# Scanning * * * * * ## Host Discovery ### ARP * * * #### arp-scan Active: ``` $ sudo arp-scan -l [-s ] -v $ sudo arp-scan -I eth0 192.168.0.0/24 ``` #### netdiscover Passive: ``` $ sudo netdiscover -i eth0 -r 192.168.0.0/24 -p ``` Active, sending 20 requests per IP: ``` $ sudo netdiscover -i eth0 -r 192.168.0.0/24 -c 20 ``` ### Hunt for Subnets * Take `10.0.0.0/8` as an example: ``` $ sudo nmap -n -sn 10.0-255.0-255.1 -oA subnets/gateways -PE [--min-rate 10000 --min-hostgroup 10000] $ grep 'Up' subnets/gateways.gnmap | cut -d' ' -f2 > subnets/ranges.txt $ sed -i subnets/ranges.txt -e 's/$/\/24/' ``` ### Ping Sweep Bash: ``` $ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 $NET.$i > /dev/null && echo "$NET.$i" | tee -a sweep.txt &); done Or $ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 "$NET.$i" | grep 'bytes from' | cut -d' ' -f4 | cut -d':' -f1 | tee -a sweep.txt &); done $ sort -u -t'.' -k4,4n sweep.txt > hosts/targets.txt && rm sweep.txt ``` Batch: ``` Cmd > set "NET=10.5.5" && for /L %i in (1,1,255) do @ping -n 1 -w 200 %NET%.%i > nul && echo %NET%.%i > sweep.txt ``` PowerShell (option 1): ``` PS > echo "[*] Scanning in progress...";1..254 |ForEach-Object {Get-WmiObject Win32_PingStatus -Filter "Address='10.10.100.$_' and Timeout=50 and ResolveAddressNames='false' and StatusCode=0" |select ProtocolAddress* |Out-File -Append -FilePath .\sweep.txt};echo "[+] Live hosts:"; Get-Content -Path .\sweep.txt | ? { $_ -match "10.10.100" }; echo "[*] Done.";del .\sweep.txt ``` PowerShell (option 2): ``` PS > $NET="192.168.0";for($i=1;$i -lt 255;$i++){$command="ping -n 1 -w 100 $NET.$i > nul 2>&1 && echo $NET.$i";start-process -nonewwindow cmd -argumentlist "/c $command" -redirectstandardoutput "tmp$i.txt"};cat tmp*.txt > sweep.txt PS > rm tmp*.txt ``` Nmap: ``` $ sudo nmap -n -sn -iL subnets/ranges.txt -oA hosts/pingsweep -PS22,443 -PA21,80 -PE -PP $ grep 'Up' hosts/pingsweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > hosts/targets.txt ``` ### RMI Sweep Remote Management Interfaces: | Port | Service | | ---- | ------------------ | | 22 | SSH | | 3389 | RDP | | 2222 | SSH? | | 5900 | VNC | | 5985 | WinRM | | 5986 | WinRM over SSL/TLS | Nmap: ``` $ sudo nmap -n -Pn -iL subnets/ranges.txt -oA hosts/rmisweep -p22,3389,2222,5900,5985,5986 [--min-rate 1280 --min-hostgroup 256] $ grep 'open' hosts/rmisweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n >> hosts/targets.txt ``` ## Services ### Raw Identification ``` $ nc -nv 10.10.13.37 4444 [-C] ``` ### Nmap XML Parsers #### parsenmap.rb * ``` $ git clone https://github.com/R3dy/parsenmap-rb ~/tools/parsenmap-rb && cd ~/tools/parsenmap-rb $ bundle install && ln -s ~/tools/parsenmap-rb/parsenmap.rb /usr/local/bin/parsenmap.rb && cd - $ parsenmap.rb --help ``` Examine version scan: ``` $ parsenmap.rb services/alltcp-versions.xml > services/alltcp-versions.csv ``` Split version scan by service names: ``` $ parsenmap.py -i services/alltcp-versions.xml ``` #### nmaptocsv * ``` $ git clone https://github.com/maaaaz/nmaptocsv ~/tools/nmaptocsv && cd ~/tools/nmaptocsv $ python3 -m pip install -r requirements.txt csvkit && ln -s ~/tools/nmaptocsv/nmaptocsv.py /usr/local/bin/nmaptocsv.py && cd - $ nmaptocsv.py --help ``` Examine version scan: ``` $ nmaptocsv.py -x services/alltcp-versions.xml -d',' -f ip-fqdn-port-protocol-service-version-os > services/alltcp-versions.csv ``` ### Ports Scan with `echo`: ``` $ IP="0.0.0.0"; for p in $(seq 1 49151); do (timeout 1 bash -c "echo '.' >/dev/tcp/$IP/$p && echo OPEN:$p" >> hosts/ports.txt &) 2>/dev/null; done $ sort -u -t':' -k1,1n hosts/ports.txt > hosts/echo-ports.txt && rm hosts/ports.txt ``` Scan with `nc`: ``` $ seq 1 49151 | xargs -n1 | xargs -P0 -I {} nc -nzv -w1 0.0.0.0 {} 2>&1 | grep -vE "timed out|now in progress|Connection refused" $ for i in `prips 192.168.1.0/24`; do proxy nc -nvzw1 $i 445 |& grep open | tee -a 445.txt; sleep $(($MIN+RANDOM % ($MAX-$MIN))); done ``` Scan with PowerShell: ```powershell $computers = @("PC01", "PC02", "PC03") foreach ($comp in $computers) { try { $tcpClient = New-Object System.Net.Sockets.TcpClient $tcpClient.Connect($comp, 445) if ($tcpClient.Connected) { Write-Host "[+] ${comp}:445: OK" } else { Write-Host "[-] ${comp}:445: FAIL" } $tcpClient.Close() } catch { Write-Host "Error occurred while checking port on $comp" } } ``` Top TCP ports: | Port | Service | | -------------------------------------------- | -------------------------------- | | 21 | FTP | | 22,2222 | SSH | | 23 | Telnet | | 25 | SMTP | | 53 | DNS | | 80,8080 | HTTP | | 88 | KDC | | 111 | SUNRPC | | 135 | MSRPC | | 137 | NetBIOS | | 139,445 | SMB over NetBIOS,SMB over TCP/IP | | 389,636 | LDAP,LDAP over SSL/TLS | | 443,8443 | SSL/TLS | | 593 | HTTP RPC Endpoint Mapper | | 623 | IPMI | | 873 | RSYNC | | 1090,1098,1099,4444,11099,47001,47002,10999 | Java RMI | | 1433 | MS SQL | | 1521 | Oracle | | 1947 | HASP License Manager | | 2049 | NFS | | 2375 | Docker | | 3268,3269 | Microsoft Global Catalog | | 3306 | MySQL/MariaDB | | 3389 | RDP | | 4786 | Cisco Smart Install | | 4848 | GlassFish | | 4899 | Radmin Server | | 4990 | Atlassian Crowd | | 5432 | PostgreSQL | | 5555,5556 | HP Data Protector | | 5900 | VNC | | 5985,5986 | WinRM,WinRM over SSL/TLS | | 6066 | Apache Spark | | 6379 | Redis | | 7000-7004,8000-8003,9000-9003,9503,7070,7071 | WebLogic | | 8081,8082 | JFrog Artifactory | | 8088 | Apache Hadoop | | 8383 | Zoho Manageengine Desktop | | 8500 | Hashicorp Consul | | 8686,9012,50500 | JMX | | 8880 | IBM WebSphere | | 8888 | Tornado | | 8983 | Apache Solr | | 9000 | Portainer | | 9100 | TCP/IP Printing | | 9200 | Elasticsearch | | 9389 | Active Directory Web Services | | 11111,4444,4445 | jBoss | | 27017 | MongoDB | | 45000,45001 | JDWP | TCP one-liner: ``` ports_tcp="21,22,23,25,53,80,88,111,135,137,139,389,443,445,593,623,636,873,1090,1098,1099,1433,1521,1947,2049,2222,2375,3268,3269,3306,3389,4444,4445,4786,4848,4899,4990,5432,5555,5556,5900,5985,5986,6066,6379,7000,7001,7002,7003,7004,7070,7071,8000,8001,8002,8003,8080,8081,8082,8088,8383,8443,8500,8686,8880,8888,8983,9000,9001,9002,9003,9012,9100,9200,9389,9503,10999,11099,11111,27017,45000,45001,47001,47002,50500" ``` Top UDP ports: | Port | Service | | ---- | ---------- | | 53 | DNS | | 67 | DHCP | | 69 | TFTP | | 88 | KDC | | 123 | NTP | | 137 | NetBIOS | | 161 | SNMP | | 500 | IKE | | 623 | IPMI | | 3391 | RD Gateway | UDP one-liner: ``` ports_udp="53,67,69,88,123,137,161,500,623,3391" ``` #### Nmap * Flag `-A`: ``` nmap -A ... == nmap -sC -sV -O --traceroute ... ``` Host discovery flag: ``` nmap -sn ... == nmap -PS443 -PA80 -PE -PP ... -PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PO [protocol list]: IP protocol ping ``` Search for Nmap NSE scripts: ``` $ find /usr/share/nmap/scripts/ -type f | grep smb Or $ sudo nmap --script-updatedb $ cat /usr/share/nmap/scripts/script.db | grep smb ``` Configure Nmap to run as unprivileged user by setting Linux capabilities: ``` $ sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip `which nmap` $ nmap --privileged ... ``` Grep only numbers to get a comma-separated list of ports: ``` $ cat nmap/initial.nmap | egrep -o '^[0-9]{1,5}' | awk -F/ '{ print $1 }' ORS=','; echo ``` Define which NSE scripts were ran: ``` $ grep '|_' services/alltcp-versions.nmap | cut -d'_' -f2 | cut -d' ' -f1 | sort -u | grep ':' ``` Look at HTTP titles: ``` $ grep -i 'http-title' services/alltcp-versions.nmap ``` Fast port discovery with Masscan + versions and scripts with Nmap (TCP): ``` $ sudo masscan --rate 1000 -e tun0 -p1-65535,U:0-65535 127.0.0.1 > masscan/ports $ ports=`cat masscan/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr "\n" ',' | sed 's/,$//'` $ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports ``` Fast port discovery with Nmap + versions and scripts with Nmap (TCP & UDP): ``` $ sudo nmap -n -Pn --min-rate 1000 -T4 127.0.0.1 -p- -v --open | tee nmap/ports_tcp $ ports_tcp=`cat nmap/ports_tcp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'` $ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports_tcp $ sudo nmap -n -Pn -sU [--max-retries 1] 127.0.0.1 -v --open | tee nmap/ports_udp $ ports_udp=`cat nmap/ports_udp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'` $ sudo nmap -n -Pn -sVCU [--reason] -oA nmap/udp 127.0.0.1 -p$ports_udp ``` Fast UDP: ``` $ sudo nmap -iL hosts.txt -oA report_udp -sUVC --script-timeout 500 -p53,69,161,500,4500,623,5351,443,55777 ``` Nmap a single host helper (full TCP), output is placed in CWD: {% code title="nmap\_single\_host.sh" %} ```bash #!/usr/bin/env bash # Usage: ./nmap_single_host.sh IP="$1" OUT="${IP//./-}" quick_ports_scan="sudo nmap -n -Pn --min-rate 1000 -T4 $IP -p1-65535 --open -v | tee ${OUT}_alltcp_sweep.txt" echo -e "\033[0;31m########## \033[1;32m${quick_ports_scan}\033[0;31m ##########\033[0m" eval ${quick_ports_scan} ports_tcp=`cat "${OUT}_alltcp_sweep.txt" | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'` versions_and_scripts_scan="sudo nmap -Pn -sVC -O -oA ${OUT} $IP -p$ports_tcp" echo -e "\033[0;31m########## \033[1;32m${versions_and_scripts_scan}\033[0;31m ##########\033[0m" eval ${versions_and_scripts_scan} ``` {% endcode %} Visualizes a grepable Nmap output in terminal (run the scan with `--open`): {% code title="nmap\_visualize.sh" %} ```bash #!/bin/bash # Usage: ./nmap_visualize.sh INPUT=$1 IFS=$'\n' for line in `grep "Ports:" $INPUT`; do echo $line | cut -d ' ' -f 2 for j in `echo $line | grep -oE "Ports\:.