Network Scanning
Host Discovery
ARP
Quickly discover live hosts on the same subnet as the NIC.
sudo nmap -sn -PR -n -T4 <cidr> -oA nmap_live_hosts_arp
TCP/UDP/ICMP
Quickly discover live hosts, including those on routed subnets.
sudo nmap -sn -n -T4 -PE -PP -PS7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900-5901,6000-6002,6646,7070,8000,8008-8009,8080-8081,8443,8888,9000-9001,9090,9100,9102,9999-10001,32768,49152-49157 -PU53,67-69,111,123,135,137-139,161-162,445,500,514,520,631,996-999,1434,1701,1900,3283,4500,5353,49152-49157 --max-retries 2 --host-timeout 180s --min-parallelism 100 -vv -iL scope.txt -oA nmap_live_hosts
Extract live IPs from the nmap XML output
xmlstarlet sel -t -m "//host[status/@state='up']/address[@addrtype='ipv4']" -v "@addr" -n nmap_live_hosts.xml
Output: List of IPs including whichever IP each domain resolved to.
Extract live hosts from the XML output in the same form they were supplied as input (domains or IPs)
xmlstarlet sel -t -m "//host[status/@state='up']" -i "hostnames/hostname[@type='user']" -v "hostnames/hostname[@type='user'][1]/@name" -n -b -i "not(hostnames/hostname[@type='user'])" -v "address[@addrtype='ipv4']/@addr" -n nmap_live_hosts.xml
Output: list of IPs and/or domains, whichever were used in the nmap -iL file.
Quick Service Scan
Quickly discover running services.
sudo nmap -sS -sV --version-light -Pn -n -T4 --top-ports 200 --open -iL scope.txt -oA nmap_quick_tcp
Comprehensive Service Scan
Identify all open TCP ports and common UDP ports.
TCP & UDP
Scan all 65,535 TCP ports and common UDP ports and perform light service discovery.
sudo nmap -sS -sU -sV --version-intensity 0 -Pn -n -T4 -p T:1-65535,U:53,67-69,111,123,135,137-139,161-162,445,500,514,520,631,996-999,1434,1701,1900,3283,4500,5353,49152-49154 --max-retries 2 --open -iL scope.txt -oA nmap_comp
TCP Only
Scan all 65,535 TCP ports and perform light service discovery.
sudo nmap -sS -sV --version-intensity 0 -Pn -n -T4 -p- --max-retries 2 --open -iL scope.txt -oA nmap_comp_tcp
UDP Only
Scan common UDP ports and perform light service discovery.
sudo nmap -sU -sV --version-intensity 0 -Pn -n -T3 -p 53,67-68,69,88,111,123,137-138,161-162,389,464,500,520,631,1434,1701,1812-1813,1900,2049,3389,3702,4500,5004-5005,5060,5353,5355,11211,4789 --max-retries 2 --open -iL scope.txt -oA nmap_comp_udp
Deep Service Scanning
Extract open TCP port numbers from the comprehensive scan output (nmap_comp.xml) into a comma-separated list
xmlstarlet sel -t -m "//port[@protocol='tcp'][state/@state='open']" -v @portid -n nmap_comp.xml | sort -n | uniq | paste -sd, - > open_tcp.lst
Extract open UDP port numbers (state open or open|filtered) from the comprehensive scan output (nmap_comp.xml) into a comma-separated list
xmlstarlet sel -t -m "//port[@protocol='udp'][state/@state='open' or state/@state='open|filtered']" -v @portid -n nmap_comp.xml | sort -n | uniq | paste -sd, - > open_udp.lst
Using the open ports extracted from a comprehensive or quick scan, perform deeper discovery (version detection plus default scripts, -sVC) against all identified live hosts and open ports
sudo nmap -Pn -sVC -p<open_ports> -iL scope.txt -oA nmap_comp_svc
Web Service Scanning
Gather screenshots
https://github.com/sensepost/gowitness
Web server list must be in the format:
<host>:<port>
Parse nmap scan into web server list for gowitness
Extract all HTTP services from the deep service scan output (nmap_comp_svc.xml)
xmlstarlet sel -t -m "//host[status/@state='up']/ports/port[@protocol='tcp'][state/@state='open' and contains(service/@name,'http')]" -i "../../hostnames/hostname[@type='user']" -v "concat(../../hostnames/hostname[@type='user'][1]/@name,':',@portid)" -b -i "not(../../hostnames/hostname[@type='user']) and ../../address[@addrtype='ipv4']" -v "concat(../../address[@addrtype='ipv4']/@addr,':',@portid)" -b -i "not(../../hostnames/hostname[@type='user']) and ../../address[@addrtype='ipv6']" -v "concat('[',../../address[@addrtype='ipv6']/@addr,']:',@portid)" -b -n nmap_comp_svc.xml | awk 'NF' | sort -u > web_servers.lst
Output list format:
<host>:<port>
This will output the web servers with an IP or domain as the host, whichever was originally supplied for the nmap scan.
Web directory enumeration
Loop through the list of web servers and enumerate directories using ffuf
mkdir -p results && xargs -a web_servers_with_proto.lst -P 8 -I{} sh -c 'fn=$(printf "%s" "{}" | sed "s#[/:?&]#_#g"); stdbuf -oL ffuf -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -u "{}/FUZZ" -ac -of plain 2>&1 | tee "results/${fn}_ffuf.out"' </dev/null
Web server list must be in the format:
http(s)://<host>:<port>
Parse nmap scan into web server list for directory enumeration
Extract all HTTP services from the deep service scan output (nmap_comp_svc.xml), prefixed with the correct scheme
xmlstarlet sel -t -m '//host[status/@state="up"]/ports/port[@protocol="tcp"][state/@state="open" and contains(service/@name,"http")]' -i 'service/@tunnel="ssl" or starts-with(service/@name,"https") or contains(service/@name,"ssl/http")' -o 'https://' -b -i 'not(service/@tunnel="ssl" or starts-with(service/@name,"https") or contains(service/@name,"ssl/http"))' -o 'http://' -b -i '../../hostnames/hostname[@type="user"]' -v 'concat(../../hostnames/hostname[@type="user"][1]/@name,":",@portid)' -b -i 'not(../../hostnames/hostname[@type="user"]) and ../../address[@addrtype="ipv4"]' -v 'concat(../../address[@addrtype="ipv4"]/@addr,":",@portid)' -b -i 'not(../../hostnames/hostname[@type="user"]) and ../../address[@addrtype="ipv6"]' -v 'concat("[",../../address[@addrtype="ipv6"]/@addr,"]:",@portid)' -b -n nmap_comp_svc.xml | awk 'NF' | sort -u > web_servers_with_proto.lst
Output list format:
http(s)://<host>:<port>
This will output the web servers with an IP or domain as the host, whichever was originally supplied for the nmap scan.
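As an added example, not part of the original cheat sheet nor code from the nmap, xmlstarlet, gowitness or ffuf projects: a standard-library Python equivalent of the xmlstarlet extractions above. It covers the live-host extraction (IPs, or hosts in the form they were given to -iL), the open TCP/UDP port lists (UDP counting open|filtered), and the gowitness and ffuf web-server lists using the same https detection rules (tunnel="ssl", a name starting with https, or ssl/http). It runs against a constructed nmap XML sample embedded inline, so the extraction logic can be checked offline before it is trusted in a reporting pipeline; for a real nmap_comp_svc.xml, load the root with ET.parse(path).getroot() instead. All function and sample names are this example's own.

```python
# Added example: Python equivalent of the xmlstarlet one-liners in this cheat sheet.
# Standard library only. Function names and the sample data are this example's own.
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (not real scan data): host 1 was given to
# nmap by name (type="user" hostname), host 2 by IP, host 3 is down.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="www.example.test" type="user"/><hostname name="www.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
<port protocol="udp" portid="53"><state state="open"/><service name="domain"/></port>
</ports></host>
<host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""


def load(xml_text):
    """Parse nmap XML held in a string (use ET.parse(path).getroot() for a file)."""
    return ET.fromstring(xml_text)


def up_hosts(root):
    """Hosts nmap marked as up, i.e. //host[status/@state='up']."""
    return [h for h in root.findall("host") if h.find("status").get("state") == "up"]


def host_label(host, prefer_name=True):
    """User-supplied name when prefer_name, else IPv4, else bracketed IPv6."""
    if prefer_name:
        user = host.find("hostnames/hostname[@type='user']")
        if user is not None:
            return user.get("name")
    v4 = host.find("address[@addrtype='ipv4']")
    if v4 is not None:
        return v4.get("addr")
    v6 = host.find("address[@addrtype='ipv6']")
    return "[" + v6.get("addr") + "]" if v6 is not None else None


def live_hosts(root, prefer_name=True):
    """Live hosts as fed to -iL (prefer_name=True) or as plain IPs (False)."""
    return [host_label(h, prefer_name) for h in up_hosts(root)]


def open_ports(root, proto):
    """Sorted unique open ports for 'tcp' or 'udp'; UDP also counts open|filtered."""
    accept = {"open"} if proto == "tcp" else {"open", "open|filtered"}
    found = set()
    for host in up_hosts(root):
        for port in host.findall(f"ports/port[@protocol='{proto}']"):
            if port.find("state").get("state") in accept:
                found.add(int(port.get("portid")))
    return sorted(found)


def port_list(root, proto):
    """Comma-separated list suitable for nmap -p (what open_tcp.lst holds)."""
    return ",".join(str(p) for p in open_ports(root, proto))


def _is_tls(service):
    """Same https rule as the xmlstarlet command: tunnel=ssl, https*, or ssl/http."""
    name = service.get("name", "")
    return service.get("tunnel") == "ssl" or name.startswith("https") or "ssl/http" in name


def web_servers(root, with_scheme=False):
    """<host>:<port> for gowitness, or http(s)://<host>:<port> for ffuf."""
    out = set()
    for host in up_hosts(root):
        label = host_label(host)
        for port in host.findall("ports/port[@protocol='tcp']"):
            service = port.find("service")
            if port.find("state").get("state") != "open" or service is None:
                continue
            if "http" not in service.get("name", ""):  # contains(service/@name,'http')
                continue
            entry = f"{label}:{port.get('portid')}"
            if with_scheme:
                entry = ("https://" if _is_tls(service) else "http://") + entry
            out.add(entry)
    return sorted(out)


if __name__ == "__main__":
    root = load(SAMPLE_NMAP_XML)
    print("live hosts:", live_hosts(root))
    print("tcp:", port_list(root, "tcp"), "udp:", port_list(root, "udp"))
    for line in web_servers(root, with_scheme=True):
        print(line)
```

Note that, like the xmlstarlet version, the web-server list keys on the service name containing "http", so http-proxy and https-alt style names are included while a service nmap could not identify is not; review unidentified open ports separately before treating the list as complete.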