Scanning

Host Discovery

ARP

arp-scan

Active:

$ sudo arp-scan -l [-s <SPOOFED_IP>] -v
$ sudo arp-scan -I eth0 192.168.0.0/24

netdiscover

Passive:

$ sudo netdiscover -i eth0 -r 192.168.0.0/24 -p

Active, sending 20 requests per IP:

$ sudo netdiscover -i eth0 -r 192.168.0.0/24 -c 20

Hunt for Subnets

Take 10.0.0.0/8 as an example:

$ sudo nmap -n -sn 10.0-255.0-255.1 -oA subnets/gateways -PE [--min-rate 10000 --min-hostgroup 10000]
$ grep 'Up' subnets/gateways.gnmap | cut -d' ' -f2 > subnets/ranges.txt

$ sed -i subnets/ranges.txt -e 's/$/\/24/'

Ping Sweep

Bash:

$ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 $NET.$i > /dev/null && echo "$NET.$i" | tee -a sweep.txt &); done
Or
$ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 "$NET.$i" | grep 'bytes from' | cut -d' ' -f4 | cut -d':' -f1 | tee -a sweep.txt &); done

$ sort -u -t'.' -k4,4n sweep.txt > hosts/targets.txt && rm sweep.txt

Batch:

Cmd > set "NET=10.5.5" && for /L %i in (1,1,255) do @ping -n 1 -w 200 %NET%.%i > nul && echo %NET%.%i > sweep.txt

PowerShell (option 1):

PS > echo "[*] Scanning in progress...";1..254 |ForEach-Object {Get-WmiObject Win32_PingStatus -Filter "Address='10.10.100.$_' and Timeout=50 and ResolveAddressNames='false' and StatusCode=0" |select ProtocolAddress* |Out-File -Append -FilePath .\sweep.txt};echo "[+] Live hosts:"; Get-Content -Path .\sweep.txt | ? { $_ -match "10.10.100" }; echo "[*] Done.";del .\sweep.txt

PowerShell (option 2):

PS > $NET="192.168.0";for($i=1;$i -lt 255;$i++){$command="ping -n 1 -w 100 $NET.$i > nul 2>&1 && echo $NET.$i";start-process -nonewwindow cmd -argumentlist "/c $command" -redirectstandardoutput "tmp$i.txt"};cat tmp*.txt > sweep.txt
PS > rm tmp*.txt

Nmap:

$ sudo nmap -n -sn -iL subnets/ranges.txt -oA hosts/pingsweep -PS22,443 -PA21,80 -PE -PP
$ grep 'Up' hosts/pingsweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > hosts/targets.txt

RMI Sweep

Remote Management Interfaces:

PortService

22

SSH

3389

RDP

2222

SSH?

5900

VNC

5985

WinRM

5986

WinRM over SSL/TLS

Nmap:

$ sudo nmap -n -Pn -iL subnets/ranges.txt -oA hosts/rmisweep -p22,3389,2222,5900,5985,5986 [--min-rate 1280 --min-hostgroup 256]
$ grep 'open' hosts/rmisweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n >> hosts/targets.txt

Services

Raw Identification

$ nc -nv 10.10.13.37 4444 [-C]

Nmap XML Parsers

parsenmap.rb

$ git clone https://github.com/R3dy/parsenmap-rb ~/tools/parsenmap-rb && cd ~/tools/parsenmap-rb
$ bundle install && ln -s ~/tools/parsenmap-rb/parsenmap.rb /usr/local/bin/parsenmap.rb && cd -
$ parsenmap.rb --help

Examine version scan:

$ parsenmap.rb services/alltcp-versions.xml > services/alltcp-versions.csv

Split version scan by service names:

$ parsenmap.py -i services/alltcp-versions.xml

nmaptocsv

$ git clone https://github.com/maaaaz/nmaptocsv ~/tools/nmaptocsv && cd ~/tools/nmaptocsv
$ python3 -m pip install -r requirements.txt csvkit && ln -s ~/tools/nmaptocsv/nmaptocsv.py /usr/local/bin/nmaptocsv.py && cd -
$ nmaptocsv.py --help

Examine version scan:

$ nmaptocsv.py -x services/alltcp-versions.xml -d',' -f ip-fqdn-port-protocol-service-version-os > services/alltcp-versions.csv

Ports

Scan with echo:

$ IP="0.0.0.0"; for p in $(seq 1 49151); do (timeout 1 bash -c "echo '.' >/dev/tcp/$IP/$p && echo OPEN:$p" >> hosts/ports.txt &) 2>/dev/null; done
$ sort -u -t':' -k1,1n hosts/ports.txt > hosts/echo-ports.txt && rm hosts/ports.txt

Scan with nc:

$ seq 1 49151 | xargs -n1 | xargs -P0 -I {} nc -nzv -w1 0.0.0.0 {} 2>&1 | grep -vE "timed out|now in progress|Connection refused"
$ for i in `prips 192.168.1.0/24`; do proxy nc -nvzw1 $i 445 |& grep open | tee -a 445.txt; sleep $(($MIN+RANDOM % ($MAX-$MIN))); done

Scan with PowerShell:

