Port & Services Scanning

For TCP Scan - Nmap

TCP Scan :

nmap -Pn -v -sS -A -T4 XXIPXXX
nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/Documents/XXXX XXIPXXX
nmap -sC -sV -vv -oA quick ip
nmap -sV -sC -T4 -p- -oA nmap ip
nmap -sS -p4555 -sV --reason ip
nmap -sS -T4 -sV -oA 00-tcp-top100/top-100 --stats-every 60s --max-retries 3 --defeat-rst-ratelimit --top-ports 100 --script banner --reason solidstate.htb
nmap -sS --min-rate 5000 --max-retries 1 -p- ip
nmap -sT -p- --min-rate 10000 -oA nmap/alltcp ip

MassScan

masscan -p1-65535 ip --rate=1000 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports ip

Full TCP Scan

nmap -sC -sV -p- -vv -oA full ip
nmap -sT -p- --min-rate 10000 -oA nmap/alltcp ip

For UDP Scan

nmap -sU -sV -p- XXIPXXX
nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oA  /root/Documents/XXXX XXIPXXX
nmap -sU -sV -vv -oA quick_udp ip

Port Knocking

for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x ip; done

Port 445, 139 Scan Scripts

nmap -p445 --script smb-protocols $IP
nmap -p445 --script smb-vuln-ms17-010 $IP
nmap $IP -sV -Pn -vv -p 139,445 --script=smb-vuln* --script-args=unsafe=1
nmap $IP --script=msrpc-enum
nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns ip
nmap --script vuln -p445 ip

python usermap_script.py ip 445 ip 1234
python usermap_script.py ip 139 ip 1234
https://github.com/amriunix/CVE-2007-2447

FTP Port 21 Scan Scripts

nmap –script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $IP

SNMP Port 161

nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP
nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse $IP
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x

MYSQL PORT 3306

nmap -sV -Pn -vv  $IP -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122

Oracle Port 1521/1560

nmap --script=oracle-sid-brute  $IP
nmap --script=oracle-brute  $IP
tnscmd10g version -h $IP

Finger Port 79

finger-user-enum
finger-user-enum.pl -U /usr/share/seclist/username/name/name.txt -t

POP3 Port 110

telnet INSERTIPADDRESS 110
USER [username]
PASS [password]
To list messages
RETR [message number]

telnet ip
user user
pass pw
RETR 2

SSH PORT 22

nmap -p22 -n -sV --script ssh2-enum-algos ip
PreviousWeb Application Directory bruteforcing / fingerprintingNextWeb Application

Last updated