Hacking Notes
Port Scanning 📟

The best option to identify Ports, Protocols, and Services (PPS) on a target would be to scan all ports (65535) of the remote system.

Last updated 3 years ago

TCP Scanning

Nmap

Simple Scan

nmap -p- --open -T5 -v -n IP
nmap --top-ports 5000 --open -T5 -v -n IP

Complex Scan

nmap -sV -A --script=default,vuln -p PORTS IP

Masscan

Masscan is the fastest port scanner: it can scan the whole Internet in 6 minutes. The --rate flag (packets per second) is what controls that speed, so lower it on networks that cannot absorb a flood.

sudo masscan -p[PORTS] [IP/MASK] --rate=1000 -e [IFACE] --router-ip [GATEWAY]

Bash Port Scanner

This one is created by:

#!/bin/bash
# Usage: ./portScanner.sh IP
# TCP connect scan of all 65535 ports using bash's /dev/tcp pseudo-device.
# Every probe is backgrounded, so expect a burst of processes; 'wait' joins them.

# Restore the cursor and exit cleanly on Ctrl-C.
trap ctrl_c INT
function ctrl_c(){
  echo -e "\n\n[*] Exiting....\n"
  tput cnorm; exit 0
}

if [ -z "$1" ]; then
  echo "Usage: $0 IP"; exit 1
fi

for port in $(seq 1 65535);do
  # A successful redirect means the TCP handshake completed (port open);
  # timeout bounds filtered ports, stderr is silenced for refused ones.
  timeout 0.1 bash -c "echo '' < /dev/tcp/$1/$port" 2>/dev/null && echo "Port $port - OPEN" &
done; wait
tput cnorm

Another bash port scanner, but this time simpler (sequential, so slower):

for port in {1..65535}; do timeout 0.1 bash -c "echo >/dev/tcp/10.10.10.10/$port" 2>/dev/null && echo "port $port is open"; done;

UDP Scanning

Pentesters often forget to scan for open UDP ports. Although UDP scanning can be unreliable (a silent port is reported as open|filtered, because only an ICMP port-unreachable reply proves it closed), there are plenty of attack vectors lurking behind open UDP ports.

sudo nmap -sU IP

Hint: You can launch a SYN scan and a UDP scan at the same time:

sudo nmap -sS -sU IP
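The following is an added example, not code from the original notes or from @s4vitar: it reimplements the /dev/tcp connect scan from the Bash Port Scanner section in Python with bounded concurrency, and adds a UDP probe that makes the open|filtered ambiguity of the UDP section visible. The hosts and ports are constructed locally (a listening TCP socket, a bound-but-silent UDP socket) so it runs offline; the timeouts and worker count are assumptions you would tune per network.

```python
"""TCP connect scan and UDP probe (added example; the listeners are constructed for the demo)."""
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Full connect() to host:port, the same test bash's /dev/tcp performs.
    True only when the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ECONNREFUSED (closed), timeout (filtered), unreachable
        return False


def tcp_connect_scan(host: str, ports, timeout: float = 0.5, workers: int = 200):
    """Return the sorted list of open TCP ports among `ports`.
    A thread pool bounds concurrency instead of forking one process per port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, tcp_port_open(host, p, timeout)), ports)
    return sorted(p for p, is_open in results if is_open)


def udp_probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one UDP port the way an nmap -sU style scan must:
    'closed'        - ICMP port-unreachable came back
    'open'          - the service answered an empty datagram
    'open|filtered' - silence: a quiet service or a firewall dropping probes"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket so the kernel reports ICMP errors
        try:
            s.send(b"")
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def demo() -> dict:
    """Constructed local targets: one listening TCP port, one closed TCP port,
    one UDP port that is bound but never replies."""
    tcp_listener = socket.socket()
    tcp_listener.bind(("127.0.0.1", 0))
    tcp_listener.listen()
    open_port = tcp_listener.getsockname()[1]

    probe = socket.socket()  # grab a free port number, then release it
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    udp_server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_server.bind(("127.0.0.1", 0))  # bound, silent: looks open|filtered
    udp_port = udp_server.getsockname()[1]

    try:
        found = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
        udp_result = udp_probe("127.0.0.1", udp_port)
    finally:
        tcp_listener.close()
        udp_server.close()
    return {"tcp_open": found, "expected_open": open_port, "udp": udp_result}


if __name__ == "__main__":
    print(demo())
```

Run it as `python3 scanner.py`; the TCP result lists exactly the listening port, and the silent UDP socket comes back as open|filtered even though it is genuinely open, which is the reason UDP results on a real target need service-specific probes before you trust them.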

@s4vitar