✅ Best commands for Port Scanning — For OSCP, pentests, bug bounties

Learn several techniques to scan hosts, bypass firewalls and scan the whole IPv4 universe.

In a penetration testing engagement, scanning is a very important phase in which we get to know better the potential vulnerabilities of the machines inside the scope. If you miss some UDP or TCP port with vulnerabilities to exploit, your probability to success will be much lower, so pay a lot of attention to this phase.

Host scanning

FAST-LIGHT SCAN

nmap --top-ports 10 --open $IP

Heavy scan (slow)

nmap -p- -sV --reason --dns-server ns $IP

Unicornscan. Very fast especially for UDP ports:

us -mT -Iv $IP:a -r 3000 -R 3 && us -mU -Iv $IP:a -r 3000 -R 3

Other methods:

nmap -sS -T4 -iL hosts_up.txt
nmap -sS -sV -T4 $IP
hping3 --scan known $IP/24
nc -nvz $IP 1-1024

nmap tuning options

--max-retries
--max-scan-delay
--defeat-rst-ratelimit

banner grabbing

nc -nv $IP 22
nmap -sV $IP

Vulnerability scanners

Import to msfconsole

db_import ./nmap_target_network.xml

Traceroute

traceroute $IP
hping3 --traceroute $IP

FIREWALKING

tracepath -n -p 53 $IP
traceroute -n -M default -p 53 $IP

Draw network diagram

zenmap

https://app.diagrams.net/

Advanced scanning

Firewall bypass

nmap -f --mtu=512 $IP

IPv6 scanning

nmap -6 $IP

Idle scanning: Scans through a zombie host

nmap -sI $IP

Decoy scanning: Sends several decoy IPs

nmap -D $IP

FTP bounce scan:

nmap -b $FTP_SERVER

Massive scanning in class A or IPv4 using masscan: https://github.com/robertdavidgraham/masscan

masscan -p80,8000-8100 10.0.0.0/8

Banner checking with masscan

masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200

Posted

in

by

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *