# Scanning

* <https://bitvijays.github.io/LFF-IPS-P1-IntelligenceGathering.html#identifying-alive-ip-addresses>
* <https://livebook.manning.com/book/penetrating-enterprise-networks/chapter-2/>
* <https://www.offensive-security.com/offsec/pythonizing-nmap/>
* <https://github.com/gh0x0st/pythonizing_nmap>
* <https://github.com/lmsecure/LMS.NetMap>

## Host Discovery

### ARP

* <http://edublog.bitcrack.net/2016/09/scanning-network-using-netdiscover-arp.html>
* <https://null-byte.wonderhowto.com/how-to/use-abuse-address-resolution-protocol-arp-locate-hosts-network-0150333/>
* <https://www.blackhillsinfosec.com/analyzing-arp-to-discover-exploit-stale-network-address-configurations/>

#### arp-scan

Active:

```
$ sudo arp-scan -l [-s <SPOOFED_IP>] -v
$ sudo arp-scan -I eth0 192.168.0.0/24
```

#### netdiscover

Passive:

```
$ sudo netdiscover -i eth0 -r 192.168.0.0/24 -p
```

Active, sending 20 requests per IP:

```
$ sudo netdiscover -i eth0 -r 192.168.0.0/24 -c 20
```

### Hunt for Subnets

* <https://hub.packtpub.com/optimize-scans/>

Take `10.0.0.0/8` as an example:

```
$ sudo nmap -n -sn 10.0-255.0-255.1 -oA subnets/gateways -PE [--min-rate 10000 --min-hostgroup 10000]
$ grep 'Up' subnets/gateways.gnmap | cut -d' ' -f2 > subnets/ranges.txt

$ sed -i subnets/ranges.txt -e 's/$/\/24/'
```

### Ping Sweep

Bash:

```
$ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 $NET.$i > /dev/null && echo "$NET.$i" | tee -a sweep.txt &); done
Or
$ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 "$NET.$i" | grep 'bytes from' | cut -d' ' -f4 | cut -d':' -f1 | tee -a sweep.txt &); done

$ sort -u -t'.' -k4,4n sweep.txt > hosts/targets.txt && rm sweep.txt
```

Batch:

```
Cmd > set "NET=10.5.5" && for /L %i in (1,1,255) do @ping -n 1 -w 200 %NET%.%i > nul && echo %NET%.%i > sweep.txt
```

PowerShell (option 1):

```
PS > echo "[*] Scanning in progress...";1..254 |ForEach-Object {Get-WmiObject Win32_PingStatus -Filter "Address='10.10.100.$_' and Timeout=50 and ResolveAddressNames='false' and StatusCode=0" |select ProtocolAddress* |Out-File -Append -FilePath .\sweep.txt};echo "[+] Live hosts:"; Get-Content -Path .\sweep.txt | ? { $_ -match "10.10.100" }; echo "[*] Done.";del .\sweep.txt
```

PowerShell (option 2):

```
PS > $NET="192.168.0";for($i=1;$i -lt 255;$i++){$command="ping -n 1 -w 100 $NET.$i > nul 2>&1 && echo $NET.$i";start-process -nonewwindow cmd -argumentlist "/c $command" -redirectstandardoutput "tmp$i.txt"};cat tmp*.txt > sweep.txt
PS > rm tmp*.txt
```

Nmap:

```
$ sudo nmap -n -sn -iL subnets/ranges.txt -oA hosts/pingsweep -PS22,443 -PA21,80 -PE -PP
$ grep 'Up' hosts/pingsweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > hosts/targets.txt
```

### RMI Sweep

Remote Management Interfaces:

| Port | Service            |
| ---- | ------------------ |
| 22   | SSH                |
| 3389 | RDP                |
| 2222 | SSH?               |
| 5900 | VNC                |
| 5985 | WinRM              |
| 5986 | WinRM over SSL/TLS |

