Scanning

Host Discovery

ARP

arp-scan

Active:

$ sudo arp-scan -l [-s <SPOOFED_IP>] -v
$ sudo arp-scan -I eth0 192.168.0.0/24

netdiscover

Passive:

Active, sending 20 requests per IP:

Hunt for Subnets

Take 10.0.0.0/8 as an example:

Ping Sweep

Bash:

Batch:

PowerShell (option 1):

PowerShell (option 2):

Nmap:

RMI Sweep

Remote Management Interfaces:

| Port | Service            |
|------|--------------------|
| 22   | SSH                |
| 3389 | RDP                |
| 2222 | SSH?               |
| 5900 | VNC                |
| 5985 | WinRM              |
| 5986 | WinRM over SSL/TLS |

Nmap:

Services

Raw Identification

Nmap XML Parsers

parsenmap.rb

Examine version scan:

Split version scan by service names:

nmaptocsv

Examine version scan:
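An added example, not part of these notes nor code from parsenmap.rb or nmaptocsv: a minimal Python parser for Nmap `-sV -oX` output that prints the version table and groups open ports by service name, the two views the tools above produce. The XML is a constructed sample with made-up hosts and versions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of `nmap -sV -oX` output; hosts, products and versions are made up.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Samba smbd" version="4.6.2"/></port>
</ports></host></nmaprun>"""

def parse_open_ports(xml_text):
    """One tuple per open port: (host, proto, port, service, product, version)."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # drop closed/filtered entries, keep only the --open view
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            rows.append((addr.get("addr"), port.get("protocol"), int(port.get("portid")),
                         get("name"), get("product"), get("version")))
    return rows

def split_by_service(rows):
    """Group host:port targets by service name (the 'split by service names' view)."""
    groups = defaultdict(list)
    for host, _, port, name, _, _ in rows:
        groups[name].append(f"{host}:{port}")
    return dict(groups)

def port_list(rows):
    """Sorted, de-duplicated, comma-separated port list suitable for nmap -p."""
    return ",".join(str(p) for p in sorted({r[2] for r in rows}))

if __name__ == "__main__":
    rows = parse_open_ports(SAMPLE_XML)
    for r in rows:
        print("%-10s %s/%-5d %-13s %s %s" % r)
    print(split_by_service(rows))
    print(port_list(rows))
```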

Ports

Scan with echo:

Scan with nc:

Scan with PowerShell:

Top TCP ports:

| Port                                            | Service                                |
|-------------------------------------------------|----------------------------------------|
| 21                                              | FTP                                    |
| 22,2222                                         | SSH                                    |
| 23                                              | Telnet                                 |
| 25                                              | SMTP                                   |
| 53                                              | DNS                                    |
| 80,8080                                         | HTTP                                   |
| 88                                              | KDC                                    |
| 111                                             | SUNRPC                                 |
| 135                                             | MSRPC                                  |
| 137                                             | NetBIOS                                |
| 139,445                                         | SMB over NetBIOS, SMB over TCP/IP      |
| 389,636                                         | LDAP, LDAP over SSL/TLS                |
| 443,8443                                        | SSL/TLS                                |
| 593                                             | HTTP RPC Endpoint Mapper               |
| 623                                             | IPMI                                   |
| 873                                             | rsync                                  |
| 1090,1098,1099,4444,11099,47001,47002,10999     | Java RMI                               |
| 1433                                            | MS SQL                                 |
| 1521                                            | Oracle                                 |
| 1947                                            | HASP License Manager                   |
| 2049                                            | NFS                                    |
| 2375                                            | Docker                                 |
| 3268,3269                                       | Microsoft Global Catalog               |
| 3306                                            | MySQL/MariaDB                          |
| 3389                                            | RDP                                    |
| 4786                                            | Cisco Smart Install                    |
| 4848                                            | GlassFish                              |
| 4899                                            | Radmin Server                          |
| 4990                                            | Atlassian Crowd                        |
| 5432                                            | PostgreSQL                             |
| 5555,5556                                       | HP Data Protector                      |
| 5900                                            | VNC                                    |
| 5985,5986                                       | WinRM, WinRM over SSL/TLS              |
| 6066                                            | Apache Spark                           |
| 6379                                            | Redis                                  |
| 7000-7004,8000-8003,9000-9003,9503,7070,7071    | WebLogic                               |
| 8081,8082                                       | JFrog Artifactory                      |
| 8088                                            | Apache Hadoop                          |
| 8383                                            | Zoho ManageEngine Desktop              |
| 8500                                            | HashiCorp Consul                       |
| 8686,9012,50500                                 | JMX                                    |
| 8880                                            | IBM WebSphere                          |
| 8888                                            | Tornado                                |
| 8983                                            | Apache Solr                            |
| 9000                                            | Portainer                              |
| 9100                                            | TCP/IP Printing                        |
| 9200                                            | Elasticsearch                          |
| 9389                                            | Active Directory Web Services          |
| 11111,4444,4445                                 | JBoss                                  |
| 27017                                           | MongoDB                                |
| 45000,45001                                     | JDWP                                   |

TCP one-liner:

Top UDP ports:

| Port | Service    |
|------|------------|
| 53   | DNS        |
| 67   | DHCP       |
| 69   | TFTP       |
| 88   | KDC        |
| 123  | NTP        |
| 137  | NetBIOS    |
| 161  | SNMP       |
| 500  | IKE        |
| 623  | IPMI       |
| 3391 | RD Gateway |

UDP one-liner:

Nmap

Flag -A:

Host discovery flag:

Search for Nmap NSE scripts:

Configure Nmap to run as an unprivileged user by setting Linux capabilities:

Grep only numbers to get a comma-separated list of ports:

Determine which NSE scripts were run:

Look at HTTP titles:

Fast port discovery with Masscan + versions and scripts with Nmap (TCP):

Fast port discovery with Nmap + versions and scripts with Nmap (TCP & UDP):

Fast UDP:

Helper to Nmap a single host (full TCP); output is placed in the CWD:

Visualize grepable Nmap output in the terminal (run the scan with --open):

A tuned initial recon of a large range (stolen from here):

Masscan

RustScan

Scan Nmap top 1000 TCP ports:

Naabu

Invoke-Portscan

PowerShell_IPv4 Scanner

Hunt for Gateways & NICs

Search for gateways and dual-homed hosts.

gateway-finder-imp

tracebuster

cornershot

NetBIOS

nbtscan

nbname (MSF)

nextnet

RPC via IOXIDResolver

PingCastle

Double click > scanner > oxidbindings > all.

SharpOxidResolver

Tools

AutoRecon

legion

nmapAutomator

Install:

Run:
