Tools: Nmap, SuperScan, THC-Amap

Nmap is explained in another article; please check here:

SuperScan is pretty straight forward.

THC-Amap is the final port-scanning tool discussed here. It was developed as a Linux-based port-scanning tool to overcome some problems that had previously plagued port scanners. Traditional scanning programs did not always grab banners effectively. As an example, some services, such as SSL, expect a handshake before they say anything. Amap handles this problem by storing a collection of responses (triggers) that it can fire off at a port to interactively elicit a response from it. Another problem is that scanning programs sometimes make basic assumptions that may be flawed. Many port scanners assume that if a particular port is open, then the default application for that port must be present. Amap probes these ports to find out what is really running there.

Traceroute

Security professionals can use traceroute to detect bogus routes or potential redirection of traffic; attackers can also use it to enumerate the path to a target.

Understanding traceroute can help you identify the number of networks, hops, devices, and locations between you and the destination host. Traceroute works by using the TTL (Time to Live) field in the IP header: it sends packets with a TTL of 1, then 2, then 3, and so on, and each router that decrements the TTL to zero discards the packet and returns an ICMP Time Exceeded message, which reveals that hop's address.


OS Fingerprinting

There are two approaches to OS detection: passive and active.

Passive OS fingerprinting does not interact with the target system at all; it works by monitoring network traffic that the target sends.

Active OS fingerprinting works by sending several probes or triggers to a target. By analyzing the responses received from the target, it is often possible to guess, with good accuracy, which OS is in control.

Passive Fingerprinting

Four commonly examined items that are used to fingerprint an OS are listed here:
■ The IP TTL value – Different operating systems set the TTL to unique values on outbound packets.
■ The TCP window size – OS vendors use different values for the initial window size.
■ The IP DF option – Not all OS vendors handle fragmentation in the same way.
■ The IP TOS option – Type of Service is a 3-bit field that controls the priority of specific packets.

P0F – Linux-based tool for fingerprinting

P0f looks specifically at TCP session startups. In particular, it concentrates on step 1 of the three-way handshake, the SYN segment. The program uses a fingerprint database (in a file named p0f.fp) to identify the host that connects to you.

P0f can also operate in promiscuous mode (using the -p option).
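As an added illustration of the four passive-fingerprinting fields listed above and of the SYN-only approach p0f takes (example code written for these notes, not p0f's own code or its p0f.fp format): parse a constructed IPv4+TCP SYN header, pull out TTL, window size, DF and TOS, and look them up in a small signature table. The TTL and window values in the table are illustrative assumptions, not real p0f signatures.

```python
import struct

# Constructed, illustrative signature table: (initial TTL, window, DF, TOS) -> label.
# Real p0f signatures live in p0f.fp and are far richer (options, MSS, quirks).
SIGNATURES = {
    (64, 65535, True, 0): "BSD/macOS-like (assumed values)",
    (64, 29200, True, 0): "Linux-like (assumed values)",
    (128, 8192, True, 0): "Windows-like (assumed values)",
}

def parse_syn(packet: bytes) -> dict:
    """Extract the passive-fingerprint fields from a raw IPv4 + TCP header."""
    ver_ihl, tos, _tot, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if proto != 6:
        raise ValueError("not a TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                 # IP header length in bytes
    df = bool(flags_frag & 0x4000)             # Don't Fragment flag (bit 14)
    tcp = packet[ihl:ihl + 20]
    _sp, _dp, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x01FF
    syn_only = bool(flags & 0x02) and not (flags & 0x10)   # SYN set, ACK clear
    return {"ttl": ttl, "tos": tos, "df": df, "window": window, "syn_only": syn_only}

def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common starting value (32/64/128/255)."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255

def fingerprint(packet: bytes) -> str:
    """Return the signature label for a SYN, 'not a SYN', or 'unknown'."""
    f = parse_syn(packet)
    if not f["syn_only"]:
        return "not a SYN"
    return SIGNATURES.get((initial_ttl(f["ttl"]), f["window"], f["df"], f["tos"]), "unknown")

def build_syn(ttl: int, tos: int, df: bool, window: int) -> bytes:
    """Build a minimal constructed IPv4+TCP SYN (no checksums) as sample input."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    print(fingerprint(build_syn(ttl=52, tos=0, df=True, window=29200)))
```

A capture of a real SYN (for example from a pcap) can be fed to fingerprint() as-is, since only the first IP and TCP header bytes are read.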

Idle scan


Nmap is probably your best option for performing an idle scan. The -sI option takes the zombie (idle) host as its argument, followed by the target. An example:

nmap -sI zombie_IP target_IP

The initiating party of the handshake sends a SYN packet, to which the receiving party will return a SYN/ACK packet if the port is open. For closed ports, the receiving party will return an RST. The RST acts as a notice that something is wrong and that further attempts to communicate should be discontinued. RSTs are not replied to; if they were, you might have a situation where two systems flooded each other with a stream of RSTs. This means that unsolicited RSTs are ignored.