Port Scans

Port scanning is a network reconnaissance technique used to discover open ports on a target system or network. It involves sending network packets to specific ports on the target machine to determine which ports are open and what services or applications are running on those ports.

Note that port scans can be intrusive and are routinely detected and alerted on by an organization's monitoring and detection tooling.
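To make that detection point concrete, here is an added example (not part of the original page) of the kind of check a monitoring stack runs: it reads iptables/nftables-style kernel log lines, keeps only SYN-only TCP packets, and raises one alert when a single source probes at least a threshold number of distinct destination ports on one host inside a sliding time window. The log format, field names, threshold, window length and every log line below are assumptions constructed for the example; it is not the output of any real firewall.

```python
"""Flag sources that probe many distinct ports on one host within a short window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed iptables/nftables-style kernel log line (e.g. from a LOG rule on a perimeter host).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2024):
    """Return (timestamp, src, dst, dport, syn_only) or None for non-TCP/unparseable lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    # A bare SYN (no ACK flag) is a connection attempt; SYN/ACK or ACK is established traffic.
    syn_only = bool(re.search(r"\bSYN\b", line)) and not re.search(r"\bACK\b", line)
    return ts, m["src"], m["dst"], int(m["dpt"]), syn_only


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """One alert per (src, dst) pair whose SYN-only probes reach >= threshold distinct
    destination ports inside any sliding window of the given length.
    The distinct-port count is the one seen when the threshold was first crossed."""
    events = [e for e in map(parse_line, lines) if e and e[4]]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, port) still inside the window
    alerted, alerts = set(), []
    for ts, src, dst, port, _ in events:
        q = recent[(src, dst)]
        q.append((ts, port))
        while ts - q[0][0] > window:  # drop probes that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append({"src": src, "dst": dst, "distinct_ports": len(distinct),
                           "first_seen": q[0][0], "last_seen": ts})
    return alerts


# --- constructed sample log (not captured from any real system) ---
def _log(hhmmss, src, dst, dpt, flags="SYN"):
    return (f"Jan 10 {hhmmss} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=44 TTL=54 "
            f"PROTO=TCP SPT=44123 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


SCANNER, VICTIM, CLIENT = "203.0.113.5", "10.0.0.12", "198.51.100.7"
SAMPLE_LOG = [
    _log(f"12:00:{i:02d}", SCANNER, VICTIM, p)
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])
] + [
    _log("12:00:05", CLIENT, VICTIM, 443),          # normal client, one port, repeated
    _log("12:00:06", CLIENT, VICTIM, 443, "ACK"),   # established traffic, not a probe
    _log("12:00:07", CLIENT, VICTIM, 443),
    "Jan 10 12:00:08 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.12 PROTO=UDP SPT=5353 DPT=53",
]

if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan: {a['src']} -> {a['dst']} ({a['distinct_ports']} distinct ports "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S})")
```

The threshold and window are the tuning knobs: a low threshold catches slow scanners but also trips on chatty clients, so in practice you would tune against a baseline of your own traffic and add an allow-list for known scanners such as your own vulnerability-scanning hosts.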

Nmap

Network Mapper (Nmap) is a widely used open-source network scanning and reconnaissance tool. Nmap comes with customizable Nmap Scripting Engine (NSE) scripts that allow you to extend the scanner's capabilities.

Here are some common Nmap flags to know:

Linux
nmap [target] [options]

OPTIONS
-sn                            Ping Scan (Disable Port Scan)
-Pn                            Skip Host Discovery (Treat All Hosts As Online)
-sV                            Probe Open Ports For Service/Version Info
-sC                            Run Default Scripts
-O                             Enable OS Detection
-p [ports]                     Scan Specified Ports
-iL [file]                     Input From List Of Hosts/Networks
--top-ports [number]           Scan [number] Most Common Ports
--script=[script1,script2]     Run [script(s)]
--exclude [IP/Range]           IP/Range To Exclude

-oN/-oX/-oG                    Output Scan In Normal/XML/Grepable Format

This would be an extremely long page if I went into detail on specific Nmap commands. Instead, I'll say that I personally find Nmap more useful when scanning for information on specific hosts you're interested in.

Tenable Nessus

Tenable Nessus is a widely used vulnerability scanning tool designed to help organizations identify and assess vulnerabilities in their networks, systems, applications, and other assets.

Nessus has a wide range of plugins that extend the scanner's capabilities, so new checks can be added to a scan as soon as a new vulnerability surfaces.

As with Nmap, we would be here all day if I went through all the settings available in Nessus. While the complete Nessus tool will set you back a few grand, Nessus Essentials is free and allows you to scan up to 16 IP addresses per scanner. Go try it out!

Masscan

Masscan is an ultra-fast port scanner commonly used to search for open ports on hosts. Masscan won't go into as much depth on each host as Nmap and Nessus do, but if you're given a /16 subnet during an engagement and want to find hosts with SMB (port 445) open, Masscan is your tool!

By default, Masscan sends a SYN packet to each target port, and if the host answers with a SYN/ACK, Masscan records that port as open on that host.

Linux
masscan [target] -p [ports] [options]

OPTIONS
--rate [number]                Rate Of Sending Packets (Packets Per Second)
--exclude [IP/Range]           IP(s)/Range(s) To Exclude
--excludefile [file]           Excludes IP(s)/Range(s) From A File

-oL/-oX/-oG                    Output Scan In List/XML/Grepable Format
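Both Nmap (-oG, above) and Masscan (-oG, here) can write grepable output, which is the form you usually end up post-processing when a large range has been scanned and you want "every host with port 445 open" as a list. The parser below is an added example, not code from the original page or from either project: it assumes the grepable layout of one "Host: ip (name)" record per line with tab-separated "Key: value" fields, and the "Ports:" field holding comma-separated entries of the form port/state/protocol/owner/service/rpc/version. The scan output it reads is constructed for the example (the Masscan-style line is an assumption about that tool's layout, with unused fields left empty), not captured from a real scan.

```python
"""Parse grepable (-oG) scanner output into {ip: {"hostname", "status", "open": {...}}}."""
import re
from collections import defaultdict

# Constructed sample: Nmap-style records plus one Masscan-style line (not real scan data).
SAMPLE_GNMAP = """# Nmap scan initiated (constructed sample) as: nmap -sV -oG out.gnmap 192.168.56.0/24
Host: 192.168.56.10 ()\tStatus: Up
Host: 192.168.56.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.56.20 (fileserver)\tStatus: Up
Host: 192.168.56.20 (fileserver)\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//microsoft-ds//Samba smbd 4/\tIgnored State: closed (998)
# Masscan-style line (assumed same field layout, unused fields left empty):
Host: 192.168.56.30 ()\tPorts: 445/open/tcp////
# Nmap done at (constructed sample) -- 256 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+(?P<rest>.*)$")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "status": str|None, "open": {(port, proto): {...}}}}."""
    hosts = defaultdict(lambda: {"hostname": "", "status": None, "open": {}})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host: record
        entry = hosts[m["ip"]]
        entry["hostname"] = entry["hostname"] or m["name"]
        # The remainder is tab-separated "Key: value" fields (Status, Ports, Ignored State, ...).
        fields = {}
        for chunk in m["rest"].split("\t"):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        if "Status" in fields:
            entry["status"] = fields["Status"]
        for port_entry in filter(None, (p.strip() for p in fields.get("Ports", "").split(","))):
            parts = port_entry.split("/")
            if len(parts) < 5:
                continue  # malformed record: skip rather than guess
            port, state, proto, _owner, service = parts[:5]
            version = parts[6] if len(parts) > 6 else ""
            if state == "open":  # closed/filtered ports are dropped on purpose
                entry["open"][(int(port), proto)] = {"service": service, "version": version}
    return dict(hosts)


def hosts_with_open_port(hosts, port, proto="tcp"):
    """The /16-and-SMB use case: every host on which the given port is open."""
    return sorted(ip for ip, h in hosts.items() if (port, proto) in h["open"])


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GNMAP)
    for ip in hosts_with_open_port(scan, 445):
        info = scan[ip]["open"][(445, "tcp")]
        print(f"{ip:15} {scan[ip]['hostname'] or '-':12} 445/tcp {info['service']} {info['version']}".rstrip())
```

Feed it a real file with `parse_grepable(open("out.gnmap").read())`; the only thing that changes between the Nmap and Masscan inputs is that Masscan leaves the service and version fields empty, which the parser tolerates.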
