search
Page cover

right-from-bracketExternal/Internal

hashtag
Nmap

circle-check

For Nmap Docker

circle-check

Nmap to Markdown: Nmap2mdarrow-up-right

hashtag
Network Discovery with scripts

sudo nmap -sS -Pn -sV -v --top-ports 8000 --min-parallelism 20 --min-hostgroup 30 --max-rtt-timeout 300ms --max-retries 2 -oA SYN_8K_ports --script default,discovery,broadcast --open-only -iL ip_hostname.txt
circle-info

--script=default: Runs a set of default scripts that are commonly used for network discovery and general scanning. It includes basic checks for services, OS detection, and some vulnerability checks.

  • broadcast category: These scripts are designed for discovering hosts and services by broadcasting requests across the network.

  • discovery category: These scripts are more specific to discovering information about the network.

-sV: Detects the version of services running on open ports.

--open-only report only open ports, not closed ports.

hashtag
ICMP

This is the easiest and fastest way to discover if a host is up or not. You could try to send some ICMP packets and expect responses. The easiest way is just sending an echo request and expect from the response. You can do that using a simple pingor using fpingfor ranges. You could also use nmap to send other types of ICMP packets (this will avoid filters to common ICMP echo request-response).

ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to ranges
nmap -PE -PM -PP -sn -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests
sudo nmap -PE -PP -PM --min-parallelism 20 --min-hostgroup 30 --max-rtt-timeout 30ms --max-retries 2 -A -oA HostDiscoveryMultpleICMP Network
circle-info

-PE Use ICMP Echo Request

-PP Use ICMP Timestamp Request

-PM Use ICMP Netmask Request

hashtag
UDP Port Discovery

You could also try to check for some UDP port open to decide if you should pay more attention to a host. As UDP services usually don't respond with any data to a regular empty UDP probe packet it is difficult to say if a port is being filtered or open. The easiest way to decide this is to send a packet related to the running service, and as you don't know which service is running, you should try the most probable based on the port number:

The nmap line proposed before will test the top 1000 UDP ports in every host inside the /24 range but even only this will take >20min. If need fastest results you can use udp-proto-scannerarrow-up-right: ./udp-proto-scanner.pl 199.66.11.53/24 This will send these UDP probes to their expected port (for a /24 range this will just take 1 min): DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike,ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp.

hashtag
Nmap Docker

Using the https://hub.docker.com/r/instrumentisto/nmaparrow-up-right

hashtag
Using a list of domains/IPs

Ensure that the local file with a domain list exists, so make sure that the <DOMAIN_LIST.txt> file is located in <LOCAL_FOLDER>.

hashtag
Masscan

hashtag
Scan Networks

circle-info

--banners specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

--open-only report only open ports, not closed ports.

-oX / -oG: Use -oX for an XML output or -oG for a grepable output

hashtag
HTTP Port Discovery

This is just a TCP port discovery useful when you want to focus on discovering HTTP services:

circle-info

--banners specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

--open-only report only open ports, not closed ports.

-oX / -oG: Use -oX for an XML output or -oG for a grepable output

hashtag
Scan Specific Hosts

Masscan only accepts IP addresses and does not support hostnames in its input list. If your input file contains hostnames (like example.com), that will cause an error, as Masscan cannot resolve them automatically.

You’ll need to resolve the hostnames into IP addresses before running the Masscan scan. Here’s how you can do that: Resolve Hostnames to IPs

hashtag
Run the Scan

circle-info

--banners specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

--open-only report only open ports, not closed ports.

-oX / -oG: Use -oX for an XML output or -oG for a grepable output

hashtag
Zmap

hashtag
sn1per

Repository: https://github.com/1N3/Sn1perarrow-up-right

Info: Automated Pentest Recon Scanner

hashtag
DISCOVER

Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.

hashtag
AIRSTRIKE

Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.

sn1per in Airstrike mode

hashtag
HackerTarget Tools

Repo: https://hackertarget.com/ip-tools/arrow-up-right

Info: The following are a collection of online IP Tools that can be used to quickly get information about IP Addresses, Web Pages and DNS records.

These tools are placed here to be a quick reference whether you are assessing your organizations systems, or popping boxes on a penetration testing engagement.

PreviousNetwork Host Scan/DiscoveryNextInternal only

Last updated