search

Scanning Hosts

hashtag
Scanning all hosts

Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed.

hashtag
TCP

# Nmap fast scan for the most 1000tcp ports used
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP> 
# Nmap fast scan for all the ports
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP> 
# Nmap fast scan for all the ports slower to avoid failures due to -T4
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>
# Nmap ports alive custom
nmap -p- --open --min-rate=<seconds> -vvv -T3 -n -Pn <IP> -oG allPorts
# Nmap port recon with nmap scripts
nmap -p21,22,8080,9999 -sC -sV -n -Pn <IP> -oG targeted
# Nmap quick regex
nmap -A -p- --open -T4 -n -Pn <IP> -oG nmap_scan
# Nmap TCP, UDP scan 
nmap -p- -sX -sU <domain.com> --scanflags PSH
# Nmap Window TCP scan
nmap -v -p- <domain.com> -sW

hashtag
UDP

hashtag
SCTP Scan

hashtag
Revealing Internal IP Addresses

Misconfigured routers, firewalls, and network devices sometimes respond to network probes using nonpublic source addresses. You can use tcpdump used to identify packets received from private addresses during testing. In this case, the eth2 interface in Kali Linux is addressable from the public Internet (If you are behind a NAT of a Firewall this kind of packets are probably going to be filtered).

PreviousHost DiscoveryNextSniffing

Last updated