Port Scans

Port scanning is a network reconnaissance technique used to discover open ports on a target system or network. It involves sending a series of network packets to specific ports on the target machine to determine which ports are open and what services or applications are running on those ports.


Note that port scans can be intrusive and can be detected and alerted on by the organization's alerting/detection solution.
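The note above is the defender's side of this page. As an added example (not code from the original page or from any of the tools it covers), the following Python sketch flags a source address that touches many distinct ports on one destination within a short time window. It assumes a constructed, simplified connection-log format rather than any real product's log.

```python
import re
from collections import defaultdict, deque

# Constructed log format (assumption): "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port> <flags>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\S+)$")


def detect_port_scans(lines, window=10, distinct_ports=15):
    """Return {src_ip: max_distinct_ports} for every source that contacted more than
    `distinct_ports` distinct ports on a single destination within `window` seconds."""
    events = defaultdict(deque)  # (src, dst) -> deque of (timestamp, port) in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        ts, src, dst, port = int(m[1]), m[2], m[3], int(m[4])
        q = events[(src, dst)]
        q.append((ts, port))
        # Drop events older than the sliding window (log lines are assumed time-ordered)
        while q and ts - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) > distinct_ports:
            flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


def build_sample_log():
    """Constructed sample: one normal client plus one host sweeping 20 ports in 4 seconds."""
    lines = ["1000 10.0.0.5 -> 10.0.0.20:443 SYN", "1003 10.0.0.5 -> 10.0.0.20:80 SYN"]
    for i in range(20):
        lines.append(f"{2000 + i // 5} 10.0.0.99 -> 10.0.0.20:{1 + i} SYN")
    return lines


if __name__ == "__main__":
    for src, count in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan from {src}: {count} distinct ports in window")
```

A sweep spread out so that fewer than the threshold of ports fall inside any one window is not flagged, which is the usual trade-off between slow scans and alert noise.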

Nmap

Network Mapper (Nmap) is a widely used open-source network scanning and reconnaissance tool. Nmap comes with customizable Nmap Scripting Engine (NSE) scripts that allow you to extend the scanner's capabilities.

Here are some common Nmap flags to know:

nmap [target] [options]

OPTIONS
-sn                            Ping Scan (Disable Port Scan)
-Pn                            Skip Host Discovery (Treat All Hosts As Online)
-sV                            Probe Open Ports For Service/Version Info
-sC                            Run Default Scripts
-O                             Enable OS Detection
-p [ports]                     Scan Specified Ports
-iL [file]                     Input From List Of Hosts/Networks
--top-ports [number]           Scan [number] Most Common Ports
--script=[script1,script2]     Run [script(s)]
--exclude [host1,host2,...]    Hosts/Networks To Exclude

-oN/-oX/-oG                    Output Scan In Normal/XML/Grepable Format

This would be an extremely long page if I went into detail on specific Nmap commands. Instead, I'll say that I personally find Nmap more useful when scanning for information on specific hosts you're interested in.

Tenable Nessus

Tenable Nessus is a widely used vulnerability scanning tool designed to help organizations identify and assess vulnerabilities in their networks, systems, applications, and other assets.

Nessus has a wide range of plugins that extend the scanner's capabilities, so new checks can be added to a scan as soon as a new vulnerability surfaces.

As with Nmap, we would be here all day if I went through all the settings available in Nessus. While the complete Nessus tool will set you back a few grand, Nessus Essentials is free and allows you to scan up to 16 IP addresses per scanner. Go try it out!

Masscan

Masscan is an ultra-fast port scanner commonly used to search for open ports on hosts. Masscan won't go into depth about hosts like Nmap and Nessus will, but if you're given a /16 subnet during an engagement and want to look for hosts with SMB (port 445), Masscan is your tool!