Nmap:

```
$ sudo nmap -n -Pn -iL subnets/ranges.txt -oA hosts/rmisweep -p22,3389,2222,5900,5985,5986 [--min-rate 1280 --min-hostgroup 256]
$ grep 'open' hosts/rmisweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n >> hosts/targets.txt
```

## Services

### Raw Identification

```
$ nc -nv 10.10.13.37 4444 [-C]
```

### Nmap XML Parsers

#### parsenmap.rb

* <https://github.com/R3dy/parsenmap>

```
$ git clone https://github.com/R3dy/parsenmap-rb ~/tools/parsenmap-rb && cd ~/tools/parsenmap-rb
$ bundle install && ln -s ~/tools/parsenmap-rb/parsenmap.rb /usr/local/bin/parsenmap.rb && cd -
$ parsenmap.rb --help
```

Examine version scan:

```
$ parsenmap.rb services/alltcp-versions.xml > services/alltcp-versions.csv
```

Split version scan by service names:

```
$ parsenmap.py -i services/alltcp-versions.xml
```

#### nmaptocsv

* <https://github.com/maaaaz/nmaptocsv>

```
$ git clone https://github.com/maaaaz/nmaptocsv ~/tools/nmaptocsv && cd ~/tools/nmaptocsv
$ python3 -m pip install -r requirements.txt csvkit && ln -s ~/tools/nmaptocsv/nmaptocsv.py /usr/local/bin/nmaptocsv.py && cd -
$ nmaptocsv.py --help
```

Examine version scan:

```
$ nmaptocsv.py -x services/alltcp-versions.xml -d',' -f ip-fqdn-port-protocol-service-version-os > services/alltcp-versions.csv
```

### Ports

Scan with `echo`:

```
$ IP="0.0.0.0"; for p in $(seq 1 49151); do (timeout 1 bash -c "echo '.' >/dev/tcp/$IP/$p && echo OPEN:$p" >> hosts/ports.txt &) 2>/dev/null; done
$ sort -u -t':' -k1,1n hosts/ports.txt > hosts/echo-ports.txt && rm hosts/ports.txt
```

Scan with `nc`:

```
$ seq 1 49151 | xargs -n1 | xargs -P0 -I {} nc -nzv -w1 0.0.0.0 {} 2>&1 | grep -vE "timed out|now in progress|Connection refused"
$ for i in `prips 192.168.1.0/24`; do proxy nc -nvzw1 $i 445 |& grep open | tee -a 445.txt; sleep $(($MIN+RANDOM % ($MAX-$MIN))); done
```

Scan with PowerShell:

```powershell
$computers = @("PC01", "PC02", "PC03")
foreach ($comp in $computers)
{
    try
    {
        $tcpClient = New-Object System.Net.Sockets.TcpClient
        $tcpClient.Connect($comp, 445)
        if ($tcpClient.Connected) { Write-Host "[+] ${comp}:445: OK" }
        else { Write-Host "[-] ${comp}:445: FAIL" }
        $tcpClient.Close()
    }
    catch
    {
        Write-Host "Error occurred while checking port on $comp"
    }
}
```

Top TCP ports:

