# External/Internal

## Nmap

{% hint style="success" %}
See [Nmap Docker](#nmap-docker) below for running Nmap from a container.
{% endhint %}

{% hint style="success" %}
Nmap to Markdown: [Nmap2md](https://app.gitbook.com/o/5S34jejP8cj7fWWt6R2a/s/-Lt8335BPUBXjq3iC572/pentest-book/parsing-reporting/parsing#nmap2md)
{% endhint %}

### Network Discovery with scripts

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo nmap -sS -Pn -sV -v --top-ports 8000 --min-parallelism 20 --min-hostgroup 30 --max-rtt-timeout 300ms --max-retries 2 -oA SYN_8K_ports --script default,discovery,broadcast --open -iL ip_hostname.txt
```

{% endcode %}

{% hint style="info" %}
**`--script=default:`** Runs a set of default scripts that are commonly used for network discovery and general scanning. It includes basic checks for services, OS detection, and some vulnerability checks.

* **`broadcast`** category: These scripts are designed for discovering hosts and services by broadcasting requests across the network.
* **`discovery`** category: These scripts are more specific to discovering information about the network.

**`-sV`**: Detects the version of services running on open ports.

**`--open`**: report only open ports, not closed or filtered ones (`--open-only` is the masscan spelling; nmap uses `--open`).
{% endhint %}

### ICMP <a href="#icmp" id="icmp"></a>

This is the **easiest** and **fastest** way to discover whether a host is up or not. You could try to send some **ICMP** packets and **expect responses**. The easiest way is just sending an **echo request** and waiting for the reply. You can do that using a simple `ping` or using `fping` for **ranges**. You could also use **nmap** to send other types of ICMP packets (this can get past filters that only drop the common ICMP echo request/reply).

{% code overflow="wrap" lineNumbers="true" %}

```bash
ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to ranges
nmap -PE -PM -PP -sn -n 199.66.11.0/24  # Send echo, timestamp and netmask requests
```

{% endcode %}

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo nmap -PE -PP -PM --min-parallelism 20 --min-hostgroup 30 --max-rtt-timeout 30ms --max-retries 2 -A -oA HostDiscoveryMultipleICMP <NETWORK>
```

{% endcode %}

{% hint style="info" %}
**`-PE`** Use ICMP Echo Request

**`-PP`** Use ICMP Timestamp Request

**`-PM`** Use ICMP Netmask Request
{% endhint %}

### UDP Port Discovery <a href="#udp-port-discovery" id="udp-port-discovery"></a>

You could also try to check whether some **UDP port is open** to decide if you should **pay more attention** to a **host.** As UDP services usually **don't respond** with **any data** to a regular empty UDP probe packet, it is difficult to say whether a port is filtered or open. The easiest way to decide this is to send a packet related to the running service, and as you don't know which service is running, you should try the most probable one based on the port number:

{% code overflow="wrap" lineNumbers="true" %}

```bash
nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable
```

{% endcode %}

The nmap line proposed before will test the **top 1000 UDP ports** in every host inside the **/24** range, but even only this will take **>20min**. If you need **faster results** you can use [**udp-proto-scanner**](https://github.com/portcullislabs/udp-proto-scanner): `./udp-proto-scanner.pl 199.66.11.53/24`. This will send these **UDP probes** to their **expected port** (for a /24 range this will just take 1 min): *DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike, ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp.*

***

### Nmap Docker

Using the [instrumentisto/nmap](https://hub.docker.com/r/instrumentisto/nmap) image, with a local folder mounted as `/nmap` so the output files survive the container:

{% code overflow="wrap" lineNumbers="true" %}

```bash
docker run --rm -it -v "<LOCAL_FOLDER>:/nmap" instrumentisto/nmap <NMAP PARAMETERS> -oA /nmap/<OUTPUT_NAME> <DOMAIN/S>
```

{% endcode %}

#### Using a list of domains/IPs

Make sure the domain list file `<DOMAIN_LIST.txt>` is located in `<LOCAL_FOLDER>`, since that folder is what gets mounted into the container as `/nmap` and is the only path nmap can read the list from.

{% code overflow="wrap" lineNumbers="true" %}

```bash
docker run --rm -it -v "<LOCAL_FOLDER>:/nmap" instrumentisto/nmap <NMAP PARAMETERS> -oA /nmap/<OUTPUT_NAME> -iL /nmap/<DOMAIN_LIST.txt>
```

{% endcode %}

***

## Masscan

### Scan Networks

{% code overflow="wrap" lineNumbers="true" %}

```bash
# Locally
sudo masscan 10.6.66.40 10.6.104.191 10.11.119.9 10.6.67.21 -p 21,22,23,25,100-700,3389,8080 --banners -e cscotun0 --open-only --max-rate 10000 -oX output-file.xml

# Docker (output goes to the mounted /masscan folder)
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan 10.6.66.40 10.6.104.191 10.11.119.9 10.6.67.21 -p 21,22,23,25,100-700,3389,8080 --banners -e eth0 --open-only --max-rate 10000 -oX /masscan/output-file.xml
```

{% endcode %}

{% hint style="info" %}
**`--banners`** specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

**`--open-only`** report only open ports, not closed ports.

**`-oX` / `-oG`:** Use `-oX` for an XML output or `-oG` for a grepable output
{% endhint %}

### HTTP Port Discovery <a href="#http-port-discovery" id="http-port-discovery"></a>

This is just a TCP port discovery that is useful when you want to **focus on discovering HTTP** **services**:

{% code overflow="wrap" lineNumbers="true" %}

```bash
# Locally
sudo masscan -p80,443,8000-8100,8443 <199.66.11.0/24> --open-only -oX output-file.xml

# Docker (output goes to the mounted /masscan folder)
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan <199.66.11.0/24> -p80,443,8000-8100,8443 --banners -e eth0 --open-only --max-rate 10000 -oX /masscan/output-file.xml
```

{% endcode %}

### Scan Specific Hosts

**Masscan** only accepts **IP addresses** (and CIDR ranges) and does not support **hostnames** in its input list. If your input file contains hostnames (like `example.com`), that will cause an error, as Masscan does not resolve them itself.

You’ll need to resolve the hostnames into IP addresses before running the Masscan scan. Here’s how you can do that: [Resolve Hostnames to IPs](https://pcastagnaro.gitbook.io/pentest-bug-bounty-resources/pentest-bounty-resources/networking/network-host-scan-discovery/..#resolve-hostnames-to-ips-linux-example)
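One way to do that resolution locally, as an added example that is not part of this page or of masscan: it reads a mixed `hosts.txt` (IPv4 addresses, CIDRs, hostnames, comments), passes IPs through, resolves names with `getent` (assumed to be available), and writes the IP-only list that `masscan -iL` accepts. The function names and the file layout are my own.

```shell
#!/bin/sh
# Added example, not code from the page: turn a mixed hosts.txt into the
# IPv4-only target list masscan -iL expects. Assumes getent(1) for resolution.
set -eu

# True if $1 is an IPv4 address or IPv4 CIDR, the forms masscan accepts as-is.
is_ipv4_target() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the IPv4 addresses a hostname resolves to, one per line (nothing on failure).
resolve_host() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u || true
}

# Read targets on stdin: pass IPs/CIDRs through, resolve hostnames, drop
# comments and blank lines, report unresolvable names on stderr, dedupe.
targets_to_ips() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | sed 's/#.*//' | tr -d ' \t\r')
    [ -z "$line" ] && continue
    if is_ipv4_target "$line"; then
      printf '%s\n' "$line"
    else
      ips=$(resolve_host "$line")
      if [ -n "$ips" ]; then
        printf '%s\n' "$ips"
      else
        printf 'unresolved: %s\n' "$line" >&2
      fi
    fi
  done | sort -u
}

# Usage: targets_to_ips < hosts.txt > ips.txt && sudo masscan -iL ips.txt -p 80,443 --open-only -oX out.xml
```

Names that fail to resolve are reported on stderr rather than silently dropped, so the target list you hand to masscan is auditable against the original scope file.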

#### Run the Scan

{% code overflow="wrap" lineNumbers="true" %}

```bash
# Locally
sudo masscan -iL <hosts.txt> -p 21,22,23,25,100-700,3389,8080 --banners --open-only --max-rate 100 -oX <output-file.xml>

# Docker (output goes to the mounted /masscan folder)
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan -iL /masscan/<HOSTS.txt> -p 21,22,23,25,100-700,3389,8080 --banners -e eth0 --open-only --max-rate 10000 -oX /masscan/output-file.xml
```

{% endcode %}

***

## Zmap

{% code overflow="wrap" lineNumbers="true" %}

```bash
zmap -p 445 -o output-file 172.16.0.0/16 10.32.0.0/16 10.200.0.0/16
```

{% endcode %}

***

## sn1per

**Repository:** <https://github.com/1N3/Sn1per>

**Info:** Automated Pentest Recon Scanner

### **DISCOVER**

Parses all hosts on a subnet/CIDR (i.e. `192.168.0.0/16`) and initiates a sniper scan against each host. Useful for internal network scans.

```bash
sudo sniper -t <CIDR> -m discover -w <WORKSPACE_ALIAS>
sudo sniper -t www.domain.com -m discover -w workspace_name
```

### **AIRSTRIKE**

Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full path of the file which contains all hosts/IPs that need to be scanned and run `sudo sniper -f /full/path/to/targets.txt -m airstrike` to begin scanning.

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo sniper -f /full/path/to/targets.txt -m airstrike
# Discover a domain or CIDR into a workspace, then airstrike the hosts it collected
sudo sniper -t <domain.com or CIDR> -m discover -w domain && sudo sniper -f /usr/share/sniper/loot/domain/lyse/domains/targets.txt -m airstrike
```

{% endcode %}

![sn1per in Airstrike mode](https://532189072-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lt8335BPUBXjq3iC572%2F-Luf-hGfDhOPlqAd_yD1%2F-Luf00tKFANQhn6Mb-LY%2Fimage.png?alt=media\&token=e7b6bebe-f4b0-4f32-aeb7-8812086368c3)

***

## HackerTarget Tools

**Repo:** <https://hackertarget.com/ip-tools/>

**Info:** The following are a collection of online IP Tools that can be used to quickly get information about IP Addresses, Web Pages and DNS records.

These tools are placed here as a quick reference, whether you are assessing your organization's systems or popping boxes on a penetration testing engagement.
