[Detect] ICMP, TCP & UDP

Hi there!

Welcome to the first of a new series of posts from the Extrahop Security Team. We will be using these posts to demonstrate how Reveal(x) detects some of the most popular Penetration Testing tools or techniques and malware family traffic.

We are starting with the most basic reconnaissance techniques used by bad actors: ping sweeps and TCP/UDP port scans.

You can use simple tools such as nmap to trigger these simple detections, using the sample syntax listed below:

TCP SYN SCAN
Use the command nmap -sS -n -Pn < IP Range > where the range covers at least three IP addresses. This command will scan 1000 ports on each IP address and trigger the detection panel below.

UDP PORT SCAN
Use the command nmap -sU -n -Pn < IP Range > where the range covers at least three IP addresses. This command will scan multiple UDP ports on each IP address and trigger the detection panel below.

ICMP PING SWEEP
Use the command nmap -n -sn -PE < IP Range > where the range covers a class C IP range. This command will scan each IP address in the range and trigger the detection panel below.

If you prefer the GUI of Zenmap, the Intense Scan + UDP profile will produce the same results as the above three nmap commands.
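For readers who want to see what the three detections above are keying on, here is an added, self-contained example of the detection side. It is not ExtraHop's or Reveal(x)'s own logic and it does not reflect Reveal(x) thresholds; it runs over a small set of constructed flow records and uses thresholds chosen as assumptions to mirror the post's triggers (a source probing at least three hosts on many ports, or sending ICMP echo requests to most of a class C range). The field names in the flow records are also assumptions.

```python
"""Toy detector for TCP SYN scans, UDP port scans and ICMP ping sweeps.

Added example, not ExtraHop's or Reveal(x)'s code. Flow records are
constructed; thresholds are assumptions that mirror the post's triggers.
"""
from collections import defaultdict
from ipaddress import ip_network

MIN_HOSTS = 3            # assumption: "at least three IP addresses" in the post
MIN_PORTS_PER_HOST = 10  # assumption: distinct ports before a host counts as probed
SWEEP_MIN_HOSTS = 64     # assumption: echo requests to this many hosts in one /24


def make_flow(src, dst, proto, dport=None, flags=None, icmp_type=None):
    """One flow record. flags is the client-side TCP flag string seen on
    the flow ("S" = SYN with no completed handshake, "SA" = handshake done)."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "flags": flags, "icmp_type": icmp_type}


def _port_scan_sources(flows, proto):
    """Return {src: sorted probed hosts} for sources that touched at least
    MIN_PORTS_PER_HOST distinct ports on at least MIN_HOSTS hosts.
    For TCP only SYN-only flows count, because a SYN scan never completes
    the handshake; normal client traffic ("SA") is ignored."""
    ports = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dport}
    for f in flows:
        if f["proto"] != proto:
            continue
        if proto == "tcp" and f["flags"] != "S":
            continue
        ports[f["src"]][f["dst"]].add(f["dport"])
    result = {}
    for src, by_dst in ports.items():
        probed = sorted(d for d, ps in by_dst.items() if len(ps) >= MIN_PORTS_PER_HOST)
        if len(probed) >= MIN_HOSTS:
            result[src] = probed
    return result


def detect_tcp_syn_scans(flows):
    return _port_scan_sources(flows, "tcp")


def detect_udp_port_scans(flows):
    return _port_scan_sources(flows, "udp")


def detect_ping_sweeps(flows):
    """Return {src: [/24 networks swept]} for sources sending ICMP echo
    requests (type 8) to at least SWEEP_MIN_HOSTS distinct hosts in one /24."""
    hosts = defaultdict(lambda: defaultdict(set))  # src -> /24 -> {dst}
    for f in flows:
        if f["proto"] != "icmp" or f["icmp_type"] != 8:
            continue
        net = ip_network(f"{f['dst']}/24", strict=False)
        hosts[f["src"]][net].add(f["dst"])
    result = {}
    for src, nets in hosts.items():
        swept = sorted(str(n) for n, hs in nets.items() if len(hs) >= SWEEP_MIN_HOSTS)
        if swept:
            result[src] = swept
    return result


def detect_all(flows):
    """Run the three detections and return (name, source, count) alerts."""
    alerts = []
    for src, hosts in detect_tcp_syn_scans(flows).items():
        alerts.append(("TCP SYN scan", src, len(hosts)))
    for src, hosts in detect_udp_port_scans(flows).items():
        alerts.append(("UDP port scan", src, len(hosts)))
    for src, nets in detect_ping_sweeps(flows).items():
        alerts.append(("ICMP ping sweep", src, len(nets)))
    return alerts


# Constructed sample traffic (private addresses, no real hosts).
FLOWS = []
# 10.0.0.5: SYN-only probes of 50 ports on four hosts (a SYN scan).
for h in range(1, 5):
    for p in range(1, 51):
        FLOWS.append(make_flow("10.0.0.5", f"192.168.1.{h}", "tcp", dport=p, flags="S"))
# 10.0.0.6: 20 UDP ports on three hosts (a UDP port scan).
for h in range(10, 13):
    for p in range(100, 120):
        FLOWS.append(make_flow("10.0.0.6", f"192.168.1.{h}", "udp", dport=p))
# 10.0.0.7: echo request to every host in 192.168.2.0/24 (a ping sweep).
for h in range(1, 255):
    FLOWS.append(make_flow("10.0.0.7", f"192.168.2.{h}", "icmp", icmp_type=8))
# 10.0.0.9: SYN-only probes of two hosts only; below MIN_HOSTS, not flagged.
for h in (30, 31):
    for p in range(1, 51):
        FLOWS.append(make_flow("10.0.0.9", f"192.168.1.{h}", "tcp", dport=p, flags="S"))
# 10.0.0.8: ordinary client traffic with completed handshakes and one ping.
FLOWS.append(make_flow("10.0.0.8", "192.168.1.20", "tcp", dport=443, flags="SA"))
FLOWS.append(make_flow("10.0.0.8", "192.168.1.21", "tcp", dport=80, flags="SA"))
FLOWS.append(make_flow("10.0.0.8", "192.168.1.21", "udp", dport=53))
FLOWS.append(make_flow("10.0.0.8", "192.168.2.1", "icmp", icmp_type=8))

if __name__ == "__main__":
    for alert in detect_all(FLOWS):
        print(alert)
```

The two edge cases built into the sample data are the ones worth tuning for in a real deployment: a source that probes many ports on fewer than three hosts stays below the host threshold, and a normal client that completes its handshakes is never counted as a SYN scanner even when it talks to several hosts.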