| Port                                         | Service                          |
| -------------------------------------------- | -------------------------------- |
| 21                                           | FTP                              |
| 22,2222                                      | SSH                              |
| 23                                           | Telnet                           |
| 25                                           | SMTP                             |
| 53                                           | DNS                              |
| 80,8080                                      | HTTP                             |
| 88                                           | KDC                              |
| 111                                          | SUNRPC                           |
| 135                                          | MSRPC                            |
| 137                                          | NetBIOS                          |
| 139,445                                      | SMB over NetBIOS,SMB over TCP/IP |
| 389,636                                      | LDAP,LDAP over SSL/TLS           |
| 443,8443                                     | SSL/TLS                          |
| 593                                          | HTTP RPC Endpoint Mapper         |
| 623                                          | IPMI                             |
| 873                                          | RSYNC                            |
| 1090,1098,1099,4444,11099,47001,47002,10999  | Java RMI                         |
| 1433                                         | MS SQL                           |
| 1521                                         | Oracle                           |
| 1947                                         | HASP License Manager             |
| 2049                                         | NFS                              |
| 2375                                         | Docker                           |
| 3268,3269                                    | Microsoft Global Catalog         |
| 3306                                         | MySQL/MariaDB                    |
| 3389                                         | RDP                              |
| 4786                                         | Cisco Smart Install              |
| 4848                                         | GlassFish                        |
| 4899                                         | Radmin Server                    |
| 4990                                         | Atlassian Crowd                  |
| 5432                                         | PostgreSQL                       |
| 5555,5556                                    | HP Data Protector                |
| 5900                                         | VNC                              |
| 5985,5986                                    | WinRM,WinRM over SSL/TLS         |
| 6066                                         | Apache Spark                     |
| 6379                                         | Redis                            |
| 7000-7004,8000-8003,9000-9003,9503,7070,7071 | WebLogic                         |
| 8081,8082                                    | JFrog Artifactory                |
| 8088                                         | Apache Hadoop                    |
| 8383                                         | Zoho Manageengine Desktop        |
| 8500                                         | Hashicorp Consul                 |
| 8686,9012,50500                              | JMX                              |
| 8880                                         | IBM WebSphere                    |
| 8888                                         | Tornado                          |
| 8983                                         | Apache Solr                      |
| 9000                                         | Portainer                        |
| 9100                                         | TCP/IP Printing                  |
| 9200                                         | Elasticsearch                    |
| 9389                                         | Active Directory Web Services    |
| 11111,4444,4445                              | jBoss                            |
| 27017                                        | MongoDB                          |
| 45000,45001                                  | JDWP                             |

TCP one-liner:

```
ports_tcp="21,22,23,25,53,80,88,111,135,137,139,389,443,445,593,623,636,873,1090,1098,1099,1433,1521,1947,2049,2222,2375,3268,3269,3306,3389,4444,4445,4786,4848,4899,4990,5432,5555,5556,5900,5985,5986,6066,6379,7000,7001,7002,7003,7004,7070,7071,8000,8001,8002,8003,8080,8081,8082,8088,8383,8443,8500,8686,8880,8888,8983,9000,9001,9002,9003,9012,9100,9200,9389,9503,10999,11099,11111,27017,45000,45001,47001,47002,50500"
```

Top UDP ports:

| Port | Service    |
| ---- | ---------- |
| 53   | DNS        |
| 67   | DHCP       |
| 69   | TFTP       |
| 88   | KDC        |
| 123  | NTP        |
| 137  | NetBIOS    |
| 161  | SNMP       |
| 500  | IKE        |
| 623  | IPMI       |
| 3391 | RD Gateway |

UDP one-liner:

```
ports_udp="53,67,69,88,123,137,161,500,623,3391"
```

#### Nmap

* <https://www.infosecmatter.com/why-does-nmap-need-root-privileges/>

Flag `-A`:

```
nmap -A ... == nmap -sC -sV -O --traceroute ...
```

Host discovery flag:

```
nmap -sn ... == nmap -PS443 -PA80 -PE -PP ...
-PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP protocol ping
```

Search for Nmap NSE scripts:

```
$ find /usr/share/nmap/scripts/ -type f | grep smb
Or
$ sudo nmap --script-updatedb
$ cat /usr/share/nmap/scripts/script.db | grep smb
```

Configure Nmap to run as unprivileged user by setting Linux capabilities:

```
$ sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip `which nmap`
$ nmap --privileged ...
```

Grep only numbers to get a comma-separated list of ports:

```
$ cat nmap/initial.nmap | egrep -o '^[0-9]{1,5}' | awk -F/ '{ print $1 }' ORS=','; echo
```

Define which NSE scripts were ran:

```
$ grep '|_' services/alltcp-versions.nmap | cut -d'_' -f2 | cut -d' ' -f1 | sort -u | grep ':'
```

Look at HTTP titles:

```
$ grep -i 'http-title' services/alltcp-versions.nmap
```

