# Port Scan

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Powershell

### Test-NetConnection

`PS C:\Users\jamie\Desktop> Test-NetConnection -Port 1433 192.168.210.15`

```powershell
$d='DC1';$p=53,88,135,389,445,3268,3269,636,9389;$u=53,88,389
# TCP: test TcpTestSucceeded; the result object itself is always truthy, so if(Test-NetConnection ...) would report every port as open
$p|%{if((Test-NetConnection $d -Port $_ -WarningAction SilentlyContinue).TcpTestSucceeded){"TCP $_-Open"}else{"TCP $_-Closed"}}
# UDP: Send() never fails on a closed port. A reply means open; an ICMP port-unreachable surfaces as ConnectionReset on Receive(); a timeout means open|filtered
$u|%{$port=$_;$c=[net.sockets.udpclient]::new();$c.Client.ReceiveTimeout=1000;$ep=[net.ipendpoint]::new([net.ipaddress]::Any,0)
  try{$c.Connect($d,$port);$null=$c.Send((,[byte]0),1);$null=$c.Receive([ref]$ep);"UDP $port-Open"}
  catch [net.sockets.socketexception]{if($_.Exception.SocketErrorCode -eq 'ConnectionReset'){"UDP $port-Closed"}else{"UDP $port-Open|Filtered"}}
  finally{$c.Close()}}
```

<figure><img src="/files/DtH7ZGXDVWaLFz6Wi2LQ" alt=""><figcaption></figcaption></figure>

### Test-TcpPort

<figure><img src="/files/uNr2EGzfr81RkYOjBy53" alt=""><figcaption></figcaption></figure>

{% embed url="https://gist.github.com/daem0nc0re/1ec218d44311e8e8377ede1b3fb2e135" %}

## Scanning without Nmap

```
# Find IPs
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

# Find Ports
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done
```

## NetScan - From Windows Host

{% embed url="https://www.softperfect.com/products/networkscanner/" %}

## Rustscan

```
rustscan -a 192.168.75.0/24 --ulimit 5000
```

## Fscan

{% embed url="https://github.com/shadow1ng/fscan?tab=readme-ov-file" %}

```
./fscan -h 172.17.0.0/24

./fscan -h 172.17.0.2 -p 1-65535
```

<figure><img src="/files/OpWEoDZYhykM5FdHSdSP" alt=""><figcaption></figcaption></figure>

## Naabu

{% embed url="https://github.com/projectdiscovery/naabu" %}

```
naabu -host target.com
naabu -host target.com | httpx -silent
```

## Masscan

```
# masscan refuses to run without a port spec (-p or --top-ports); the CIDR suffix has no space before it
masscan <target-ip>/16 -p 80
masscan <target-ip>/24 -p 80
```

-p: Ports

```
masscan <target-ip>/16 -p 80,443

masscan <target-ip>/16 -p 22-80

masscan <target-ip>/16 -p 0-65535
```

--top-ports

```
masscan <target-ip>/16 --top-ports 100
```

## Nmap

Nmap binary:

{% embed url="https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap" %}

For Windows - Zenmap

{% embed url="https://nmap.org/download.html#windows" %}

```shell-session
nmap -sV --open -oA nibbles_initial_scan 10.129.42.190
```

```shell-session
nmap -sC -p 22,80 -oA nibbles_script_scan 10.129.42.190
```

```shell-session
nmap -sV --script=http-enum -oA nibbles_nmap_http_enum 10.129.42.190 
```

List of common ports:

{% content-ref url="/pages/fTaX4C0iticozvnz38VP" %}
[Common Ports](/0xss0rz/pentest/protocols/common-ports.md)
{% endcontent-ref %}

```
nmap -Pn -sC -sV --top-ports=1000 [IP]
```

### Fast scan

```
nmap -F [IP]

# -T5 is the "insane" timing template (fastest, least reliable), not a thread count
nmap -sC -sV [IP] -T5
```

### Host file

```
nmap -iL targets.txt
```

### Nmap options

| **Nmap Option**      | **Description**                                                        |
| -------------------- | ---------------------------------------------------------------------- |
| `10.10.10.0/24`      | Target network range.                                                  |
| `-sn`                | Disables port scanning.                                                |
| `-Pn`                | Skips host discovery (no ICMP Echo Requests); treats every host as up.  |
| `-n`                 | Disables DNS Resolution.                                               |
| `-PE`                | Performs the ping scan by using ICMP Echo Requests against the target. |
| `--packet-trace`     | Shows all packets sent and received.                                   |
| `--reason`           | Displays the reason for a specific result.                             |
| `--disable-arp-ping` | Disables ARP Ping Requests.                                            |
| `--top-ports=<num>`  | Scans the specified top ports that have been defined as most frequent. |
| `-p-`                | Scan all ports.                                                        |
| `-p22-110`           | Scan all ports between 22 and 110.                                     |
| `-p22,25`            | Scans only the specified ports 22 and 25.                              |
| `-F`                 | Scans top 100 ports.                                                   |
| `-sS`                | Performs a TCP SYN scan.                                               |
| `-sA`                | Performs a TCP ACK scan.                                               |
| `-sU`                | Performs a UDP scan.                                                   |
| `-sV`                | Scans the discovered services for their versions.                      |
| `-sC`                | Performs a Script Scan with scripts that are categorized as "default". |
| `--script <script>`  | Performs a Script Scan by using the specified scripts.                 |
| `-O`                 | Performs an OS Detection Scan to determine the OS of the target.       |
| `-A`                 | Performs OS Detection, Service Detection, and traceroute scans.        |
| `-D RND:5`           | Sets the number of random Decoys that will be used to scan the target. |
| `-e`                 | Specifies the network interface that is used for the scan.             |
| `-S 10.10.10.200`    | Specifies the source IP address for the scan.                          |
| `-g`                 | Specifies the source port for the scan.                                |
| `--dns-server <ns>`  | DNS resolution is performed by using a specified name server.          |

#### Output Options

| **Nmap Option** | **Description**                                                                   |
| --------------- | --------------------------------------------------------------------------------- |
| `-oA filename`  | Stores the results in all available formats starting with the name of "filename". |
| `-oN filename`  | Stores the results in normal format with the name "filename".                     |
| `-oG filename`  | Stores the results in "grepable" format with the name of "filename".              |
| `-oX filename`  | Stores the results in XML format with the name of "filename".                     |

#### Performance Options

| **Nmap Option**              | **Description**                                              |
| ---------------------------- | ------------------------------------------------------------ |
| `--max-retries <num>`        | Sets the number of retries for scans of specific ports.      |
| `--stats-every=5s`           | Displays scan's status every 5 seconds.                      |
| `-v/-vv`                     | Displays verbose output during the scan.                     |
| `--initial-rtt-timeout 50ms` | Sets the specified time value as initial RTT timeout.        |
| `--max-rtt-timeout 100ms`    | Sets the specified time value as maximum RTT timeout.        |
| `--min-rate 300`             | Sets the minimum send rate, here 300 packets per second.     |
| `-T <0-5>`                   | Specifies the specific timing template.                      |

### Count open ports

```
nmap 10.129.2.0/24 -F -oN tnet.default
cat tnet.default | grep "/tcp" | wc -l
```

### IDS/IPS Detection

{% content-ref url="/pages/cZ0LhLAnE23O04w2V9bX" %}
[IDS IPS AV Evasion](/0xss0rz/pentest/protocols/ids-ips-av-evasion.md)
{% endcontent-ref %}

### UDP

```shell-session
sudo nmap 10.129.2.28 -F -sU
```

### Convert XML Result to HTML

```shell-session
xsltproc target.xml -o target.html
```
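The `grep "/tcp" | wc -l` count above also picks up individually listed closed or filtered ports in normal output; parsing the `-oX` XML (the same file `xsltproc` converts) gives an exact per-host list. This is an added example, not part of the original page; the XML is a constructed sample in the layout nmap emits.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of nmap -oX output (not a real scan):
# two hosts; only the ports in state 'open' should be counted.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.129.2.0/24">
  <host><status state="up"/>
    <address addr="10.129.2.28" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.6p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/>
        <service name="domain"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.129.2.30" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port></ports>
  </host>
</nmaprun>
"""

def parse_open_ports(xml_text):
    """Return {addr: [(proto, port, service, product+version), ...]} for ports in
    state 'open'; 'closed', 'filtered' and 'open|filtered' are skipped."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        found = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            ver = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            found.append((port.get("protocol"), int(port.get("portid")), name, ver))
        result[addr_el.get("addr")] = found
    return result

def count_open(xml_text):
    """Total open ports across all hosts (the exact figure grep '/tcp' | wc -l approximates)."""
    return sum(len(p) for p in parse_open_ports(xml_text).values())

if __name__ == "__main__":
    print(parse_open_ports(SAMPLE_XML))
```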

<figure><img src="/files/5s98OK4zh6vlJna6OUH5" alt=""><figcaption></figcaption></figure>

### Vulnerability

{% embed url="https://github.com/scmanjarrez/CVEScannerV2" %}

{% embed url="https://github.com/vulnersCom/nmap-vulners" %}

Update nse scripts: `sudo nmap --script-updatedb`

```shell-session
sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
```

#### Admin interface:

{% content-ref url="/pages/qqzJ1keOOlfL6KlhTMDd" %}
[Default Credentials](/0xss0rz/pentest/brute-force/default-credentials.md)
{% endcontent-ref %}

{% content-ref url="/pages/GvVuJGtralR60UPtAjnt" %}
[Web login](/0xss0rz/pentest/brute-force/web-login.md)
{% endcontent-ref %}

#### CMS

{% content-ref url="/pages/BNYnMWR6ycmbnuzzgqLK" %}
[CMS](/0xss0rz/pentest/web-attacks/cms.md)
{% endcontent-ref %}

## Find NSE script

```
$ locate -r nse$|grep nfs
/usr/share/nmap/scripts/nfs-ls.nse
/usr/share/nmap/scripts/nfs-showmount.nse
/usr/share/nmap/scripts/nfs-statfs.nse
```

## Nmap - NSE

* `safe`: won't affect the target
* `intrusive`: not safe, likely to affect the target
* `vuln`: scan for vulnerabilities
* `exploit`: attempt to exploit a vulnerability
* `auth`: attempt to bypass authentication for running services (e.g. log into an FTP server anonymously)
* `brute`: attempt to brute-force credentials for running services
* `discovery`: attempt to query running services for further information about the network (e.g. query an SNMP server)

## Resources

{% embed url="https://www.yeswehack.com/learn-bug-bounty/recon-port-scanning-attack-vectors" %}

## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Nmap Network Scanning**](https://www.amazon.fr/dp/0979958717?tag=0xss0rz-21)\
  The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.
* [**The Art of Network Penetration Testing**](https://www.amazon.fr/dp/1617296821)\
  A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.
* [**Network Basics for Hackers**](https://www.amazon.fr/dp/B0BS3GZ1R9)\
  The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
