Scanning Hosts

Scanning all hosts

Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed.

TCP

# Nmap fast scan for the most 1000tcp ports used
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP> 
# Nmap fast scan for all the ports
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP> 
# Nmap fast scan for all the ports slower to avoid failures due to -T4
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>
# Nmap ports alive custom
nmap -p- --open --min-rate=<seconds> -vvv -T3 -n -Pn <IP> -oG allPorts
# Nmap port recon with nmap scripts
nmap -p21,22,8080,9999 -sC -sV -n -Pn <IP> -oG targeted
# Nmap quick regex
nmap -A -p- --open -T4 -n -Pn <IP> -oG nmap_scan
# Nmap TCP, UDP scan 
nmap -p- -sX -sU <domain.com> --scanflags PSH
# Nmap Window TCP scan
nmap -v -p- <domain.com> -sW

UDP

# Check if any of the most common udp services is running
udp-proto-scanner.pl <IP> 
# Nmap fast check if any of the 100 most common UDP services is running
nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>
# Nmap check if any of the 100 most common UDP services is running and launch defaults scripts
nmap -sU -sV -sC -n -F -T4 <IP> 
# Nmap "fast" top 1000 UDP ports
nmap -sU -sV --version-intensity 0 -n -T4 <IP>
# You could use nmap to test all the UDP ports, but that will take a lot of time

SCTP Scan

# Nmap fast SCTP scan
nmap -T4 -sY -n -oA SCTFastScan <IP>
# Nmap all SCTP scan
nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>

Revealing Internal IP Addresses

Misconfigured routers, firewalls, and network devices sometimes respond to network probes using nonpublic source addresses. You can use tcpdump used to identify packets received from private addresses during testing. In this case, the eth2 interface in Kali Linux is addressable from the public Internet (If you are behind a NAT of a Firewall this kind of packets are probably going to be filtered).

tcpdump –nt -i eth2 src net 10 or 172.16/12 or 192.168/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64
IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64

PreviousHost Discovery NextSniffing

Last updated 1 year ago

Scanning all hosts

Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed.

TCP

# Nmap fast scan for the most 1000tcp ports used
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP> 
# Nmap fast scan for all the ports
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP> 
# Nmap fast scan for all the ports slower to avoid failures due to -T4
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>
# Nmap ports alive custom
nmap -p- --open --min-rate=<seconds> -vvv -T3 -n -Pn <IP> -oG allPorts
# Nmap port recon with nmap scripts
nmap -p21,22,8080,9999 -sC -sV -n -Pn <IP> -oG targeted
# Nmap quick regex
nmap -A -p- --open -T4 -n -Pn <IP> -oG nmap_scan
# Nmap TCP, UDP scan 
nmap -p- -sX -sU <domain.com> --scanflags PSH
# Nmap Window TCP scan
nmap -v -p- <domain.com> -sW

UDP

# Check if any of the most common udp services is running
udp-proto-scanner.pl <IP> 
# Nmap fast check if any of the 100 most common UDP services is running
nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>
# Nmap check if any of the 100 most common UDP services is running and launch defaults scripts
nmap -sU -sV -sC -n -F -T4 <IP> 
# Nmap "fast" top 1000 UDP ports
nmap -sU -sV --version-intensity 0 -n -T4 <IP>
# You could use nmap to test all the UDP ports, but that will take a lot of time

SCTP Scan

# Nmap fast SCTP scan
nmap -T4 -sY -n -oA SCTFastScan <IP>
# Nmap all SCTP scan
nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>

Revealing Internal IP Addresses

tcpdump –nt -i eth2 src net 10 or 172.16/12 or 192.168/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64
IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64