# Active Recon

## Port Scanning

Set the IP address as a variable

```
export ip=192.168.17.141
```

Netcat port scanning

```
nc -nvv -w 1 -z $ip 3388-3390
```

Discover active IPs using ARP on the network

```
arp-scan $ip/24
```

Discover who else is on the network

```
netdiscover
```

Discover IPs, MAC addresses and MAC vendors via ARP

```
netdiscover -r $ip/24
```

### Nmap

Find live hosts

```
nmap -sP $ip/24
```

Stealth scan using SYN

```
nmap -sS $ip
```

Stealth scan using FIN

```
nmap -sF $ip
```

Banner Grabbing

```
nmap -sV -sT $ip
```

OS Fingerprinting

```
nmap -O $ip
```

Regular Scan

```
nmap $ip/24
```

Enumeration Scan

```
nmap -p 1-65535 -sV -sS -A -T4 $ip/24
```

Output to a file

```
nmap -oN nmap $ip
```

Enumeration Scan All Ports TCP / UDP and output to a txt file

```
nmap -oN nmap.txt -v -sU -sS -p- -A -T4 $ip
```

Quick Scan

```
nmap -T4 -F $ip/24
```

Quick Scan Plus

```
nmap -sV -T4 -O -F --version-light $ip/24
```

Quick Traceroute

```
nmap -sn --traceroute $ip
```

Intense Scan

```
nmap -T4 -A -v $ip
```

Intense Scan Plus UDP

```
nmap -sS -sU -T4 -A -v $ip/24
```

Intense Scan ALL TCP Ports

```
nmap -p 1-65535 -T4 -A -v $ip/24
```

Intense Scan - No Ping

```
nmap -T4 -A -v -Pn $ip/24
```

Ping scan

```
nmap -sn $ip/24
```

Slow Comprehensive Scan

```
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24
```

Scan with a full TCP connect (-sT) to weed out spoofed ports designed to troll you

```
nmap -p1-65535 -A -T5 -sT $ip
```

Run the default scripts along with a normal port scan

```
nmap -sC $ip
```

Run nmap's vuln scripts against the found ports

```
nmap -Pn -sV -O -pT:{TCP ports found},U:{UDP ports found} --script "*vuln*" $ip
```
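Added example, not part of the original cheat sheet: derive the `{TCP ports found},U:{UDP ports found}` list for the command above from a discovery scan saved with grepable output (`-oG`, or the `.gnmap` file written by `-oA`). The `-oG` sample is constructed, and only the follow-up command is printed, nothing is scanned.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): turn a discovery scan's
# grepable output into the port list the "found ports" command expects.

# Print a comma-separated, sorted list of open ports for one protocol
# (tcp or udp) from nmap -oG text read on stdin.
open_ports() {
    local proto="$1"
    awk -F'\t' -v p="$proto" '
        /^Host:/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, ent, /, */)        # one entry per port
                    for (j = 1; j <= n; j++) {
                        split(ent[j], f, "/")          # port/state/proto/...
                        if (f[2] == "open" && f[3] == p) print f[1]
                    }
                }
            }
        }' | sort -n | paste -sd, -
}

# Assemble the "found ports" command; an empty list is left out of -p.
followup_cmd() {   # $1 = tcp ports, $2 = udp ports, $3 = target
    local spec=""
    if [ -n "$1" ]; then spec="T:$1"; fi
    if [ -n "$2" ]; then spec="${spec:+$spec,}U:$2"; fi
    printf 'nmap -Pn -sV -O -p%s --script vuln %s\n' "$spec" "$3"
}

# Constructed -oG sample standing in for a real /root/nmap.gnmap file.
sample_og() {
    printf 'Host: 192.168.17.141 ()\tStatus: Up\n'
    printf 'Host: 192.168.17.141 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//Apache httpd/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 53/open/udp//domain///\tIgnored State: closed (995)\n'
}

# For a real scan, replace sample_og with "cat /root/nmap.gnmap".
tcp_ports=$(sample_og | open_ports tcp)   # 22,80,445
udp_ports=$(sample_og | open_ports udp)   # 53
followup_cmd "$tcp_ports" "$udp_ports" "${ip:-192.168.17.141}"
# nmap -Pn -sV -O -pT:22,80,445,U:53 --script vuln 192.168.17.141
```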

Port scan with file report

```
nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/nmap $ip
```

### AMAP

Identify unknown services

```
amap -d $ip <port>
```

### HackTheBox

#### IppSec

```
nmap -sC -sV -oA <filename> $ip
```

#### Cyber Mentor

```
nmap -T4 -A -p- $ip
```
