External/Internal
Nmap
For running Nmap from Docker, see the Nmap Docker section below.
Nmap to Markdown: Nmap2md
Network Discovery with scripts
sudo nmap -sS -Pn -sV -v --top-ports 8000 --min-parallelism 20 --min-hostgroup 30 --max-rtt-timeout 300ms --max-retries 2 -oA SYN_8K_ports --script default,discovery,broadcast --open -iL ip_hostname.txt
# --open reports only open ports (nmap has no --open-only; that flag belongs to masscan)
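Whichever scan you run, the -oA / -oX output is what you work from afterwards. As an added example (not Nmap2md's code and not part of this cheat sheet originally), here is a small Python parser that turns nmap or masscan XML into the kind of Markdown table Nmap2md produces: it keeps only hosts that are up and have confirmed-open ports (so open|filtered UDP guesses are dropped), merges masscan's one-host-element-per-port layout into one row set per IP, and orders hosts by address. SAMPLE_XML is a constructed document for the demo; pass a real file path as the first argument to use your own output.

```python
"""Summarise nmap -oX / masscan -oX results as a Markdown table of open ports.

Added example for this cheat sheet (not Nmap2md's or nmap's code). Assumes the
nmap XML layout (<host>, <address>, <ports>/<port>/<state>/<service>), which
masscan -oX also follows, except that masscan emits one <host> per
(address, port) pair and no <status> element.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample output: one host with two open and one filtered port,
# one host with an open UDP port and no PTR name, one host that is down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX out.xml 10.0.0.0/29">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.lab.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames/>
    <ports>
      <port protocol="udp" portid="161"><state state="open" reason="udp-response"/>
        <service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ip: {"hostname": str | None, "ports": [(proto, port, service), ...]}}.

    Only hosts that are up and have at least one open port are kept; results for
    the same IP spread over several <host> elements (masscan style) are merged.
    """
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # nmap marks dead hosts; masscan has no <status>, so missing means up
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue  # no IP address recorded for this host element
        ip = addr.get("addr")
        entry = hosts.setdefault(ip, {"hostname": None, "ports": set()})
        name = host.find("hostnames/hostname")
        if name is not None and entry["hostname"] is None:
            entry["hostname"] = name.get("name")
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed, filtered and open|filtered (unconfirmed UDP) ports
            svc = port.find("service")
            fields = [] if svc is None else [svc.get(k) for k in ("name", "product", "version")]
            service = " ".join(f for f in fields if f)
            entry["ports"].add((port.get("protocol"), int(port.get("portid")), service))
    # keep only hosts with open ports; sort ports numerically, then by protocol
    return {
        ip: {"hostname": e["hostname"], "ports": sorted(e["ports"], key=lambda p: (p[1], p[0]))}
        for ip, e in hosts.items() if e["ports"]
    }


def to_markdown(results):
    """Render parse_open_ports() output as a Markdown table, hosts in address order."""
    lines = ["| Host | Hostname | Port | Service |", "|---|---|---|---|"]
    order = lambda ip: (ipaddress.ip_address(ip).version, ipaddress.ip_address(ip))
    for ip in sorted(results, key=order):
        hostname = results[ip]["hostname"] or ""
        for proto, port, service in results[ip]["ports"]:
            lines.append(f"| {ip} | {hostname} | {port}/{proto} | {service} |")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(to_markdown(parse_open_ports(xml_text)))
```

Run it as `python3 nmap2table.py SYN_8K_ports.xml > ports.md` on a real -oX/-oA file; the filtered port 23 and the down host 10.0.0.3 in the sample never reach the table, which is the behaviour you want when the table is the basis for the next scanning or triage step.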
ICMP
This is the easiest and fastest way to discover whether a host is up or not. You send some ICMP packets and look for responses; the simplest form is an echo request and its reply. You can do that with a plain ping, or with fping for ranges. You can also use nmap to send other ICMP types (timestamp and subnet mask requests), which gets past filters that only block the common ICMP echo request/response.
ping -c 1 199.66.11.4 # 1 echo request to a host
fping -g 199.66.11.0/24 # Send echo requests to ranges
nmap -PE -PM -PP -sn -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests
sudo nmap -PE -PP -PM --min-parallelism 20 --min-hostgroup 30 --max-rtt-timeout 30ms --max-retries 2 -A -oA HostDiscoveryMultipleICMP <NETWORK>
# -A adds OS/version detection and a port scan on every host found; add -sn to stop at host discovery
UDP Port Discovery
You could also try to check for some UDP port open to decide if you should pay more attention to a host. As UDP services usually don't respond with any data to a regular empty UDP probe packet it is difficult to say if a port is being filtered or open. The easiest way to decide this is to send a packet related to the running service, and as you don't know which service is running, you should try the most probable based on the port number:
nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable
The nmap line above will test the top 1000 UDP ports on every host inside the /24 range, but even that will take more than 20 minutes. If you need faster results you can use udp-proto-scanner:
./udp-proto-scanner.pl 199.66.11.53/24
This sends each of the following UDP probes to its expected port (for a /24 range this takes about 1 minute): DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike, ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp.
Nmap Docker
Using the https://hub.docker.com/r/instrumentisto/nmap
docker run --rm -it -v "<LOCAL_FOLDER>:/nmap" instrumentisto/nmap <NMAP PARAMETERS> -oA /nmap/<OUTPUT_NAME> <DOMAIN/S>
Using a list of domains/IPs
Ensure that the local file with the domain list exists, i.e. make sure that the <DOMAIN_LIST.txt> file is located in <LOCAL_FOLDER>.
docker run --rm -it -v "<LOCAL_FOLDER>:/nmap" instrumentisto/nmap <NMAP PARAMETERS> -oA /nmap/<OUTPUT NAME> -iL /nmap/<DOMAIN_LIST.txt>
Masscan
Scan Networks
# Locally
sudo masscan 10.6.66.40 10.6.104.191 10.11.119.9 10.6.67.21 -p 21,22,23,25,100-700,3389,8080 --banners -e cscotun0 --open-only --max-rate 10000 -oX output-file.xml
# Docker (the XML is written to the mounted volume, so it appears in <LOCAL_FOLDER> on the host)
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan 10.6.66.40 10.6.104.191 10.11.119.9 10.6.67.21 -p 21,22,23,25,100-700,3389,8080 --banners -e eth0 --open-only --max-rate 10000 -oX /masscan/output-file.xml
HTTP Port Discovery
This is just a TCP port discovery useful when you want to focus on discovering HTTP services:
# Locally
sudo masscan -p80,443,8000-8100,8443 <199.66.11.0/24> --open-only -oX output-file.xml
# Docker
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan <199.66.11.0/24> -p80,443,8000-8100,8443 --banners -e eth0 --open-only --max-rate 10000 -oX /masscan/output-file.xml
Scan Specific Hosts
Masscan only accepts IP addresses and does not support hostnames in its input list. If your input file contains hostnames (like example.com), that will cause an error, as Masscan cannot resolve them automatically.
You'll need to resolve the hostnames into IP addresses before running the Masscan scan. Here's how you can do that:
Resolve Hostnames to IPs
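One way to do that step, as an added example (not masscan's own tooling and not from the original cheat sheet): a small Python script that takes a scope file mixing hostnames, IPs and CIDRs, resolves the hostnames, drops duplicates and prints the IP-only list that -iL expects, reporting separately any name that did not resolve so it is not silently lost from scope. The hostnames in SAMPLE_TARGETS and the answers in FAKE_TABLE are constructed placeholders so the demo runs offline; with the default system_resolver the script uses real DNS.

```python
"""Expand a mixed scope file (IPs, CIDRs, hostnames) into the IP-only list masscan -iL expects.

Added example for this cheat sheet, not masscan's code. The system resolver is
used by default; fake_resolver/FAKE_TABLE are a constructed stand-in for DNS so
the demo can run without network access.
"""
import ipaddress
import socket

# Constructed sample scope; the hostnames are placeholders under the reserved .invalid TLD.
SAMPLE_TARGETS = """\
# internal assessment scope
10.6.66.40
10.6.104.0/30          # CIDR is fine, masscan accepts it as-is
files.corp.invalid
10.6.66.40             # duplicate, must appear only once
"""

# Constructed answers for the sample above (offline stand-in for DNS).
FAKE_TABLE = {"files.corp.invalid": ["10.6.67.21", "10.6.66.40"]}


def fake_resolver(hostname):
    """Return the constructed answers for a hostname, or [] when it has none."""
    return FAKE_TABLE.get(hostname, [])


def system_resolver(hostname):
    """Resolve with the OS resolver; returns every A/AAAA answer, scope ids stripped."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0].split("%", 1)[0] for info in infos})


def expand_targets(text, resolver=system_resolver):
    """Return (targets, unresolved).

    targets: sorted, de-duplicated IP/CIDR strings ready for masscan -iL.
    unresolved: hostnames that returned no address (excluded from targets).
    """
    nets, unresolved = set(), []
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not token:
            continue
        try:
            nets.add(ipaddress.ip_network(token, strict=False))
            continue                            # already an IP or CIDR
        except ValueError:
            pass                                # not an address: treat as hostname
        answers = resolver(token)
        if not answers:
            unresolved.append(token)
        for addr in answers:
            nets.add(ipaddress.ip_network(addr))
    ordered = sorted(nets, key=lambda n: (n.version, n.network_address, n.prefixlen))
    return [_fmt(n) for n in ordered], unresolved


def _fmt(net):
    """Single addresses print without the /32 or /128 suffix; real CIDRs keep it."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


if __name__ == "__main__":
    # Redirect stdout to hosts.txt and feed it to: sudo masscan -iL hosts.txt ...
    targets, unresolved = expand_targets(SAMPLE_TARGETS, resolver=fake_resolver)
    print("\n".join(targets))
    for name in unresolved:
        print(f"# unresolved, excluded from scan: {name}")
```

Unresolved names are printed as comment lines rather than dropped silently, so a typo in the scope file shows up before the scan runs instead of after the report is written.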
Run the Scan
# Locally
sudo masscan -iL <hosts.txt> -p 21,22,23,25,100-700,3389,8080 --banners --open-only --max-rate 100 -oX <output-file.xml>
# Docker
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan -iL /masscan/<HOSTS.txt> -p 21,22,23,25,100-700,3389,8080 --banners -e eth0 --open-only --max-rate 10000 -oX /masscan/output-file.xml
Zmap
zmap -p 445 -o output-file 172.16.0.0/16 10.32.0.0/16 10.200.0.0/16
sn1per
Repository: https://github.com/1N3/Sn1per
Info: Automated Pentest Recon Scanner
DISCOVER
Parses all hosts on a subnet/CIDR (i.e. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
sudo sniper -t <CIDR> -m discover -w <WORKSPACE_ALIAS>
sudo sniper -t www.domain.com -m discover -w workspace_name
AIRSTRIKE
Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts/IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
sudo sniper -f /full/path/to/targets.txt -m airstrike
sudo sniper -t <domain.com|CIDR> -m discover -w domain && sudo sniper -f /usr/share/sniper/loot/domain/lyse/domains/targets.txt -m airstrike

HackerTarget Tools
Repo: https://hackertarget.com/ip-tools/
Info: The following are a collection of online IP Tools that can be used to quickly get information about IP Addresses, Web Pages and DNS records.
These tools are placed here to be a quick reference whether you are assessing your organization's systems, or popping boxes on a penetration testing engagement.