{"id":94,"date":"2017-07-09T10:43:56","date_gmt":"2017-07-09T08:43:56","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=94"},"modified":"2024-09-02T13:04:53","modified_gmt":"2024-09-02T11:04:53","slug":"nmap","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=94","title":{"rendered":"Network and port&nbsp;scans"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">General notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>By default, nmap uses only IPv4 for scan\u00adning. Try to per\u00adform scans twice, one with\u00adout and one with the \u20116 para\u00adme\u00adter.<br><code>nmap -6 -sT -sC fc:00:...%eth0<\/code><\/li>\n\n\n\n<li>Run nmap as root, because some scans (e.g. which require incom\u00adplete hand\u00adshakes) are not pos\u00adsi\u00adble in userspace.<\/li>\n\n\n\n<li>How does nmap detects if a host is up? It does the fol\u00adlow\u00ading and if at least one test returns a response, the host is con\u00adsid\u00adered as online.&nbsp;<ul class=\"wp-block-list\">\n<li><span class=\"caps\">ARP<\/span> request (if the tar\u00adget is in the same Eth\u00ader\u00adnet subnet)<\/li>\n\n\n\n<li><span class=\"caps\">ICMP<\/span> echo request<\/li>\n\n\n\n<li><span class=\"caps\">TCP<\/span> <span class=\"caps\">SYN<\/span> to port&nbsp;443<\/li>\n\n\n\n<li><span class=\"caps\">TCP<\/span> <span class=\"caps\">ACK<\/span> to port&nbsp;80<\/li>\n\n\n\n<li><span class=\"caps\">ICMP<\/span> time\u00adstamp request<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>You can use <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=333\" data-type=\"post\" data-id=\"333\">ipt\u00ada\u00adbles<\/a> to mea\u00adsure the traf\u00adfic to \/ from the tar\u00adget (e.g. to opti\u00admize a port scan before to be more silent.)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">NC<\/span> \/ Netcat<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Try net\u00adcat first on inter\u00adest\u00ading ports or nar\u00adrow port ranges to be more silent<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network scan<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Choose a port which is prob\u00ada\u00adbly open on sys\u00adtems on this net\u00adwork. E.g. 445 for Win\u00addows hosts or 22 for Lin\u00adux&nbsp;hosts.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">for i in $(seq 1 254); do nc -zv -w 1 10.10.10.$i 445; done<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Port scan<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For <span class=\"caps\">TCP<\/span>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -nvv -w 1 -z 10.11.1.220 3388-3390 2&gt;&amp;1 | grep open<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">For <span class=\"caps\">UDP<\/span>: (This will need more time because if a fire\u00adwall is in our way, the <span class=\"caps\">ICMP<\/span> mes\u00adsages could be fil\u00adtered out and nc then would wait a moment for a time out before mov\u00ading to the next&nbsp;port.)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -nvv -u -w 1 -z 10.11.1.220 3388-3390 2&gt;&amp;1 | grep open<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">SNMP<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If <span class=\"caps\">SNMP<\/span> is avail\u00adable, a list of open ports can be retrieved as well. <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2116\" data-type=\"post\" data-id=\"2116\">See the <span class=\"caps\">SNMP<\/span> article.<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Masscan<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Scan very&nbsp;fast:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">masscan -e tun0 -p 1-65535 --rate 2000 $victim\nmasscan -e tun0 -p U:1-65535 --rate 2000 $victim<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Network sweeping<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Scan\u00adning a whole sub\u00adnet. The fol\u00adlow\u00ading scans from 192.168.5.0 until 192.168.5.255.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap 192.168.5.0\/24<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The fol\u00adlow\u00ading is more effi\u00adcient, skip\u00adping spe\u00adcial addresses.