Port Scan
Powershell
Test-NetConnection
PS C:\Users\jamie\Desktop> Test-NetConnection -Port 1433 192.168.210.15
$d='DC1';$p=53,88,135,389,445,3268,3269,636,9389;$u=53,88,389
# TCP: Test-NetConnection returns an object that is always truthy, so test TcpTestSucceeded
$p|%{if((Test-NetConnection $d -Port $_ -WarningAction SilentlyContinue).TcpTestSucceeded){"TCP $_-Open"}else{"TCP $_-Closed"}}
# UDP: Send never fails by itself, so wait for a reply; an ICMP port-unreachable raises on Receive, a timeout means open|filtered ($_ inside catch is the error record, hence $port)
$u|%{$port=$_;$c=[net.sockets.udpclient]::new();$c.Client.ReceiveTimeout=1000;try{$c.Connect($d,$port);$null=$c.Send((,0),1);$ep=[net.ipendpoint]::new([net.ipaddress]::Any,0);$null=$c.Receive([ref]$ep);"UDP $port-Open"}catch{$e=$_.Exception;if($e.InnerException){$e=$e.InnerException};if($e.SocketErrorCode -eq 'TimedOut'){"UDP $port-Open|Filtered"}else{"UDP $port-Closed"}}finally{$c.Close()}}
Test-TcpPort

Scanning without Nmap
# Find IPs
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done
# Find Ports
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done
NetScan - From Windows Host
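The two bash loops above have no timeout (a filtered port leaves the /dev/tcp redirect hanging until the kernel's connect timeout expires) and, because every probe is backgrounded, their output arrives out of order. The block below is an added example, not from the original page: the same /dev/tcp technique wrapped in functions with a per-port timeout, plus an expander so the "22,80-82" port syntax from the Nmap table works here too. The target host, port list and 1-second timeout in the usage line are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): /dev/tcp probing with a timeout, no nmap needed.

# Expand an nmap-style port spec ("22,80-82") into a space-separated list.
expand_ports() {
  local spec=$1 part lo hi p
  local -a parts
  local -a out=()
  IFS=',' read -ra parts <<< "$spec"
  for part in "${parts[@]}"; do
    if [[ $part == *-* ]]; then
      lo=${part%-*}; hi=${part#*-}
      for ((p = lo; p <= hi; p++)); do out+=("$p"); done
    else
      out+=("$part")
    fi
  done
  echo "${out[@]}"
}

# Exit 0 only if a TCP connect to host:port completes within TIMEOUT seconds.
# The connect runs in a child bash so `timeout` can kill a probe that hangs on a
# filtered port; a refused connection (closed port) fails immediately.
TIMEOUT=${TIMEOUT:-1}   # assumed default, override with TIMEOUT=3 scan_host ...
probe_tcp() {
  local host=$1 port=$2
  timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Print "host port open" for every reachable port in the spec, in ascending order.
scan_host() {
  local host=$1 spec=$2 port
  for port in $(expand_ports "$spec"); do
    probe_tcp "$host" "$port" && echo "$host $port open"
  done
  return 0
}

# Usage (assumed target and ports): scan_host 192.168.1.1 "22,80,443,8000-8010"
```

Closed ports answer with a RST and fail instantly, so a full 1-65535 sweep is only slow where a firewall silently drops packets; raise TIMEOUT on high-latency links or probes will be misreported as closed.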
Fscan
./fscan -h 172.17.0.0/24
./fscan -h 172.17.0.2 -p 1-65535
Naabu
naabu -host target.com
naabu -host target.com | httpx -silent
Masscan
masscan <target-ip>/16
masscan <target-ip>/24
-p: Ports
masscan <target-ip>/16 -p 80,443
masscan <target-ip>/16 -p 22-80
masscan <target-ip>/16 -p 0-65535
--top-ports
masscan <target-ip>/16 --top-ports 100
Nmap
Nmap binary:
For Windows - Zenmap
nmap -sV --open -oA nibbles_initial_scan 10.129.42.190
nmap -sC -p 22,80 -oA nibbles_script_scan 10.129.42.190
nmap -sV --script=http-enum -oA nibbles_nmap_http_enum 10.129.42.190
List of common ports:
Common Ports
nmap -Pn -sC -sV --top-ports=1000 [IP]
Fast scan
nmap -F [IP]
# -T5 selects the "insane" timing template (fastest and noisiest); it is not a thread count
nmap -sC -sV [IP] -T5
Host file
nmap -iL targets.txt
Nmap options
| Nmap Option | Description |
|---|---|
| 10.10.10.0/24 | Target network range. |
| -sn | Disables port scanning. |
| -Pn | Disables ICMP Echo Requests. |
| -n | Disables DNS resolution. |
| -PE | Performs the ping scan by using ICMP Echo Requests against the target. |
| --packet-trace | Shows all packets sent and received. |
| --reason | Displays the reason for a specific result. |
| --disable-arp-ping | Disables ARP Ping Requests. |
| --top-ports=<num> | Scans the specified number of top ports, i.e. those defined as most frequent. |
| -p- | Scans all ports. |
| -p22-110 | Scans all ports between 22 and 110. |
| -p22,25 | Scans only the specified ports 22 and 25. |
| -F | Scans the top 100 ports. |
| -sS | Performs a TCP SYN scan. |
| -sA | Performs a TCP ACK scan. |
| -sU | Performs a UDP scan. |
| -sV | Scans the discovered services for their versions. |
| -sC | Performs a script scan with scripts that are categorized as "default". |
| --script <script> | Performs a script scan by using the specified scripts. |
| -O | Performs an OS detection scan to determine the OS of the target. |
| -A | Performs OS detection, service detection, and traceroute scans. |
| -D RND:5 | Sets the number of random decoys that will be used to scan the target. |
| -e | Specifies the network interface that is used for the scan. |
| -S 10.10.10.200 | Specifies the source IP address for the scan. |
| -g | Specifies the source port for the scan. |
| --dns-server <ns> | DNS resolution is performed by using the specified name server. |
Output Options
| Nmap Option | Description |
|---|---|
| -oA filename | Stores the results in all available formats starting with the name "filename". |
| -oN filename | Stores the results in normal format with the name "filename". |
| -oG filename | Stores the results in "grepable" format with the name "filename". |
| -oX filename | Stores the results in XML format with the name "filename". |
Performance Options
| Nmap Option | Description |
|---|---|
| --max-retries <num> | Sets the number of retries for scans of specific ports. |
| --stats-every=5s | Displays the scan's status every 5 seconds. |
| -v/-vv | Displays verbose output during the scan. |
| --initial-rtt-timeout 50ms | Sets the specified time value as the initial RTT timeout. |
| --max-rtt-timeout 100ms | Sets the specified time value as the maximum RTT timeout. |
| --min-rate 300 | Sets the minimum rate at which packets are sent (packets per second). |
| -T <0-5> | Specifies the timing template. |
Open port
nmap 10.129.2.0/24 -F -oN tnet.default
cat tnet.default | grep "/tcp" | wc -l
IDS/IPS Detection
IDS IPS AV Evasion
UDP
sudo nmap 10.129.2.28 -F -sU
Convert XML Result to HTML
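The grep | wc -l count above matches every "/tcp" line in normal (-oN) output, which also includes closed and filtered ports whenever Nmap lists them, and it sums across all hosts. The block below is an added example, not from the original page: it reads grepable output (-oG, from the output-options table) and reports per host only the ports whose state is open. The scan output embedded in it is a constructed sample, not a real scan.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): count open ports per host from
# Nmap grepable output (-oG) instead of grepping "/tcp" lines in normal output.

# Constructed sample of what `nmap -F -oG tnet.grep 10.129.2.0/24` writes.
# -oG separates its columns with tabs, so they are emitted with printf.
sample_grepable() {
  printf '%s\n' '# Nmap scan initiated as: nmap -F -oG tnet.grep 10.129.2.0/24 (constructed sample)'
  printf 'Host: %s ()\tStatus: Up\n' 10.129.2.4
  printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (97)\n' 10.129.2.4 \
    '22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///'
  printf 'Host: %s ()\tStatus: Up\n' 10.129.2.18
  printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (98)\n' 10.129.2.18 \
    '445/filtered/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///'
  printf '%s\n' '# Nmap done -- 256 IP addresses (2 hosts up) scanned'
}

# Read -oG text on stdin and print "ip port/proto" for every port in the open state.
# Each Ports: entry is port/state/proto/owner/service/rpcinfo/version.
open_ports_from_grepable() {
  awk '/^Host:/ && /Ports:/ {
    ip = $2
    line = $0
    sub(/.*Ports: /, "", line)          # keep only the port list
    sub(/\t.*/, "", line)               # drop the "Ignored State" column
    n = split(line, entries, ", ")
    for (i = 1; i <= n; i++) {
      split(entries[i], f, "/")
      if (f[2] == "open") print ip, f[1] "/" f[3]
    }
  }'
}

# Number of open ports across all hosts (what `grep "/tcp" | wc -l` was meant to give).
count_open_ports() {
  open_ports_from_grepable | wc -l | tr -d ' '
}

# Usage with a real scan file: open_ports_from_grepable < tnet.grep
```

On the sample the closed 443 and the filtered 445 are dropped and the count is 3; the naive grep on normal output would have reported 5 for the same scan.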
xsltproc target.xml -o target.html
Vulnerability
Update nse scripts: sudo nmap --script-updatedb
sudo nmap 10.129.2.28 -p 80 -sV --script vuln 
Nmap scan report for 10.129.2.28
Host is up (0.036s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
Admin interface:
Default Credentials
Web login
CMS:
CMS
Find NSE script
$ locate -r nse$|grep nfs
/usr/share/nmap/scripts/nfs-ls.nse
/usr/share/nmap/scripts/nfs-showmount.nse
/usr/share/nmap/scripts/nfs-statfs.nse
Nmap - NSE
- safe: Won't affect the target
- intrusive: Not safe, likely to affect the target
- vuln: Scan for vulnerabilities
- exploit: Attempt to exploit a vulnerability
- auth: Attempt to bypass authentication for running services (e.g. log into an FTP server anonymously)
- brute: Attempt to brute-force credentials for running services
- discovery: Attempt to query running services for further information about the network (e.g. query an SNMP server)
Resources
Interesting Books
- Nmap Network Scanning: The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.
- The Art of Network Penetration Testing: A guide to simulating an internal security breach. You'll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.
- Network Basics for Hackers: The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.
Support this Gitbook
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.