Port Scan

Powershell

Test-NetConnection

PS C:\Users\jamie\Desktop> Test-NetConnection -Port 1433 192.168.210.15

$d='DC1';$p=53,88,135,389,445,3268,3269,636,9389;$u=53,88,389;$p|%{if(Test-NetConnection $d -Port $_){"TCP $_-Open"}else{"TCP $_-Closed"}};$u|%{try{$c=[net.sockets.udpclient]::new();$c.Connect($d,$_);$null=$c.Send((,0),1);"UDP $_-Open"}catch{"UDP $_-Closed"}finally{$c.Close()}}

Test-TcpPort

Scanning without Nmap

# Find IPs
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done    

# Find Ports
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done

NetScan - From Windows Host

SoftPerfect Network Scanner : fast, flexible, advancedwww.softperfect.com

Fscan

GitHub - shadow1ng/fscan: 一款内网综合扫描工具，方便一键自动化、全方位漏扫扫描。GitHub

./fscan -h 172.17.0.0/24

./fscan -h 172.17.0.2 -p 1-65535

Naabu

GitHub - projectdiscovery/naabu: A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentestsGitHub

naabu -host target.com
naabu -host target.com | httpx -silent

Masscan

masscan <target-ip> /16 
masscan <target-ip> /24

-p: Ports

masscan <target-ip> /16 -p 80,443 

masscan <target-ip> /16 -p 22-80 

masscan <target-ip> /16 -p 0-65535

--top-ports

masscan <target-ip> /16 --top-ports 100

Nmap

Nmap binary:

static-binaries/binaries/linux/x86_64/nmap at master · andrew-d/static-binariesGitHub

For Windows - Zenmap

Download the Free Nmap Security Scanner for Linux/Mac/Windowsnmap.org

nmap -sV --open -oA nibbles_initial_scan 10.129.42.190

nmap -sC -p 22,80 -oA nibbles_script_scan 10.129.42.190

nmap -sV --script=http-enum -oA nibbles_nmap_http_enum 10.129.42.190 

List of common ports:

Common Ports

nmap -Pn -sC -sV --top-ports=1000 [IP]

Fast scan

nmap -F [IP]

# Threads 5
nmap -sC -sV [IP] -T5

Host file

nmap -iL targets.txt

Nmap options

Nmap Option	Description
10.10.10.0/24	Target network range.
-sn	Disables port scanning.
-Pn	Disables ICMP Echo Requests
-n	Disables DNS Resolution.
-PE	Performs the ping scan by using ICMP Echo Requests against the target.
--packet-trace	Shows all packets sent and received.
--reason	Displays the reason for a specific result.
--disable-arp-ping	Disables ARP Ping Requests.
--top-ports=<num>	Scans the specified top ports that have been defined as most frequent.
-p-	Scan all ports.
-p22-110	Scan all ports between 22 and 110.
-p22,25	Scans only the specified ports 22 and 25.
-F	Scans top 100 ports.
-sS	Performs an TCP SYN-Scan.
-sA	Performs an TCP ACK-Scan.
-sU	Performs an UDP Scan.
-sV	Scans the discovered services for their versions.
-sC	Perform a Script Scan with scripts that are categorized as "default".
--script <script>	Performs a Script Scan by using the specified scripts.
-O	Performs an OS Detection Scan to determine the OS of the target.
-A	Performs OS Detection, Service Detection, and traceroute scans.
-D RND:5	Sets the number of random Decoys that will be used to scan the target.
-e	Specifies the network interface that is used for the scan.
-S 10.10.10.200	Specifies the source IP address for the scan.
-g	Specifies the source port for the scan.
--dns-server <ns>	DNS resolution is performed by using a specified name server.

Output Options

Nmap Option	Description
-oA filename	Stores the results in all available formats starting with the name of "filename".
-oN filename	Stores the results in normal format with the name "filename".
-oG filename	Stores the results in "grepable" format with the name of "filename".
-oX filename	Stores the results in XML format with the name of "filename".

Performance Options

Nmap Option	Description
--max-retries <num>	Sets the number of retries for scans of specific ports.
--stats-every=5s	Displays scan's status every 5 seconds.
-v/-vv	Displays verbose output during the scan.
--initial-rtt-timeout 50ms	Sets the specified time value as initial RTT timeout.
--max-rtt-timeout 100ms	Sets the specified time value as maximum RTT timeout.
--min-rate 300	Sets the number of packets that will be sent simultaneously.
-T <0-5>	Specifies the specific timing template.

Open port

nmap 10.129.2.0/24 -F -oN tnet.default
cat tnet.default | grep "/tcp" | wc -l

IDS/IPS Detection

IDS IPS AV Evasion

UDP

sudo nmap 10.129.2.28 -F -sU

Convert XML Result to HTML

xsltproc target.xml -o target.html

Vulnerability

GitHub - scmanjarrez/CVEScannerV2: Nmap script that scans for probable vulnerabilities based on services discovered in open ports.GitHub

GitHub - vulnersCom/nmap-vulners: NSE script based on Vulners.com APIGitHub

Update nse scripts: sudo nmap --script-updatedb

sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715

Admin interface:

Default CredentialsWeb login

CMS :

CMS

Find NSE script

$ locate -r nse$|grep nfs
/usr/share/nmap/scripts/nfs-ls.nse
/usr/share/nmap/scripts/nfs-showmount.nse
/usr/share/nmap/scripts/nfs-statfs.nse

Nmap - NSE

• safe:- Won't affect the target

• intrusive:- Not safe: likely to affect the target

• vuln:- Scan for vulnerabilities

• exploit:- Attempt to exploit a vulnerability

• auth:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)

• brute:- Attempt to bruteforce credentials for running services

• discovery:- Attempt to query running services for further information about the network (e.g. query an SNMP server).

Resources

Recon series #4: Port scanning methods for revealing hidden servicesYesWeHack

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Nmap Network Scanning The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.

• The Art of Network Penetration Testing A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.

• Network Basics for Hackers The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.