✅ Best commands for Port Scanning — For OSCP, pentests, bug bounties
Learn several techniques to scan hosts, bypass firewalls and scan the whole IPv4 address space.
In a penetration testing engagement, scanning is the phase in which we map the attack surface of the machines in scope: which hosts are up, which TCP and UDP ports are open and which services and versions sit behind them. If you miss a port that exposes a vulnerable service, your chance of success drops sharply, so pay close attention to this phase.
Host scanning
Fast/light scan (only the 10 most common TCP ports, showing open ones)
nmap --top-ports 10 --open $IP
Heavy scan (slow: all 65535 TCP ports with version detection; --reason shows why a port got its state)
nmap -p- -sV --reason --dns-servers $DNS_SERVER $IP
Unicornscan. Very fast especially for UDP ports:
us -mT -Iv $IP:a -r 3000 -R 3 && us -mU -Iv $IP:a -r 3000 -R 3
Other methods:
nmap -sS -T4 -iL hosts_up.txt
nmap -sS -sV -T4 $IP
hping3 -S --scan known $IP
(hping3 scans one host at a time; "known" means the ports listed in /etc/services, -S sends SYN probes)
nc -nvz $IP 1-1024
nmap tuning options
--max-retries <tries>: cap the number of probe retransmissions per port (lower is faster but less accurate on lossy links)
--max-scan-delay <time>: cap the delay nmap inserts between probes when it detects rate limiting on the target
--defeat-rst-ratelimit: do not slow down when the target rate-limits RST packets; ports that would otherwise be reported closed are reported filtered instead
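The fast and heavy scans above are usually combined into a two-stage workflow: sweep all 65535 ports quickly, then run version detection only against the ports found open, which is far faster than -p- -sV against everything. The following script is an added example, not code from the original post: it parses nmap's grepable (-oG) output, builds the stage-2 command from the result, and ships a constructed sample -oG file so the parser can be exercised without a live target. The target 10.10.10.5, the --min-rate value and the output paths are assumptions.

```shell
#!/bin/sh
# Two-stage TCP scan (added example, not from the original post).
# Stage 1: fast full-range SYN scan written in grepable format.
# Stage 2: -sV -sC only on the ports that stage 1 found open.

# Extract the open TCP ports from an nmap -oG file as a comma-separated,
# numerically sorted, de-duplicated list, e.g. "22,80,443".
# Filtered/closed ports are ignored because only "/open/tcp" is matched.
open_ports_from_gnmap() {
    grep -o '[0-9][0-9]*/open/tcp' "$1" \
        | cut -d/ -f1 \
        | sort -n -u \
        | tr '\n' ',' \
        | sed 's/,$//'
}

# Build the stage-2 command line for a host and its open port list.
# Printed rather than run so it can be logged or reviewed before execution.
stage2_command() {
    ip=$1
    ports=$2
    out=$3
    printf 'nmap -sV -sC --reason -p %s -oA %s %s\n' "$ports" "$out" "$ip"
}

# Full workflow. --min-rate 1000 trades some accuracy for speed; lower it on
# flaky links or pair it with --max-retries from the tuning options above.
run_two_stage_scan() {
    ip=$1
    outdir=${2:-scans}            # assumed output directory
    mkdir -p "$outdir"
    nmap -p- -sS --min-rate 1000 --open -oG "$outdir/stage1.gnmap" "$ip" >/dev/null
    ports=$(open_ports_from_gnmap "$outdir/stage1.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $ip" >&2
        return 1
    fi
    echo "stage 2: $(stage2_command "$ip" "$ports" "$outdir/stage2")"
    nmap -sV -sC --reason -p "$ports" -oA "$outdir/stage2" "$ip"
}

# Constructed sample of -oG output (not real scan data) so the parser can be
# tested offline. Note the filtered 8080 entry that must not be picked up.
write_sample_gnmap() {
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- -sS --open -oG stage1.gnmap 10.10.10.5
Host: 10.10.10.5 ()    Status: Up
Host: 10.10.10.5 ()    Ports: 443/open/tcp//https///, 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/filtered/tcp//http-proxy///    Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned
EOF
}

# Usage: ./twostage.sh 10.10.10.5 scans/target
if [ $# -ge 1 ]; then
    run_two_stage_scan "$@"
fi
```

Run it as root (the -sS stage needs raw sockets). The parser is the piece worth keeping even if you change the scan flags: it is what lets you feed one scanner's output into the next without retyping port lists.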
banner grabbing
nc -nv $IP 22
nmap -sV $IP
Vulnerability scanners
Nmap Scripting Engine (NSE) scripts (Open Source)
nuclei (Open Source)
openvas (Open Source)
nessus (Commercial with free trial)
nexpose (Commercial with free trial)
qualys (Commercial)
Import nmap results into msfconsole (save the scan in XML with -oX first)
db_import ./nmap_target_network.xml
Traceroute
traceroute $IP
hping3 --traceroute $IP
Firewalking (traceroute on a port the firewall is likely to allow, such as 53, to see what sits behind it)
tracepath -n -p 53 $IP
traceroute -n -M default -p 53 $IP
Draw network diagram
zenmap
Advanced scanning
Firewall bypass
nmap -sS -f $IP
(-f and --mtu are mutually exclusive: use either -f or --mtu 8, and the MTU must be a multiple of 8; fragmentation only applies to raw-packet scans such as -sS run as root)
IPv6 scanning
nmap -6 $IP
Idle scanning: scans through a zombie host, so the target only ever sees the zombie's IP address
nmap -Pn -sI $ZOMBIE_IP $IP
Decoy scanning: mixes your probes with probes that appear to come from several decoy IPs (ME marks your own address in the list)
nmap -sS -D $DECOY1,$DECOY2,ME $IP
FTP bounce scan: asks an FTP server that allows PORT to arbitrary hosts to connect to the target on your behalf (anonymous login by default; prefix user:pass@ for credentials)
nmap -Pn -b $FTP_SERVER $IP
Massive scanning of a class A network, or of the whole IPv4 space, with masscan: https://github.com/robertdavidgraham/masscan
masscan -p80,8000-8100 10.0.0.0/8
Banner grabbing with masscan (--source-ip must be an unused address on the local network: masscan completes the TCP handshake itself, and if it used the host's own address the kernel would reset the connections)
masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200
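masscan only tells you that a port answered a SYN; identifying the service is nmap's job. The script below is an added example, not code from the original post or the masscan project: it groups masscan's list output (-oL, one "open tcp <port> <ip> <timestamp>" line per hit) by host and emits one nmap version scan per host. The address range, rate, exclude file name and sample hits are assumptions.

```shell
#!/bin/sh
# masscan sweep followed by per-host nmap follow-up (added example, not from
# the original post).

# Stage 1: the sweep. --rate is packets per second; keep it well below what
# the uplink and the target network can absorb. --excludefile keeps
# out-of-scope addresses out of the scan. exclude.txt is an assumed file name.
run_masscan() {
    range=$1
    ports=$2
    out=$3
    masscan "$range" -p"$ports" --rate 10000 --excludefile exclude.txt -oL "$out"
}

# Group masscan -oL results into "host port,port,..." lines. Hosts are sorted
# by address string and ports numerically, so the output is deterministic even
# though masscan reports hits in whatever order the replies arrive.
masscan_hosts_ports() {
    grep '^open tcp ' "$1" \
        | sort -k4,4 -k3,3n \
        | awk '$4 != host { if (host != "") print host, ports; host = $4; ports = $3; next }
               { ports = ports "," $3 }
               END { if (host != "") print host, ports }'
}

# Print one nmap version-scan command per host. Review the list, then pipe it
# to sh; -Pn skips host discovery because masscan already proved the host is up.
masscan_to_nmap() {
    masscan_hosts_ports "$1" | while read -r host ports; do
        printf 'nmap -sV -Pn -p %s %s\n' "$ports" "$host"
    done
}

# Constructed sample -oL file (not real scan results) for exercising the parser.
# Hits are deliberately out of order, as they would be in a real sweep.
write_sample_masscan() {
    cat > "$1" <<'EOF'
#masscan
open tcp 8080 10.0.0.5 1700000001
open tcp 80 10.0.0.9 1700000002
open tcp 80 10.0.0.5 1700000000
# end
EOF
}

# Usage: run_masscan 10.0.0.0/8 80,8000-8100 sweep.lst && masscan_to_nmap sweep.lst | sh
```

Banner lines from --banners start with "banner" rather than "open", so they are ignored by the grouping and do not produce duplicate follow-up scans.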