Port scanning
Nmap
The Network Mapper - Free Security Scanner Nmap
Common options
-p
Port ranges (default: the 1000 most common ports); -p- scans all ports (1-65535)
-sV
Version detection; completes a full TCP connection to each open port
-sC
Script scanning
-O
OS detection
-A
Aggressive scan options, combines: -O, -sV, -sC, --traceroute
-T<0-5>
Set timing template (higher is faster): 0 paranoid, 1 sneaky, 2 polite, 3 normal, 4 aggressive, 5 insane (default: 3, normal)
-oA
Output in all formats (normal, XML, grepable) to files with the given basename
-sU
UDP scan
-Pn
Skip host discovery, use this option if the host is blocking ping probes.
-v
-vv
Increase verbosity
-d
-dd
Debug output, even more verbose
--max-retries
Set to 1 or 0 to speed up the scan considerably (at some cost in accuracy)
Note: there are many other options, such as more exotic scan types, spoofing IP or MAC addresses, etc.
TCP
Note: Nmap can only perform TCP SYN scans (-sS) when running as a privileged user (root or via sudo); otherwise it falls back to full TCP 3-way handshake connect scans (-sT) by default.
Examples
Light scan
Default scan
Heavy scan
Scan for "safe" vulns
Scan for SMB vulns
UDP
Useful stuff
Get open ports comma separated
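Added example (not part of the original notes): a small parser that extracts the open ports from saved nmap output as a comma-separated list, handling both the normal (-oN) and grepable (-oG) files that -oA writes. The scan output below is constructed for the example; the host, ports and services are not real data.

```python
import re

# Constructed sample of nmap "normal" output (-oN), not a real scan.
NORMAL_OUTPUT = """\
Nmap scan report for example-host (10.0.0.5)
Host is up (0.0010s latency).
Not shown: 996 closed tcp ports
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.9
80/tcp   open     http     nginx 1.18.0
443/tcp  filtered https
8080/tcp open     http-proxy
"""

# Constructed sample of nmap "grepable" output (-oG) for the same host.
GREPABLE_OUTPUT = (
    "Host: 10.0.0.5 (example-host)\tStatus: Up\n"
    "Host: 10.0.0.5 (example-host)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (996)\n"
)

# Normal format: one port per line, e.g. "22/tcp   open     ssh"
NORMAL_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)", re.MULTILINE)
# Grepable format: one field per port, e.g. "22/open/tcp//ssh//OpenSSH 8.9/"
GREPABLE_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")


def open_ports(text: str, proto: str = "tcp") -> list[int]:
    """Return the open ports of the given protocol, sorted and de-duplicated.
    The format is detected from the content: only -oG output carries "Ports:"."""
    if "Ports:" in text:
        found = [(int(p), state, pr) for p, state, pr in GREPABLE_RE.findall(text)]
    else:
        found = [(int(p), state, pr) for p, pr, state in NORMAL_RE.findall(text)]
    return sorted({p for p, state, pr in found if state == "open" and pr == proto})


def ports_csv(text: str, proto: str = "tcp") -> str:
    """Comma-separated form of the open ports, ready to paste into -p."""
    return ",".join(str(p) for p in open_ports(text, proto))


if __name__ == "__main__":
    print(ports_csv(NORMAL_OUTPUT))    # 22,80,8080
    print(ports_csv(GREPABLE_OUTPUT))  # 22,80,8080
```

Filtered and closed ports are deliberately left out, so the list only contains ports that actually answered.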
Nmap scripts
banner plus
Quicker scanning and smarter identification
GitHub - scan-tools/banner-plus.nse
vulners
NSE script based on Vulners.com API
GitHub - vulnersCom/nmap-vulners
nmapAutomator
A script that you can run in the background!
netcat (nc)
TCP/IP swiss army knife
The GNU Netcat -- Official homepage
TCP
Connect scan (only validates if ports are open)
UDP
No response is taken to mean the port is open; a closed port sends back an ICMP port unreachable packet.
BUT: that ICMP response may be dropped (firewalls, routers, ...), so a silent port is not necessarily open -> false positives
Port knocking
In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports.
-- Wikipedia
Actually knock on a port
or
Simple bash port scanner