Ports scan
Fast single-host port and service scan using masscan (port discovery) followed by nmap (service detection on the discovered ports only):
target="<HOSTNAME | IP>"
# TCP ports.
masscan --open -p1-65535 $target --rate=1000 > raw_masscan_output.txt
ports=$(cut -d ' ' -f 4 raw_masscan_output.txt | awk -F "/" '{print $1}' | sort -nu | tr '\n' ',' | sed 's/,$//')
nmap -v -Pn -sV -sC -oA $target-TCP -p $ports $target
# UDP ports (-sU is required, otherwise nmap scans the listed ports as TCP).
masscan --open -pU:1-65535 $target --rate=1000 > raw_masscan_output.txt
ports=$(cut -d ' ' -f 4 raw_masscan_output.txt | awk -F "/" '{print $1}' | sort -nu | tr '\n' ',' | sed 's/,$//')
nmap -v -Pn -sU -sV -sC -oA $target-UDP -p $ports $target
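As an added example (not part of the original notes), the following Python reproduces the masscan-to-nmap hand-off above without the cut/awk pipeline: it parses masscan's "Discovered open port" lines, builds an nmap -p specification using the T:/U: protocol qualifiers (with the inverse parser for that syntax), and emits one nmap command per host, adding -sU only when UDP ports were found. The masscan output is constructed sample data, not a real scan result.

```python
import re
from collections import defaultdict

# Constructed sample of masscan's stdout (assumed format; not a real scan result).
SAMPLE_MASSCAN = """\
Discovered open port 443/tcp on 10.0.0.5
Discovered open port 22/tcp on 10.0.0.5
Discovered open port 53/udp on 10.0.0.5
Discovered open port 80/tcp on 10.0.0.5
Discovered open port 22/tcp on 10.0.0.5
Discovered open port 8080/tcp on 10.0.0.7
rate:  1.00-kpps, 100.00% done
"""

MASSCAN_LINE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)")
PROTO_PREFIX = {"tcp": "T", "udp": "U"}

def parse_masscan(text):
    """Return {host: {(proto, port), ...}} from the 'Discovered open port' lines."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = MASSCAN_LINE.match(line)
        if m:  # any other status line is ignored
            found[m.group(3)].add((m.group(2), int(m.group(1))))
    return dict(found)

def nmap_port_spec(ports):
    """Build an nmap -p argument such as 'T:22,80,443,U:53' from {(proto, port)}."""
    parts = []
    for proto in ("tcp", "udp"):
        nums = sorted(p for pr, p in ports if pr == proto)
        if nums:
            parts.append(PROTO_PREFIX[proto] + ":" + ",".join(map(str, nums)))
    return ",".join(parts)

def expand_port_spec(spec):
    """Inverse of nmap_port_spec: 'U:53,111,T:21-25,80' -> {(proto, port)}.
    A T:/U: qualifier applies to every following item until the next qualifier;
    unqualified items apply to both protocols (as nmap does with -sS -sU)."""
    result, protos = set(), ("tcp", "udp")
    for item in spec.replace(" ", "").split(","):
        if item[:2] in ("T:", "U:"):
            protos = ("tcp",) if item[0] == "T" else ("udp",)
            item = item[2:]
        lo, _, hi = item.partition("-")
        result.update((pr, p) for pr in protos for p in range(int(lo), int(hi or lo) + 1))
    return result

def nmap_commands(text):
    """One nmap service/script scan per host, limited to the ports masscan found.
    -sU is only added when UDP ports exist: without it nmap ignores U: ports."""
    cmds = []
    for host, ports in sorted(parse_masscan(text).items()):
        protos = {pr for pr, _ in ports}
        scan = " ".join(f for f, pr in (("-sS", "tcp"), ("-sU", "udp")) if pr in protos)
        cmds.append(f"nmap -v -Pn {scan} -sV -sC -oA {host} -p {nmap_port_spec(ports)} {host}")
    return cmds
```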
Basic ports scan
ping + netcat
The ping and netcat utilities can be used to quickly enumerate accessible servers and their open ports from a compromised host. Both utilities can be uploaded, if not already available on the compromised host, as standalone binaries. Note that some statically linked versions of netcat may be detected as malicious by anti-virus solutions.
The following one-liners can be used to conduct an ICMP echo sweep using the built-in ping utility:
# Linux.
# /16 IP range.
prefix="<X.X>" && for i in {0..254}; do echo $prefix.$i/24; for j in {1..254}; do sh -c "ping -c 1 $prefix.$i.$j | grep \"icmp\" &" ; done; done
# /24 IP range.
prefix="<X.X.X>" && for i in {0..254}; do sh -c "ping -c 1 $prefix.$i | grep \"icmp\" &" ; done
netcat can be used to conduct a basic TCP or UDP port scan, with no banner grabbing or version probing:
# TCP ports.
nc -znv -w 2 <HOSTNAME | IP> <PORT | PORT_RANGE>
# UDP ports.
nc -uznv -w 2 <HOSTNAME | IP> <PORT | PORT_RANGE>
Combining ping and netcat, the following bash one-liner can be used to do a ping sweep followed by a basic port scan using netcat on the hosts responding to the ICMP echo requests:
# The IP range should be specified using the prefix variable and the seq upper bound.
# For example: specify prefix="10.10.10" and seq 255 to scan the range 10.10.10.0-255.
prefix="<X.X.X>" && for i in `seq <SUBNET | 255>`; do ping -c 1 $prefix.$i &> /dev/null && echo "Scan host: $prefix.$i" && nc -zvn -w 2 $prefix.$i <PORT | PORT_RANGE> 2>&1 | grep "open" ; done
PowerShell
PowerShell can be used to conduct a very slow and basic port scan using the Net.Sockets.TcpClient class or the Test-NetConnection built-in cmdlet.
Note that for each and every inaccessible port, Test-NetConnection will perform an ICMP echo request (ping) to the targeted host, tremendously slowing down the port scanning process.
# Single host.
1..65535 | % { echo ((new-object Net.Sockets.TcpClient).Connect("<IP>",$_)) "[OPEN] Port $_" } 2>$null
$WarningPreference = 'SilentlyContinue'; foreach ($port in 1..65535) { Test-NetConnection -Port $port <IP> | Where { $_.TcpTestSucceeded -eq $True } | Ft RemoteAddress,RemotePort }
# Range /24.
1..255 | % { $ip = "<X.X.X>.$_"; 1..65535 | % { echo ((new-object Net.Sockets.TcpClient).Connect($ip,$_)) "[OPEN] Port ${ip}:$_" } 2>$null }
$WarningPreference = 'SilentlyContinue'; foreach ($sub in 1..255) { $ip = "<X.X.X>.$sub"; foreach ($port in 1..65535) { Test-NetConnection -Port $port $ip | Where { $_.TcpTestSucceeded -eq $True } | Ft RemoteAddress,RemotePort } }
# From a file.
Get-Content <FILE_PATH> | ForEach-Object { foreach ($port in 1..65535) { echo ((new-object Net.Sockets.TcpClient).Connect("$_",$port)) "[OPEN] Port $_ : $port" } } 2>$null
$WarningPreference = 'SilentlyContinue'; Get-Content <FILE_PATH> | ForEach-Object { foreach ($port in 1..65535) { Test-NetConnection -Port $port $_ | Where { $_.TcpTestSucceeded -eq $True } | Ft RemoteAddress,RemotePort } }
# From an input comma separated list.
"<LIST_IP>".Split(",") | ForEach { foreach ($port in 1..65535) { echo ((new-object Net.Sockets.TcpClient).Connect("$_",$port)) "[OPEN] Port $_ : $port" } } 2>$null
PowerSploit's Invoke-Portscan cmdlet, supporting nmap-like arguments, can be used for a faster port scan from a compromised host using PowerShell:
Invoke-Portscan -TopPorts 1000 -Hosts "<IP> | <FQDN> | <CIDR> | <RANGE> | <COMMA_LIST_HOSTNAMES>" -oA "<FILEOUT>"
Invoke-Portscan -p- -Hosts "<IP> | <FQDN> | <CIDR> | <RANGE> | <COMMA_LIST_HOSTNAMES>" -oA "<FILEOUT>"
Invoke-Portscan -f -noProgressMeter -quiet -Pn -p- -iL "<HOSTNAMES_FILE | IP_FILE>" -oA "<FILEOUT>"
# Port scan of the AD-enrolled computers (listed using Get-NetComputer) with Invoke-Portscan.
Get-NetComputer -ComputerName "*" | Out-File -Force -FilePath "<OUTFILE_HOSTNAMES>"
Invoke-Portscan -f -noProgressMeter -quiet -Pn -p "<COMMA_LIST_PORTS>" -iL "<OUTFILE_HOSTNAMES>" -oA "<FILEOUT>"
Asynchronous and stateless ports scan
masscan or RustScan (or Unicornscan, ZMap, etc.) can be used to conduct fast asynchronous and stateless port scans on targets supporting high inbound network bandwidth. The port scan speed of masscan / RustScan can be combined with nmap's service detection probes to rapidly conduct a large network ports and services scan.
Note however that the trade-off for the speed achieved using such tools is less precision, and potentially missed open ports.
masscan
masscan uses a default rate of 100 packets/second and supports nmap-like options.
# Supports nmap's XML or grepable (gnmap) output file formats.
masscan --rate <10000 | RATE> --open [-oL <FILENAME.mscan> | -oX <FILENAME.xml> | -oG <FILENAME.gnmap>] -p <PORT | PORT_RANGE | 0-65535> <CIDR | RANGE>
RustScan
rustscan uses a default rate of 3000 packets/second, which may interfere with the operational activity of the target host(s), and scans all 65535 TCP ports.
rustscan [-p <PORT | PORT_RANGE | 0-65535>] -a <IP | HOST | LIST_HOSTS | CIDR | RANGE>
# Set the batch size to <BATCH_SIZE> and the timeout <TIMEOUT> milliseconds.
rustscan -b <BATCH_SIZE> -T <TIMEOUT> -a <IP | HOST | LIST_HOSTS | CIDR | RANGE>
Ports and services scan with nmap
The nmap ("Network Mapper") tool is the most popular, versatile, and robust port scanner to date. It has been actively developed for over a decade, and has numerous features beyond port scanning.
nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
In addition to the classic command-line nmap executable, the nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Usage
nmap [<SCAN_TYPE>] [<SCAN_OPTIONS>] (<IP> | <FQDN> | <CIDR> | <RANGE>)
Single host scanning
Using nmap to scan a single host:
# TCP - all ports.
nmap -v -sS -Pn -A -p- <IP/FQDN>
nmap -v -sT -Pn -A -p- <IP/FQDN>
nmap -v -sS -Pn -A -oA nmap_<FILENAME> -p- <IP/FQDN>
# UDP - Top 1000.
nmap -v -sU -Pn -sV <IP/FQDN>
nmap -v -sU -Pn -sV -oA nmap_<FILENAME> <IP/FQDN>
# NSE Script engine.
# For more information about the nmap scripts to use for a given service refer to the service note (L7/<SERVICE>).
nmap -v -sT -Pn -p <SERVICE_PORT> --script=vuln <IP/FQDN>
Network scanning
Host Discovery
Generate a live hosts list through an nmap "ping sweep" (ARP ping for hosts on the same local subnet; ICMP echo requests and TCP probes on ports 80 and 443 otherwise):
nmap -v -sn -T4 -oG <OUTPUT_GNMAP> (<RANGE | CIDR> | -iL <INPUT_FILE>)
grep "Status: Up" <OUTPUT_GNMAP> | cut -f 2 -d ' ' > <OUTPUT_IP_FILE>
Port Discovery
# Most common ports (nmap's default top 1000; use -F for the top 100).
nmap -sS -T4 -Pn -A -oN <TopTCP | OUTPUT_FILE> -iL <HOSTS_FILE>
nmap -sU -T4 -Pn -A -oN <TopUDP | OUTPUT_FILE> -iL <HOSTS_FILE>
# Full port scans (UDP scans are very slow).
nmap -sS -T4 -Pn -A -p- -oN <FullTCP | OUTPUT_FILE> -iL <HOSTS_FILE>
nmap -sU -T4 -Pn -A -p- -oN <FullUDP | OUTPUT_FILE> -iL <HOSTS_FILE>
Print results
grep "open" FullTCP | cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' | xargs | sed 's/ /,/g'| awk '{print "T:"$0}'
grep "open" FullUDP | cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' | xargs | sed 's/ /,/g'| awk '{print "U:"$0}'
Specific service vulnerabilities
nmap -v -sT -Pn -p <SERVICE_PORT> -oA <FILEOUT> --script=vuln <RANGE | CIDR>
nmap -v -sT -Pn -p <SERVICE_PORT> -oA <FILEOUT> --script=vuln -iL <HOSTS_FILE>
Scan Types
-sS: TCP SYN scan.
A SYN packet is sent. In response, a SYN/ACK indicates the port is listening (open), while a RST (reset) packet is indicative of a non-listener. No response or an ICMP unreachable error means the port is filtered.
-sT: TCP connect scan.
Does not require admin privileges. Instead of writing raw packets as most other scan types do, nmap asks the underlying operating system to establish a connection with the target machine. Works the same way as the TCP SYN scan, except that the TCP handshake is completed (and the connection then closed).
-sU: UDP scan.
Can be combined with a TCP scan. A UDP packet is sent. Open and filtered ports rarely send any response (and are reported as open|filtered). If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed.
-sN, -sF, -sX: TCP NULL, FIN, and Xmas scans.
- NULL scan: does not set any bits (TCP flag header is 0).
- FIN scan: sets just the TCP FIN bit.
- Xmas scan: sets the FIN, PSH, and URG flags, "lighting the packet up like a Christmas tree."
If the system scanned is RFC compliant, a RST packet will be received if the port is closed and no response at all if the port is open. The port is marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The key advantage of these scan types is that they might sneak through certain non-stateful firewalls and packet filtering routers.
-sI <REMOTE_ZOMBIE_HOST>: idle / zombie scan.
Channels the port scan through a remote host that is not under the scanner's control. Reference: https://nmap.org/book/idlescan.html.
Target Specification
nmap supports multiple ways to specify a target host, either as an input command line parameter or through a file:
- IP address or hostname (example: 192.168.15.15 / www.google.com).
- IP range (example: 192.168.0.*).
- CIDR-style subnet (example: 192.168.0.0/24).
Common options
-p <PORT | PORTS | PORT_RANGE>: scan specified ports.
Individual port numbers, comma separated lists of ports or hyphen separated ranges can be used. When scanning a combination of protocols, a particular protocol can be specified by preceding the port numbers with T: for TCP or U: for UDP.
Example: -p U:53,111,137,T:21-25,80,139,443,8080
-sn: no port scan (ping scan only).
Instructs nmap not to do a port scan after host discovery, and to only print out the available hosts that responded to the host discovery probes.
-Pn: skip the host discovery phase and assume every host is up.
By default, nmap uses a ping scan to determine if the host is up before starting the specified scan. If specified, this flag tells nmap to skip the host discovery phase and directly start the specified scan.
-n: skip DNS resolution.
Instructs nmap to never do reverse DNS resolution on the active IP addresses it may find. Can reduce scanning times.
--dns-servers <NAMESERVER>: use the specified nameserver.
Instructs nmap to use the specified nameserver for DNS resolution.
-PR: ARP ping.
Instructs nmap to use ARP requests to conduct host discovery on a LAN network.
-sV: enables version probing.
Instructs nmap to try to determine the service protocol, the application name, the version number, hostname, device type and OS family of the target.
-O: enables OS detection.
Instructs nmap to try to determine the OS and OS details of the target.
-sC: enables default script scanning.
Instructs nmap to perform enumeration using its NSE script engine and a default set of scripts.
-A: "aggressive" scan options (equivalent to -sV, -O, -sC, and --traceroute).
Tells nmap to perform OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute).
-T <paranoid/0 | sneaky/1 | polite/2 | normal/3 | aggressive/4 | insane/5>: timing template.
Instructs nmap to use the specified scan / timing template:
- paranoid/0 and sneaky/1 are for IDS evasion and are incredibly slow.
- polite/2 mode slows down the scan to use less bandwidth and resources from the targeted hosts. A polite scan may be 10 times slower than a normal scan.
- normal/3 mode is the default scan mode.
- aggressive/4 mode speeds scans up by making the assumption that the scan is conducted on a reasonably fast and reliable network.
- insane/5 mode assumes that the scan is conducted on an extraordinarily fast network, or sacrifices some accuracy for speed.
nmap Scripting Engine (NSE)
nmap's NSE scripts are organized into categories. The following categories are currently defined:
auth
broadcast
brute
default
discovery
dos
exploit
external
fuzzer
intrusive
malware
safe
version
vuln
nmap's NSE usage:
# Updates the script database (found in scripts/script.db).
nmap --script-updatedb
# Runs the specified script, comma-separated list of scripts, script category, or scripts in the specified directory.
nmap [...] --script <SCRIPT_NAME | SCRIPT_CATEGORY | DIRECTORY | EXPRESSION>[,...]
# Specifies arguments for the given script.
# Arguments are a comma-separated list of name=value pairs. Names and values may be strings not containing whitespace or the characters '{', '}', '=', or ','. To include one of these characters in a string, the string must be enclosed in single or double quotes.
nmap [...] --script <SCRIPT> --script-args <n1>=<v1>,<n2>={<n3>=<v3>},<n4>={<v4>,<v5>}
# Loads the arguments from the specified file. Any arguments on the command line supersede ones in the file.
nmap [...] --script <SCRIPT> [--script-args <CLI_ARGUMENTS>] --script-args-file <FILE>
# Shows the help and usage for the specified scripts.
# The online NSE Documentation Portal at https://nmap.org/nsedoc/ lists as well the arguments that each script accepts, including any library arguments that may influence the script.
nmap --script-help <SCRIPT_NAME | SCRIPT_CATEGORY | DIRECTORY | EXPRESSION>[,...]
# Runs all scripts whose name starts with http-, such as http-auth and http-open-proxy.
nmap [...] --script 'http-*'
# Runs every script except for those in the intrusive category.
nmap [...] --script "not intrusive"
# Runs all scripts that are in the default category or the safe category.
# Equivalent to nmap --script "default,safe".
nmap [...] --script "default or safe"
nmap output parsing
nmap-parse-output
The nmap-parse-output utility can be used to parse and extract information from nmap outputs (in the XML format).
# Extracts hosts that have at least one open port.
nmap-parse-output <NMAP_XML_SCAN_RESULT> hosts
# Extracts all open ports in the following format: "<IP>:<PORT> <TCP | UDP>".
nmap-parse-output <NMAP_XML_SCAN_RESULT> host-ports
nmap-parse-output <NMAP_XML_SCAN_RESULT> host-ports | cut -d " " -f 1
# Extracts a deduplicated list of the identified service names.
nmap-parse-output <NMAP_XML_SCAN_RESULT> service-names
# Extract hosts with the specified service exposed, in the following format: "<IP>:<PORT>".
nmap-parse-output <NMAP_XML_SCAN_RESULT> service <SERVICE_NAME>
# Extract hosts with an exposed http service, in the following format: "<http | https>://<IP>:<PORT>".
# The following services are currently identified as being http services: http, https, http-alt, https-alt, http-proxy, sip, rtsp, soap, vnc-http, caldav.
nmap-parse-output <NMAP_XML_SCAN_RESULT> http-ports
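As an added example (not nmap-parse-output's own code), the following Python reimplements the hosts, host-ports, service-names and http-ports extractions above directly on nmap's XML output with the standard library, counting only state "open" (not "open|filtered") as open and using the HTTP service list given above. The XML document is a constructed, trimmed-down sample, not a real scan result.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed-down nmap -oX output (not a real scan result).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered"/><service name="domain"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port></ports>
  </host>
</nmaprun>
"""

# Service names that nmap-parse-output treats as HTTP (list taken from the page).
HTTP_SERVICES = {"http", "https", "http-alt", "https-alt", "http-proxy",
                 "sip", "rtsp", "soap", "vnc-http", "caldav"}

def open_ports(xml_text):
    """Yield (ip, port, proto, service, tls) for every port in state 'open'.
    'open|filtered', typical of UDP, is deliberately not counted as open."""
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            tls = svc is not None and svc.get("tunnel") == "ssl"
            yield addr.get("addr"), int(port.get("portid")), port.get("protocol"), name, tls

def hosts(xml_text):
    """Hosts with at least one open port (the 'hosts' subcommand)."""
    return sorted({ip for ip, *_ in open_ports(xml_text)})

def host_ports(xml_text):
    """'<IP>:<PORT> <TCP|UDP>' lines (the 'host-ports' subcommand)."""
    return [f"{ip}:{port} {proto.upper()}" for ip, port, proto, _, _ in open_ports(xml_text)]

def service_names(xml_text):
    """Deduplicated service names seen on open ports (the 'service-names' subcommand)."""
    return sorted({name for _, _, _, name, _ in open_ports(xml_text) if name})

def http_ports(xml_text):
    """'<http|https>://<IP>:<PORT>' URLs; an ssl tunnel or https-* name means https."""
    urls = []
    for ip, port, proto, name, tls in open_ports(xml_text):
        if proto == "tcp" and name in HTTP_SERVICES:
            scheme = "https" if tls or name.startswith("https") else "http"
            urls.append(f"{scheme}://{ip}:{port}")
    return urls
```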
NmaptoCSV
The NmaptoCSV Python script can be used to convert nmap outputs (regular, GNMAP, or XML formats) to the CSV format.
nmaptocsv [-d ","] -i <NMAP_REGULAR_OUTPUT | NMAP_GNMAP_OUTPUT> -o <CSV_OUTPUT>
nmaptocsv [-d ","] -x <NMAP_XML_OUTPUT> -o <CSV_OUTPUT>
Pivot scans through compromised hosts
Netcat
As described above, netcat can be used to conduct a basic port scan from a compromised host.
Static nmap
Prebuilt static and standalone binaries of nmap are available on the following GitHub repository. nmap is compiled from the official GitHub repository sources automatically with GitHub Actions.
https://github.com/ernw/static-toolbox
The run-nmap.sh or run-nmap.ps1 scripts can be used to run the prebuilt nmap on a compromised host without external dependencies. Additionally, the binary comes with the various NSE scripts and modules necessary to conduct version fingerprinting.
./run-nmap.sh <NMAP_OPTIONS>
.\run-nmap.ps1 <NMAP_OPTIONS>
Proxychains
Proxychains (or ProxyChains-NG) can be used to conduct port scans through a proxy (supported proxy types: http, socks4 and socks5).
Note that a few restrictions apply whenever conducting a port scan through a proxy:
- HTTP / socks4 proxies can only be used to conduct TCP scans.
- ICMP packets cannot pass through the proxy (hence nmap's -Pn option).
- RAW packets cannot be redirected through proxychains as it is designed to relay full TCP connections only (hence nmap's -sT option).
- DNS resolutions should not be conducted through a proxy if confidentiality is of importance and to reduce scan time (hence nmap's -n option).
- OS fingerprinting based on features of the IP stack may not work properly.
For example, nmap can be used to conduct a port scan and service discovery through a proxy using proxychains:
# The proxychains configuration file (/etc/proxychains.conf) should first be updated to specify the proxy to use.
<http | socks4 | socks5> <IP> <PORT>
# Start the scan using proxychains.
proxychains nmap -v -n -Pn -sT -sV [...]
Metasploit
The following Metasploit modules can be used to conduct a port scan:
auxiliary/scanner/portscan/syn
auxiliary/scanner/portscan/tcp
auxiliary/scanner/portscan/ack
auxiliary/scanner/portscan/ftpbounce
auxiliary/scanner/portscan/xmas
The port range defaults to 1-10000. To scan all possible ports, the 0-65535 port range should be specified (set PORTS 0-65535).
The modules can be used directly or through a meterpreter session to use the compromised host as a pivot.
# Direct ports scan from the current host.
msf> use auxiliary/scanner/portscan/tcp
# Pivoting through a meterpreter session.
meterpreter> run auxiliary/scanner/portscan/syn RHOSTS=<IP | CIDR> [PORTS=<PORT | PORTS_RANGE>]
meterpreter> run auxiliary/scanner/portscan/tcp RHOSTS=<IP | CIDR> [PORTS=<PORT | PORTS_RANGE>]
Local netstat execution through remote code execution
A remote execution utility, such as a PsExec-like tool or CrackMapExec, can be used to retrieve the locally exposed services on a target through netstat, if valid credentials could be obtained for remote code execution.
For more information about the tools' usage, refer to the [Windows] Lateral movements note.
# netstat's -b option requires local administrator privileges (which are also required by CrackMapExec for remote code execution over the SMB protocol).
crackmapexec [...] -x 'netstat -anob'
crackmapexec [...] -x 'netstat -anob | find "<PORT>"'
Graphical ports scanning utilities
Advanced port scanner
Advanced port scanner is a Windows GUI multithreaded ports and services scanner that can be both installed and used in standalone mode.
The tool provides easy access to the main identified services (HTTP, HTTPS, SSH, RDP, SMB, etc.) by starting the associated Windows built-ins.
netscan
SoftPerfect's NetScan is an advanced and lightweight Windows GUI network scanner utility, available as a standalone binary. NetScan supports the Windows 7 through Windows 10, and Windows Server 2008 R2 through Windows Server 2019 operating systems.
Note that the free edition of NetScan can only be used to display a maximum of 10 devices.
In addition to IPv4 and IPv6 host discovery and port scanning, NetScan provides the following key features:
- Discovery of network shares and integration with the Windows built-in network share explorer and drive mapping functionalities.
- Sending of Wake-on-LAN (WoL) messages.
- Discovery of Dynamic Host Configuration Protocol (DHCP) servers.
- Automatic discovery of the network interface IP range.
- Remote execution of SSH, PowerShell and VBScript commands.
Cracked commercial editions of NetScan have been observed being used in the wild by malicious actors, notably in ransomware attack scenarios, with the deployment of the NetScan standalone binary on a compromised system to discover and map remote C$ network shares.