The 6 W's of Cybersecurity


These six W's help you ask the questions you need answered, whether you are implementing a security model or responding to a cyber threat.
WHO

  • Who is involved?
  • Who are the stakeholders?
  • Who is affected by the outcome?

WHAT

  • What is at stake? 
  • What happened? 
  • What is the problem? 
  • What is the desired outcome?

WHERE

  • Where did this take place? 
  • Where are the stakeholders? 
  • Where is the infrastructure? 
  • Does geography make a difference? 

WHEN

  • When did it take place? 
  • Does the timing make a difference? 
  • When are the key dates? 
  • Are there deadlines to be aware of?

WHY

  • Why are we doing this? 
  • What are the benefits? 
  • Key drivers? 
  • Motives? 

HOW

  • How will we approach this? 
  • Is it feasible? 
  • Be detailed and specific - think through each alternative.

We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.


Nmap - Output Options


Any security tool is only as useful as the output it generates. Given the number of ways Nmap is used by people and other software, no single format can please everyone. So Nmap offers several formats, including the interactive mode for humans to read directly and XML for easy parsing by software.
Alert: the raw-packet features used throughout these posts (SYN scan, OS detection, the spoofing and fragmentation options) need root privileges. If you are not root, prefix every Nmap command with sudo.
First things first: nmap -h prints the option summary these posts refer to.

Normal Output (-oN <filespec>)

  • Requests that normal output is directed to the given filename.
  • Similar to interactive except that it displays less runtime information and warnings since it is expected to be analyzed after the scan completes rather than interactively.

XML Output (-oX <filespec>)

  • Requests that XML output is directed to the given filename.
  • The XML output references an XSL stylesheet which can be used to format the results as HTML.
  • By default, this will only work on the machine you ran Nmap on or a similarly configured one due to the hard-coded nmap.xsl filesystem path.
  • Use --webxml (which references the online copy of nmap.xsl) or --stylesheet <location> (any stylesheet you choose) to create portable XML files that render as HTML on any web-connected machine. Example: --stylesheet https://nmap.org/svn/docs/nmap.xsl (equivalent to --webxml).

Script Kiddie Output (-oS <filespec>)

  • Script kiddie output is the same as interactive output,
  • except that it is post-processed into l33t speak (HaXXorZ style). It is a joke format; do not feed it to other tools.

Grepable Output (-oG <filespec>)

  • This output format is covered last because it is deprecated: the XML output is far more powerful and nearly as convenient once you are used to it.
  • Its strength is that each host is on one line, so you can search the file with grep from the command line. Example (assuming the file is named grep.file):
grep '<keyword>' grep.file

Output all formats (-oA <basename>)

  • Stores scan results in normal, XML, and grepable formats at once. They are stored in <basename>.nmap, <basename>.xml, and <basename>.gnmap, respectively.
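As an added example (not code from the original post), here is how the -oX and -oG files written by -oA can be consumed by a script. The two samples inside the block are constructed by hand to resemble what Nmap writes for one host scanned with -sV and are not real scan results; the element and field layout follows Nmap's XML and grepable formats, reduced to the pieces parsed here.

```python
"""Parse Nmap -oX (XML) and -oG (grepable) output offline.

Added example, not code from the original post. The two samples below are
constructed to look like what `nmap -sV -oA scan 192.0.2.10` writes for one
host; they are not real scan results.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of <basename>.xml, trimmed to the elements parsed here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA scan 192.0.2.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed sample of <basename>.gnmap for the same host.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oA scan 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\t"
    "Ignored State: filtered (997)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


def open_ports_from_xml(xml_text):
    """Return {addr: [(port, proto, service, product, version), ...]} for open ports."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            entries.append((int(port.get("portid")), port.get("protocol"),
                            get("name"), get("product"), get("version")))
        results[addr_el.get("addr")] = entries
    return results


# Each entry of a "Ports:" field is port/state/proto/owner/service/rpc/version/
_GNMAP_PORT = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def open_ports_from_gnmap(gnmap_text):
    """Return {addr: [(port, proto, service, version_text), ...]} for open ports."""
    results = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        addr = line.split()[1]
        # Fields are tab-separated; the port list ends at the next tab.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for m in _GNMAP_PORT.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                entries.append((int(port), proto, service, version))
        results.setdefault(addr, []).extend(entries)
    return results
```

Pick the XML path for anything that has to last: -oG is deprecated and carries the service and version as one free-text field, while the XML keeps product, version, the detection method and its confidence as separate attributes.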
If you want to know what is going on during the scan, add -v for verbosity. Give it more than once (-vv, -vvv) or as a level (-v3) for more detail. You can also raise it while the scan runs: Nmap's runtime interaction lets you press v to increase verbosity and V to decrease it.

Similarly, -d turns on debugging output. It has nine levels, -d1 through -d9; -d9 is the highest effective level and will produce thousands of lines unless you run a very simple scan with very few ports and targets. Press d or D during a scan to raise or lower it, and p or P to turn packet tracing on or off.

To see the estimated completion percentage, press any other key (Enter works) during the scan and Nmap prints a status line with the current task, its percentage done and the estimated time remaining.


Nmap - IDS and Firewall Evasion


Let's dig in deep with Intrusion Detection System (IDS) and firewall evasion techniques. Network obstructions such as firewalls can make mapping a network difficult. In addition to restricting network activity, companies increasingly monitor traffic with intrusion detection systems (IDS).
All of the major IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks. Attackers with patience, skill, and the help of certain Nmap options can usually pass by IDSs undetected. Meanwhile, administrators must cope with large numbers of false-positive results where innocent activity is misdiagnosed and alerted on or blocked. None of the options below make a scan invisible; each trades one signature for another, so verify a technique against the specific defense you face rather than assuming it works.

Fragment Packets (-f)

  • Tells the requested scan (including ping scans) to use tiny fragmented IP packets.
  • The idea is to split the TCP header over several packets to make it harder for packet filters and intrusion detection systems to tell what you are doing. Filters and IDSs that reassemble fragments before inspecting them are not fooled.
  • Nmap splits the packets into eight bytes or less after the IP header. Specify -f a second time (-ff) to use 16 bytes per fragment.
  • Using a specified fragment size (--mtu <value>)
    • Lets you choose the fragment size yourself instead of 8 or 16 bytes.
    • Do not combine -f with --mtu.
    • The value must be a multiple of eight, because the IP fragment-offset field counts in 8-byte units.
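The arithmetic behind the multiple-of-eight rule, as an added example that is not part of the original post and not Nmap's code: a function that plans the fragments for one probe the way -f, -ff and --mtu shape it, and a check of which fragment ends up carrying the TCP flags. The minimal 20-byte TCP header is assumed as the probe; the constant and function names are this example's own.

```python
"""Plan IP fragments the way -f / --mtu shape a probe.

Added example, not code from the original post or from Nmap. It models only
the arithmetic: the transport header (plus payload) that follows the IP header
is cut into pieces of `mtu` bytes, and the IP fragment-offset field counts in
8-byte units, which is why --mtu must be a multiple of 8.
"""

TCP_HEADER_LEN = 20    # minimal TCP header; what a SYN probe carries (assumed)
TCP_FLAGS_OFFSET = 13  # byte offset of the flags byte inside the TCP header


def fragment_size_for(option):
    """Map the command-line form to a fragment size: '-f' -> 8, '-ff' -> 16, '--mtu N' -> N."""
    if option == "-f":
        return 8
    if option == "-ff":
        return 16
    if option.startswith("--mtu "):
        return int(option.split()[1])
    raise ValueError("unsupported option: %r" % option)


def plan_fragments(transport_len, mtu):
    """Return [(offset_units, length, more_fragments), ...] for one probe.

    offset_units is the value that goes in the IP header's fragment-offset
    field (byte offset // 8); more_fragments is the MF flag.
    """
    if mtu <= 0 or mtu % 8 != 0:
        # The offset field cannot express a non-multiple of 8; Nmap rejects these too.
        raise ValueError("fragment size must be a positive multiple of 8, got %d" % mtu)
    plan = []
    offset = 0
    while offset < transport_len:
        length = min(mtu, transport_len - offset)
        more = offset + length < transport_len
        plan.append((offset // 8, length, more))
        offset += length
    return plan


def fragment_holding_flags(plan):
    """Index of the fragment carrying the TCP flags byte, or None if the probe is shorter.

    With 8-byte fragments the flags land in the second fragment, so a filter
    that inspects only the first fragment cannot see whether this is a SYN.
    """
    for i, (offset_units, length, _more) in enumerate(plan):
        start = offset_units * 8
        if start <= TCP_FLAGS_OFFSET < start + length:
            return i
    return None


if __name__ == "__main__":
    for opt in ("-f", "-ff", "--mtu 24"):
        plan = plan_fragments(TCP_HEADER_LEN, fragment_size_for(opt))
        print(opt, plan, "flags in fragment", fragment_holding_flags(plan))
```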

Cloak a scan with decoy (-D <IPs>)

  • Causes confusion about where the scan came from: the target sees scans from your real address and from every decoy address.
  • The decoy packets originate from your system but carry the decoy's address as their spoofed source; your own probes still go out with your real address, which is the only way you get answers back.
  • It is noisy in terms of detection, since several IPs appear to scan the network at once. The hosts you use as decoys should be up, or you may accidentally SYN flood your targets.
  • Separate each decoy host with commas. Use ME as one of the decoys to mark the position of your real IP address in the sequence, and RND:<number> to generate random decoys.
nmap <target> -D <FAKE_IP>,<FAKE_IP>,<FAKE_IP>,ME,<FAKE_IP>

Spoof source address (-S <IP>)

  • If Nmap cannot determine your source IP address, use this option to specify it.
  • Another use of this flag is to spoof the scan so the targets think someone else is scanning them.
  • The -e <interface> option (to choose the sending interface) and -Pn are generally required for this sort of usage.
  • You normally will not receive reply packets, because they are addressed to the IP you are spoofing, so this is not useful for producing a report of open ports.

Spoof source port number (-g/--source-port <port_number>)

  • One surprisingly common misconfiguration is to trust traffic based only on the source port number, for example a filter that passes anything from 53/UDP so that DNS replies get through. This option makes Nmap send its probes from the given source port to exploit such rules and get past the filter.
  • Ports commonly treated as trusted:
    • DNS - 53/TCP/UDP
    • FTP data - 20/TCP
    • Kerberos - 88/TCP/UDP
    • DHCP - 67/UDP

Relay TCP connections through a chain of Proxies (--proxies)

  • Can hide the true source of a scan and get around firewall restrictions that block your own address.
  • Only HTTP and SOCKS4 proxies are supported.
  • Not recommended yet: the option is still under development and has no effect on the ping, port-scanning, and OS-detection phases of a scan. Only NSE scripts and version detection go through the proxy chain.

Append custom string to sent packets (--data-string <string>)

  • Add a regular string as payload in sent packets.
  • Note that some characters may depend on your system's locale and the receiver may not see the same information.
  • Enclose the string in double-quotes and escape any special characters from the shell.
  • Example:
nmap <target> --data-string "Security scan by Hack Hunt"

Append random data to sent packets (--data-length <number>)

  • Appends the given number of random bytes to most of the packets Nmap sends, instead of its usual protocol-specific payloads.
  • OS detection (-O) packets are not affected, because accuracy there requires consistent probes. The extra bytes slow the scan down a little.

Randomize Target hosts order (--randomize-hosts)

  • This can make the scans less obvious to various network monitoring systems, especially when you combine it with slow timing options.
  • Nmap shuffles each group of up to 16384 hosts before it scans them.

Spoof MAC Address (--spoof-mac <MAC address, prefix, or vendor name>)

  • This option only affects raw-packet scans such as SYN scan or OS detection; connect scans use the operating system's stack and its real MAC address.
  • Valid --spoof-mac arguments are a vendor name (Apple, Cisco), 0 (a random address), a full address (01:02:03:04:05:06 or deadbeefcafe), or a prefix (0020F2) that Nmap completes with random bytes.
  • The authors of this post do not recommend relying on it; changing the interface's MAC address manually or with a tool covers all of your traffic, not only Nmap's raw packets.

Nmap - Service, Version, and OS Detection


Let's dig in deep with service, version, and OS detection. Scan a machine with Nmap and it tells you which ports are open, but the service name next to each port comes from a table lookup: Nmap uses the nmap-services database of about 2,200 well-known services. That lookup is usually accurate; the vast majority of daemons listening on TCP port 25 are, in fact, mail servers. However, you should not bet your security on it, because people can and do run services on unusual ports.
When doing vulnerability assessments (or even simple network inventories) of your company or clients, you really want to know which mail and DNS servers and which versions are running. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to. Version detection obtains this information by talking to the service rather than trusting the port number.


Version Detection (-sV)

  • Enables version detection.
  • Alternatively, you can use -A, which enables version detection among other things (OS detection, default scripts, and traceroute).
  • Additional options you can add with -sV
    • --all-ports: do not exclude any ports from version detection (by default TCP port 9100 is skipped because some printers print everything sent to them).
    • --version-intensity <level>: sets the intensity level, 0 to 9 (default 7). The higher the number, the more probes are tried and the more likely a service is identified, but the slower the scan.
    • --version-light: the same as --version-intensity 2. This light mode makes version scanning much faster, but it is slightly less likely to identify services.
    • --version-all: the same as --version-intensity 9. Ensures that every single probe is attempted against each port.
    • --version-trace: prints extensive debugging information about the version scan. It is a subset of what you get with --packet-trace.

OS Detection (-O)

  • Uses TCP/IP stack fingerprinting: Nmap sends a series of TCP, UDP, and ICMP probes to the remote host and compares the responses with its fingerprint database.
  • Alternatively, you can use -A to enable OS detection along with other things.
  • Additional options you can add with -O
    • --osscan-limit: limits OS detection to promising targets. OS detection is far more effective if at least one open and one closed TCP port are found. Set this option and Nmap will not even try OS detection against hosts that do not meet these criteria, which saves a lot of time.
    • --osscan-guess: guess the OS more aggressively. Normally Nmap offers near matches only when they are very close; this option makes it report them more readily.
    • --max-os-tries <value>: when OS detection fails, Nmap usually repeats the attempt. By default it tries five times if conditions are good and twice when they are not. A lower value such as 1 speeds Nmap up.

Nmap - Target Specified Commands

We discussed a lot of theory and important topics in the last few blogs about Nmap. Now let's dig in to the target specification section. By the end of this read you will understand how to give Nmap a single IP, a range of IPs, or a domain name, and how to exclude IPs from a scan.


Ways to define IPs and Domain Name:

  • We discussed in Nmap - Working and Basic Commands how to scan a single IP. To scan a whole network, give the address in CIDR notation:
    • Syntax: nmap <IP>/<prefix_length>
    • Example: nmap 192.168.0.1/24 (scans 192.168.0.0 through 192.168.0.255, 256 addresses; the /24 is applied to whichever address you give)
  • To scan a specific range of IPs, give a range in the last octet (any octet can take a range, e.g. 192.168.0-1.1-20):
    • Syntax: nmap <IP_prefix>.<first>-<last>
    • Example: suppose you only need the first 20 IPs of a /24. Then nmap 192.168.1.1-20. The range does not have to start from 1: nmap 192.168.1.29-250 scans 192.168.1.29 through 192.168.1.250.
  • To scan via a domain name:
    • Syntax: nmap <domain_name> OR nmap <domain>/<prefix_length>
    • Example: nmap scanme.nmap.org OR nmap microsoft.com/24 (Nmap resolves the name and then scans the whole /24 around the resolved address, so make sure the whole block is in scope before doing this)
  • To scan multiple networks or IPs, you do not need to wait or open multiple tabs. Write everything in a text file, one host or network per line, and save it (for example as scan.txt). To start scanning, type
nmap -iL scan.txt

  • To scan randomly chosen Internet hosts, type
nmap -iR <number_of_hosts>
  • To exclude one or more hosts from a network, add
    • Syntax: nmap <IP>/<prefix_length> --exclude <IP>[,<IP>...] (use commas to add more hosts to the exclude list)
    • Example: nmap 192.168.0.1/24 --exclude 192.168.0.1,192.168.0.20 (scans all IPs in the given range except the two mentioned)
**NOTE - To exclude many hosts, use --excludefile <filename> instead. Put one host or network per line.
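Checking scope before a scan is where these target forms matter most, so here is an added example (not code from the original post or from Nmap) that expands the target expressions shown above into an address list and applies --exclude and --excludefile the way the command line does. Hostnames are deliberately not resolved, so the code never touches the network; the function names are this example's own.

```python
"""Expand Nmap-style target expressions to a list of addresses, offline.

Added example, not code from the original post or from Nmap. It handles the
forms discussed above: CIDR (192.168.0.1/24), per-octet ranges
(192.168.1.29-250, and more generally 10.0.0-1.1-5), plain addresses, and the
--exclude list / --excludefile contents. Hostnames raise an error instead of
being resolved, so this runs with no network access.
"""
import ipaddress
import itertools


def _octet_values(spec):
    """'29-250' -> 29..250; '10' -> [10]; '-' -> 0..255; '-20' -> 0..20; '20-' -> 20..255."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else 255
    else:
        lo = hi = int(spec)
    if not (0 <= lo <= hi <= 255):
        raise ValueError("bad octet range: %r" % spec)
    return range(lo, hi + 1)


def expand_target(spec):
    """Expand one target expression to a list of IPv4Address objects."""
    if "/" in spec:
        # 192.168.0.1/24 -> every address of 192.168.0.0/24, as Nmap does.
        return list(ipaddress.ip_network(spec, strict=False))
    octets = spec.split(".")
    if len(octets) != 4 or not all(o == "-" or o.replace("-", "").isdigit() for o in octets):
        raise ValueError("not an IPv4 expression (hostnames are not resolved here): %r" % spec)
    return [ipaddress.IPv4Address("%d.%d.%d.%d" % combo)
            for combo in itertools.product(*(_octet_values(o) for o in octets))]


def build_scope(targets, exclude="", exclude_file_text=""):
    """Return the sorted, de-duplicated address list Nmap would scan.

    `targets` is a list of expressions as given on the command line, `exclude`
    is the comma-separated --exclude argument, and `exclude_file_text` is the
    content of an --excludefile (one entry per line, '#' comments allowed).
    """
    wanted = set()
    for t in targets:
        wanted.update(expand_target(t))
    excluded = set()
    for e in exclude.split(","):
        if e.strip():
            excluded.update(expand_target(e.strip()))
    for line in exclude_file_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            excluded.update(expand_target(line))
    return sorted(wanted - excluded)


if __name__ == "__main__":
    scope = build_scope(["192.168.0.1/24"], exclude="192.168.0.1,192.168.0.20")
    print(len(scope), "addresses;", scope[0], "...", scope[-1])
```

Run the target list through this (or Nmap's own -sL, which prints the expanded list without sending probes) and diff it against the authorised scope before any scan that leaves the lab.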

Nmap - Port Specification


Let's dig in deep with port specification. Nmap offers options for specifying which ports are scanned and whether the scan order should be sequential or randomized. By default, Nmap scans the most common 1,000 ports for each protocol it is asked to scan.


Only Scan Specified ports (-p)

  • This option specifies which ports you want to scan and overrides the default.
  • Individual values are separated by commas (,) and ranges by a hyphen (-). Example (scans ports 5 through 1010 and 1024 through 1050 with a SYN scan, the default when running as root):
nmap <IP> -p5-1010,1024-1050
  • The beginning and/or end values of a range may be omitted. Which will make Nmap scan 1 and 65535, respectively. Examples:
    • nmap <IP> -p- (This will scan all ports from 1 to 65535)
    • nmap <IP> -p-2000 (This will scan all ports from 1 as there is no initial value till 2000)
    • nmap <IP> -p0- (This will scan all ports from 0 as it is defined explicitly till 65535)
    • For the IP protocol (-sO) option, specify the protocol numbers you wish to scan for between 0–255
  • When scanning a combination of protocols (e.g. TCP and UDP), you can specify a particular protocol by preceding the port numbers by
    • T: for TCP
    • U: for UDP
    • S: for SCTP
    • P: for IP Protocol
  • Example (you can define any ports you want; note that to scan both UDP and TCP you have to specify -sU and at least one TCP scan type such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added to all protocol lists; a qualifier applies to every port after it until the next qualifier.
nmap <IP> -p U:53,111,137,5353,T:21-25,80-139,8080 -sU -sS
  • Ports can also be specified by name as they appear in nmap-services, and * is accepted as a wildcard in the name. Quote the argument so the shell does not expand the *. Example - to scan FTP and all ports whose names begin with http:
nmap <IP> -p 'ftp,http*'
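To make the rules above concrete, here is an added example (not code from the original post or from Nmap) that parses a -p style specification into one port list per protocol: comma lists, hyphen ranges with either end omitted, the T:/U:/S:/P: qualifiers, and names with a * wildcard. The SERVICES table is a small constructed stand-in for nmap-services, and the function names are this example's own.

```python
"""Parse an Nmap -p / --exclude-ports port specification, offline.

Added example, not code from the original post or from Nmap. SERVICES is a
constructed stand-in for a few nmap-services entries, not the real database.
"""
import fnmatch

# Constructed stand-in for nmap-services: (name, port, protocol).
SERVICES = [
    ("ftp", 21, "tcp"), ("ssh", 22, "tcp"), ("domain", 53, "tcp"), ("domain", 53, "udp"),
    ("http", 80, "tcp"), ("http-alt", 8080, "tcp"), ("https", 443, "tcp"),
    ("http-proxy", 3128, "tcp"), ("snmp", 161, "udp"),
]

QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}
MAX_PORT = {"tcp": 65535, "udp": 65535, "sctp": 65535, "ip": 255}


def _expand_item(item, proto):
    """One comma-separated item -> set of port numbers for the given protocol."""
    if item == "":
        raise ValueError("empty port item")
    if item[0].isalpha():
        # Service name; '*' is a wildcard over the names in the services table.
        return {p for name, p, pr in SERVICES if pr == proto and fnmatch.fnmatchcase(name, item)}
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo = int(lo) if lo else 1               # '-2000' starts at 1 ...
        hi = int(hi) if hi else MAX_PORT[proto]  # ... '0-' ends at the maximum
    else:
        lo = hi = int(item)
    if not (0 <= lo <= hi <= MAX_PORT[proto]):
        raise ValueError("port range out of bounds: %r" % item)
    return set(range(lo, hi + 1))


def parse_port_spec(spec, protocols=("tcp",)):
    """Return {proto: sorted port list}.

    `protocols` is the set of protocol lists the scan uses, e.g. ("tcp", "udp")
    for -sS -sU. Items with no qualifier go to every protocol list, as in Nmap;
    a qualifier sticks until the next one. Ports given for a protocol the scan
    does not use are dropped (Nmap warns and ignores them).
    """
    result = {p: set() for p in protocols}
    current = None  # None = no qualifier seen yet -> all protocol lists
    for raw in spec.split(","):
        item = raw.strip()
        if len(item) >= 2 and item[1] == ":" and item[0] in QUALIFIERS:
            current = QUALIFIERS[item[0]]
            item = item[2:]
        for proto in ([current] if current else list(protocols)):
            if proto in result:
                result[proto].update(_expand_item(item, proto))
    return {p: sorted(v) for p, v in result.items()}


if __name__ == "__main__":
    print(parse_port_spec("U:53,111,137,5353,T:21-25,80-139,8080", protocols=("tcp", "udp")))
    print(parse_port_spec("ftp,http*"))
```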

Exclude the specified ports (--exclude-ports)

  • This can be used to define which ports Nmap must leave out of the scan.
  • The <port_ranges> are specified similar to -p.
  • For IP protocol scanning (-sO), this option specifies the protocol numbers you wish to exclude between 0–255.
  • When excluded, they will be excluded from all types of scans (i.e. they will not be scanned under any circumstances). This also includes the discovery phase.

Don't Randomize Ports (-r)

  • By default, Nmap randomizes the scanned port order.
  • This randomization is normally desirable, but you can specify this option for sequential (sorted from lowest to highest) port scanning instead.

Nmap - Host Discovery Techniques


Let's dig in deep with host discovery options. A hacker, a pen-tester, or anyone else mapping a network is looking for active hosts with open ports that can be attacked to compromise the target.
Host discovery narrows the list of IPs, domains, and subdomains from your earlier information-gathering stages down to the hosts that are actually up, so that later port scanning and service detection can focus on them.

Nmap's discovery probes are designed to elicit responses that demonstrate an IP address is actually in use.

If no host discovery options are selected and Nmap runs as root, it sends to each target:
  • an ICMP echo request (ping),
  • a TCP SYN packet to port 443,
  • a TCP ACK packet to port 80,
  • an ICMP timestamp request.
Without root it falls back to a TCP connect() to ports 80 and 443. For targets on the local Ethernet segment it uses ARP requests instead, because nothing answers faster.


List Scan (-sL) 

  • The least invasive type of scan.
  • Does not send any probes to the targets: it only lists them.
  • Does a reverse DNS lookup on each host to learn its name, which is a useful sanity check of the target list before a real scan.
  • Put the switch at the beginning or end of the command; it takes no value.
nmap <IP> -sL
  • Example:
nmap 10.0.1.0/24 -sL OR nmap -sL 10.0.1.0/24

Ping Scan (-sn)

  • As the name suggests, it pings and finds the live hosts in the network.
  • Does not do a port scan.
  • This tells Nmap not to do a port scan after the discovery stage and only print the available hosts, i.e. those that responded to the host discovery probes.
  • Put the switch at the beginning or end of the command; it takes no value.
nmap <IP> -sn
  • Example:
nmap 10.0.2.0/24 -sn OR nmap -sn 10.0.2.0/24

Treat all the host as online (-Pn)

  • As the name suggests, it treats every host as online, i.e. Nmap attempts the requested scanning function against every target IP address.
  • Essentially this means skip the discovery stage but still do the scan.
  • It does not make the scan faster: the discovery stage is skipped, but every address, including the unused ones, then gets a full port scan, which on a large range costs far more time than discovery would have. Use it when targets block the discovery probes and would otherwise be reported as down.
  • Put the switch at the beginning or end of the command; it takes no value.
nmap <IP> -Pn
  • Example:
nmap 10.0.3.0/24 -Pn OR nmap -Pn 10.0.3.0/24

Discovery to Given Ports

  • Use a specific probe type for discovery, optionally with your own port list.
  • -PS => TCP SYN (default port 80)
  • -PA => TCP ACK (default port 80)
  • -PU => UDP (default port 40125)
  • -PY => SCTP INIT (default port 80)
  • The port list follows the option without a space.
nmap <IP> -PS<ports> / -PA<ports> / -PU<ports> / -PY<ports>
  • Example:
    • nmap 10.0.3.0/24 -PS80,443 -PU53 (probes HTTP and HTTPS over TCP and DNS over UDP for every host in the given range; a host counts as up if any probe gets an answer)


IP Protocol Ping (-PO)

  • The default is 1,2,4 which is ICMP, IGMP, IP in IP respectively.
nmap <IP> -PO1,2,4

Specify Custom DNS Servers (--dns-servers)

  • Changes the DNS servers Nmap uses for reverse DNS resolution of the targets.
  • Takes a comma-separated list of server addresses.
  • Can point at a public resolver such as Google's, or at one you run yourself.
  • Can point at the router's DNS server to learn the names of the devices on its network, which can be very helpful.
nmap <IP> --dns-servers <IP>[,<IP>...]
  • Example (using the router's IP):
nmap 10.0.4.0/24 --dns-servers 10.0.2.1

ARP Scan (-PR)

  • Faster than IP-based discovery, because the request and reply stay on the local segment and do not depend on the target's IP stack or firewall answering.
  • The fastest host discovery method, but it only works for targets on the same Ethernet segment. Nmap uses ARP automatically for such targets; -PR forces it and --disable-arp-ping turns it off.
nmap <IP> -PR

ICMP Ping Types

  • With -PE, Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts.
  • -PE => ICMP echo request
  • -PP => ICMP timestamp request (type 13)
  • -PM => ICMP address mask request (type 17)
  • Many hosts and firewalls drop echo requests but forget the other two, so timestamp and address mask queries are worth trying when -PE reports a host as down.
nmap <IP> -PE/PP/PM

Trace path to host (--traceroute)

  • Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target.
  • Traceroute works by sending packets with a low TTL (time-to-live) in an attempt to elicit ICMP Time Exceeded messages from intermediate hops between the scanner and the target host.
  • It works with all scan types except connect scans (-sT) and idle scans (-sI).
nmap <IP> --traceroute

No DNS Resolution (-n)

  • Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. 
  • DNS Resolution can make the scan slow.
nmap <IP> -n

DNS Resolution for all targets (-R)

  • Tells Nmap to always do reverse DNS resolution on the target IP addresses.
nmap <IP> -R

Use System DNS resolver (--system-dns)

  • Specify this option to use your system resolver.
  • This is slower and rarely useful unless you find a bug in the Nmap parallel resolver.
nmap <IP> --system-dns

Detect ARP Attacks via ARP Tables



Address Resolution Protocol (ARP) is the method for finding a host's link-layer (MAC) address when only its IP address is known. The ARP table (cache) keeps the correlation between each MAC address and its IP address. Entries can also be added manually; such static entries are not aged out.
In the same context, the ARP table can be used to detect a man-in-the-middle attack based on ARP poisoning.
  • Find your default gateway: on Windows, type ipconfig in a Command Prompt; on Linux, type ip route show default (or route -n); on macOS, type netstat -nr. Note the default gateway IP address. In our case it is 10.0.2.1.
  • Now type arp -a and check whether the default gateway's MAC address also appears next to any other IP. If it does, the IP that shares the gateway's MAC address is the attacker's machine.
  • Not under attack: the default gateway's MAC address is not shared with any other entry.
  • Under attack: the default gateway and the IP 10.0.2.60 have the same MAC address, so 10.0.2.60 is the attacker.
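The same check as a script, added here as an example that is not part of the original post: it parses the text that arp -a prints (the Windows layout with dashes in the MAC and the Linux/macOS layout with colons) and reports every IP that shares the gateway's MAC. The two tables inside the block are constructed, the 10.0.2.0/24 addresses are not real hosts, and the function names are this example's own.

```python
"""Flag ARP-cache entries that point at ARP poisoning, offline.

Added example, not code from the original post. The two `arp -a` snapshots
below are constructed; they are not captures from a real network.
"""
import re

# Constructed `arp -a` output, Windows layout, while a poisoning attack is running.
WINDOWS_ARP = """
Interface: 10.0.2.15 --- 0x5
  Internet Address      Physical Address      Type
  10.0.2.1              52-54-00-12-35-00     dynamic
  10.0.2.60             52-54-00-12-35-00     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed `arp -a` output, Linux/macOS layout, on a healthy network.
UNIX_ARP = """
_gateway (10.0.2.1) at 52:54:00:12:35:00 [ether] on eth0
? (10.0.2.60) at 08:00:27:9a:1c:2e [ether] on eth0
"""

# One IP followed by one MAC; covers "10.0.2.1   52-54-..." and "(10.0.2.1) at 52:54:..."
_ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def parse_arp_table(text):
    """Return {ip: normalized_mac} for every unicast entry in `arp -a` output."""
    table = {}
    for m in _ENTRY.finditer(text):
        mac = m.group("mac").lower().replace("-", ":")
        # Broadcast and multicast MACs (low bit of the first octet set) are
        # legitimately shared by many IPs and are not evidence of poisoning.
        if int(mac[:2], 16) & 1:
            continue
        table[m.group("ip")] = mac
    return table


def find_arp_spoof(text, gateway_ip):
    """Return the IPs (other than the gateway) whose MAC equals the gateway's MAC.

    A non-empty list is the condition described in the post. An empty list is
    not proof of safety: an attacker can also replace the gateway's MAC in your
    cache without a second entry appearing, which only a comparison against the
    gateway's known-good MAC would catch.
    """
    table = parse_arp_table(text)
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        raise KeyError("gateway %s not found in ARP table" % gateway_ip)
    return sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip)


if __name__ == "__main__":
    print("windows sample:", find_arp_spoof(WINDOWS_ARP, "10.0.2.1"))
    print("unix sample:", find_arp_spoof(UNIX_ARP, "10.0.2.1"))
```

Feed it the real output with something like `arp -a | python3 arpcheck.py` after replacing the constructed samples with sys.stdin.read(); record the gateway's MAC on a known-good day so you can also detect the case where the cache holds only the attacker's address.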

**NOTE - This is the manual way of detecting ARP poisoning attacks. A tool we wrote for it, and other detection methods, are covered elsewhere.




Nmap - Port Scanning Techniques


Let's dig in deep with Port Scanning Techniques. Port scanning in Nmap is like an art. Experts understand the different types of scan techniques and choose one or a combination for a given task which is well suited. On the other hand, inexperienced users and script kiddies try to solve the problem using a simple SYN scan.

Only one scan type may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.


SYN and CONNECT scan

TCP SYN scan (-sS)

  • SYN scan is the most popular option and the default when Nmap has raw-packet privileges.
  • It is relatively unobtrusive because it never completes TCP connections: it sends a SYN, classifies the port from the SYN/ACK or RST (or the absence of any reply), and answers a SYN/ACK with an RST instead of an ACK, so the application behind the port never sees a connection. It is still easily recognised by any IDS.
  • It is fast and can scan thousands of ports per second on a fast network.

TCP connect scan (-sT)

  • The default TCP scan when SYN scan is not available (generally when you do not have root privileges).
  • Less efficient: it takes longer and requires more packets to obtain the same result.
  • In this case Nmap does not craft raw packets; it asks the operating system to establish the connection with the connect() system call, like a browser or any other client would.
  • These scans are noisier in terms of IDS and, because the handshake completes, the target application usually logs the connection.
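What -sT actually does is ordinary socket code, so here is an added example (not code from the original post or from Nmap) that performs a connect scan against local listeners it creates itself. It shows why no root is needed and how the three outcomes map to Nmap's port states: a completed connect is open, an immediate refusal (RST) is closed, and a timeout with no answer is filtered. The targets are constructed on 127.0.0.1 and the function names are this example's own.

```python
"""A TCP connect scan (what -sT does), run against constructed local listeners.

Added example, not code from the original post or from Nmap. Only the OS socket
API is used, which is exactly why -sT needs no privileges: the kernel completes
the three-way handshake, so the target application sees (and may log) a full
connection for every open port.
"""
import errno
import socket


def connect_scan(host, ports, timeout=1.0):
    """Return {port: 'open' | 'closed' | 'filtered'} for the given TCP ports."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            states[port] = "open"              # handshake completed
        except socket.timeout:
            states[port] = "filtered"          # neither SYN/ACK nor RST within the timeout
        except OSError as e:
            if e.errno == errno.ECONNREFUSED:
                states[port] = "closed"        # the host answered with an RST
            elif e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                states[port] = "filtered"      # ICMP unreachable came back
            else:
                raise
        finally:
            s.close()
    return states


def local_listener():
    """Open a listening socket on 127.0.0.1 on a kernel-chosen port (constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def free_port():
    """Pick a port that is currently closed on 127.0.0.1 (constructed target)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = local_listener()
    open_port = srv.getsockname()[1]
    closed_port = free_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

Note that the listener never calls accept(): the kernel still finishes the handshake from its backlog, which is why the open port registers as a complete connection on the target side even when no application ever reads from it.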

UDP and SCTP scan

UDP scan (-sU)

  • Most services run over TCP, but widely used UDP services include DNS (53), SNMP (161/162), and DHCP (67/68).
  • UDP scanning is generally slower and more difficult than TCP, which is why some security auditors ignore these ports. Open ports usually do not answer at all, so Nmap reports them as open|filtered unless a protocol-specific payload gets a reply, and closed ports are recognised by ICMP port-unreachable messages that many hosts rate-limit.
  • This option can be combined with a SYN scan (-sS) to check both protocols in the same run.
  • --host-timeout tells Nmap not to spend more than the specified time on a single host. The example below gives up on a host after at most 2 minutes.
nmap <IPs> -sU --host-timeout 2m

SCTP INIT scan (-sY)

  • SCTP stands for Stream Control Transmission Protocol.
  • It is a relatively new alternative to TCP and UDP, combining most characteristics of both.
  • It is mostly used for SS7/SIGTRAN services such as cellular networks.
  • This scan is the SCTP equivalent of a TCP SYN scan: an INIT chunk is sent, an INIT-ACK means open, and an ABORT means closed.

SCTP Cookie ECHO (-sZ)

  • It is a more advanced SCTP scan.
  • It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed.
  • The downside is that SCTP COOKIE ECHO scans cannot differentiate between open and filtered ports, leaving you with the state open|filtered in both cases.

TCP NULL, FIN, and Xmas scans

These scans behave the same except for the TCP flags set in the probe packet. They exploit a subtle loophole in the TCP RFC (RFC 793): a closed port must answer a packet that carries none of SYN, RST, or ACK with an RST, while an open port must silently drop it. So an RST means closed and no response means open|filtered; these scans cannot tell open from filtered. The key advantage of these scan types is that they can sometimes sneak through certain non-stateful firewalls; the key drawback is that many systems (Windows, many Cisco devices, and others) send an RST regardless, so every port shows as closed.

NULL scan (-sN)

  • Does not set any bits (TCP flag header is 0)

FIN scan (-sF)

  • Sets just the TCP FIN bit.

Xmas scan (-sX)

  • Sets the FIN, PSH, and URG flags, lighting the packet like a Christmas tree thus the name Xmas.

TCP ACK and Window scans

TCP ACK scan (-sA)

  • This scan never determines whether a port is open (or even open|filtered): it only sends ACK packets, and both open and closed ports reply with an RST, which Nmap reports as unfiltered. No response or an ICMP error means filtered.
  • It is used to map firewall rulesets, determining whether they are stateful and which ports are filtered.

TCP Window Scan (-sW)

  • Exactly same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when an RST is returned.

Maimon and IP Protocol scans

TCP Maimon Scan (-sM)

  • This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK
  • Useful on BSD systems as many BSD-derived systems simply drop the packet if the port is open.

IP Protocol Scan (-sO)

  • This scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.
  • This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers.

Remove Write Protection from USB


Write protection is the ability of a hardware device or software program to prevent new information from being written and existing information from being modified or deleted. In simple words, when a disk is write-protected you cannot write to it or copy data onto it.

Many USB flash/pen drives have a physical write-protection switch that prevents data from being written to the drive. If your drive has one, moving the switch unlocks it and you can copy files again.
A drive can also become write-protected in software, for example because malware or a disk error left the read-only attribute set. Removing that kind of write protection is less obvious, so the methods below cover it.

Method 1: Change Pen Drive Read-Write Properties

  • Go to My Computer/This PC and under Devices with Removable Storage, look for your pen drive device. 
  • Right-click on it and click Properties. Click Edit, in the pop-up box, sometimes there's an option to Remove write-protection. Change the status of this option and try again.

Method 2: Disable Write Protection Using CMD

The Windows Command Prompt is the method to try first for removing write protection from any drive in Windows 10 and earlier. It uses diskpart to clear the disk's read-only attribute, which is what most software write protection amounts to; it cannot override a physical switch or a drive whose controller has switched itself to read-only.

  •  Search command prompt in Windows and run the program as an administrator.
  • On the Windows Command Prompt, type each command line as follows and each command should be followed by an Enter key. 

diskpart

list disk

select disk #

attributes disk clear readonly


NOTE - Instead of #, type the number of the disk (check the size column to match the number; the attribute change applies to whichever disk you select, so be sure it is the pen drive).
  • When the write protection has been removed, you will see the message 'Disk attributes cleared successfully'. Type exit to close the window.

NOTE - Do not try to format a write-protected USB flash drive before you can find a way to remove the write protection. When the pen drive is write-protected, you can neither use the native Windows disk formatting programs nor any third-party USB formatter to format it.

After removing the write protection from your pen drive, you can format it without a hitch. EaseUS Partition Master is a free partition manager that can format a USB drive to FAT32, NTFS or EXT; Windows' built-in Disk Management or the format command work as well.