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap 192.168.5.1-254<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This nota\u00adtion can also be used oth\u00ader seg\u00adments, like 192.168.1\u201310.1\u2013254. IPv6 address\u00ades can be defined the same way <em>but cur\u00adrent\u00adly not with a range<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To scan and out\u00adput in a grep friend\u00adly way, use \u2011oG like&nbsp;here<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -sn 10.10.10.0\/24 -oG \/tmp\/t\ngrep Up \/tmp\/t | cut -d\" \" -f2<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Show only open ports in a network<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap 10.11.1.1-254 -p2233 --open<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Host sweep\u00ading with PowerShell:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">1..225 | % { echo \"10.10.10.$_\"; ping -n 1 -w 100 10.10.10.$_ | select-string ttl }<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Single client scanning<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Scan the most inter\u00adest\u00ading 1000 ports (~ 71 <span class=\"caps\">KB<\/span> of traffic)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap 10.10.10.10<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Scan all ports (~ 4,5 <span class=\"caps\">MB<\/span> of traffic)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -p 1-65535 10.10.10.10<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Net\u00adcat can be used as prim\u00adi\u00adtive port scan\u00adner which could be inter\u00adest\u00ading on a tar\u00adget where it is installed already.<\/p>\n\n\n\n<div class=\"page\" title=\"Page 181\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>nc -nvv -w 1 -z $victim 1-1500\nfor port in $(seq 1 1500); do nc -nvv -w1 -z $victim $port 2&gt;&amp;1 | grep succeeded; done<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Reading IPs from&nbsp;file<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s pos\u00adsi\u00adble to load a file which con\u00adtains the tar\u00adget IPs (sep\u00ada\u00adrat\u00aded via any white&nbsp;space).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -i retrieved_dhcp_host_ips.txt<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Random scanning<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Nmap can gen\u00ader\u00adate ran\u00addom <span class=\"caps\">IP<\/span> ranges to scan for surveys.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -iR 2 192.168.5.0\/24<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Detect hosts<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Nmap has sev\u00ader\u00adal meth\u00adods to detect hosts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Good goto&nbsp;line:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -PS21,22,23,25,53,80,110,111,135,137,139,143,443,445,502,993,995,1433,1432,1723,3306,3389,590,8080 -PE -iL hosts.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a host list via the host dis\u00adcov\u00adery pack\u00adets which the hosts send by them\u00adselfs; that means that this method is passive.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -sL 192.168.5.1-254<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a list of active hosts. This uses an addi\u00adtion\u00adal <span class=\"caps\">ICMP<\/span> echo request for each report\u00aded&nbsp;host.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -sn 192.168.5.1-254<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a list of active hosts which are active on giv\u00aden ports. Nmap sends a <span class=\"caps\">TCP<\/span> <span class=\"caps\">SYN<\/span> pack\u00adet to each port to ini\u00adti\u00adate the three way hand\u00adshake. (If a serv\u00ader reponds, nmap clos\u00ades it with a <span class=\"caps\">RST<\/span> pack\u00adet so that no con\u00adnec\u00adtion will be created.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For exam\u00adple, use \u2011<span class=\"caps\">PS22<\/span>,111 to detect Lin\u00adux servers or <span class=\"caps\">PS-137<\/span>\u2013139,45,3389 to detect Win\u00addows Sys\u00adtems. Or add a port from a ser\u00advice you\u2019re expect\u00ading in the network.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -PS22-23,80,443 192.168.5.0\/24<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If a fire\u00adwall blocks this, use the <span class=\"caps\">PA<\/span> option which sends a <span class=\"caps\">TCP<\/span> <span class=\"caps\">ACK<\/span>. State\u00adfull fire\u00adwalls often don\u2019t accept new <span class=\"caps\">SYN<\/span> pack\u00adets from the inter\u00adnet, but an incom\u00adming <span class=\"caps\">ACK<\/span> packe seems to be from a exist\u00ading con\u00adnec\u00adtion. The ser\u00advice will respond a <span class=\"caps\">RST<\/span>, but that does\u00adn\u2019t mat\u00adter because it proves that the ser\u00advice is&nbsp;alive.