In a penetration testing engagement, scanning is a very important phase in which we get to know better the potential vulnerabilities of the machines inside the scope. If you miss some UDP or TCP port with vulnerabilities to exploit, your probability to success will be much lower, so pay a lot of attention to this phase.
Host scanning
FAST-LIGHT SCAN
nmap --top-ports 10 --open $IP
Heavy scan (slow)
nmap -p- -sV --reason --dns-server ns $IP
Unicornscan. Very fast especially for UDP ports:
us -mT -Iv $IP:a -r 3000 -R 3 && us -mU -Iv $IP:a -r 3000 -R 3
Other methods:
nmap -sS -T4 -iL hosts_up.txt nmap -sS -sV -T4 $IP hping3 --scan known $IP/24 nc -nvz $IP 1-1024
nmap tuning options
--max-retries --max-scan-delay --defeat-rst-ratelimit
banner grabbing
nc -nv $IP 22 nmap -sV $IP
Vulnerability scanners
- openvas
- nessus
- nexpose
- qualys
Import to msfconsole
db_import ./nmap_target_network.xml
Traceroute
traceroute $IP hping3 --traceroute $IP
FIREWALKING
tracepath -n -p 53 $IP traceroute -n -M default -p 53 $IP
Draw network diagram
zenmap
Advanced scanning
Firewall bypass
nmap -f --mtu=512 $IP
IPv6 scanning
nmap -6 $IP
Idle scanning: Scans through a zombie host
nmap -sI $IP
Decoy scanning: Sends several decoy IPs
nmap -D $IP
FTP bounce scan:
nmap -b $FTP_SERVER
Massive scanning in class A or IPv4 using masscan: https://github.com/robertdavidgraham/masscan
masscan -p80,8000-8100 10.0.0.0/8
Banner checking with masscan
masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200