Port & Services Scanning

For TCP Scan - Nmap

TCP Scan:

​nmap -Pn -v -sS -A -T4 XXIPXXXnmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/Documents/XXXX XXIPXXXnmap -sC -sV -vv -oA quick ipnmap -sV -sC -T4 -p- -oA nmap ipnmap -sS -p4555 -sV --reason ipnmap -sS -T4 -sV -oA 00-tcp-top100/top-100 --stats-every 60s --max-retries 3 --defeat-rst-ratelimit --top-ports 100 --script banner --reason solidstate.htbnmap -sS --min-rate 5000 --max-retries 1 -p- ipnmap -sT -p- --min-rate 10000 -oA nmap/alltcp ip

MassScan

masscan -p1-65535 ip --rate=1000 -e tun0 > portsports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')nmap -Pn -sV -sC -p$ports ip

Full TCP Scan

nmap -sC -sV -p- -vv -oA full ipnmap -sT -p- --min-rate 10000 -oA nmap/alltcp ip​

For UDP Scan

nmap -sU -sV -p- XXIPXXXnmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oA  /root/Documents/XXXX XXIPXXXnmap -sU -sV -vv -oA quick_udp ip

Port Knocking

for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x ip; done​

Port 445, 139 Scan Scripts

nmap -p445 --script smb-protocols $IPnmap -p445 --script smb-vuln-ms17-010 $IPnmap $IP -sV -Pn -vv -p 139,445 --script=smb-vuln* --script-args=unsafe=1nmap $IP --script=msrpc-enumnmap --script smb-vuln* -p 445 -oA nmap/smb_vulns ipnmap --script vuln -p445 ip​python usermap_script.py ip 445 ip 1234python usermap_script.py ip 139 ip 1234https://github.com/amriunix/CVE-2007-2447

FTP Port 21 Scan Scripts

nmap –script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $IP

SNMP Port 161

nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IPnmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse $IPnmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x

MYSQL PORT 3306

nmap -sV -Pn -vv  $IP -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122

Oracle Port 1521/1560

nmap --script=oracle-sid-brute  $IPnmap --script=oracle-brute  $IPtnscmd10g version -h $IP

Finger Port 79

finger-user-enumfinger-user-enum.pl -U /usr/share/seclist/username/name/name.txt -t​

POP3 Port 110

telnet INSERTIPADDRESS 110USER [username]PASS [password]To list messagesRETR [message number]​telnet ipuser userpass pwRETR 2​

SSH PORT 22

nmap -p22 -n -sV --script ssh2-enum-algos ip