d4Rk's 1337 h4x0r guide
Port scanning


Last updated 3 years ago

Nmap

The Network Mapper - Free Security Scanner

  • Standalone

  • XSL Bootstrap

Common options

| option | description |
|---|---|
| -p | Port ranges (default: most common 1000 ports); -p- scans all ports (1-65536) |
| -sV | Version scanning, enforces full TCP connection |
| -sC | Script scanning |
| -O | OS detection |
| -A | Aggressive scan options, combines -O, -sV, -sC and --traceroute |
| -T<0-5> | Set timing template (higher is faster), aka paranoid, sneaky, polite, normal, aggressive, insane (default: 3, aka normal) |
| -oA | Basename (output to all formats) |
| -sU | UDP scan |
| -Pn | Skip host discovery; use this option if the host is blocking ping probes |
| -v, -vv | Increase verbosity |
| -d, -dd | Debug, even more verbose |
| --max-retries | Set to 1 or 0 to speed up the scan considerably (at some cost in accuracy) |

Note: There are a ton of other options, like more exotic scan types, spoofing IP or MAC addresses, etc.

TCP

Note: Nmap can only perform TCP SYN scans (-sS) when running as a privileged user (root or via sudo); otherwise it falls back to the full TCP 3-way handshake connect scan (-sT) by default.

Examples

Light scan

sudo nmap --top-ports 10 --open -oA nmap_light <ip>

Default scan

sudo nmap -sV -oA nmap_default <ip>

Heavy scan

sudo nmap -p- -sV -sC --reason -oA nmap_heavy <ip>

Scan for "safe" vulns

sudo nmap --script "vuln and safe" -oA nmap_vuln <ip>

Scan for SMB vulns

sudo nmap -p 139,445 --script smb-vuln*  -oA nmap_vuln_smb <ip>

UDP

sudo nmap -sU -oA nmap_udp <ip>

Useful stuff

Get open ports comma separated

grep -oP '\d{1,5}/open' nmap.gnmap | cut -d '/' -f 1 | paste -s -d ','
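As an added example (not from the original guide), a small Python parser for Nmap's grepable format that does the same job as the one-liner above but keeps host, protocol and state apart, which matters when one .gnmap file covers several hosts or a -sU scan; the sample scan lines are constructed.

```python
"""Parse Nmap grepable (.gnmap) output into open ports per host.

Each "Host:" line carries tab-separated fields; the "Ports:" field lists
entries of seven slash-separated values:
port/state/protocol/owner/service/rpc-info/version (slashes inside the
version string are written as "|" by Nmap, so splitting on "/" is safe).
"""
import re
from collections import defaultdict

# Constructed sample in grepable format, not real scan output.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oA nmap_default 10.0.0.0/30
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.2 ()\tPorts: 53/open/udp//domain//dnsmasq 2.89/, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
# Nmap done at ...
"""

# port / state / proto / owner / service (remaining fields are ignored)
PORT_RE = re.compile(r"^(\d{1,5})/([^/]+)/(tcp|udp)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} for every Ports: field."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                m = PORT_RE.match(entry)
                if m:
                    results[host].append(
                        (int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return dict(results)


def open_ports(text, host, proto="tcp"):
    """Comma-separated ports in state 'open' for one host, ready for nmap -p."""
    ports = sorted(p for p, state, pr, _ in parse_gnmap(text).get(host, [])
                   if state == "open" and pr == proto)
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    print(open_ports(SAMPLE_GNMAP, "10.0.0.1"))          # 22,80
    print(open_ports(SAMPLE_GNMAP, "10.0.0.2", "udp"))   # 53
```

Unlike the grep pipeline, "open|filtered" UDP results are not counted as open, so a follow-up -sV scan only targets ports that actually answered.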

Nmap scripts

banner plus

Quicker scanning and smarter identification

vulners

NSE script based on Vulners.com API

nmapAutomator

A script that you can run in the background!

./nmapAutomator <ip> All

netcat (nc)

TCP/IP swiss army knife

TCP

Connect scan (only checks whether ports are open)

nc -nvv -w 1 -z <ip> <port-range>

UDP

nc -nv -u -z -w 1 <ip> <port-range>

No response means the port is open; otherwise an ICMP port unreachable message is sent back. BUT: the response may get dropped (firewalls, routers, ...) -> false positive

Port knocking

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports.

knockd
/etc/knockd.conf

Actually knock on a port

nmap -Pn -sT --host_timeout 201 --max-retries 0 -p <port> <ip>

or

echo "" > /dev/tcp/<ip>/<port>
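Server side, as an added example that is not from the guide or the knockd project: a minimal /etc/knockd.conf that opens TCP 22 only for the knocking source after the sequence 7000,8000,9000 and closes it again on the reverse sequence. It assumes iptables, sshd on port 22 and an INPUT chain that otherwise drops port 22; the sequence ports are placeholders to change.

```ini
[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

The knock commands above (a SYN to each sequence port in order, all within seq_timeout seconds) are what trigger the open rule, and %IP% is replaced by the knocking client's address so the rule never opens the port to everyone.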

Simple bash port scanner

for i in {1..65535}; do (timeout 1 bash -c "echo > /dev/tcp/<ip>/$i") >/dev/null 2>&1 && echo "$i is open"; done

The timeout 1 wrapper keeps filtered ports (no response at all) from stalling the loop until the kernel's connect timeout expires.

--

Nmap
static-tools/nmap at master · ZephrFish/static-tools · GitHub
GitHub - honze-net/nmap-bootstrap-xsl: A Nmap XSL implementation with Bootstrap.
GitHub - scan-tools/banner-plus.nse
GitHub - vulnersCom/nmap-vulners
GitHub - 21y4d/nmapAutomator
The GNU Netcat -- Official homepage
Wikipedia