✅ Scanning

In a penetration testing engagement, scanning is the phase in which you map the attack surface of every machine in scope: which hosts are up, which TCP and UDP ports are open, and which services and versions sit behind them. A vulnerable service on a port you never scanned is one you will never exploit, so be thorough here: cover the full port range, do not skip UDP, and save results in a machine-readable format (-oX / -oA) so they can be imported later.

Host scanning

Quick scan (fast): the 10 most common TCP ports, showing only the open ones

nmap --top-ports 10 --open $IP

Heavy scan (slow): all 65535 TCP ports with service and version detection; --reason prints why each port was classified (syn-ack, reset, no-response) and --dns-servers resolves names through a DNS server of your choice, typically the target's own

nmap -p- -sV --reason --dns-servers $DNS_SERVER $IP

Unicornscan, very fast and particularly useful for UDP (-mT TCP mode, -mU UDP mode, $IP:a all ports, -r 3000 packets per second, -R 3 repeats of each probe):

us -mT -Iv $IP:a -r 3000 -R 3 && us -mU -Iv $IP:a -r 3000 -R 3

Other methods (SYN scans need root; hping3 --scan takes a single host and either a port range or the keyword known, the ports listed in /etc/services; nc -z only tells you whether a connection succeeded, with no service detection):

nmap -sS -T4 -iL hosts_up.txt
nmap -sS -sV -T4 $IP
hping3 --scan known $IP
nc -nvz $IP 1-1024

nmap tuning options: timing templates -T0 (paranoid) to -T5 (insane), with -T4 the usual choice on a LAN and -T2 or slower when evading IDS; --min-rate / --max-rate to force a packet rate; --max-retries and --host-timeout to stop wasting time on filtered hosts; --min-hostgroup / --max-hostgroup to scan more hosts in parallel; -Pn to skip host discovery when ICMP is blocked.

Banner grabbing: nc shows the raw greeting a service sends on connect (SSH, FTP and SMTP speak first; HTTP needs a request before it answers), while nmap -sV sends its own probes and matches the replies against its service fingerprint database

nc -nv $IP 22
nmap -sV $IP
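The following is an added example, not code from the original page: a small banner grabber in Python that handles the two cases nc makes you handle by hand, services that speak first (SSH, FTP, SMTP) and services that wait for a request (HTTP). The probe table, the fake services it talks to and the banner strings are constructed for the demo; point grab_banner at a real host and port in practice.

```python
import socket
import threading

# Probes for services where the client has to speak first. SSH, FTP, SMTP and
# POP3 announce themselves on connect, so for them an empty probe is enough.
PROBES = {
    80: b"HEAD / HTTP/1.0\r\n\r\n",
    8080: b"HEAD / HTTP/1.0\r\n\r\n",
    443: b"HEAD / HTTP/1.0\r\n\r\n",  # plaintext probe; a TLS port needs a TLS client
}

def grab_banner(host, port, timeout=3.0, probe=None, limit=1024):
    """Connect to host:port, send the probe (if any) and return the first bytes
    the service sends, decoded leniently. Empty string if nothing arrives."""
    if probe is None:
        probe = PROBES.get(port, b"")
    chunks, received = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        if probe:
            s.sendall(probe)
        try:
            while received < limit:
                data = s.recv(limit - received)
                if not data:            # service closed the connection
                    break
                chunks.append(data)
                received += len(data)
                # A service that speaks first sends one greeting line; stop there
                # instead of waiting for the timeout (SSH keeps the socket open).
                if not probe and b"\n" in data:
                    break
        except (socket.timeout, ConnectionResetError):
            pass                        # silent service or RST: keep what we have
    return b"".join(chunks).decode("utf-8", errors="replace").strip()

def serve_fake_banner(banner, speaks_first=True):
    """Constructed stand-in for a target service (not a real scan target).
    Listens on 127.0.0.1 on an ephemeral port and returns the port number.
    speaks_first=True mimics SSH/FTP (greeting on connect); False mimics HTTP
    (waits for a request before answering)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                if not speaks_first:
                    conn.settimeout(2.0)
                    try:
                        conn.recv(1024)     # consume the client's request
                    except OSError:
                        pass
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Demo against the fake services; replace host/port with a real target.
    ssh_port = serve_fake_banner(b"SSH-2.0-OpenSSH_9.2p1 Debian-2\r\n")
    http_port = serve_fake_banner(b"HTTP/1.0 200 OK\r\nServer: nginx/1.18.0\r\n\r\n",
                                  speaks_first=False)
    print(grab_banner("127.0.0.1", ssh_port))
    print(grab_banner("127.0.0.1", http_port, probe=PROBES[80]))
```

The timeout matters more than it looks: a filtered port or a service that expects a protocol-specific handshake (TLS, SMB, RDP) sends nothing back, and without the timeout a sweep over many ports hangs on the first one of those.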

Vulnerability scanners

  • openvas
  • nessus
  • nexpose
  • qualys

Import to msfconsole (the scan must have been saved as XML with -oX; run db_status first to confirm the database is connected, then hosts and services show what was imported)

db_import ./nmap_target_network.xml


Traceroute

traceroute $IP
hping3 --traceroute $IP

Traceroute through a firewall that drops the default probe ports: send the probes to UDP port 53, which is frequently allowed because it is DNS

tracepath -n -p 53 $IP
traceroute -n -M default -p 53 $IP

Draw network diagram



Advanced scanning

Firewall bypass: fragment the probes so a simple packet filter that inspects only the first fragment never sees a complete TCP header (-f sends 8-byte fragments; --mtu sets a different fragment size, which must be a multiple of 8; use one or the other, not both; either one needs a raw-socket scan such as -sS, so run as root)

nmap -f $IP
nmap --mtu 24 $IP

IPv6 scanning (the target must be an IPv6 address or a name that resolves to one; the usual -sS, -sV and -p- options apply)

nmap -6 $IP

Idle scan: every probe is spoofed from a zombie host with a predictable IP ID sequence, and the zombie's IP ID increments reveal whether the target's port is open, so nothing reaches the target from your own address. Check candidate zombies first with the ipidseq NSE script; the zombie must be idle and must use incremental IP IDs.

nmap -sI $ZOMBIE $IP

Decoy scan: mixes your probes with spoofed probes from decoy addresses, so the target's logs show several sources. ME marks the position of your own address in the list, RND:10 generates ten random decoys; decoys should be hosts that are up, otherwise the target may see through the trick.

nmap -D $DECOY1,$DECOY2,ME $IP

FTP bounce scan: asks a misconfigured FTP server, one that accepts a PORT command pointing at a third host, to connect to the target's ports on your behalf, so the scan appears to come from the FTP server (login defaults to anonymous; use user:pass@server:port to override):

nmap -b $FTP_SERVER $IP

Scanning very large ranges (a /8, or the whole IPv4 space) with masscan: https://github.com/robertdavidgraham/masscan. It needs an explicit target range and a packet rate (--rate in packets per second; the default of 100 is slow, and a very high rate on someone else's network will be noticed). Save the results with -oL and feed the open ports to nmap -sV afterwards; masscan finds ports, it does not identify services.

masscan -p80,8000-8100 10.0.0.0/8 --rate 10000 -oL masscan.txt

Banner checking with masscan: --banners completes the TCP handshake from user space, so --source-ip must be an unused address on the local subnet; otherwise the kernel, which never saw the SYN, answers the SYN-ACK with a RST and kills the connection (the alternative is --source-port with an iptables rule that drops the kernel's RSTs on that port)

masscan -p80 --banners --source-ip $UNUSED_IP $IP_RANGE
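The following is an added example, not code from the original page or from the masscan project: it turns masscan's -oL list output into one targeted nmap -sV command per host, covering only the ports masscan found open (TCP and UDP in one command via the T:/U: port syntax) and saving each result as XML for db_import. The list-format sample is constructed; real files have the same "state proto port ip timestamp" lines between "#masscan" and "# end".

```python
import ipaddress
from collections import defaultdict

# Constructed sample of masscan's list output (-oL), including a duplicate line
# and a UDP hit; real files have the same "state proto port ip timestamp" shape.
SAMPLE_MASSCAN_LIST = """#masscan
open tcp 80 10.0.0.5 1700000000
open tcp 8080 10.0.0.5 1700000001
open tcp 443 10.0.0.9 1700000002
open tcp 80 10.0.0.9 1700000002
open tcp 80 10.0.0.5 1700000003
open udp 53 10.0.0.7 1700000004
# end
"""

def parse_masscan_list(text):
    """{ip: {"tcp": set(ports), "udp": set(ports)}} from -oL output; comments,
    blank lines, duplicates and any state other than 'open' are dropped."""
    hosts = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "open" or fields[1] not in ("tcp", "udp"):
            continue
        _state, proto, port, ip = fields[:4]
        hosts[ip][proto].add(int(port))
    return dict(hosts)

def _ip_key(ip):
    """Sort IPv4 before IPv6 and each family numerically."""
    parsed = ipaddress.ip_address(ip)
    return (parsed.version, parsed)

def nmap_followup_commands(hosts, extra="-sV --reason"):
    """One nmap command per host covering only the ports masscan found open:
    -sS for the TCP ports, -sU for the UDP ports, combined with T:/U: port
    specs, results saved as XML so they can be db_import-ed into msfconsole."""
    cmds = []
    for ip in sorted(hosts, key=_ip_key):
        flags, specs = [], []
        if hosts[ip]["tcp"]:
            flags.append("-sS")
            specs.append("T:" + ",".join(str(p) for p in sorted(hosts[ip]["tcp"])))
        if hosts[ip]["udp"]:
            flags.append("-sU")
            specs.append("U:" + ",".join(str(p) for p in sorted(hosts[ip]["udp"])))
        if not specs:
            continue
        out = "nmap_%s.xml" % ip.replace(".", "_").replace(":", "_")
        cmds.append("nmap %s %s -p %s -oX %s %s"
                    % (" ".join(flags), extra, ",".join(specs), out, ip))
    return cmds

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASSCAN_LIST
    for cmd in nmap_followup_commands(parse_masscan_list(text)):
        print(cmd)
```

Usage: `python3 masscan2nmap.py masscan.txt | sh` (the script name is arbitrary). Scanning only the ports masscan already confirmed keeps the -sV phase, which is the slow part, proportional to the number of services rather than the size of the range.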
