Port Scan


Powershell

Test-NetConnection

```powershell
PS C:\Users\jamie\Desktop> Test-NetConnection -Port 1433 192.168.210.15
```

```powershell
$d = 'DC1'
$p = 53,88,135,389,445,3268,3269,636,9389   # TCP ports typical of a domain controller
$u = 53,88,389                               # UDP ports
# -InformationLevel Quiet returns $true/$false; the default result object is always truthy,
# so a bare "if (Test-NetConnection ...)" reports every port as Open.
$p | % { if (Test-NetConnection $d -Port $_ -InformationLevel Quiet) { "TCP $_-Open" } else { "TCP $_-Closed" } }
# UDP is connectionless: Send() succeeds even against a closed port, so wait for a reply or for the
# ICMP port-unreachable error (ConnectionReset) a closed port triggers; a timeout means open|filtered.
$u | % {
    $port = $_   # inside catch{} $_ is the error record, not the port number
    $c = [net.sockets.udpclient]::new(); $c.Client.ReceiveTimeout = 1000
    try { $c.Connect($d, $port); $null = $c.Send((,0), 1)
          $ep = [net.ipendpoint]::new([net.ipaddress]::Any, 0); $null = $c.Receive([ref]$ep); "UDP $port-Open" }
    catch { if ($_.Exception.GetBaseException().SocketErrorCode -eq 'ConnectionReset') { "UDP $port-Closed" } else { "UDP $port-Open|Filtered" } }
    finally { $c.Close() }
}
```

Test-TcpPort

Scanning without Nmap

NetScan - From Windows Host

Fscan

Naabu

Masscan

-p: Ports

--top-ports

Nmap

Nmap binary:

For Windows - Zenmap

List of common ports:

Common Ports

Fast scan

Host file

Nmap options

| Nmap Option | Description |
| --- | --- |
| `10.10.10.0/24` | Target network range. |
| `-sn` | Disables port scanning (host discovery only). |
| `-Pn` | Skips host discovery (no ICMP Echo Requests) and treats every target as online. |
| `-n` | Disables DNS resolution. |
| `-PE` | Performs the ping scan using ICMP Echo Requests against the target. |
| `--packet-trace` | Shows all packets sent and received. |
| `--reason` | Displays the reason for a specific result. |
| `--disable-arp-ping` | Disables ARP ping requests. |
| `--top-ports=<num>` | Scans the `<num>` ports that nmap's frequency data ranks as most common. |
| `-p-` | Scans all ports. |
| `-p22-110` | Scans all ports between 22 and 110. |
| `-p22,25` | Scans only the specified ports 22 and 25. |
| `-F` | Fast scan: the top 100 ports. |
| `-sS` | Performs a TCP SYN scan. |
| `-sA` | Performs a TCP ACK scan. |
| `-sU` | Performs a UDP scan. |
| `-sV` | Probes the discovered services for their versions. |
| `-sC` | Performs a script scan with the scripts in the "default" category. |
| `--script <script>` | Performs a script scan using the specified scripts. |
| `-O` | Performs OS detection to determine the operating system of the target. |
| `-A` | Performs OS detection, service detection and traceroute. |
| `-D RND:5` | Scans alongside the given number of randomly generated decoy addresses (5 here). |
| `-e` | Specifies the network interface used for the scan. |
| `-S 10.10.10.200` | Specifies the source IP address for the scan. |
| `-g` | Specifies the source port for the scan. |
| `--dns-server <ns>` | Performs DNS resolution using the specified name server. |

Output Options

| Nmap Option | Description |
| --- | --- |
| `-oA filename` | Stores the results in all available formats, with file names starting with "filename". |
| `-oN filename` | Stores the results in normal format in the file "filename". |
| `-oG filename` | Stores the results in "grepable" format in the file "filename". |
| `-oX filename` | Stores the results in XML format in the file "filename". |
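As an added example (not code from the original page), a small Python parser for the grepable `-oG` format listed above, plus a baseline comparison a defender can run after each scheduled scan to spot ports that were not open before. The sample scan text, the hosts in it and the baseline are all constructed.

```python
import re
from collections import namedtuple
# Constructed sample of nmap "grepable" (-oG) output; not a real scan result.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Tue Jan  7 10:00:00 2025 as: nmap -sS -sV -oG scan.gnmap 10.10.10.0/24
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.10.10.9 (dc1.lab.local)\tPorts: 53/open/udp//domain//Microsoft DNS/, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (994)
"""
# A port entry is port/state/proto/owner/service/rpcinfo/version/ ; nmap rewrites "/" inside version
# strings as "|", so "[^/]*" per field is unambiguous, and findall() over the whole Ports field
# (rather than split(", ")) also survives commas inside version strings.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp|sctp)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")
Service = namedtuple("Service", "port proto state service version")

def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [Service, ...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        cols = line.split("\t")  # -oG separates the Host / Status / Ports fields with tabs
        m = HOST_RE.match(cols[0])
        if m is None:
            continue  # "# Nmap ..." comment lines and anything else unexpected
        ip, name = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "ports": []})
        for col in cols[1:]:
            key, _, value = col.partition(": ")
            if key == "Ports":
                for port, state, proto, _owner, svc, _rpc, ver in PORT_RE.findall(value):
                    entry["ports"].append(Service(int(port), proto, state, svc, ver))
    return hosts

def open_ports(hosts, proto=None):
    """{ip: [Service, ...]} for ports in state "open", optionally limited to one protocol."""
    result = {}
    for ip, entry in hosts.items():
        opens = [s for s in entry["ports"] if s.state == "open" and (proto is None or s.proto == proto)]
        if opens:
            result[ip] = sorted(opens, key=lambda s: (s.proto, s.port))
    return result

def unexpected_exposure(hosts, baseline):
    """Open ports missing from baseline {ip: {(proto, port), ...}}; unknown hosts count fully."""
    findings = {}
    for ip, opens in open_ports(hosts).items():
        extra = [s for s in opens if (s.proto, s.port) not in baseline.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings
```

Feed it the file written by `-oG` and a baseline kept under version control; anything it reports is either an approved change to record or an exposure to investigate.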

Performance Options

| Nmap Option | Description |
| --- | --- |
| `--max-retries <num>` | Sets the maximum number of probe retransmissions per port. |
| `--stats-every=5s` | Displays the scan's status every 5 seconds. |
| `-v/-vv` | Displays verbose output during the scan. |
| `--initial-rtt-timeout 50ms` | Sets the initial RTT timeout to the given value. |
| `--max-rtt-timeout 100ms` | Sets the maximum RTT timeout to the given value. |
| `--min-rate 300` | Sends packets no slower than the given rate (here 300 per second). |
| `-T <0-5>` | Selects the timing template, from 0 (slowest) to 5 (fastest). |

Open port

IDS/IPS Detection

IDS IPS AV Evasion

UDP

Convert XML Result to HTML

Vulnerability

Update NSE scripts: `sudo nmap --script-updatedb`

Admin interface:

Default Credentials

Web login

CMS:

CMS

Find NSE script

Nmap - NSE

  • safe: Won't affect the target.

  • intrusive: Not safe; likely to affect the target.

  • vuln: Scan for vulnerabilities.

  • exploit: Attempt to exploit a vulnerability.

  • auth: Attempt to bypass authentication for running services (e.g. log into an FTP server anonymously).

  • brute: Attempt to brute-force credentials for running services.

  • discovery: Attempt to query running services for further information about the network (e.g. query an SNMP server).

Resources

Interesting Books


Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

  • Nmap Network Scanning The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.

  • The Art of Network Penetration Testing A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.

  • Network Basics for Hackers The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.
