Defender's Notes
Network Scanning

Page contains usage for nmap and masscan, glossary for types of scans, and refers to other scanning scripts/tools.


Last updated 4 years ago


Nmap

Nmap scans often used

Fast noisy initial scans for labs

-T5: insane timing template (fastest, noisiest); -sC: run the default script set; -sV: service/version detection; -oN: normal output to the named file; --max-retries: cap the number of probe retransmissions (1 here, so a lab scan does not stall on dropped packets).

nmap -T5 -sC -sV -oN initial-nmap --max-retries 1 $IP

Sample Nmap scans

Noteworthy Nmap switches:

Scan network for live hosts

-sP: ping scan (host discovery only, no port scan); newer Nmap releases call this -sn

nmap -sP 10.0.0.0/24

Scan network for specific ports open/closed

-sT: TCP Connect (Full open scan)

sudo nmap -sT -p 80,443 10.0.0.0/24

Stealth scan network for specific ports open/closed

-sS: SYN Scan (Half-open scan)

sudo nmap -sS -p 80,443 10.0.0.0/24

Scan host with OS detection

sudo nmap -O $IP

Scan host with all detections

-A: Enables OS detection, version detection, script scanning, and traceroute

sudo nmap -A $IP

Stealth scan and add a decoy traffic

-D: Cloak a scan with decoys. Makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.

sudo nmap -sS -D 10.0.0.50 $IP

Scan to identify HTTP WAF

sudo nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" www.test.com 

Nmap Scripting Engine

Scan host with all vuln NSE scripts

sudo nmap --script vuln $IP
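The scans above write human-readable output with -oN; for anything you want to diff or alert on, Nmap's -oX (XML) output is the form to parse. The following is an added example, not code from the original page: it parses a constructed sample of nmap XML output (the element names and attributes are Nmap's real schema; the addresses and services are made up) and flags open ports that fall outside a per-host allowlist, which is the defender's view of a network scan: "what is exposed that should not be?"

```python
"""Parse nmap -oX output and flag open ports outside an expected baseline (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sS -p 22,80,443 -oX scan.xml 10.0.0.0/24` writes,
# trimmed to the elements the parser reads. Hosts, MACs and services are made up.
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sS -p 22,80,443 -oX scan.xml 10.0.0.0/24" version="7.94">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: ip, mac (None if not seen), and its open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth reporting
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")  # only present when scanning the local segment
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposure
            svc = port.find("service")
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({"ip": ip, "mac": mac, "open_ports": open_ports})
    return hosts


def unexpected_exposure(hosts, allowed):
    """allowed maps ip -> set of ports that are supposed to be open.
    Returns {ip: sorted open ports not on that host's allowlist}; empty dict means clean."""
    findings = {}
    for h in hosts:
        expected = allowed.get(h["ip"], set())  # unknown host: every open port is unexpected
        extra = sorted(p["port"] for p in h["open_ports"] if p["port"] not in expected)
        if extra:
            findings[h["ip"]] = extra
    return findings


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for h in hosts:
        print(h["ip"], h["mac"], [(p["port"], p["service"]) for p in h["open_ports"]])
    # Baseline (constructed): 10.0.0.5 should only serve 80/443, 10.0.0.9 only 443
    print(unexpected_exposure(hosts, {"10.0.0.5": {80, 443}, "10.0.0.9": {443}}))
```

Run it against a real file with `parse_nmap_xml(open("scan.xml").read())`; a scheduled scan plus this comparison is a cheap way to catch a service that appeared on a host without a change ticket.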

Nmap Scanning resources

Masscan

Python

Scan network for IP and mac address

python3 network_scanner.py -t 10.0.2.1/24

import scapy.all as scapy
import argparse


def get_args():
    parser = argparse.ArgumentParser(description="ARP sweep: list live IP and MAC addresses on the local segment")
    parser.add_argument('-t', '--target', dest='target', help='Target IP address or range, e.g. 10.0.2.1/24')
    options = parser.parse_args()

    # Quit with an error message if the target argument is missing
    if not options.target:
        parser.error("[-] Please specify an IP Address or Addresses, use --help for more info.")
    return options


def scan(ip):
    # ARP "who-has" request for every address in the target range
    arp_req_frame = scapy.ARP(pdst=ip)
    # wrapped in an Ethernet broadcast frame so every host on the segment sees it
    broadcast_ether_frame = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    broadcast_ether_arp_req_frame = broadcast_ether_frame / arp_req_frame

    # srp() sends at layer 2 and returns (answered, unanswered); raw sockets need root
    answered_list = scapy.srp(broadcast_ether_arp_req_frame, timeout=1, verbose=False)[0]
    result = []
    for sent, received in answered_list:
        # psrc/hwsrc are the replying host's IP and MAC addresses
        result.append({"ip": received.psrc, "mac": received.hwsrc})
    return result


def display_result(result):
    print("-----------------------------------\nIP Address\tMAC Address\n-----------------------------------")
    for i in result:
        print("{}\t{}".format(i["ip"], i["mac"]))


if __name__ == "__main__":
    options = get_args()
    scanned_output = scan(options.target)
    display_result(scanned_output)
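The list of {"ip", "mac"} dicts that scan() returns is more useful once it is compared against what should be on the segment. The following is an added example (not code from the original page) that takes a constructed scan result in that shape and a constructed inventory, and reports devices not in the inventory, devices answering from an IP other than their expected one, and a single MAC answering for several IPs, which in an ARP sweep is a classic ARP-spoofing indicator. It needs no scapy and no privileges, so the audit logic can run anywhere.

```python
"""Audit an ARP sweep result against a known-device inventory (added example)."""

# Constructed scan result in the shape the page's scan() returns
SCAN_RESULT = [
    {"ip": "10.0.2.1",  "mac": "52:54:00:12:35:00"},
    {"ip": "10.0.2.4",  "mac": "08:00:27:a1:b2:c3"},
    {"ip": "10.0.2.15", "mac": "08:00:27:a1:b2:c3"},   # same MAC as 10.0.2.4 (spoofing indicator)
    {"ip": "10.0.2.7",  "mac": "00:1A:2B:3C:4D:5E"},   # not in the inventory at all
]

# Constructed inventory: mac -> (expected ip, label)
INVENTORY = {
    "52:54:00:12:35:00": ("10.0.2.1", "gateway"),
    "08:00:27:a1:b2:c3": ("10.0.2.4", "file-server"),
}


def normalise_mac(mac):
    """Scapy and switches disagree on letter case; compare MACs in one canonical form."""
    return mac.lower()


def audit_scan(result, inventory):
    """Return findings: unknown devices, devices whose IP moved, MACs answering for several IPs."""
    inv = {normalise_mac(m): v for m, v in inventory.items()}
    unknown, moved = [], []
    by_mac = {}
    for entry in result:
        mac = normalise_mac(entry["mac"])
        by_mac.setdefault(mac, []).append(entry["ip"])
        if mac not in inv:
            unknown.append(entry)
        elif inv[mac][0] != entry["ip"]:
            moved.append({"mac": mac, "label": inv[mac][1],
                          "expected": inv[mac][0], "seen": entry["ip"]})
    # One MAC replying for more than one IP: either a multi-homed host or someone poisoning ARP
    duplicates = {m: ips for m, ips in by_mac.items() if len(ips) > 1}
    return {"unknown": unknown, "moved": moved, "duplicate_mac": duplicates}


if __name__ == "__main__":
    findings = audit_scan(SCAN_RESULT, INVENTORY)
    for kind, items in findings.items():
        print(kind, items)
```

In practice, call `audit_scan(scan(options.target), INVENTORY)` with an inventory loaded from your CMDB or DHCP leases; a "moved" finding for the gateway's MAC is the case worth paging on.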

Glossary

TCP Connect (full open scan): Nmap asks the operating system to connect(), so the three-way handshake (SYN, SYN/ACK, ACK) completes on every open port. It needs no raw-socket privileges, but the target application receives a real connection and can log it.

SYN Scan (half open scan): Nmap sends a raw SYN, classifies the port from the SYN/ACK (open) or RST (closed) reply, and answers an open port with a RST instead of finishing the handshake. It needs root/raw sockets, and because the connection is never completed the application layer on the target does not see it.
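The difference between the two scan types matters most for detection, so here is an added example (not from the original page) that shows the server-side view of a full-open scan: a local listener records every peer that accept() returns, a connect scan probes that port and a port known to be closed, and the listener's record proves the application saw the connection. A half-open SYN scan would leave the same port reported open while the listener's record stayed empty, because accept() only returns once the handshake completes. Everything runs on 127.0.0.1 with ports chosen by the OS, so nothing here touches a network.

```python
"""What a listener sees during a connect (full open) scan (added example)."""
import socket
import threading


def start_listener():
    """Bind a TCP listener on 127.0.0.1 on an OS-chosen port; record each accepted peer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    seen = []  # peers whose handshake completed: the application-layer evidence of a scan

    def serve():
        srv.settimeout(2)  # stop serving once no new connection arrives for 2 s
        while True:
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                break
            seen.append(peer)
            conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, seen, t


def connect_scan(host, ports, timeout=0.5):
    """Full-open scan: connect_ex() returns 0 only after the three-way handshake completes."""
    open_ports = []
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, p)) == 0:  # non-zero is the errno, e.g. ECONNREFUSED on RST
                open_ports.append(p)
    return open_ports


def closed_port():
    """Reserve and release an ephemeral port so we have one that is known to be closed."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def demo():
    listener_port, seen, t = start_listener()
    found = connect_scan("127.0.0.1", [listener_port, closed_port()])
    t.join()  # wait for the listener to time out so `seen` is final
    return {"listener_port": listener_port, "open": found,
            "server_saw": [peer[0] for peer in seen]}


if __name__ == "__main__":
    print(demo())
```

The takeaway for detection: connect scans show up in application and auth logs (accepted-then-closed connections with no request), while SYN scans only show up in network-level telemetry such as firewall logs, flow records or an IDS counting SYNs that never get an ACK.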

Other scanning tools

List of all NSE scripts: https://nmap.org/nsedoc/

Null Byte on using Nmap 7 to discover vulnerabilities, launch DoS attacks, and more: https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/

Ref (writing a network scanner in Python): https://levelup.gitconnected.com/writing-a-network-scanner-using-python-a41273baf1e2

Multi-threaded Python port scanner: https://github.com/dievus/threader3000

[Figure: Nmap TCP Connect traffic on 443]
[Figure: Nmap SYN Scan traffic on 443]