Active Recon

Port Scanning

Set the ip address as a variable

export ip=192.168.17.141

Netcat port scanning

nc -nvv -w 1 -z $ip 3388-3390

Discover active IPs using ARP on the netword

arp-scan $ip/24

Discover who else is on the network

netdiscover

Discover IP MAC and MAC vendors from ARP

netdiscover -r $ip/24

Nmap

Find hosts alive

nmap -sP $ip/24

Stealth scan using SYN

nmap -sS $ip

Stealth scan using FIN

nmap -sF $ip

Banner Grabbing

nmap -sV -sT $ip

OS Figerprinting

nmap -O $ip

Regular Scan

nmap $ip/24

Enumeration Scan

nmap -p 1-65535 -sV -sS -A -T4 $ip/24

Output to a file

nmap -oN nmap

Enumeration Scan All Ports TCP / UDP and output to a txt file

nmap -oN nmap.txt -v -sU -sS -p- -A -T4 $ip

Quick Scan

nmap -T4 -F $ip/24

Quick Scan Plus

nmap -sV -T4 -O -F --version-light $ip/24

Quick Traceroute

nmap -sn --traceroute $ip

Intense Scan

nmap -T4 -A -v $ip

Instense Scan Plus UDP

nmap -sS -sU -t4 -A -v $ip/24

Intense Scan ALL TCP Ports

nmap -p 1-65535 -T4 -A -v $ip/24

Intense Scan - No Ping

nmap -T4 -A -v -Pn $ip/24

Ping scan

nmap -sn $ip/24

Slow Comprehensive Scan

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24

Scan with Active connect in order to weed out any spoofed ports designed to troll you

nmap -p1-65535 -A -T5 -sT $ip

Run the default scripts and normal port scan against all the found ports

nmap -sC $ip

Run all nmap scan scripts against found ports

nmap -Pn -sV -O -pT:{TCP ports found},U:{UDP ports found} --script *vuln* $ip

Port scan with file report

nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/nmap $ip

AMAP

Identify unknown services

amap -d $ip <port>

HackTheBox

IppSec

nmap -sC -sV -oA <filename> $ip

Cyber Mentor

nmap -T4 -A -p- $ip