116 ◾ Ethical Hacking and Penetration Testing Guide

Example
The -g parameter helps us specify a source port, which in this case is 53 (DNS).
nmap -PN -g 53 192.168.15.1
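Seen from the other side of the firewall, a scan that borrows source port 53 leaves a recognisable trace: one source address "answering" from port 53 to many distinct destination ports on a host, which a real DNS server never does (it replies to the single ephemeral port the client chose). The script below is an added example, not code from the book; the log format, the regular expression and every log line are constructed for the demonstration, so a real firewall's log format would need its own pattern. It flags (source, destination) pairs that used the trusted source port to reach at least `min_ports` distinct destination ports.

```python
"""Spot source-port evasion (the nmap -g 53 trick) in firewall logs.

Added example. The log format below is an assumption made for this
demonstration, and every line in LOG_LINES is constructed; real firewall
logs differ and need their own regex.
"""
import re
from collections import defaultdict

# Constructed sample log: one host sprays many ports from source port 53,
# one host sends ordinary DNS replies from port 53, one host is normal traffic,
# and one line is deliberately unparseable.
LOG_LINES = """\
2024-03-01T10:00:01Z ALLOW tcp 10.0.0.5:53 -> 192.168.15.1:21
2024-03-01T10:00:01Z ALLOW tcp 10.0.0.5:53 -> 192.168.15.1:22
2024-03-01T10:00:01Z ALLOW tcp 10.0.0.5:53 -> 192.168.15.1:25
2024-03-01T10:00:02Z ALLOW tcp 10.0.0.5:53 -> 192.168.15.1:80
2024-03-01T10:00:02Z ALLOW tcp 10.0.0.5:53 -> 192.168.15.1:443
2024-03-01T10:00:02Z ALLOW tcp 10.0.0.5:53 -> 192.168.15.1:8080
2024-03-01T10:00:02Z ALLOW tcp 10.0.0.5:53 -> 192.168.15.1:8080
2024-03-01T10:00:03Z ALLOW udp 10.0.0.7:53 -> 192.168.15.1:34567
2024-03-01T10:00:03Z ALLOW tcp 10.0.0.7:53 -> 192.168.15.1:34568
2024-03-01T10:00:04Z ALLOW tcp 10.0.0.9:40001 -> 192.168.15.1:443
2024-03-01T10:00:05Z DENY  tcp 10.0.0.9:40002 -> 192.168.15.1:23
this line is garbage and must be skipped
"""

# Assumed log layout: "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_source_port_scans(lines, trusted_port=53, min_ports=5):
    """Map (src, dst) -> sorted distinct destination ports for every source that
    used trusted_port as its *source* port against at least min_ports ports.

    Ordinary DNS replies from port 53 hit one ephemeral port per query, so a
    spread of destination ports from the same source is the scan-like signal.
    """
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sport"] != trusted_port:
            continue
        ports[(rec["src"], rec["dst"])].add(rec["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for (src, dst), dports in find_source_port_scans(LOG_LINES.splitlines()).items():
        print(f"{src} used source port 53 against {dst} ports {dports}")
```

The heuristic only has something to find because a stateless rule such as "allow TCP from any host with source port 53" let the packets through in the first place; a stateful filter that admits only replies to connections an inside host opened makes the attacker's choice of source port irrelevant.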
Specifying an MTU
MTU stands for maximum transmission unit. The values that can be defined as the MTU are multiples
of 8 (e.g., 8, 16, 24, 32). Nmap allows us to specify our own MTU and generates its packets based on
your input. For example, if you specify 32, nmap will generate 32-byte packets. Changing the MTU in
this way can help us evade some firewalls.
Example
nmap --mtu 32

Sending Bad Checksums
Checksums are used in the TCP header for error detection. However, we can use incorrect checksums
to our advantage. By sending bad/incorrect checksums, we can bypass some firewalls, depending upon
the rule sets and how they are configured.
Example
nmap --badsum

Decoys
This is the last method that we will discuss in this section. It is very effective when you want to
use stealth. The idea behind this scan is to send spoofed packets from other hosts, which would
make it very difficult for network administrators to detect from which host the scan originated.
Since the decoy scan has the potential to generate a very large number of packets, it could cause a
possible DoS (denial of service).
Example
nmap -D RND:10
This command would generate a random number of decoys for the target IP.
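The MTU and bad-checksum techniques above both rely on a filter that does less work than the destination host's TCP/IP stack: one that judges a fragmented segment by its first fragment alone, or that never verifies the TCP checksum. The code below is an added example, not from the book, showing what the inspecting side has to do to close both gaps: reassemble the fragments first, then verify the checksum over the IPv4 pseudo-header exactly as the receiving stack would. The SYN header, the fragment representation (offset, more-fragments flag, data) and the addresses are all constructed for the demonstration; `build_syn` builds a valid header or, when asked, one with a deliberately wrong checksum, so the verifier can be exercised against both.

```python
"""Reassemble IP fragments and verify TCP checksums before inspecting a segment.

Added example, not the book's code. Packets, addresses and the fragment
representation are constructed here for the demonstration.
"""
import ipaddress
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, 0, proto 6, length) + segment.
    For a segment whose checksum field is already correct the result is 0."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return internet_checksum(pseudo + segment)


def build_syn(src_ip, dst_ip, sport, dport, seq=1000, bad_checksum=False) -> bytes:
    """Constructed 20-byte TCP SYN header; optionally corrupt the checksum field."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header)
    if bad_checksum:
        csum ^= 0xFFFF  # every bit flipped: guaranteed wrong
    return header[:16] + struct.pack("!H", csum) + header[18:]


def fragment(payload: bytes, frag_size: int):
    """Split a transport payload into (offset, more_fragments, data) fragments.
    Fragment data sizes must be multiples of 8, as the text notes for --mtu."""
    if frag_size % 8 != 0:
        raise ValueError("fragment size must be a multiple of 8")
    return [(off, off + frag_size < len(payload), payload[off:off + frag_size])
            for off in range(0, len(payload), frag_size)]


def reassemble(fragments):
    """Rebuild the payload; None if a fragment is missing, overlaps, or the final one is absent."""
    frags = sorted(fragments, key=lambda f: f[0])
    buf = bytearray()
    for off, more, data in frags:
        if off != len(buf):
            return None  # gap or overlap: refuse to guess
        buf += data
    if not frags or frags[-1][1]:
        return None  # last fragment still announces more to come
    return bytes(buf)


def inspect(src_ip, dst_ip, fragments, reassemble_first=True):
    """What a filter can learn about a fragmented TCP segment.

    reassemble_first=False mimics a filter that looks only at the first
    fragment: with tiny fragments the flags byte (offset 13) is not there yet,
    so it cannot even tell that this is a SYN.
    """
    if reassemble_first:
        segment = reassemble(fragments)
    else:
        segment = min(fragments, key=lambda f: f[0])[2]
    if segment is None:
        return {"verdict": "incomplete"}
    dport = struct.unpack("!H", segment[2:4])[0] if len(segment) >= 4 else None
    flags = segment[13] if len(segment) >= 14 else None
    result = {"dport": dport, "syn": None if flags is None else bool(flags & 0x02)}
    if reassemble_first:
        result["checksum_ok"] = tcp_checksum(src_ip, dst_ip, segment) == 0
        result["verdict"] = "complete"
    else:
        result["verdict"] = "partial"
    return result


if __name__ == "__main__":
    SRC, DST = "10.0.0.5", "192.168.15.1"  # constructed addresses
    good = build_syn(SRC, DST, 53, 22)
    print("first fragment only:", inspect(SRC, DST, fragment(good, 8), reassemble_first=False))
    print("reassembled:        ", inspect(SRC, DST, fragment(good, 8)))
    print("bad checksum:       ", inspect(SRC, DST, fragment(build_syn(SRC, DST, 53, 22, bad_checksum=True), 8)))
```

A segment that fails `checksum_ok` is one the destination host's own stack would silently discard, so a filter that verifies the checksum loses nothing by discarding it too; a filter that does not verify it is the one that treats the bad-checksum probe as real traffic.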
ZENMAP
Zenmap is a GUI version of nmap. Personally I am not a big fan of this tool, but I thought it would
be worth mentioning for all the GUI lovers. It does include some built-in profiles for scanning and
I guess I have talked about every parameter that they have used in their scanning profiles. So just
take some time to understand the scanning profiles, their function, and most importantly what
they are doing in the background by inspecting the packets with Wireshark.
The topology option inside Zenmap will draw a picture of the network topology. In this way
you can visualize where exactly the host is located.