$computers = @("PC01", "PC02", "PC03")
foreach ($comp in $computers)
{
    try
    {
        $tcpClient = New-Object System.Net.Sockets.TcpClient
        $tcpClient.Connect($comp, 445)
        if ($tcpClient.Connected) { Write-Host "[+] ${comp}:445: OK" }
        else { Write-Host "[-] ${comp}:445: FAIL" }
        $tcpClient.Close()
    }
    catch
    {
        Write-Host "Error occurred while checking port on $comp"
    }
}

Top TCP ports:

PortService

21

FTP

22,2222

SSH

23

Telnet

25

SMTP

53

DNS

80,8080

HTTP

88

KDC

111

SUNRPC

135

MSRPC

137

NetBIOS

139,445

SMB over NetBIOS,SMB over TCP/IP

389,636

LDAP,LDAP over SSL/TLS

443,8443

SSL/TLS

593

HTTP RPC Endpoint Mapper

623

IPMI

873

RSYNC

1090,1098,1099,4444,11099,47001,47002,10999

Java RMI

1433

MS SQL

1521

Oracle

1947

HASP License Manager

2049

NFS

2375

Docker

3268,3269

Microsoft Global Catalog

3306

MySQL/MariaDB

3389

RDP

4786

Cisco Smart Install

4848

GlassFish

4990

Atlassian Crowd

5432

PostgreSQL

5555,5556

HP Data Protector

5900

VNC

5985,5986

WinRM,WinRM over SSL/TLS

6066

Apache Spark

6379

Redis

7000-7004,8000-8003,9000-9003,9503,7070,7071

WebLogic

8081,8082

JFrog Artifactory

8088

Apache Hadoop

8383

Zoho Manageengine Desktop

8500

Hashicorp Consul

8686,9012,50500

JMX

8880

IBM WebSphere

8888

Tornado

8983

Apache Solr

9000

Portainer

9100

TCP/IP Printing

9200

Elasticsearch

9389

Active Directory Web Services

11111,4444,4445

jBoss

27017

MongoDB

45000,45001

JDWP

TCP one-liner:

ports_tcp="21,22,23,25,53,80,88,111,135,137,139,389,443,445,593,623,636,873,1090,1098,1099,1433,1521,1947,2049,2222,2375,3268,3269,3306,3389,4444,4445,4786,4848,4990,5432,5555,5556,5900,5985,5986,6066,6379,7000,7001,7002,7003,7004,7070,7071,8000,8001,8002,8003,8080,8081,8082,8088,8383,8443,8500,8686,8880,8888,8983,9000,9001,9002,9003,9012,9100,9200,9389,9503,10999,11099,11111,27017,45000,45001,47001,47002,50500"

Top UDP ports:

PortService

53

DNS

67

DHCP

69

TFTP

88

KDC

123

NTP

137

NetBIOS

161

SNMP

500

IKE

623

IPMI

3391

RD Gateway

UDP one-liner:

ports_udp="53,67,69,88,123,137,161,500,623,3391"

Nmap

Flag -A:

nmap -A ... == nmap -sC -sV -O --traceroute ...

Host discovery flag:

nmap -sn ... == nmap -PS443 -PA80 -PE -PP ...
-PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP protocol ping

Search for Nmap NSE scripts:

$ find /usr/share/nmap/scripts/ -type f | grep smb
Or
$ sudo nmap --script-updatedb
$ cat /usr/share/nmap/scripts/script.db | grep smb

Configure Nmap to run as unprivileged user by setting Linux capabilities:

$ sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip `which nmap`
$ nmap --privileged ...

Grep only numbers to get a comma-separated list of ports:

$ cat nmap/initial.nmap | egrep -o '^[0-9]{1,5}' | awk -F/ '{ print $1 }' ORS=','; echo

Define which NSE scripts were ran:

$ grep '|_' services/alltcp-versions.nmap | cut -d'_' -f2 | cut -d' ' -f1 | sort -u | grep ':'

Look at HTTP titles:

$ grep -i 'http-title' services/alltcp-versions.nmap

Fast port discovery with Masscan + versions and scripts with Nmap (TCP):

$ sudo masscan --rate 1000 -e tun0 -p1-65535,U:0-65535 127.0.0.1 > masscan/ports
$ ports=`cat masscan/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports

Fast port discovery with Nmap + versions and scripts with Nmap (TCP & UDP):

$ sudo nmap -n -Pn --min-rate 1000 -T4 127.0.0.1 -p- -v --open | tee nmap/ports_tcp
$ ports_tcp=`cat nmap/ports_tcp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports_tcp

$ sudo nmap -n -Pn -sU [--max-retries 1] 127.0.0.1 -v --open | tee nmap/ports_udp
$ ports_udp=`cat nmap/ports_udp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVCU [--reason] -oA nmap/udp 127.0.0.1 -p$ports_udp

Fast UDP:

$ sudo nmap -iL hosts.txt -oA report_udp -sUVC --script-timeout 500 -p53,69,161,500,4500,623,5351,443,55777

