Netcat host sweep based on a single open port (445/SMB here): loop over the /24 and report every host on which the port answers
for i in $(seq 1 254); do nc -zv -w 1 X.X.X.$i 445; done
Same sweep, filtered: netcat writes its results to stderr, so redirect it and drop the "nc: connect to ... failed" lines, leaving only the hosts where 445 is open
for i in $(seq 1 254); do nc -zv -w 1 X.X.X.$i 445; done 2>&1 | grep -Ev "^nc"
TCP connect scanning using netcat (-n skips DNS lookups, -z connects without sending data, -w 1 sets a one-second timeout)
nc -nvv -w 1 -z <TARGET IP> 3388-3390
UDP scanning using netcat; treat the results with caution, since UDP is connectionless and nc only reports a port closed when an ICMP port-unreachable comes back, so a filtered port looks the same as an open one
nc -nv -u -z -w 1 <TARGET IP> 160-162
Nmap stealth (SYN) scan: never completes the handshake, and needs raw-socket privileges, hence sudo
sudo nmap -sS <TARGET IP>
Nmap connect scan (full TCP handshake, works without root)
nmap -sT <TARGET IP>
Nmap UDP scan (needs root and is slow, since most UDP ports never answer)
sudo nmap -sU <TARGET IP>
Nmap combined SYN and UDP scan
sudo nmap -sS -sU <TARGET IP>
Nmap network sweeping: -sn does host discovery only, no port scan
nmap -sn X.X.X.1-254
Nmap OS Fingerprinting
sudo nmap -O <TARGET IP>
Nmap scan of the 20 most common ports across the range (-A adds OS detection, version detection, default scripts and traceroute), saved in greppable format so the results can be filtered later with grep
nmap -sT -A --top-ports=20 X.X.X.1-254 -oG top-port-sweep.txt
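Added example, not part of the original notes: a parser for nmap's greppable (-oG) output, the format top-port-sweep.txt above is written in, so a sweep can be queried for "which hosts have port X open" without a tangle of grep/cut/awk. The SAMPLE text is constructed to look like the output of the command above (host addresses and hostnames are placeholders); on a real file call parse_greppable(open("top-port-sweep.txt").read()).

```python
# Added example (not from the original notes): parse nmap -oG output. Each host line is
# tab-separated "Key: value" fields; the Ports field lists entries in the form
# port/state/protocol/owner/service/rpcinfo/version/ separated by ", ".
import ipaddress
import re

# Constructed sample in the shape of the top-port sweep above; addresses are placeholders.
SAMPLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sT -A --top-ports=20 -oG top-port-sweep.txt 10.11.1.1-254
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (17)\tOS: Linux 3.2 - 4.9
Host: 10.11.1.22 (dc01.corp.local)\tStatus: Up
Host: 10.11.1.22 (dc01.corp.local)\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2016 Standard 14393 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (18)
# Nmap done at Mon Jan  1 10:02:34 2024 -- 254 IP addresses (2 hosts up) scanned in 154.21 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")
# Split only where the next "port/" entry begins, so a comma inside a version
# string does not break the parse.
PORT_SPLIT_RE = re.compile(r",\s+(?=\d+/)")


def parse_ports(value):
    """Turn the Ports field into a list of dicts (port, state, proto, service, version)."""
    ports = []
    for item in PORT_SPLIT_RE.split(value):
        parts = item.split("/")
        if len(parts) < 7:
            continue  # not a port entry
        ports.append({
            "port": int(parts[0]),
            "state": parts[1],
            "proto": parts[2],
            "service": parts[4],
            "version": parts[6],
        })
    return ports


def parse_greppable(text):
    """Return {ip: {"hostname": str, "status": str or None, "ports": [...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." header and footer lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                entry["ports"].extend(parse_ports(value))
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp"):
    """The question the nc 445 sweep at the top answers, but taken from the scan file."""
    hits = [ip for ip, h in hosts.items()
            if any(p["port"] == port and p["proto"] == proto and p["state"] == "open"
                   for p in h["ports"])]
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    hosts = parse_greppable(SAMPLE)
    for ip in sorted(hosts, key=ipaddress.ip_address):
        opened = [f'{p["port"]}/{p["proto"]} {p["service"]}'
                  for p in hosts[ip]["ports"] if p["state"] == "open"]
        print(ip, hosts[ip]["hostname"] or "-", ", ".join(opened))
    print("SMB hosts:", hosts_with_open_port(hosts, 445))
```

The parser keys on the "Host:" prefix and the tab-separated fields, so a -sn sweep (Status lines only, no Ports field) parses too, with empty port lists.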
Nmap Banner Grabbing/Service Enumeration
nmap -sV -sT -A <TARGET IP>
Nmap Scripting Engine (NSE); the scripts live in /usr/share/nmap/scripts
The smb-os-discovery script attempts to connect to the SMB service on a target system and determine its operating system
nmap <TARGET IP> --script=smb-os-discovery
Nmap DNS zone transfer (AXFR) attempt against a nameserver; if the script cannot infer the zone from the target name, pass it with --script-args dns-zone-transfer.domain=example.com
nmap --script=dns-zone-transfer -p 53 ns1.example.com
Nmap NSE script help (what a script does and which --script-args it takes)
nmap --script-help <script name>
# ex. nmap --script-help dns-zone-transfer
Masscan on a class C subnet. Masscan uses its own userland TCP/IP stack, so it has to be told how to reach the network explicitly: --rate sets the packet transmission rate, -e the raw network interface to send on, and --router-ip the IP address of the gateway for that interface:
sudo masscan -p80 X.X.X.0/24 --rate=1000 -e tap0 --router-ip <TARGET GATEWAY>
Port scanning SMB via PowerShell
Test-NetConnection -Port 445 <TARGET IP>
Automating the PowerShell port scanning: TcpClient.Connect() throws on a closed or filtered port, so the echo only runs when the connection succeeded, and 2>$null hides the exceptions for the rest
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<TARGET IP>", $_)) "TCP port $_ is open"} 2>$null
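Added example, not part of the original notes: a small concurrent TCP connect scanner that does what the netcat -z loops near the top of the page and the PowerShell TcpClient one-liner above do, and classifies each port the way nmap -sT does. The demo() self-check uses a throwaway listener on 127.0.0.1 (a constructed target, not a real host) so the open-to-closed transition can be seen without touching a network.

```python
# Added example (not from the original notes): TCP connect scanning in Python.
#   connect() completes the handshake           -> open
#   the target answers with RST (ECONNREFUSED)   -> closed
#   nothing comes back before the timeout        -> filtered (something drops the SYN)
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Attempt a full TCP handshake to host:port; return 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            # timeout, no route (EHOSTUNREACH) or similar: nothing answered, so the
            # port is most likely behind a firewall that drops the probe
            return "filtered"


def scan(host, ports, timeout=1.0, workers=64):
    """Scan the given ports concurrently (like the 1..1024 loop, but in parallel)."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p, timeout), ports)
        return dict(zip(ports, states))


def open_ports(host, ports, timeout=1.0):
    """Just the open ports, sorted."""
    return sorted(p for p, state in scan(host, ports, timeout).items() if state == "open")


def demo():
    """Self-check against a constructed local target: bind an ephemeral port on
    127.0.0.1, scan a small window around it, then close the listener and probe the
    same port again so it can be seen flipping from open to closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    srv.listen(8)
    port = srv.getsockname()[1]
    try:
        while_open = scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()
    after_close = probe("127.0.0.1", port)
    return port, while_open, after_close


if __name__ == "__main__":
    port, while_open, after_close = demo()
    for p, state in sorted(while_open.items()):
        print(f"127.0.0.1:{p:<5} {state}")
    print(f"after closing the listener, port {port} is {after_close}")
```

Against a real target replace the loopback address and range, e.g. open_ports("<TARGET IP>", range(1, 1025)); a "filtered" result is the case the nc and PowerShell loops above cannot distinguish from "closed".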