Scanning

$ sudo arp-scan -l [-s <SPOOFED_IP>] -v
$ sudo arp-scan -I eth0 192.168.0.0/24

$ sudo netdiscover -i eth0 -r 192.168.0.0/24 -p

$ sudo netdiscover -i eth0 -r 192.168.0.0/24 -c 20

$ sudo nmap -n -sn 10.0-255.0-255.1 -oA subnets/gateways -PE [--min-rate 10000 --min-hostgroup 10000]
$ grep 'Up' subnets/gateways.gnmap | cut -d' ' -f2 > subnets/ranges.txt

$ sed -i subnets/ranges.txt -e 's/$/\/24/'

$ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 $NET.$i > /dev/null && echo "$NET.$i" | tee -a sweep.txt &); done
Or
$ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 "$NET.$i" | grep 'bytes from' | cut -d' ' -f4 | cut -d':' -f1 | tee -a sweep.txt &); done

$ sort -u -t'.' -k4,4n sweep.txt > hosts/targets.txt && rm sweep.txt

Cmd > set "NET=10.5.5" && for /L %i in (1,1,255) do @ping -n 1 -w 200 %NET%.%i > nul && echo %NET%.%i > sweep.txt

PS > echo "[*] Scanning in progress...";1..254 |ForEach-Object {Get-WmiObject Win32_PingStatus -Filter "Address='10.10.100.$_' and Timeout=50 and ResolveAddressNames='false' and StatusCode=0" |select ProtocolAddress* |Out-File -Append -FilePath .\sweep.txt};echo "[+] Live hosts:"; Get-Content -Path .\sweep.txt | ? { $_ -match "10.10.100" }; echo "[*] Done.";del .\sweep.txt

PS > $NET="192.168.0";for($i=1;$i -lt 255;$i++){$command="ping -n 1 -w 100 $NET.$i > nul 2>&1 && echo $NET.$i";start-process -nonewwindow cmd -argumentlist "/c $command" -redirectstandardoutput "tmp$i.txt"};cat tmp*.txt > sweep.txt
PS > rm tmp*.txt

$ sudo nmap -n -sn -iL subnets/ranges.txt -oA hosts/pingsweep -PS22,443 -PA21,80 -PE -PP
$ grep 'Up' hosts/pingsweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > hosts/targets.txt

$ sudo nmap -n -Pn -iL subnets/ranges.txt -oA hosts/rmisweep -p22,3389,2222,5900,5985,5986 [--min-rate 1280 --min-hostgroup 256]
$ grep 'open' hosts/rmisweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n >> hosts/targets.txt

$ nc -nv 10.10.13.37 4444 [-C]

$ git clone https://github.com/R3dy/parsenmap-rb ~/tools/parsenmap-rb && cd ~/tools/parsenmap-rb
$ bundle install && ln -s ~/tools/parsenmap-rb/parsenmap.rb /usr/local/bin/parsenmap.rb && cd -
$ parsenmap.rb --help

$ parsenmap.rb services/alltcp-versions.xml > services/alltcp-versions.csv

$ parsenmap.py -i services/alltcp-versions.xml

$ git clone https://github.com/maaaaz/nmaptocsv ~/tools/nmaptocsv && cd ~/tools/nmaptocsv
$ python3 -m pip install -r requirements.txt csvkit && ln -s ~/tools/nmaptocsv/nmaptocsv.py /usr/local/bin/nmaptocsv.py && cd -
$ nmaptocsv.py --help

$ nmaptocsv.py -x services/alltcp-versions.xml -d',' -f ip-fqdn-port-protocol-service-version-os > services/alltcp-versions.csv

$ IP="0.0.0.0"; for p in $(seq 1 49151); do (timeout 1 bash -c "echo '.' >/dev/tcp/$IP/$p && echo OPEN:$p" >> hosts/ports.txt &) 2>/dev/null; done
$ sort -u -t':' -k1,1n hosts/ports.txt > hosts/echo-ports.txt && rm hosts/ports.txt

$ seq 1 49151 | xargs -n1 | xargs -P0 -I {} nc -nzv -w1 0.0.0.0 {} 2>&1 | grep -vE "timed out|now in progress|Connection refused"
$ for i in `prips 192.168.1.0/24`; do proxy nc -nvzw1 $i 445 |& grep open | tee -a 445.txt; sleep $(($MIN+RANDOM % ($MAX-$MIN))); done

$computers = @("PC01", "PC02", "PC03")
foreach ($comp in $computers)
{
    try
    {
        $tcpClient = New-Object System.Net.Sockets.TcpClient
        $tcpClient.Connect($comp, 445)
        if ($tcpClient.Connected) { Write-Host "[+] ${comp}:445: OK" }
        else { Write-Host "[-] ${comp}:445: FAIL" }
        $tcpClient.Close()
    }
    catch
    {
        Write-Host "Error occurred while checking port on $comp"
    }
}

ports_tcp="21,22,23,25,53,80,88,111,135,137,139,389,443,445,593,623,636,873,1090,1098,1099,1433,1521,1947,2049,2222,2375,3268,3269,3306,3389,4444,4445,4786,4848,4990,5432,5555,5556,5900,5985,5986,6066,6379,7000,7001,7002,7003,7004,7070,7071,8000,8001,8002,8003,8080,8081,8082,8088,8383,8443,8500,8686,8880,8888,8983,9000,9001,9002,9003,9012,9100,9200,9389,9503,10999,11099,11111,27017,45000,45001,47001,47002,50500"

ports_udp="53,67,69,88,123,137,161,500,623,3391"

nmap -A ... == nmap -sC -sV -O --traceroute ...

nmap -sn ... == nmap -PS443 -PA80 -PE -PP ...
-PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP protocol ping

$ find /usr/share/nmap/scripts/ -type f | grep smb
Or
$ sudo nmap --script-updatedb
$ cat /usr/share/nmap/scripts/script.db | grep smb

$ sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip `which nmap`
$ nmap --privileged ...

