Tiny Deathstars of Foulness

Prepare for your network administrators to cringe… I’ve spoken on these commands but never really put them together in this way, exactly. So I wanted to find a coworker on a network. So one way to find people is to use a ping sweep. Here I’m going to royally piss off my switch admins and ping sweep the subnet:


Next, I’m going to run arp to translate:

arp -a

Finally, if a machine is ipv6, it wouldn’t show up. So I’m going to run:

ndp -a

Now, I find the hostname, then look at the MAC address, copy that to my clipboard, find for that to get the IP and then I can flood that host with all the things. Or you could use nmap… :-/

January 7th, 2017

Posted In: Mac OS X, Network Infrastructure

Tags: , , , , , ,

Leave a Comment

The nmap application is a pretty easy-to-use tool that can be used to port scan objects in a network environment. To obtain mmap in an easy-to-use package installer, for OS X check out the download page at (use the same page to grab it for Windows or *nix as well). Once downloaded run the package/rpm/whatever.

Before I scan a system, I like to pull the routing table and eth info to determine how scans are being run, which can be run by using the mmap command anong with the —iflist option:

nmap —iflist

Basic Scanning
To then scan a computer, just use the mmap command followed by the host name or even throw a -v option in there to see more information (you can use a hostname or an IP):

nmap -v

Use the -6 option if scanning via IPv6:

nmap -v -6 8a33:1a2c::83::1a

Can drop the -v for less info on these, but I usually like more than less. Shows ports, states, services (for the ports) and a MAC address for each IP being scanned.

You can also scan a range of IPs. I usually take the lazy way for this, by using a wildcard. I can replace an octet to scan all objects in that octet. For example, to scan all systems running on the 192.168.210 class B:

nmap 192.168.210.*

You can scan a subnet, which can cover more or less than one octet worth of IPs, by including the net mask:


You can also just list a range, which is much easier in some cases, using the —exclude option to remove an address that will be angry if port scanned:

nmap —exclude

Or to do a few hosts within that range:


Of you can even use the following to read in a list of addresses and subnets where each is on its own line:

nmap -iL ~/nmaplist.txt

By default, mmap is scanning all ports. However, if you know what you’re looking for, scans can be processed much faster if you constrain it to a port or range of ports. Use the -p option to identify a port and then T: for only TCP or U: for only UDP, or neither to do both. Additionally, you can scan a range of ports or separate ports using the same syntax used for identifying multiple hosts. For example, here we’ll scan 53, 80, 110, 443 and 143:

nmap -p 53,80,110,143,443

DO OS detection using the -A option:

nmap -A

For true remote OS detection, use -O with —osscan-guess:

mmap -v -O —osscan-guess

We can also output to a text file, using the -o option (or of course > filename but -o is more elegant here unless you’re parsing elsewhere in the line):

mmap -v -o ~/Desktop/nmapresults.txt -O —osscan-guess

Next, we’ll look at trying to bypass pesky annoyances like stageful packet inspection on firewalls. First, check whether there is actually a firewall using -s:

nmap -sA

Scan even if the host is protected by a firewall:

nmap -PN

Just check to see if some devices are up even if behind a firewall:

nmap -sP

Run a scan using Syn and ACK scans, run mmap along with the either -PS or -PA options (shown respectively):

nmap -PS 443
nmap -PA 443

Try to determine why ports are in a specific state:

nmap —reason

Show all sent/recvd packets:

nmap —packet-trace

Try to read the header of remote ports to determine a version number of the software:

nmap -sV

Security Scanning
Next, we can look at actually using nmap to test the attacking waters a little bit. First, we’ll try and spoof another MAC address, using the —spoof-mac options. We’ll use the 0 position after that option to indicate that we’re randomly generating a Mac, although we could use a real MAC in place of the 0:

nmap -v -sT —spoof-mac 0

Next, let’s try to add a decoy, which allows us to spoof some IPs and use that as decoys so our target doesn’t suspect our IP as one that’s actually scanning them (note that our IP we’re testing from is

nmap -n -,,,

Then, send some crazy packets (not an official term like magic packets, just my own term for throwing a curve ball at things and testing for the viability of syn-flood or Xmas packet attacking):

nmap -sX

Configure a custom mtu:

nmap —mtu 64

Fragment your packets:

nmap -f

Note: None of Apple’s servers were damaged in the writing of this article. I did a find/replace at the end, when I realized I didn’t want all of you hitting

January 24th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Microsoft Exchange Server, Network Infrastructure, Ubuntu, Unix, VMware

Tags: , , , , , , , ,

You can delete an IP address from the arp table using the arp command along with the -d option followed by an address.  For example, to delete IP

arp -d

If you’re not sure which IP address you’re looking for then you can look at the arp table to check the IP against the MAC address by using the -a option along with arp.  For example:

arp -a

To delete all of the entries in an arp table (they do regenerate after all) you can use the -d option in conjunction with the -a option:

arp -d -a

If you then want to manually add an entry into the arp table you can use the -s option followed first by the IP address and then by the MAC address, as follows (assuming an IP of and a MAC of 00-00-00-00-00-00):

arp -s 00-00-00-00-00-00

In some cases I’ve had to revert to using hostnames instead of MAC addresses.  To do so, first define the hostname in /etc/hosts, adding a line that has the IP followed by the name of the server, as follows:

Then simply use the name instead of the MAC address with the -s option, as follows:

arp -s

July 16th, 2009

Posted In: Mac OS X, Ubuntu, Unix, VMware

Tags: , , , , ,

So arp can display the table for name to Ethernet address resolution.  That’s pretty easy, just run arp with a -a flag and it will show you all the other systems in your arp table.  the table is managed dynamically.  But what if you wanted to set one in there statically.  Well, you could use the arp with a -s flag followed by the host name and then the ethernet address you want to assign for that host name.  If you point a host name to an invalid address then you’ve poisoned your arp cache.

December 1st, 2006

Posted In: Mac OS X, Mac Security

Tags: , , ,