delay for 23.23.140.162 from 80 to 160 due to max_successful_tryno increase to 6
SYN Stealth Scan Timing: About 66.15% done; ETC: 11:47 (0:00:52 remaining)
SYN Stealth Scan Timing: About 79.17% done; ETC: 11:47 (0:00:41 remaining)
Completed SYN Stealth Scan at 11:48, 250.81s elapsed (1000 total ports)
Nmap scan report for hell.com (23.23.140.162)
Host is up (0.27s latency).
Other addresses for hell.com (not scanned): 23.21.106.33
rDNS record for 23.23.140.162: ec2-23-23-140-162.compute-1.amazonaws.com
Not shown: 849 closed ports, 150 filtered ports
PORT   STATE SERVICE
80/tcp open  http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 252.38 seconds
           Raw packets sent: 2378 (104.608KB) | Rcvd: 1173 (46.924KB)
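The output above shows what a default SYN scan looks like from the scanner's side: 1000 TCP ports probed with SYN segments, nearly all of them coming back closed or filtered, and only one open. From the target's side the same activity is a burst of bare SYNs from a single source to many distinct ports in a short time, which is the signature a host firewall log or connection log lets you alert on. The Python below is an added example and not code from the original post; it applies that heuristic to a constructed, simplified connection log. The log format, the addresses, the 60-second window and the 20-port threshold are all assumptions for this example.

```python
"""Flag SYN-scan-like behaviour in a simplified connection log.

Added example. The log format is an assumption for this demo:
    <ISO timestamp> <src ip> <dst ip> <dst port> <tcp flags>
where the flags column is "S" for a bare SYN and "A" for a segment with ACK set.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log: one source probing 40 distinct ports in under four
    seconds (the pattern nmap -sS produces, on a much larger scale) and one
    ordinary client that only ever talks to ports 80 and 443."""
    base = datetime(2014, 10, 27, 11, 44, 0)
    lines = []
    for i in range(40):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 203.0.113.10 {i + 1} S")
    for i in range(10):
        ts = base + timedelta(seconds=6 * i)
        port = 443 if i % 2 else 80
        lines.append(f"{ts.isoformat()} 198.51.100.8 203.0.113.10 {port} S")
    # Established traffic carries ACK and is not counted as a probe.
    lines.append(f"{base.isoformat()} 198.51.100.8 203.0.113.10 80 A")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def detect_syn_scans(log_text, window_s=60, min_ports=20):
    """Return {(src, dst): distinct_ports} for every source/destination pair
    that sent bare SYNs to at least `min_ports` distinct destination ports
    within some `window_s`-second window."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, src, dst, dport_s, flags = line.split()
        if flags != "S":  # only bare SYNs look like probes
            continue
        events[(src, dst)].append((datetime.fromisoformat(ts_s), int(dport_s)))

    window = timedelta(seconds=window_s)
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        in_window = Counter()  # dport -> number of SYNs inside the sliding window
        left = 0
        peak = 0
        for ts, port in evs:
            in_window[port] += 1
            # Drop events that fell out of the window ending at `ts`.
            while evs[left][0] < ts - window:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_syn_scans(SAMPLE_LOG).items():
        print(f"possible SYN scan: {src} -> {dst}, {n} distinct ports in one window")
```

The threshold and window are the tuning knobs: a default nmap SYN scan touches 1000 ports, so 20 distinct ports in a minute is a low bar that still leaves ordinary clients (a handful of well-known ports, repeated) untouched. Only bare SYNs are counted because a half-open scan never completes the handshake, whereas legitimate sessions go on to carry ACKs.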
Below is an example of a scan against a range of IP addresses (-P0 skips the ping-based host discovery and -T4 selects the aggressive timing template).
ec2-user@ip-172-31-30-35 ~ $ sudo nmap -P0 -T4 23.23.140.94-96
Starting Nmap 6.25 ( http://nmap.org ) at 2014-10-27 12:14 UTC
Nmap scan report for ec2-23-23-140-94.compute-1.amazonaws.com (23.23.140.94)
Host is up (0.26s latency).
Not shown: 847 closed ports, 151 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap scan report for ec2-23-23-140-95.compute-1.amazonaws.com (23.23.140.95)
Host is up.
All 1000 scanned ports on ec2-23-23-140-95.compute-1.amazonaws.com (23.23.140.95) are filtered
Nmap scan report for ec2-23-23-140-96.compute-1.amazonaws.com (23.23.140.96)
Host is up (0.26s latency).
Not shown: 848 closed ports, 151 filtered ports
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 3 IP addresses (3 hosts up) scanned in 145.02 seconds
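Both reports on this page (the single-host hell.com scan and this range scan) follow the same plain-text layout: a "Nmap scan report for" header per host, a host-state line, a "Not shown" or "All N scanned ports" summary, and a PORT/STATE/SERVICE table. Parsing that layout lets you compare what a scan found with what you expect to be exposed, which is the defensive use of a scan of your own address range. The Python below is an added example, not code from the original post or from the nmap project; its sample input is the range-scan output shown above, and the allowlist of expected ports is an assumption for the example.

```python
"""Parse nmap's normal text output into per-host records and diff the open
ports against an expected-exposure allowlist. Added example; the sample
report is the range-scan output from the page, and the allowlist is an
assumption."""
import re

SAMPLE_REPORT = """\
Starting Nmap 6.25 ( http://nmap.org ) at 2014-10-27 12:14 UTC
Nmap scan report for ec2-23-23-140-94.compute-1.amazonaws.com (23.23.140.94)
Host is up (0.26s latency).
Not shown: 847 closed ports, 151 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap scan report for ec2-23-23-140-95.compute-1.amazonaws.com (23.23.140.95)
Host is up.
All 1000 scanned ports on ec2-23-23-140-95.compute-1.amazonaws.com (23.23.140.95) are filtered
Nmap scan report for ec2-23-23-140-96.compute-1.amazonaws.com (23.23.140.96)
Host is up (0.26s latency).
Not shown: 848 closed ports, 151 filtered ports
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 3 IP addresses (3 hosts up) scanned in 145.02 seconds
"""

# "Nmap scan report for host (ip)" or just "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (?P<summary>.+)$")
ALL_PORTS_RE = re.compile(r"^All (?P<n>\d+) scanned ports on .* are (?P<state>\w+)$")


def parse_nmap_report(text):
    """Return a list of {name, ip, up, ports, not_shown} dicts, one per host."""
    hosts = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            cur = {"name": m["name"], "ip": m["ip"] or m["name"],
                   "up": False, "ports": [], "not_shown": {}}
            hosts.append(cur)
            continue
        if cur is None:  # banner lines before the first host
            continue
        if line.startswith("Host is up"):
            cur["up"] = True
            continue
        m = ALL_PORTS_RE.match(line)
        if m:  # e.g. "All 1000 scanned ports on ... are filtered"
            cur["not_shown"][m["state"]] = int(m["n"])
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:  # e.g. "Not shown: 847 closed ports, 151 filtered ports"
            for part in m["summary"].split(","):
                count, state, _ports = part.split()
                cur["not_shown"][state] = int(count)
            continue
        m = PORT_RE.match(line)
        if m:  # table rows such as "443/tcp open  https"
            cur["ports"].append({"port": int(m["port"]), "proto": m["proto"],
                                 "state": m["state"], "service": m["service"]})
    return hosts


def unexpected_exposure(hosts, allowed):
    """Return {ip: [ports]} for open TCP ports missing from the allowlist
    ({ip: set_of_ports}); a host absent from the allowlist is fully unexpected."""
    findings = {}
    for h in hosts:
        extra = sorted(p["port"] for p in h["ports"]
                       if p["state"] == "open" and p["proto"] == "tcp"
                       and p["port"] not in allowed.get(h["ip"], set()))
        if extra:
            findings[h["ip"]] = extra
    return findings


if __name__ == "__main__":
    # Assumed expected exposure: only .94 should serve HTTPS, nothing else.
    expected = {"23.23.140.94": {443}}
    for ip, ports in unexpected_exposure(parse_nmap_report(SAMPLE_REPORT), expected).items():
        print(f"{ip}: unexpected open TCP ports {ports}")
```

For anything beyond a quick check, nmap's -oX (XML) and -oG (grepable) output options are the better input for tooling; the parser above exists to make the plain text shown on this page usable.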
I scanned three possible IP addresses and found servers running on two of them. That is a pretty good effort.
Here is an example of sending ICMP echo requests to a server with the hping command on Gentoo (-1 selects ICMP mode).
ip-172-31-30-35 ec2-user # hping -1 hackthissite.com
HPING hackthissite.com (eth0 184.168.221.104): icmp mode set, 28 headers + 0 data bytes
len=28 ip=184.168.221.104 ttl=50 id=3987 icmp_seq=0 rtt=155.0 ms
len=28 ip=184.168.221.104 ttl=50 id=3988 icmp_seq=1 rtt=160.0 ms
len=28 ip=184.168.221.104 ttl=50 id=3989 icmp_seq=2 rtt=160.0 ms
len=28 ip=184.168.221.104 ttl=50 id=3990 icmp_seq=3 rtt=160.0 ms
len=28 ip=184.168.221.104 ttl=50 id=3991 icmp_seq=4 rtt=160.0 ms
^C
--- hackthissite.com hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 155.0/159.0/160.0 ms
There is more information about the hping command here: http://0daysecurity.com/articles/hping3_examples.html.