
Port Scanning

Netcat host scanning based on an open port (sweep a /24 for TCP 445; the second form hides netcat's own error lines so only successful connections are shown)

for i in $(seq 1 254); do nc -zv -w 1 X.X.X.$i 445; done
for i in $(seq 1 254); do nc -zv -w 1 X.X.X.$i 445; done 2>&1 | grep -Ev "^nc"

TCP Connect scanning using netcat

nc -nvv -w 1 -z <TARGET IP> 3388-3390

UDP scanning using netcat

nc -nv -u -z -w 1 <TARGET IP> 160-162

Nmap Stealth Scan

sudo nmap -sS <TARGET IP>

Nmap Connect Scan

nmap -sT <TARGET IP>

Nmap UDP scan

sudo nmap -sU <TARGET IP>

Nmap combination scan

sudo nmap -sS -sU <TARGET IP>

Nmap Network Sweeping

nmap -sn X.X.X.1-254

Nmap OS Fingerprinting

sudo nmap -O <TARGET IP>

Nmap scan of the top 20 ports, saving the results in grepable format

nmap -sT -A --top-ports=20 X.X.X.1-254 -oG top-port-sweep.txt
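The grepable (-oG) file written by the sweep above is meant to be processed further, for example to turn a sweep into an exposure inventory. The following added example is not part of the original notes: it is a small POSIX shell/awk parser that lists every open port per host and the hosts exposing a given port. The scan output it reads is a constructed sample that mimics nmap's tab-separated -oG layout, and the 10.0.0.x addresses and service banners in it are placeholders.

```shell
#!/bin/sh
# Parse nmap grepable (-oG) output: list open ports per host and hosts exposing one port.
# Added example; write_sample creates constructed scan output, not data from a real scan.

# write_sample FILE -> writes a constructed -oG file (fields are tab-separated, as nmap emits them)
write_sample() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sT --top-ports=20 -oG top-port-sweep.txt 10.0.0.1-254' > "$1"
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx/, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (17)\n' >> "$1"
    printf 'Host: 10.0.0.9 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (18)\n' >> "$1"
    printf '%s\n' '# Nmap done -- 254 IP addresses (2 hosts up) scanned in 12.34 seconds' >> "$1"
}

# open_ports FILE -> prints "host port/proto service" for each port whose state is "open"
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " ")                  # $1 is "Host: <ip> (<hostname>)"
            host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entries, ", ")
                    for (j = 1; j <= n; j++) {
                        # each entry is port/state/proto/owner/service/rpcinfo/version/
                        split(entries[j], f, "/")
                        if (f[2] == "open") print host, f[1] "/" f[3], f[5]
                    }
                }
            }
        }' "$1"
}

# hosts_with_port FILE PORT -> prints the hosts that expose TCP PORT in state "open"
hosts_with_port() {
    open_ports "$1" | awk -v p="$2" '$2 == p "/tcp" { print $1 }'
}

# Stand-alone demo: build the sample, list open ports, then list hosts exposing SMB (445)
demo_file=$(mktemp)
write_sample "$demo_file"
open_ports "$demo_file"
echo "--- hosts with TCP 445 open ---"
hosts_with_port "$demo_file" 445
rm -f "$demo_file"
```

Point the functions at the real top-port-sweep.txt from the command above to get the same two views of an actual sweep; because the parser keys on the state field, closed and filtered entries are dropped and only reachable services appear in the inventory.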

Nmap Banner Grabbing/Service Enumeration

nmap -sV -sT -A <TARGET IP>

Nmap Scripting Engine (NSE); the bundled scripts live in /usr/share/nmap/scripts

The smb-os-discovery script attempts to connect to the SMB service on a target system and determine its operating system.

nmap <TARGET IP> --script=smb-os-discovery

Nmap DNS Zone Transfer

nmap --script=dns-zone-transfer -p 53 ns1.example.com

Nmap NSE: view the help text for a script

nmap --script-help <script name>
# ex. nmap --script-help dns-zone-transfer

Masscan on a class C subnet. Useful masscan options include --rate to set the desired packet transmission rate, -e to select the raw network interface to use, and --router-ip to specify the IP address of the appropriate gateway:

sudo masscan -p80 X.X.X.0/24 --rate=1000 -e tap0 --router-ip <TARGET GATEWAY>

Checking the SMB port (TCP 445) via PowerShell

Test-NetConnection -Port 445 <TARGET IP>

Automating the PowerShell port scan (TCP ports 1-1024; connection errors are discarded with 2>$null so only open ports are printed)

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<TARGET IP>", $_)) "TCP port $_ is open"} 2>$null