Nmap a single host helper (full TCP), output is placed in CWD:

nmap_single_host.sh
#!/usr/bin/env bash

# Usage: ./nmap_single_host.sh <IP>

IP="$1"
OUT="${IP//./-}"

quick_ports_scan="sudo nmap -n -Pn --min-rate 1000 -T4 $IP -p1-65535 --open -v | tee ${OUT}_alltcp_sweep.txt"
echo -e "\033[0;31m########## \033[1;32m${quick_ports_scan}\033[0;31m ##########\033[0m"
eval ${quick_ports_scan}

ports_tcp=`cat "${OUT}_alltcp_sweep.txt" | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`

versions_and_scripts_scan="sudo nmap -Pn -sVC -O -oA ${OUT} $IP -p$ports_tcp"
echo -e "\033[0;31m########## \033[1;32m${versions_and_scripts_scan}\033[0;31m ##########\033[0m"
eval ${versions_and_scripts_scan}

Visualizes a grepable Nmap output in terminal (run the scan with --open):

nmap_visualize.sh
#!/bin/bash

# Usage: ./nmap_visualize.sh <NMAP_OUT.GNMAP>

INPUT=$1
IFS=$'\n'

for line in `grep "Ports:" $INPUT`; do
	echo $line | cut -d ' ' -f 2
	for j in `echo $line | grep -oE "Ports\:.*" | cut -d " " -f 2- | sed 's/, /\n/g'`; do
		PORT=`echo $j | cut -d "/" -f 1,3`
		SERVICE=`echo $j | cut -d "/" -f 7`
		if [ -z "$SERVICE"  ]
		then
			SERVICE=`echo $j | cut -d "/" -f 5`
		fi
		echo "  |___$PORT ( $SERVICE )"
	done
	echo ""
done

unset $IFS

A tuned initial recon in a large range (stolen from here):

$ sudo nmap -vv -n -Pn --min-rtt-timeout 275ms --max-rtt-timeout 350ms --max-retries 0 --max-scan-delay 0 --min-hostgroup 128 -iL ranges.txt -oA tuned -p 21-23,25,53,111,137,139,445,80,443,3389,5900,8080,8443

Masscan

$ sudo masscan [-e eth0] --rate 1000 -iL hosts.txt --open -p$ports --resume paused.conf >> masscan.out
$ mkdir services && for p in `echo $ports | tr ',' ' '`; do grep "port $p/tcp" masscan.out | awk -F' ' '{print $6}' | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > "services/port$p.txt"; done

RustScan

$ sudo rustscan -b 1000 -t 2000 -u 5000 -a hosts.txt -r $ports -g --no-config --scan-order "Random" > rustscan.out

Scan Nmap top 1000 TCP ports:

$ sudo wget https://gist.github.com/snovvcrash/8b85b900bd928493cd1ae33b2df318d8/raw/fe8628396616c4bf7a3e25f2c9d1acc2f36af0c0/rustscan-ports-top1000.toml -O /root/.rustscan.toml
$ sudo rustscan -a 10.10.13.37 --top

Naabu

$ sudo naabu [-interface eth0] -iL hosts.txt -s s -rate 1000 -p - -silent [-nmap-cli 'sudo nmap -v -Pn -sVC -O -oA naabutest']
$ sudo naabu -host 10.10.13.37 -top-ports 1000

Invoke-Portscan

PS > Invoke-Portscan -Hosts 127.0.0.0/24 -sn -noProgressMeter -oA sweep
PS > Invoke-Portscan -Hosts 127.0.0.0/24 -T 4 -TopPorts 25 -oA top25
PS > Invoke-Portscan -HostFile .\hosts.txt -Ports 22,80,443,445

PowerShell_IPv4 Scanner

Hunt for Gateways & NICs

Search for gateways and dual-homed hosts.

gateway-finder-imp

$ python3 gateway-finder-imp.py -d 8.8.8.8 -m de:ad:be:af:de:ad -i eth0
$ python3 gateway-finder-imp.py -D file_with_dst_IPs.txt -M file_with_nex_hop_MACs.txt -i eth0 -p 80 443 22 23 8080

tracebuster

$ python3 tracebuster.py 4 udp 192.168.1.0/24 53 2>/dev/null

cornershot

NetBIOS

nbtscan

$ sudo nbtscan -r 10.10.10.0/24

nbname (MSF)

msf > use auxiliary/scanner/netbios/nbname
msf > set RHOSTS file:hosts.txt
msf > run

nextnet

$ ./nextnet -rate 1000 192.168.1.0/24 | grep nets

RPC via IOXIDResolver

PingCastle

Double click > scanner > oxidbindings > all.

SharpOxidResolver

Cmd > .\OxidResolver.exe  # query all domain computers
Cmd > .\OxidResolver.exe <IP/HOSTNAME>

Tools

AutoRecon

legion

nmapAutomator

Install:

$ git clone https://github.com/21y4d/nmapAutomator ~/tools/nmapAutomator && cd ~/tools/nmapAutomator
$ sudo ln -vs `pwd`/nmapAutomator/nmapAutomator.sh /usr/local/bin/

Run:

$ nmapAutomator.sh --host 10.1.1.1 --type All

Last updated