Fast port discovery with Masscan + versions and scripts with Nmap (TCP):

```
$ sudo masscan --rate 1000 -e tun0 -p1-65535,U:0-65535 127.0.0.1 > masscan/ports
$ ports=`cat masscan/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports
```

Fast port discovery with Nmap + versions and scripts with Nmap (TCP & UDP):

```
$ sudo nmap -n -Pn --min-rate 1000 -T4 127.0.0.1 -p- -v --open | tee nmap/ports_tcp
$ ports_tcp=`cat nmap/ports_tcp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports_tcp

$ sudo nmap -n -Pn -sU [--max-retries 1] 127.0.0.1 -v --open | tee nmap/ports_udp
$ ports_udp=`cat nmap/ports_udp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVCU [--reason] -oA nmap/udp 127.0.0.1 -p$ports_udp
```

Fast UDP:

```
$ sudo nmap -iL hosts.txt -oA report_udp -sUVC --script-timeout 500 -p53,69,161,500,4500,623,5351,443,55777
```

Nmap a single host helper (full TCP), output is placed in CWD:

{% code title="nmap\_single\_host.sh" %}

```bash
#!/usr/bin/env bash

# Usage: ./nmap_single_host.sh <IP>

IP="$1"
OUT="${IP//./-}"

quick_ports_scan="sudo nmap -n -Pn --min-rate 1000 -T4 $IP -p1-65535 --open -v | tee ${OUT}_alltcp_sweep.txt"
echo -e "\033[0;31m########## \033[1;32m${quick_ports_scan}\033[0;31m ##########\033[0m"
eval ${quick_ports_scan}

ports_tcp=`cat "${OUT}_alltcp_sweep.txt" | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`

versions_and_scripts_scan="sudo nmap -Pn -sVC -O -oA ${OUT} $IP -p$ports_tcp"
echo -e "\033[0;31m########## \033[1;32m${versions_and_scripts_scan}\033[0;31m ##########\033[0m"
eval ${versions_and_scripts_scan}
```

{% endcode %}

Visualizes a grepable Nmap output in terminal (run the scan with `--open`):

{% code title="nmap\_visualize.sh" %}

```bash
#!/bin/bash

# Usage: ./nmap_visualize.sh <NMAP_OUT.GNMAP>

INPUT=$1
IFS=$'\n'

for line in `grep "Ports:" $INPUT`; do
	echo $line | cut -d ' ' -f 2
	for j in `echo $line | grep -oE "Ports\:.*" | cut -d " " -f 2- | sed 's/, /\n/g'`; do
		PORT=`echo $j | cut -d "/" -f 1,3`
		SERVICE=`echo $j | cut -d "/" -f 7`
		if [ -z "$SERVICE"  ]
		then
			SERVICE=`echo $j | cut -d "/" -f 5`
		fi
		echo "  |___$PORT ( $SERVICE )"
	done
	echo ""
done

unset $IFS
```

{% endcode %}

A tuned initial recon in a large range (stolen from [here](https://redsiege.com/blog/2022/07/beyondt4/)):

```
$ sudo nmap -vv -n -Pn --min-rtt-timeout 275ms --max-rtt-timeout 350ms --max-retries 0 --max-scan-delay 0 --min-hostgroup 128 -iL ranges.txt -oA tuned -p 21-23,25,53,111,137,139,445,80,443,3389,5900,8080,8443
```

#### Masscan

* <https://github.com/robertdavidgraham/masscan>

```
$ sudo masscan [-e eth0] --rate 1000 -iL hosts.txt --open -p$ports --resume paused.conf >> masscan.out
$ mkdir services && for p in `echo $ports | tr ',' ' '`; do grep "port $p/tcp" masscan.out | awk -F' ' '{print $6}' | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > "services/port$p.txt"; done
```

#### RustScan

* <https://github.com/RustScan/RustScan/wiki/Usage>

```
$ sudo rustscan -b 1000 -t 2000 -u 5000 -a hosts.txt -r $ports -g --no-config --scan-order "Random" > rustscan.out
```