$ cat nmap/initial.nmap | egrep -o '^[0-9]{1,5}' | awk -F/ '{ print $1 }' ORS=','; echo

$ grep '|_' services/alltcp-versions.nmap | cut -d'_' -f2 | cut -d' ' -f1 | sort -u | grep ':'

$ grep -i 'http-title' services/alltcp-versions.nmap

$ sudo masscan --rate 1000 -e tun0 -p1-65535,U:0-65535 127.0.0.1 > masscan/ports
$ ports=`cat masscan/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports

$ sudo nmap -n -Pn --min-rate 1000 -T4 127.0.0.1 -p- -v --open | tee nmap/ports_tcp
$ ports_tcp=`cat nmap/ports_tcp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports_tcp

$ sudo nmap -n -Pn -sU [--max-retries 1] 127.0.0.1 -v --open | tee nmap/ports_udp
$ ports_udp=`cat nmap/ports_udp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVCU [--reason] -oA nmap/udp 127.0.0.1 -p$ports_udp

$ sudo nmap -iL hosts.txt -oA report_udp -sUVC --script-timeout 500 -p53,69,161,500,4500,623,5351,443,55777

#!/usr/bin/env bash

# Usage: ./nmap_single_host.sh <IP>

IP="$1"
OUT="${IP//./-}"

quick_ports_scan="sudo nmap -n -Pn --min-rate 1000 -T4 $IP -p1-65535 --open -v | tee ${OUT}_alltcp_sweep.txt"
echo -e "\033[0;31m########## \033[1;32m${quick_ports_scan}\033[0;31m ##########\033[0m"
eval ${quick_ports_scan}

ports_tcp=`cat "${OUT}_alltcp_sweep.txt" | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`

versions_and_scripts_scan="sudo nmap -Pn -sVC -O -oA ${OUT} $IP -p$ports_tcp"
echo -e "\033[0;31m########## \033[1;32m${versions_and_scripts_scan}\033[0;31m ##########\033[0m"
eval ${versions_and_scripts_scan}

#!/bin/bash

# Usage: ./nmap_visualize.sh <NMAP_OUT.GNMAP>

INPUT=$1
IFS=$'\n'

for line in `grep "Ports:" $INPUT`; do
	echo $line | cut -d ' ' -f 2
	for j in `echo $line | grep -oE "Ports\:.*" | cut -d " " -f 2- | sed 's/, /\n/g'`; do
		PORT=`echo $j | cut -d "/" -f 1,3`
		SERVICE=`echo $j | cut -d "/" -f 7`
		if [ -z "$SERVICE"  ]
		then
			SERVICE=`echo $j | cut -d "/" -f 5`
		fi
		echo "  |___$PORT ( $SERVICE )"
	done
	echo ""
done

unset $IFS

$ sudo nmap -vv -n -Pn --min-rtt-timeout 275ms --max-rtt-timeout 350ms --max-retries 0 --max-scan-delay 0 --min-hostgroup 128 -iL ranges.txt -oA tuned -p 21-23,25,53,111,137,139,445,80,443,3389,5900,8080,8443

$ sudo masscan [-e eth0] --rate 1000 -iL hosts.txt --open -p$ports --resume paused.conf >> masscan.out
$ mkdir services && for p in `echo $ports | tr ',' ' '`; do grep "port $p/tcp" masscan.out | awk -F' ' '{print $6}' | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > "services/port$p.txt"; done

$ sudo rustscan -b 1000 -t 2000 -u 5000 -a hosts.txt -r $ports -g --no-config --scan-order "Random" > rustscan.out

$ sudo wget https://gist.github.com/snovvcrash/8b85b900bd928493cd1ae33b2df318d8/raw/fe8628396616c4bf7a3e25f2c9d1acc2f36af0c0/rustscan-ports-top1000.toml -O /root/.rustscan.toml
$ sudo rustscan -a 10.10.13.37 --top

$ sudo naabu [-interface eth0] -iL hosts.txt -s s -rate 1000 -p - -silent [-nmap-cli 'sudo nmap -v -Pn -sVC -O -oA naabutest']
$ sudo naabu -host 10.10.13.37 -top-ports 1000

PS > Invoke-Portscan -Hosts 127.0.0.0/24 -sn -noProgressMeter -oA sweep
PS > Invoke-Portscan -Hosts 127.0.0.0/24 -T 4 -TopPorts 25 -oA top25
PS > Invoke-Portscan -HostFile .\hosts.txt -Ports 22,80,443,445

$ python3 gateway-finder-imp.py -d 8.8.8.8 -m de:ad:be:af:de:ad -i eth0
$ python3 gateway-finder-imp.py -D file_with_dst_IPs.txt -M file_with_nex_hop_MACs.txt -i eth0 -p 80 443 22 23 8080

$ python3 tracebuster.py 4 udp 192.168.1.0/24 53 2>/dev/null

$ sudo nbtscan -r 10.10.10.0/24

msf > use auxiliary/scanner/netbios/nbname
msf > set RHOSTS file:hosts.txt
msf > run

$ ./nextnet -rate 1000 192.168.1.0/24 | grep nets

Cmd > .\OxidResolver.exe  # query all domain computers
Cmd > .\OxidResolver.exe <IP/HOSTNAME>

$ git clone https://github.com/21y4d/nmapAutomator ~/tools/nmapAutomator && cd ~/tools/nmapAutomator
$ sudo ln -vs `pwd`/nmapAutomator/nmapAutomator.sh /usr/local/bin/

$ nmapAutomator.sh --host 10.1.1.1 --type All