> For the complete documentation index, see [llms.txt](https://hackzzz.gitbook.io/welcome/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://hackzzz.gitbook.io/welcome/everything-about-and-notes/network-pentesting/scanning-hosts.md). # Scanning Hosts ## Scanning all hosts Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed. ### TCP ```bash # Nmap fast scan for the most 1000tcp ports used nmap -sV -sC -O -T4 -n -Pn -oA fastscan # Nmap fast scan for all the ports nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan # Nmap fast scan for all the ports slower to avoid failures due to -T4 nmap -sV -sC -O -p- -n -Pn -oA fullscan # Nmap ports alive custom nmap -p- --open --min-rate= -vvv -T3 -n -Pn -oG allPorts # Nmap port recon with nmap scripts nmap -p21,22,8080,9999 -sC -sV -n -Pn -oG targeted # Nmap quick regex nmap -A -p- --open -T4 -n -Pn -oG nmap_scan # Nmap TCP, UDP scan nmap -p- -sX -sU --scanflags PSH # Nmap Window TCP scan nmap -v -p- -sW ``` ### UDP ```bash # Check if any of the most common udp services is running udp-proto-scanner.pl # Nmap fast check if any of the 100 most common UDP services is running nmap -sU -sV --version-intensity 0 -n -F -T4 # Nmap check if any of the 100 most common UDP services is running and launch defaults scripts nmap -sU -sV -sC -n -F -T4 # Nmap "fast" top 1000 UDP ports nmap -sU -sV --version-intensity 0 -n -T4 # You could use nmap to test all the UDP ports, but that will take a lot of time ``` ### SCTP Scan ```bash # Nmap fast SCTP scan nmap -T4 -sY -n -oA SCTFastScan # Nmap all SCTP scan nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan ``` ### Revealing Internal IP Addresses Misconfigured routers, firewalls, and network devices sometimes **respond** to network probes **using nonpublic source addresses**. You can use *tcpdump* used to **identify packets** received from **private addresses** during testing. In this case, the *eth2* interface in Kali Linux is **addressable** from the **public Internet** (If you are **behind** a **NAT** of a **Firewall** this kind of packets are probably going to be **filtered**). ```bash tcpdump –nt -i eth2 src net 10 or 172.16/12 or 192.168/16 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64 IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64 ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://hackzzz.gitbook.io/welcome/everything-about-and-notes/network-pentesting/scanning-hosts.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.