Sometimes when doing lateral movement in a penetration testing engagement, we don't want to use nmap to keep a low footprint. There it comes netcat to the rescue which it is already installed in many Linux systems.

With this command we can easily perform a port scanning for the most used ports:

nc -n -v -z -w 1 192.168.1.1 20 21 22 23 25 80 443 8080 8081

If you are willing to scan all 65535 TCP ports, take your time, it takes around 1 second per port as specified with -w 1 flag:

More tricks in the Enumeration penetration testing post:

Learn Pentesting like a Pro

🥷 Enumeration Cheat Sheet for the 25 most used protocols: From DNS to ElasticSearch

#1: DNS Enumeration nmap -T4 -sS -p 53 $IP/24 Enumerate ALL DNS records! Maybe hidden hosts in network recon dig -t all target1 target2 target3 @$DNSSERVER DNS recon (brute force subdomains): dnsrecon -d $IP -t brt -D /usr/share/wordlists/dnsmap.txt dnsenum $DOMAIN fierce -dns $DOMAIN -wordlist dictionary.txt…

Read more

2 years ago · pentesting.academy