Scanning

Scripting here

Network Sweeping

pingnmapnetdiscover

#!/bin/bash

if [ -z $1 ]; then
    echo "Usage: $0 <SubIP>"
    exit
fi

for ip in $(seq 1 254); do
   ping -c 1 $1.$ip | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &
done

nmap -sn 192.168.11.0/24

netdiscover -r 192.168.11.0/24

Open Port Scanning

NetcatMasscanNmap

TCP

nc -nv -w 1 -z $ip 1-65535

UDP

nc -nv -w 1 -z -u $ip 1-65535

TCP

sudo masscan -i tun0 $ip -p0-65535 --rate 1000

sudo masscan -p80 192.168.11.0/24

UDP

masscan -pU 53 $ip

Quick scan

nmap --top-port 100 $ip

Grep ports

ports=$(nmap -p- --min-rate 1000 $ip | grep ^[0-9] | cut -d '/' -f1 | tr '\n' ',' | sed s/,$//)

TCP connect scan (-sT) takes much longer to complete than SYN scan (-sS).

SYN Scan

sudo nmap -sS -p- $ip

TCP Connect Scan

sudo nmap -sT -p- $ip

UDP Scan

sudo nmap -sU -p- $ip

Service Enumeration

Common Services

nmap -sC -sV -p$ports $ip

nmap -sC -sV -A -p$ports $ip

OS Fingerprinting

sudo nmap -O $ip

NSE Scripts

vuln

sudo nmap --script=vuln $ip

smb-os-discovery

sudo nmap --script=smb-os-discovery $ip

smb-vul*

sudo nmap --script smb-vul* -p 139,445 $ip

ms-sql-brute

sudo nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt <host>

dns-zone-transfer

sudo nmap --script=dns-zone-transfer -p 53 leecybersec.com

Nmap Cheat Sheet