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -PA80 192.168.5.1-254<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Anoth\u00ader alter\u00adna\u00adtive is using an <span class=\"caps\">UDP<\/span>&nbsp;ping.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -PU80 192.168.5.1-254<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Anoth\u00ader alter\u00adna\u00adtive is the <span class=\"caps\">SCTP<\/span> <span class=\"caps\">INIT<\/span> ping, which shows also the <span class=\"caps\">MAC<\/span> address\u00ades. (Root priv\u00adi\u00adleges are need\u00aded for&nbsp;this!)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -PY80 192.168.5.1-254<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Anoth\u00ader alter\u00adna\u00adtive with the <span class=\"caps\">IP<\/span> pro\u00adto\u00adcol&nbsp;ping.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -PO80 192.168.5.1-254<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Anoth\u00ader option for Eth\u00ader\u00adnet net\u00adworks is the <span class=\"caps\">ARP<\/span> Ping option. Obvi\u00adous\u00adly, this works only in the local net\u00adwork until the next gateway.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -PR 192.168.5.1-254<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List IPs of a net\u00adwork, mark online ones<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -sL 10.10.64.0\/27 | awk '\/Nmap scan report\/{print $NF}'<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Detect hosts via a zombie<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Nmap can use a zom\u00adbie serv\u00ader which per\u00adforms the scan from his per\u00adspec\u00adtive. The zom\u00adbie has to be idle because the <span class=\"caps\">IP<\/span> <span class=\"caps\">ID<\/span> field must not change between a scan. There\u00adfore, scan a poten\u00adtial zom\u00adbie first&nbsp;with<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -v -O zombie.andreas-klingler.de<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">and note the <em><span class=\"caps\">IP<\/span> <span class=\"caps\">ID<\/span> Sequence Gen\u00ader\u00ada\u00adtion<\/em> out\u00adput to decide if this could be a zom\u00adbie or not. After this, scan as follows.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -Pn -p22,80,143 -sI &lt;zombie_ip&gt; $victim<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Determine the <span class=\"caps\">OS<\/span> and version numbers<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Deter\u00admine the&nbsp;<span class=\"caps\">OS<\/span><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -v -O $target<br>nmap -v --osscan-guess $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Or try to get infor\u00adma\u00adtion about the ver\u00adsion num\u00adbers of active ser\u00advices. This can be fur\u00adther extend\u00aded via an addi\u00adtion\u00adal <em>-A<\/em> switch.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -sV [-A] $victim<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Detect protocols<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Deter\u00admine which pro\u00adto\u00adcols the attacked client supports.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -sO $victim<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">FTP<\/span> <span class=\"caps\">BOUNCE<\/span> attack<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">FTP<\/span> serv\u00ader can talk direct\u00adly to each oth\u00ader. This fea\u00adture can be used to per\u00adform port scans from thiry-par\u00adty <span class=\"caps\">FTP<\/span> servers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Check if a <span class=\"caps\">FTP<\/span> serv\u00ader is prone to this attack by scan\u00adning with nmap (para\u00adme\u00adter \u2011sC). This will return \u201cftp-bounce: bounce work\u00ading!