Network Scanning and Evasion Techniques in Kali Linux
Network Discovery and Target Identification
Network reconnaissance involves identifying active devices and services on a target network. This process typically includes host discovery, port scanning, and service enumeration to map the attack surface.
Host Discovery with ICMP
ICMP echo requests (ping) are commonly used to check host availability. The following command sends a single ICMP echo request to a target:
ping -c 1 192.168.1.100
For IPv6 targets, use ping6; a link-local address such as the one below needs the outgoing interface appended after %:
ping6 -c 1 fe80::aabb:ccff:fedd:eeff%eth0
Parallel Host Discovery
The fping utility enables simultaneous probing of multiple hosts. To scan a subnet:
fping -g 192.168.1.0/24
Statistical output can be generated with:
fping -s example.com google.com
Custom Packet Crafting with hping3
hping3 allows manual construction of network packets for advanced probing. Send an ICMP echo request:
hping3 -1 192.168.1.100 -c 1
Test firewall rules using TCP SYN packets:
hping3 -S -p 22 192.168.1.100
Operating System Fingerprinting
Passive OS detection analyzes network traffic patterns to identify remote operating systems without direct interaction. The p0f tool examines TCP packet characteristics:
p0f -f /etc/p0f/p0f.fp -o log.txt
Port Scanning Fundamentals
Port scanning determines the state of TCP/UDP ports on target systems. Key concepts include:
- Open ports: Services listening for connections
- Closed ports: No service listening
- Filtered ports: Blocked by firewall devices
TCP Scanning with Nmap
Nmap provides multiple scanning techniques:
# SYN stealth scan (default for privileged users)
nmap -sS 192.168.1.100
# TCP connect scan (unprivileged)
nmap -sT 192.168.1.100
# Version detection
nmap -sV 192.168.1.100
# OS detection
nmap -O 192.168.1.100
UDP Scanning
UDP port scanning requires a different approach because the protocol is connectionless: an open port often returns nothing, so only ICMP port-unreachable replies mark a port as closed.
nmap -sU -p 53,161 192.168.1.100
Service Enumeration
Identifying service versions provides critical information for vulnerability assessment:
nmap -sV --version-intensity 9 192.168.1.100
Firewall Evasion Techniques
Nmap offers several options intended to get probes past firewalls and intrusion detection systems, or to obscure their origin:
# Packet fragmentation
nmap -f 192.168.1.100
# Decoy addresses
nmap -D RND:10 192.168.1.100
# Source port manipulation
nmap -g 53 192.168.1.100
# Timing adjustments
nmap -T2 192.168.1.100
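Every option above still leaves a trace on the sensor: one source sending bare SYNs to many ports, and with -g the source port pinned to 53. As an added example that is not part of the original page, the Python below runs that check over constructed iptables LOG lines in the kernel LOG target format; the addresses, the min_ports threshold and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (not from the original page). 192.168.1.50
# probes five ports from source port 53; 192.168.1.20 is ordinary client traffic.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 LEN=44 TTL=64 ID=1 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 SYN URGP=0
Mar  3 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 LEN=44 TTL=64 ID=2 PROTO=TCP SPT=53 DPT=80 WINDOW=1024 SYN URGP=0
Mar  3 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 LEN=44 TTL=64 ID=3 PROTO=TCP SPT=53 DPT=443 WINDOW=1024 SYN URGP=0
Mar  3 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 LEN=44 TTL=64 ID=4 PROTO=TCP SPT=53 DPT=3306 WINDOW=1024 SYN URGP=0
Mar  3 10:00:03 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 LEN=44 TTL=64 ID=5 PROTO=TCP SPT=53 DPT=8080 WINDOW=1024 SYN URGP=0
Mar  3 10:00:03 gw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.100 LEN=60 TTL=64 ID=6 PROTO=TCP SPT=49152 DPT=443 WINDOW=64240 SYN URGP=0
Mar  3 10:00:04 gw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.100 LEN=60 TTL=64 ID=7 PROTO=TCP SPT=49153 DPT=443 WINDOW=64240 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=value tokens of a LOG line
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # flags appear as bare words

def parse_line(line):
    """Return (fields, flags) for a TCP LOG line, or None for anything else."""
    if "PROTO=TCP" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags

def detect_scans(log_text, min_ports=5):
    """Group bare-SYN probes by source. Report sources touching at least
    min_ports distinct destination ports, and whether every probe came from
    one fixed privileged source port (the -g 53 pattern)."""
    per_src = defaultdict(lambda: {"ports": set(), "sports": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        if flags != {"SYN"}:            # only connection attempts, not replies
            continue
        rec = per_src[fields["SRC"]]
        rec["ports"].add(int(fields["DPT"]))
        rec["sports"].add(int(fields["SPT"]))
    findings = []
    for src, rec in sorted(per_src.items()):
        if len(rec["ports"]) < min_ports:
            continue
        pinned = len(rec["sports"]) == 1 and min(rec["sports"]) < 1024
        findings.append({"src": src, "ports": sorted(rec["ports"]),
                         "pinned_source_port": pinned})
    return findings

if __name__ == "__main__":
    for hit in detect_scans(SAMPLE_LOG):
        print(hit)
```

Slow timing (-T2) spreads the same probes over minutes, so in production the grouping should be done per time window rather than over a whole file.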
Automated Assessment Tools
Nmap Scripting Engine
NSE extends Nmap's functionality with specialized scripts:
# Default script scan
nmap -sC 192.168.1.100
# Specific script categories
nmap --script vuln 192.168.1.100
Sparta Automation Framework
Sparta integrates multiple tools for comprehensive assessment:
# Launch GUI-based automation
sparta
Traffic Anonymization with Nipe
Route traffic through the Tor network to hide the scanning host's address:
# Install and initialize
git clone https://github.com/GouveaHeitor/nipe.git
cd nipe
perl nipe.pl install
# Start anonymization
perl nipe.pl start
Output Management
Save scan results in multiple formats for analysis and reporting:
nmap -oA scan_results 192.168.1.100
Convert XML output to HTML for readability:
xsltproc scan_results.xml -o report.html