✅ Best commands for Port Scanning — For OSCP, pentests, bug bounties

Learn several techniques to scan hosts, bypass firewalls and scan the whole IPv4 universe.

pentesting.academy
Jan 13
In a penetration testing engagement, scanning is a very important phase in which we learn about the potential vulnerabilities of the machines inside the scope. If you miss a UDP or TCP port with vulnerabilities to exploit, your probability of success will be much lower, so pay a lot of attention to this phase.

Host scanning

Fast light scan

nmap --top-ports 10 --open $IP

Heavy scan (slow)

nmap -p- -sV --reason --dns-servers $DNS_SERVER $IP

Unicornscan, which is very fast, especially for UDP ports:

us -mT -Iv $IP:a -r 3000 -R 3 && us -mU -Iv $IP:a -r 3000 -R 3

Other methods:

nmap -sS -T4 -iL hosts_up.txt
nmap -sS -sV -T4 $IP
hping3 --scan known $IP/24
nc -nvz $IP 1-1024

nmap tuning options

--max-retries
--max-scan-delay
--defeat-rst-ratelimit

Banner grabbing

nc -nv $IP 22
nmap -sV $IP

Vulnerability scanners

  • Nmap NSE script engine (Open Source)

  • nuclei (Open Source)

  • openvas (Open Source)

  • nessus (Commercial with free trial)

  • nexpose (Commercial with free trial)

  • qualys (Commercial)

Import to msfconsole

db_import ./nmap_target_network.xml

Traceroute

traceroute $IP
hping3 --traceroute $IP

Firewalking

tracepath -n -p 53 $IP
traceroute -n -M default -p 53 $IP

Draw network diagram

zenmap

https://app.diagrams.net/

Advanced scanning

Firewall bypass through IP fragmentation (-f splits the probes into 8-byte fragments; --mtu sets your own fragment size, which must be a multiple of 8, and is used instead of -f, not together with it):

nmap -f $IP
nmap --mtu 16 $IP

IPv6 scanning

nmap -6 $IP

Idle scanning: scans through a zombie host, so the probes appear to come from the zombie rather than from the scanner

nmap -sI $ZOMBIE $IP

Decoy scanning: mixes the real probes with probes spoofed from several decoy IPs (ME marks the position of your own address in the list)

nmap -D $DECOY1,$DECOY2,ME $IP

FTP bounce scan, relayed through an FTP server that allows the PORT command to point at other hosts:

nmap -b $FTP_SERVER $IP

Massive scanning of a class A network (or the whole IPv4 space) using masscan: https://github.com/robertdavidgraham/masscan

masscan -p80,8000-8100 10.0.0.0/8

Banner checking with masscan (a spare --source-ip is required, otherwise the local kernel resets the connections masscan opens)

masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200
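Seen from the target side, the scans above show up as one host touching many ports in a short time. The following is an added example, not code from the original post or from any tool named in it: it runs a simple sweep detector over constructed connection-log lines in an assumed "epoch src dst dport proto" format (adapt the parser to your firewall's real format). It aggregates in two ways: distinct ports per source and destination, which catches an ordinary single-source sweep, and distinct ports per destination regardless of source, which still fires when the same sweep is spread over decoy or spoofed source addresses, because the target receives every probe either way.

```python
"""Detect port sweeps in connection logs (added example, not from the original post).

Log format is an assumption for this example: "<epoch> <src> <dst> <dport> <proto>".
Events are bucketed into fixed windows of `window` seconds; an alert fires when
the number of distinct (proto, port) pairs in a bucket reaches `threshold`.
"""
from collections import defaultdict

# Constructed sample: a normal client (192.0.2.10), a single-source sweep
# (198.51.100.7) and a sweep spread over six sources against 10.0.0.9.
SAMPLE_LOG = """\
1700000000 192.0.2.10 10.0.0.5 443 tcp
1700000001 192.0.2.10 10.0.0.5 443 tcp
1700000002 198.51.100.7 10.0.0.5 21 tcp
1700000002 198.51.100.7 10.0.0.5 22 tcp
1700000002 198.51.100.7 10.0.0.5 23 tcp
1700000003 198.51.100.7 10.0.0.5 25 tcp
1700000003 198.51.100.7 10.0.0.5 80 tcp
1700000003 198.51.100.7 10.0.0.5 110 tcp
1700000010 203.0.113.1 10.0.0.9 135 tcp
1700000010 203.0.113.2 10.0.0.9 139 tcp
1700000010 203.0.113.3 10.0.0.9 445 tcp
1700000011 203.0.113.4 10.0.0.9 3389 tcp
1700000011 203.0.113.5 10.0.0.9 5985 tcp
1700000011 203.0.113.6 10.0.0.9 8080 tcp
"""


def parse_log(text):
    """Parse the assumed log format into (ts, src, dst, dport, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        events.append((int(ts), src, dst, int(dport), proto))
    return events


def detect_sweeps(events, window=60, threshold=5):
    """Return (by_source, by_destination).

    by_source:      [(src, dst, distinct_ports)] for one source hitting
                    >= threshold ports on one destination within a window.
    by_destination: [(dst, distinct_ports, distinct_sources)] for one destination
                    receiving probes on >= threshold ports within a window from
                    any mix of sources; this is the view decoys cannot dilute.
    """
    src_ports = defaultdict(set)   # (bucket, src, dst) -> {(proto, port)}
    dst_ports = defaultdict(set)   # (bucket, dst)      -> {(proto, port)}
    dst_srcs = defaultdict(set)    # (bucket, dst)      -> {src}
    for ts, src, dst, dport, proto in events:
        bucket = ts // window
        src_ports[(bucket, src, dst)].add((proto, dport))
        dst_ports[(bucket, dst)].add((proto, dport))
        dst_srcs[(bucket, dst)].add(src)

    by_source = sorted(
        (src, dst, len(ports))
        for (bucket, src, dst), ports in src_ports.items()
        if len(ports) >= threshold
    )
    by_destination = []
    for (bucket, dst), ports in dst_ports.items():
        if len(ports) >= threshold:
            by_destination.append((dst, len(ports), len(dst_srcs[(bucket, dst)])))
    by_destination.sort()
    return by_source, by_destination


if __name__ == "__main__":
    srcs, dsts = detect_sweeps(parse_log(SAMPLE_LOG))
    for src, dst, n in srcs:
        print(f"sweep from {src} against {dst}: {n} ports")
    for dst, n, k in dsts:
        print(f"{dst} probed on {n} ports by {k} source(s)")
```

The per-source view names the scanner only when the sweep really comes from one address; the per-destination view is what tells you 10.0.0.9 was swept even though no single source exceeded the threshold. Thresholds and window size are tuning knobs, and fixed buckets are deliberately simple; a sliding window costs more state but does not split a sweep across two buckets.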