*" | cut -d " " -f 2- | sed 's/, /\n/g'`; do PORT=`echo $j | cut -d "/" -f 1,3` SERVICE=`echo $j | cut -d "/" -f 7` if [ -z "$SERVICE" ] then SERVICE=`echo $j | cut -d "/" -f 5` fi echo " |___$PORT ( $SERVICE )" done echo "" done unset $IFS ``` {% endcode %} A tuned initial recon in a large range (stolen from [here](https://redsiege.com/blog/2022/07/beyondt4/)): ``` $ sudo nmap -vv -n -Pn --min-rtt-timeout 275ms --max-rtt-timeout 350ms --max-retries 0 --max-scan-delay 0 --min-hostgroup 128 -iL ranges.txt -oA tuned -p 21-23,25,53,111,137,139,445,80,443,3389,5900,8080,8443 ``` #### Masscan * ``` $ sudo masscan [-e eth0] --rate 1000 -iL hosts.txt --open -p$ports --resume paused.conf >> masscan.out $ mkdir services && for p in `echo $ports | tr ',' ' '`; do grep "port $p/tcp" masscan.out | awk -F' ' '{print $6}' | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > "services/port$p.txt"; done ``` #### RustScan * ``` $ sudo rustscan -b 1000 -t 2000 -u 5000 -a hosts.txt -r $ports -g --no-config --scan-order "Random" > rustscan.out ``` Scan Nmap top 1000 TCP ports: * ``` $ sudo wget https://gist.github.com/snovvcrash/8b85b900bd928493cd1ae33b2df318d8/raw/fe8628396616c4bf7a3e25f2c9d1acc2f36af0c0/rustscan-ports-top1000.toml -O /root/.rustscan.toml $ sudo rustscan -a 10.10.13.37 --top ``` #### Naabu * ``` $ sudo naabu [-interface eth0] -iL hosts.txt -s s -rate 1000 -p - -silent [-nmap-cli 'sudo nmap -v -Pn -sVC -O -oA naabutest'] $ sudo naabu -host 10.10.13.37 -top-ports 1000 ``` #### Invoke-Portscan * * * ``` PS > Invoke-Portscan -Hosts 127.0.0.0/24 -sn -noProgressMeter -oA sweep PS > Invoke-Portscan -Hosts 127.0.0.0/24 -T 4 -TopPorts 25 -oA top25 PS > Invoke-Portscan -HostFile .\hosts.txt -Ports 22,80,443,445 ``` #### PowerShell\_IPv4 Scanner * * ## Hunt for Gateways & NICs * Search for gateways and dual-homed hosts. ### gateway-finder-imp * ``` $ python3 gateway-finder-imp.py -d 8.8.8.8 -m de:ad:be:af:de:ad -i eth0 $ python3 gateway-finder-imp.py -D file_with_dst_IPs.txt -M file_with_nex_hop_MACs.txt -i eth0 -p 80 443 22 23 8080 ``` ### tracebuster * ``` $ python3 tracebuster.py 4 udp 192.168.1.0/24 53 2>/dev/null ``` ### cornershot * * ### NetBIOS #### nbtscan ``` $ sudo nbtscan -r 10.10.10.0/24 ``` #### nbname (MSF) ``` msf > use auxiliary/scanner/netbios/nbname msf > set RHOSTS file:hosts.txt msf > run ``` #### nextnet * ``` $ ./nextnet -rate 1000 192.168.1.0/24 | grep nets ``` ### RPC via IOXIDResolver #### PingCastle * Double click > `scanner` > `oxidbindings` > `all`. #### SharpOxidResolver * ``` Cmd > .\OxidResolver.exe # query all domain computers Cmd > .\OxidResolver.exe ``` ## Tools ### AutoRecon * ### legion * ### nmapAutomator * Install: ``` $ git clone https://github.com/21y4d/nmapAutomator ~/tools/nmapAutomator && cd ~/tools/nmapAutomator $ sudo ln -vs `pwd`/nmapAutomator/nmapAutomator.sh /usr/local/bin/ ``` Run: ``` $ nmapAutomator.sh --host 10.1.1.1 --type All ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ppn.snovvcra.sh/pentest/infrastructure/networks/scanning.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.