
# Port & Services Scanning

### For TCP Scan - Nmap

```
# TCP scan
nmap -Pn -v -sS -A -T4 XXIPXXX
nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/Documents/XXXX XXIPXXX
nmap -sC -sV -vv -oA quick ip
nmap -sV -sC -T4 -p- -oA nmap ip
nmap -sS -p4555 -sV --reason ip
nmap -sS -T4 -sV -oA 00-tcp-top100/top-100 --stats-every 60s --max-retries 3 --defeat-rst-ratelimit --top-ports 100 --script banner --reason solidstate.htb
nmap -sS --min-rate 5000 --max-retries 1 -p- ip
nmap -sT -p- --min-rate 10000 -oA nmap/alltcp ip
```

### MassScan

```
masscan -p1-65535 ip --rate=1000 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports ip
```

### Full TCP Scan

```
nmap -sC -sV -p- -vv -oA full ip
nmap -sT -p- --min-rate 10000 -oA nmap/alltcp ip

```

### For UDP Scan

```
nmap -sU -sV -p- XXIPXXX
nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oA  /root/Documents/XXXX XXIPXXX
nmap -sU -sV -vv -oA quick_udp ip
```

### Port Knocking

```
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x ip; done
```

### Port 445, 139 Scan Scripts

```
nmap -p445 --script smb-protocols $IP
nmap -p445 --script smb-vuln-ms17-010 $IP
nmap $IP -sV -Pn -vv -p 139,445 --script=smb-vuln* --script-args=unsafe=1
nmap $IP --script=msrpc-enum
nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns ip
nmap --script vuln -p445 ip

python usermap_script.py ip 445 ip 1234
python usermap_script.py ip 139 ip 1234
# https://github.com/amriunix/CVE-2007-2447
```

### FTP Port 21 Scan Scripts

```
nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $IP
```

### SNMP Port 161

```
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP
nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse $IP
# Kerberos (port 88) user enumeration
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x
```

### MYSQL PORT 3306

```
nmap -sV -Pn -vv  $IP -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
```

### Oracle Port 1521/1560

```
nmap --script=oracle-sid-brute  $IP
nmap --script=oracle-brute  $IP
tnscmd10g version -h $IP
```

### Finger Port 79

```
finger-user-enum
finger-user-enum.pl -U /usr/share/seclist/username/name/name.txt -t

```

### POP3 Port 110

```
telnet INSERTIPADDRESS 110
USER [username]
PASS [password]
# To list messages
LIST
RETR [message number]

telnet ip 110
user user
pass pw
RETR 2
```

### SSH PORT 22

```
nmap -p22 -n -sV --script ssh2-enum-algos ip
```

