Scanning
A reference guide of concise command suggestions for machine discovery and enumeration.
Host Discovery
Nmap
# Ping sweep
nmap -sn 10.10.10.0/24
# If ICMP echo is blocked: skip host discovery (-Pn) and probe a couple of common ports directly
nmap -Pn -p 80,443 10.10.10.0/24
ARP Scan
# Host discovery
arping -I eth0 10.10.10.0/24
nmap -PR -sn TARGETS
Netdiscover
netdiscover -r 10.10.10.0/24
Broadcast Ping
ping -b 10.10.10.255
Masscan
masscan 192.168.1.0/24 -p1-65535 --rate=1000
Host Scanning
Initial Scan
nmap $IP -T4 -F -oA nmap.init
Full Port + Scripts + Versions
nmap $IP -p- -sV -sC -oA ctf.scan
Aggressive Detection
nmap $IP -sC -sV -A -oA nmap.aggro
UDP Scan
nmap $IP -sU -p- -oA nmap.udp
OS Detection
nmap $IP -O -oA nmap.os
Nmap Scripts
# List all scripts matching a name prefix (here http*)
ls /usr/share/nmap/scripts/http*
# Run every script matching that name prefix
nmap $IP --script=http-*
Living Off The Land
Python
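import socket

# Minimal TCP connect sweep: a port counts as open when connect_ex() returns 0.
target = "example.com"
ports = range(1, 1025)
for port in ports:
    # The context manager closes the socket on every path, including when
    # connect_ex() raises (e.g. socket.gaierror if the name does not resolve);
    # the original only closed it on the normal path.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1)  # seconds; bounds how long a filtered port can stall the loop
        result = s.connect_ex((target, port))  # returns an errno-style code instead of raising
        if result == 0:
            print(f"Port {port} is open.")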
Inline:
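# connect_ex() returns a code instead of raising, so one closed port no longer aborts the whole sweep (create_connection raised on the first refused/timed-out port); setdefaulttimeout() keeps the 1s per-port limit.
python -c 'import socket; socket.setdefaulttimeout(1); target="example.com"; [print(f"Port {port} is open.") for port in range(1,1025) if socket.socket().connect_ex((target, port)) == 0]'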
Bash
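#!/bin/bash
# TCP connect sweep using bash's /dev/tcp pseudo-device (a bash feature, not POSIX sh).
# A port is reported open when the redirect succeeds; connection errors are discarded.
# NOTE: the redirect has no timeout of its own, so a filtered port can block the loop
# until the kernel's connect timeout expires.
target="example.com"
for port in {1..1024}; do
  # Subshell so a failed redirect cannot terminate the script.
  (echo >"/dev/tcp/${target}/${port}") >/dev/null 2>&1 && printf 'Port %s is open.\n' "$port"
done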
Inline:
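# Same sweep as the script form; expansions quoted so an unexpected value in target cannot be word-split.
target="example.com"; for port in {1..1024}; do (echo >"/dev/tcp/${target}/${port}") >/dev/null 2>&1 && printf 'Port %s is open.\n' "$port"; done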
PowerShell
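# TCP connect sweep. Connect() throws on a refused or unreachable port, which the
# empty Catch swallows; Finally disposes the client on every path so failed
# attempts do not leave sockets around until garbage collection.
# NOTE: Connect() blocks until it succeeds or fails, with no explicit timeout here.
$target = "example.com"
1..1024 | ForEach-Object {
    $port = $_
    $TCPClient = New-Object System.Net.Sockets.TcpClient
    Try {
        $TCPClient.Connect($target, $port)
        Write-Host "Port $port is open."
    } Catch {
        # connection failed: port closed or filtered
    } Finally {
        $TCPClient.Dispose()
    }
}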
Inline:
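# Finally disposes the client whether Connect() succeeded or threw.
$target="example.com"; 1..1024 | % { $port=$_; $TCPClient=New-Object System.Net.Sockets.TcpClient; Try{$TCPClient.Connect($target, $port); Write-Host "Port $port is open."}Catch{}Finally{$TCPClient.Dispose()}}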
Netcat
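#!/bin/bash
# TCP connect sweep with netcat: -z (no payload), -v (report outcome), -w1 (1s timeout).
# grep -q only sets the exit status, so netcat's own "succeeded" line is no longer
# printed alongside our message (the original echoed both).
# NOTE: the "succeeded" wording is what OpenBSD/GNU nc emit; other nc implementations
# may phrase their verbose output differently, so adjust the match for your nc.
target="example.com"
for port in {1..1024}; do
  nc -zv -w1 "$target" "$port" 2>&1 | grep -q succeeded && printf 'Port %s is open.\n' "$port"
done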
Inline:
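# grep -q suppresses netcat's own "succeeded" line so each open port is reported once; expansions quoted.
target="example.com"; for port in {1..1024}; do nc -zv -w1 "$target" "$port" 2>&1 | grep -q succeeded && printf 'Port %s is open.\n' "$port"; done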
Back Burner: Unusual Nmap Scans
Stealth & Obscure Modes
# FIN scan
nmap -sF $IP -oA nmap.fin
# NULL scan
nmap -sN $IP -oA nmap.null
# Xmas scan
nmap -sX $IP -oA nmap.xmass
Advanced Techniques
# Zombie scan
nmap -sI $ZOMBIE_IP $IP -oA nmap.zom
# FTP bounce
nmap -b FTP_SERVER $IP -oA nmap.ftpb
Web Enumeration
Gobuster
# Directory scan
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30
# File scan
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -k -t 30
# Subdomain scan
gobuster dns -d domain.org -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 30
Wfuzz
# Directories
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"
# Files
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"
Dirbuster
dirbuster $IP
# GUI usage: enter http://$IP:$PORT, select wordlist in file browser.
API Discovery (Pattern-based)
# Use a pattern file (-p) to fuzz likely versioned endpoints (v1, v2, etc.): each line of the file is a pattern in which {GOBUSTER} is replaced by every wordlist entry
gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern