Exploit Notes
Exploit Notes

Exploits related to Reconnaissance

Others

Email Analysis
Google Dorks
IMINT (Image Intelligence) and GEOINT (Geospatial Intelligence)
OSINT (Open Source Intelligence)
Person Investigation
Port Scan
Reconnaissance
Social Engineering
Subdomain Discovery

Port Scan

Last modified: 2023-02-25

Network Reconnaissance

Port Scanning is a port mapping on the network. It is often executing when reconnaissance.

Nmap

Nmap is still the most commonly used tool when scanning ports of the target system.
But in recent years, some other tools, such as masscan or rustscan, are also becoming popular because the tools scan faster than nmap.

Basic Scan

It's recommened to do as stealth scan (SYN scan) by adding the option "-sS".
Also it’s prefered to add “-T2” flag.

sudo nmap -sS <target-ip>

# OS version detection (-V)
# Default NSE (-C)
sudo nmap -sSVC <target-ip>
# All detection
sudo nmap -sS -A <target-ip>

Skipping the host discovery

sudo nmap -sS -Pn <target-ip>

Scanning all ports.

sudo nmap -sS -p- <target-ip> --min-rate 1000
sudo nmap -sS -p 1-65535 <target-ip> --min-rate 1000

Scanning the specific range ports.

sudo nmap -sS -p 1000-1500 <target-ip>

Scannning top ports.

sudo nmap -sS --top-ports 100 <target-ip>

First 1000 ports.

sudo nmap -sS -p-1000 <target-ip>

UDP Scan

Sometimes you need the UDP scan.

nmap -sU --top-ports 25 <target-ip>
nmap -sU --top-ports 50 --open <target-ip>

Other Scan Techniques

FIN scan

# FIN scan
nmap -sF <target-ip>
# Xmas scan
nmap -sX <target-ip>

Firewall Bypass

# Fragmented packets
nmap -f <target-ip>

# Specify MTU (Maximum Transmission Unit)
nmap --mtu 16 <target-ip>
nmap --mtu 24 <target-ip>

# Decoy
nmap -D RND:3 <target-ip>

Nmap Scripting Engine (NSE)

nmap -sC <target-ip>
nmap --script vuln <target-ip>

Using Proxychains

First start Tor service.

sudo service tor start
sudo service tor status

To execute the nmap with proxychains, add the proxychains command before the nmap command.

sudo proxychains nmap -sS <target-ip>

Port Knocking

Port knocking is a method of establishing a connection to a networked computer that has no open ports.

for i in <port_1> <port_2> <port_3>;do nmap -Pn -p $i --host-timeout 201 --max-retries 0 <target-ip>;done

# or we can use `curl` command for knocking ports.
# -m: max time in seconds
curl <ip>:<port1> -m 1
curl <ip>:<port2> -m 1
curl <ip>:<port3> -m 1

After that, check if ports opened.

nmap <target-ip>

Massscan

Masscan is a TCP port scanner. It is faster than nmap.

masscan <target-ip>/16
masscan <target-ip>/24

# -p: Ports
masscan <target-ip>/16 -p 80,443
masscan <target-ip>/16 -p 22-80
masscan <target-ip>/16 -p 0-65535
# --top-ports
masscan <target-ip>/16 --top-ports 100

RustScan

RustScan is the modern port scanner. It is faster than nmap.

# -a: Addresses
# --ulimit: Limit system resource amounts
rustscan -a <target-ip-1>,<target-ip-2> --ulimit 5000
rustscan -a 'hosts.txt' --ulimit 5000

# CIDR
rustscan -a 192.168.0.0/30

# -p: Ports
rustscan -a <target-ip> -p 22,80

We can also use the Nmap arguments as below.

rustscan -a <target-ip> -- -sS -A

References

Twitter GitHub

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.