search

Port Scans

Port scanning is a network reconnaissance technique used to discover open ports on a target system or network. It involves sending network packets to specific ports on the target machine to determine which ports are open and what services or applications are running on those ports.

circle-info

Note that port scans can be intrusive and can be detected and alerted on by the organization's alerting/detecting solution.

hashtag
Nmap

Network Mapper (Nmap) is a widely used open-source network scanning and reconnaissance tool. Nmap comes with customizable Nmap Scripting Engine (NSE)arrow-up-right scripts that allow you to extend the scanner's capabilities.

Here are some Nmap common flags to know:

Linux
nmap [target] [options]

OPTIONS
-sn                            Ping Scan (Disable Port Scan)
-Pn                            Skip Host Discovery (Treat All Hosts As Online)
-sV                            Probe Open Ports For Service/Version Info
-sC                            Run Default Scripts
-O                             Enable OS Detection
-p [ports]                     Scan Specified Ports
-iL [file]                     Input From List Of Hosts/Networks
--top-ports [number]           Scan [number] Most Common Ports
--script=[script1,script2]     Run [script(s)]
--exclude-ip [IP/Range]        IP/Range To Exclude

-oN/-oX/-oG                    Output Scan In Normal/XML/Grepable Format

This would be an extremely long page if I went into detail on specific Nmaparrow-up-right commands. Instead, I'll say that I personally find Nmap more useful when scanning for information on specific hosts you're interested in.

LogoHow to Use Nmap: Commands and Tutorial GuideVaronischevron-right

hashtag
Tenable Nessus

Tenable Nessusarrow-up-right is a widely used vulnerability scanning tool designed to help organizations identify and assess vulnerabilities in their networks, systems, applications, and other assets.

Nessus has a wide range of pluginsarrow-up-right that allow you to extend the scanner's capabilities, allowing people to constantly add new checks to the scan when a new vulnerability surfaces.

Like Nmap, we would be here all day if I went through all the settings available in Nessus. While the complete Nessus tool will set you back a few grand, Nessus Essentialsarrow-up-right is free and allows you to scan up to 16 IP addresses per scanner. Go try it out!

LogoHow To: Run Your First Vulnerability Scan with NessusTenable®chevron-right

hashtag
Masscan

Masscanarrow-up-right is an ultra-fast port scanner commonly used to search for open ports on hosts. Masscan won't go into depth about hosts like Nmap and Nessus will, but if you're given a /16 subnet during an engagement and want to look for hosts with SMB (port 445), Masscan is your tool!

By default, Masscan sends out SYN packets to the target hosts, and if the target hosts respond with an ACK, Masscan will mark them as alive.

PreviousMail PortalsNextEmail Addresses

Last updated