Scanning

From wiki.exploitpedia.org

Host scanning

  • Fast, light scan (top 10 ports, open ports only)
$ nmap $IP --top-ports 10 --open


  • Heavy scan (slow: all 65535 TCP ports with service/version detection)
$ nmap $IP -p- -sV --reason --dns-server ns


  • Unicornscan: very fast, especially for UDP
$ us -mT -Iv $IP:a -r 3000 -R 3 && us -mU -Iv $IP:a -r 3000 -R 3


  • Other methods:
$ nmap -sS -T4 -iL hosts_up.txt
$ nmap -sS -sV -T4 target
$ hping3 --scan known $IP/24
$ nc -nvz $IP 1-1024


nmap tuning options

--max-retries
--max-scan-delay
--defeat-rst-ratelimit

Manual banner grab and service/version check:

$ nc -nv $IP 22
$ nmap -sV $IP


Vulnerability scanners

  • openvas
  • nessus
  • nexpose
  • qualys

Import to msfconsole (nmap output saved with -oX)

msf > db_import ./nmap_target_network.xml
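As an added example (not from the wiki), a small Python parser for the nmap XML format that db_import consumes, reducing a report to the open ports and services per live host; the embedded report is a constructed sample, not real scan output, and the only assumption is that the file was written with `nmap -oX`.

```python
# Added example (not from the wiki): summarise an nmap XML report, the format
# written by `nmap -oX` and read by msfconsole's db_import, into open ports per
# host. The XML below is a constructed sample, not output of a real scan.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --reason -oX out.xml 10.0.0.5">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_open_ports(xml_text):
    """Return {ip: [(port, proto, service, reason), ...]} for hosts that are up,
    keeping only ports reported as open (the same filter nmap's --open applies)."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data worth inventorying
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state.get("state") != "open":
                continue
            svc = port.find("service")  # absent when -sV was not used
            label = "unknown" if svc is None else " ".join(
                filter(None, (svc.get("name"), svc.get("product"))))
            entries.append((int(port.get("portid")), port.get("protocol"),
                            label, state.get("reason")))
        result[host.find("address").get("addr")] = sorted(entries)
    return result
```

The `reason` field mirrors nmap's `--reason` output, which is what tells you whether an "open" verdict came from a real SYN/ACK or from a weaker inference.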


Traceroute

$ traceroute $IP
$ hping3 --traceroute $IP


Firewalking (trace with a port that the firewall is expected to let through, e.g. DNS)

$ tracepath -n -p 53 $IP
$ traceroute -n -M default -p 53 $IP


Draw network diagram

$ zenmap


Advanced scanning

Firewall bypass (packet fragmentation; -f alone uses 8-byte fragments, --mtu sets the fragment size as a multiple of 8 and should not be combined with -f)

$ nmap --mtu 512 $IP


IPv6 scanning

$ nmap -6 $IP


Idle scanning: scans through a zombie host

$ nmap -sI <zombie host> $IP


Decoy scanning: sends probes from several decoy IPs alongside your own

$ nmap -D <decoy1,decoy2,ME> $IP


FTP bounce scan

$ nmap -b <FTP relay host> $IP


Mass scanning of a class A network (or the whole of IPv4):

root # masscan -p80,8000-8100 10.0.0.0/8

Banner checking (masscan uses its own TCP stack, so --source-ip should be an address unused on the local network; otherwise the kernel resets the connections before banners arrive):

root # masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200