\u201d if the tar\u00adget is vul\u00adner\u00ada\u00adble. Then, per\u00adform the scan from the first <span class=\"caps\">FTP<\/span> serv\u00ader to the sec\u00adond like follows:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">proxychains4 -q nmap -p23 -Pn -v -b anonymous:dsfsd@$victim 10.2.2.23<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Detect open ports between two systems<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Cre\u00adate nc lis\u00adten\u00ader in a bash loop for a cer\u00adtain&nbsp;range.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Fast inter\u00adnal scanning<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Small script to scan from an inter\u00adnal host to see which ports are open outbound.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">!\/bin\/bash<br>host=10.5.5.11<br>for port in {1..65535}; do<br>timeout .1 bash -c \"echo &gt;\/dev\/tcp\/$host\/$port\" &amp;&amp;<br>echo \"port $port is open\" done<br>echo \"Done\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With Pow\u00ader\u00adShell:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">1..2048 | % { echo ((new-object Net.Sockets.TcpClient).Connect(\"10.10.10.10\",$_)) \"Port $_ is open\" } 2&gt;$null }<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Nmap options<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ignore hosts which seems to be inac\u00adtive:<\/strong> With the \u2011Pn option, nmap skips the ini\u00adtial check if a host is alive before per\u00adform\u00ading any fur\u00adther checks. This means that the entire net\u00adwork is probed, also for IPs which seems not to be used at the moment.<\/li>\n\n\n\n<li>Set the scan speed with \u2011T X \u2014 nmap will wait X sec\u00adonds between packets&nbsp;<ul class=\"wp-block-list\">\n<li>0 = 5 minutes<\/li>\n\n\n\n<li>1 = 15 seconds<\/li>\n\n\n\n<li>2 = 0,4 seconds<\/li>\n\n\n\n<li>3 = auto\u00admat\u00adic \/ default<\/li>\n\n\n\n<li>4 = more aggresive<\/li>\n\n\n\n<li>5 = extrem\u00adly aggre\u00adsive, can over\u00adload and miss packets.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Add tracer\u00adoute<\/strong>: With <strong>\u2013tracer\u00adoute<\/strong>, tracer\u00adoute is exe\u00adcut\u00aded for every host which is&nbsp;alive.<\/li>\n\n\n\n<li><strong>No <span class=\"caps\">DNS<\/span> res\u00ado\u00adlu\u00adtion<\/strong>: Speed up the scan with <strong>-n<\/strong>.<\/li>\n\n\n\n<li>Com\u00adplete <span class=\"caps\">DNS<\/span> res\u00ado\u00adlu\u00adtion: Force reverse <span class=\"caps\">DNS<\/span> res\u00ado\u00adlu\u00adtion for all pos\u00adsi\u00adble hosts with\u00adin the giv\u00aden range with <strong>-R<\/strong>. This includes offline hosts also. This could return inter\u00adest\u00ading <span class=\"caps\">DNS<\/span> entries from hosts which are cur\u00adrent\u00adly offline.<\/li>\n\n\n\n<li>Use spec\u00adi\u00adfied <span class=\"caps\">DNS<\/span> servers: Use only giv\u00aden <span class=\"caps\">DNS<\/span> servers with <strong>\u2013dns-servers srv1,srv2<\/strong>. In some net\u00adworks, it could be that only some local <span class=\"caps\">DNS<\/span> servers can resolve all address\u00ades because there are not exposed to the pub\u00adlic <span class=\"caps\">DNS<\/span> sys\u00adtem. In this case, try to fig\u00adure out which <span class=\"caps\">DNS<\/span> servers in the inter\u00adest\u00ading net\u00adwork are online and add these to the real scan&nbsp;run.<\/li>\n\n\n\n<li><strong>Scan also <span class=\"caps\">UDP<\/span><\/strong> by adding <strong>-sU<\/strong>. Cau\u00adtion: Because <span class=\"caps\">UDP<\/span> does\u00adn\u2019t use a con\u00adnec\u00adtion, nmap has to wait for a time\u00adout and try it again to make sure that the pack\u00adet was\u00adn\u2019t sim\u00adply lost. So, this switch should be used speci\u00adficly and not in a wide&nbsp;scan.&nbsp;<ul class=\"wp-block-list\">\n<li>Cau\u00adtion: This scan can be unre\u00adli\u00adable; make sure to scan mul\u00adti\u00adple times to make sure no port was omitted!<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Try exot\u00adic scan types<\/strong> like <strong>-sN<\/strong>, <strong>-sF,<\/strong> <strong>-sX, \u2011sZ<\/strong> or<strong> \u2011sM&nbsp;<\/strong> which can bypass fil\u00adter. (See man\u00adpage for more details.)<\/li>\n\n\n\n<li><strong>Try to scan for proxy <span class=\"caps\">FTP<\/span> servers<\/strong>. Very unusu\u00adal today, but you can nev\u00ader know. See the man\u00adpage for details.<\/li>\n\n\n\n<li><strong>Speed up and scan for few\u00ader ports<\/strong> with the \u2011F options. Scans the most usu\u00adal 100 ports instead of the most usu\u00adal 1000&nbsp;ports.<\/li>\n\n\n\n<li><strong>Play the Romu\u00adlans<\/strong> by adding some decoy attack\u00aders via <strong>-D &lt;ip1&gt;,&lt;ip2&gt;<\/strong>. Nmap will pro\u00adduce also pack\u00adets from this IPs so that an <span class=\"caps\">IDS<\/span> would see a portscan from oth\u00ader sys\u00adtems&nbsp;also.<\/li>\n\n\n\n<li><strong>Use prox\u00adies<\/strong> (<span class=\"caps\">SOCKS<\/span> or <span class=\"caps\">HTTP<\/span>) with <strong>\u2013prox\u00adies &lt;proxy1&gt;<\/strong>. This reduces the speed and it can be nec\u00ades\u00adsary to decrease some oth\u00ader para\u00adme\u00adters like time\u00adouts. See the manpage.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Nmap output options<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Addi\u00adtion\u00adal to the reg\u00adu\u00adlar out\u00adput via <span class=\"caps\">STDOUT<\/span>, nmap can out\u00adput the results also in dif\u00adfer\u00adent&nbsp;ways.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The fol\u00adlow\u00ading writes the default out\u00adput which would be gen\u00ader\u00adat\u00aded to <span class=\"caps\">STDOUT<\/span> into a text&nbsp;file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap ... -oN &lt;filename&gt;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The fol\u00adlow\u00ading writes the results in a <span class=\"caps\">XML<\/span>&nbsp;file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap ... -oX &lt;filename&gt;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The fol\u00adlow\u00ading cre\u00adates files in all for\u00admats (.txt, .xml and .grepable)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap ... -oA &lt;basename&gt;<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Nmap scripts<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=3889\" data-type=\"post\" data-id=\"3889\">See nmap script page<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">dnmap<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dis\u00adtrib\u00adutes port scanning<\/li>\n\n\n\n<li>One serv\u00ader con\u00adtrolls n clients which per\u00adform the actu\u00adal&nbsp;scans.<\/li>\n\n\n\n<li>See <a href=\"https:\/\/tools.kali.org\/information-gathering\/dnmap\">https:\/\/tools.kali.org\/information-gathering\/dnmap<\/a> for short&nbsp;usage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">zenmap<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span class=\"caps\">UI<\/span> for nmap which makes read\u00ading the out\u00adput easier.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">EyeWitness<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1793\">Cre\u00adate auto\u00admat\u00aded screen\u00adshots from a list of webservers.<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Windows<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Deter\u00admine a sin\u00adgle port in PowerShell:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS&gt; Test-NetConnection -Port 123 $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check mul\u00adti\u00adple ports in PowerShell:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect(\"10.10.10.10\", $_)) \"TCP port $_ is open\"} 2&gt;$null<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Gen\u00ader\u00adal notes <span class=\"caps\">NC<\/span> \/ Net\u00adcat Try net\u00adcat first on inter\u00adest\u00ading ports or nar\u00adrow port ranges to be more silent Net\u00adwork scan Choose a port which is prob\u00ada\u00adbly open on sys\u00adtems on this net\u00adwork. E.g. 445 for Win\u00addows hosts or 22 for Lin\u00adux&nbsp;hosts. for i in $(seq 1 254); do nc \u2011zv \u2011w 1 10.10.10.$i 445;&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470,474],"tags":[7,27,98,96,10,97,4],"class_list":["post-94","post","type-post","status-publish","format-standard","hentry","category-active-enum","category-lateral-movement","tag-information-gathering","tag-nmap","tag-os-detection","tag-os-fingerprinting","tag-port-scanning","tag-port-sweeping","tag-tool"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/94","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=94"}],"version-history":[{"count":55,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions"}],"predecessor-version":[{"id":4199,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions\/4199"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}