Scanning Hosts
Scanning all hosts
Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed.
TCP
# Nmap fast scan of the 1000 most common TCP ports
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>
# Nmap fast scan of all 65535 TCP ports
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP>
# Nmap scan of all ports at the default timing, slower but avoids missed ports caused by -T4
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>
# Nmap open-port discovery with a custom minimum packet rate (--min-rate takes packets per second, not seconds)
nmap -p- --open --min-rate=<packets-per-second> -vvv -T3 -n -Pn <IP> -oG allPorts
# Nmap targeted recon of selected ports with default scripts and version detection
nmap -p21,22,8080,9999 -sC -sV -n -Pn <IP> -oG targeted
# Nmap aggressive scan (-A = -sV -sC -O --traceroute) of every open port, greppable output
nmap -A -p- --open -T4 -n -Pn <IP> -oG nmap_scan
# Nmap UDP scan plus a custom-flag TCP scan (PSH only); -sX tells Nmap to interpret the TCP responses as for an Xmas scan
nmap -p- -sX -sU <domain.com> --scanflags PSH
# Nmap TCP Window scan (-sW; the original "-sWUDP" is not a valid scan-type string)
nmap -v -p- <domain.com> -sW
SCTP Scan
Revealing Internal IP Addresses
Misconfigured routers, firewalls, and network devices sometimes respond to network probes using nonpublic source addresses. You can use tcpdump to identify packets received from private addresses during testing. In this case, the eth2 interface in Kali Linux is addressable from the public Internet (if you are behind a NAT or a firewall, such packets will probably be filtered before they reach you).
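The check described above, as an added example that is not part of the original page: it parses the text lines a capture such as `tcpdump -nt -i eth2` would produce (the sample lines below are constructed, not a real capture) and reports every reply whose source address falls in an RFC 1918, link-local or loopback range. IPv4 only.

```python
import ipaddress
import re

# Ranges that must never appear as a source address on traffic arriving from
# the public Internet. Listed explicitly rather than using ip_address().is_private,
# which would also flag documentation ranges such as 203.0.113.0/24.
NONPUBLIC = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Matches the "IP src.sport > dst.dport" prefix of a tcpdump -n line.
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")


def is_nonpublic(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NONPUBLIC)


def find_leaked_sources(lines):
    """Return (src_ip, src_port) for every packet whose source address is nonpublic.

    src_port is the port the device answered from, i.e. the port that was probed.
    """
    leaks = []
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue  # not a parsable IPv4 packet line
        src, sport, _dst, _dport = m.groups()
        if is_nonpublic(src):
            leaks.append((src, int(sport)))
    return leaks


# Constructed sample of tcpdump output (not a real capture).
SAMPLE = """\
IP 203.0.113.7.443 > 198.51.100.20.51234: Flags [S.], seq 1, ack 1, win 64240
IP 10.0.0.1.22 > 198.51.100.20.40000: Flags [R.], seq 0, ack 1, win 0
IP 192.168.1.254.80 > 198.51.100.20.40001: Flags [S.], seq 2, ack 1, win 29200
IP 172.31.200.5.53 > 198.51.100.20.40002: UDP, length 45
IP 8.8.8.8.53 > 198.51.100.20.40003: UDP, length 60
""".splitlines()

if __name__ == "__main__":
    for src, port in find_leaked_sources(SAMPLE):
        print(f"nonpublic source {src} answered from port {port}")
```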