Scan Nmap top 1000 TCP ports:

* <https://github.com/RustScan/RustScan/wiki/Config-File>

```
$ sudo wget https://gist.github.com/snovvcrash/8b85b900bd928493cd1ae33b2df318d8/raw/fe8628396616c4bf7a3e25f2c9d1acc2f36af0c0/rustscan-ports-top1000.toml -O /root/.rustscan.toml
$ sudo rustscan -a 10.10.13.37 --top
```

#### Naabu

* <https://github.com/projectdiscovery/naabu/releases>

```
$ sudo naabu [-interface eth0] -iL hosts.txt -s s -rate 1000 -p - -silent [-nmap-cli 'sudo nmap -v -Pn -sVC -O -oA naabutest']
$ sudo naabu -host 10.10.13.37 -top-ports 1000
```

#### Invoke-Portscan

* <https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1>
* <https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Portscan/>
* <https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/portscan.ps1>

```
PS > Invoke-Portscan -Hosts 127.0.0.0/24 -sn -noProgressMeter -oA sweep
PS > Invoke-Portscan -Hosts 127.0.0.0/24 -T 4 -TopPorts 25 -oA top25
PS > Invoke-Portscan -HostFile .\hosts.txt -Ports 22,80,443,445
```

#### PowerShell\_IPv4 Scanner

* <https://github.com/BornToBeRoot/PowerShell_IPv4NetworkScanner>
* <https://github.com/BornToBeRoot/PowerShell_IPv4PortScanner>

## Hunt for Gateways & NICs

* <https://s3cur3th1ssh1t.github.io/On-how-to-access-protected-networks/>

Search for gateways and dual-homed hosts.

### gateway-finder-imp

* <https://github.com/whitel1st/gateway-finder-imp>

```
$ python3 gateway-finder-imp.py -d 8.8.8.8 -m de:ad:be:af:de:ad -i eth0
$ python3 gateway-finder-imp.py -D file_with_dst_IPs.txt -M file_with_nex_hop_MACs.txt -i eth0 -p 80 443 22 23 8080
```

### tracebuster

* <https://github.com/s0i37/net/blob/main/tracebuster.py>

```
$ python3 tracebuster.py 4 udp 192.168.1.0/24 53 2>/dev/null
```

### cornershot

* <https://github.com/zeronetworks/cornershot>
* <https://zeronetworks.com/blog/adversary-resilience-via-least-privilege-networking-part-1/>

### NetBIOS

#### nbtscan

```
$ sudo nbtscan -r 10.10.10.0/24
```

#### nbname (MSF)

```
msf > use auxiliary/scanner/netbios/nbname
msf > set RHOSTS file:hosts.txt
msf > run
```

#### nextnet

* <https://github.com/hdm/nextnet>

```
$ ./nextnet -rate 1000 192.168.1.0/24 | grep nets
```

### RPC via IOXIDResolver

#### PingCastle

* <https://github.com/vletoux/pingcastle/releases>

Double click > `scanner` > `oxidbindings` > `all`.

#### SharpOxidResolver

* <https://github.com/S3cur3Th1sSh1t/SharpOxidResolver/releases>

```
Cmd > .\OxidResolver.exe  # query all domain computers
Cmd > .\OxidResolver.exe <IP/HOSTNAME>
```

## Tools

### AutoRecon

* <https://github.com/Tib3rius/AutoRecon>

### legion

* <https://github.com/carlospolop/legion>

### nmapAutomator

* <https://github.com/21y4d/nmapAutomator>

Install:

```
$ git clone https://github.com/21y4d/nmapAutomator ~/tools/nmapAutomator && cd ~/tools/nmapAutomator
$ sudo ln -vs `pwd`/nmapAutomator/nmapAutomator.sh /usr/local/bin/
```

Run:

```
$ nmapAutomator.sh --host 10.1.1.1 --type All
```