Penetration Testing Wiki

In a penetration testing engagement, scanning is a very important phase in which we get to know better the potential vulnerabilities of the machines inside the scope. If you miss some UDP or TCP port with vulnerabilities to exploit, your probability to success will be much lower, so pay a lot of attention to this phase.

Host scanning


nmap --top-ports 10 --open $IP

Heavy scan (slow)

nmap -p- -sV --reason --dns-server ns $IP

Unicornscan. Very fast especially for UDP ports:

us -mT -Iv $IP:a -r 3000 -R 3 && us -mU -Iv $IP:a -r 3000 -R 3

Other methods:

nmap -sS -T4 -iL hosts_up.txt
nmap -sS -sV -T4 $IP
hping3 --scan known $IP/24
nc -nvz $IP 1-1024

nmap tuning options


banner grabbing

nc -nv $IP 22
nmap -sV $IP

Vulnerability scanners

  • openvas
  • nessus
  • nexpose
  • qualys

Import to msfconsole

db_import ./nmap_target_network.xml


traceroute $IP
hping3 --traceroute $IP


tracepath -n -p 53 $IP
traceroute -n -M default -p 53 $IP

Draw network diagram


Advanced scanning

Firewall bypass

nmap -f --mtu=512 $IP

IPv6 scanning

nmap -6 $IP

Idle scanning: Scans through a zombie host

nmap -sI $IP

Decoy scanning: Sends several decoy IPs

nmap -D $IP

FTP bounce scan:

nmap -b $FTP_SERVER

Massive scanning in class A or IPv4 using masscan:

masscan -p80,8000-8100

Banner checking with masscan

masscan -p80 --banners --source-ip