# Scanning Hosts ## Scanning all hosts Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed. ### TCP ```bash # Nmap fast scan for the most 1000tcp ports used nmap -sV -sC -O -T4 -n -Pn -oA fastscan # Nmap fast scan for all the ports nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan # Nmap fast scan for all the ports slower to avoid failures due to -T4 nmap -sV -sC -O -p- -n -Pn -oA fullscan # Nmap ports alive custom nmap -p- --open --min-rate= -vvv -T3 -n -Pn -oG allPorts # Nmap port recon with nmap scripts nmap -p21,22,8080,9999 -sC -sV -n -Pn -oG targeted # Nmap quick regex nmap -A -p- --open -T4 -n -Pn -oG nmap_scan # Nmap TCP, UDP scan nmap -p- -sX -sU --scanflags PSH # Nmap Window TCP scan nmap -v -p- -sW ``` ### UDP ```bash # Check if any of the most common udp services is running udp-proto-scanner.pl # Nmap fast check if any of the 100 most common UDP services is running nmap -sU -sV --version-intensity 0 -n -F -T4 # Nmap check if any of the 100 most common UDP services is running and launch defaults scripts nmap -sU -sV -sC -n -F -T4 # Nmap "fast" top 1000 UDP ports nmap -sU -sV --version-intensity 0 -n -T4 # You could use nmap to test all the UDP ports, but that will take a lot of time ``` ### SCTP Scan ```bash # Nmap fast SCTP scan nmap -T4 -sY -n -oA SCTFastScan # Nmap all SCTP scan nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan ``` ### Revealing Internal IP Addresses Misconfigured routers, firewalls, and network devices sometimes **respond** to network probes **using nonpublic source addresses**. You can use *tcpdump* used to **identify packets** received from **private addresses** during testing. In this case, the *eth2* interface in Kali Linux is **addressable** from the **public Internet** (If you are **behind** a **NAT** of a **Firewall** this kind of packets are probably going to be **filtered**). ```bash tcpdump –nt -i eth2 src net 10 or 172.16/12 or 192.168/16 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64 IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hackzzz.gitbook.io/welcome/everything-about-and-notes/network-pentesting/scanning-hosts.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.