Scanning

Penetration Testing Wiki

In a penetration testing engagement, scanning is a very important phase in which we get to know better the potential vulnerabilities of the machines inside the scope. If you miss some UDP or TCP port with vulnerabilities to exploit, your probability to success will be much lower, so pay a lot of attention to this phase.

Host scanning

FAST-LIGHT SCAN

nmap --top-ports 10 --open $IP

Heavy scan (slow)

nmap -p- -sV --reason --dns-server ns $IP

Unicornscan. Very fast especially for UDP ports:

us -mT -Iv $IP:a -r 3000 -R 3 && us -mU -Iv $IP:a -r 3000 -R 3

Other methods:

nmap -sS -T4 -iL hosts_up.txt
nmap -sS -sV -T4 $IP
hping3 --scan known $IP/24
nc -nvz $IP 1-1024

nmap tuning options

--max-retries
--max-scan-delay
--defeat-rst-ratelimit

banner grabbing

nc -nv $IP 22
nmap -sV $IP

Vulnerability scanners

  • openvas
  • nessus
  • nexpose
  • qualys

Import to msfconsole

db_import ./nmap_target_network.xml

Traceroute

traceroute $IP
hping3 --traceroute $IP

FIREWALKING

tracepath -n -p 53 $IP
traceroute -n -M default -p 53 $IP

Draw network diagram

zenmap

https://app.diagrams.net/

Advanced scanning

Firewall bypass

nmap -f --mtu=512 $IP

IPv6 scanning

nmap -6 $IP

Idle scanning: Scans through a zombie host

nmap -sI $IP

Decoy scanning: Sends several decoy IPs

nmap -D $IP

FTP bounce scan:

nmap -b $FTP_SERVER

Massive scanning in class A or IPv4 using masscan: https://github.com/robertdavidgraham/masscan

masscan -p80,8000-8100 10.0.0.0/8

Banner checking with masscan

masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200