# LOTL Port Scanning
Living Off The Land scanning techniques using native tools like Python, Bash, PowerShell, and Netcat.
Living Off The Land (LOTL) techniques rely on using native tools already available in the target or testing environment to perform reconnaissance, establish persistence, and execute commands—all while remaining stealthy. This guide focuses on performing basic port scanning using tools likely present in most environments.
## Python

Python is commonly installed on Linux and sometimes on Windows. Below is a Python-based port scanner using the `socket` library.
### Full Script

```python
import socket

target = "example.com"
ports = range(1, 1025)

for port in ports:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1)  # give up on a port after one second
    # connect_ex returns an errno instead of raising; 0 means the connect succeeded
    result = s.connect_ex((target, port))
    if result == 0:
        print(f"Port {port} is open.")
    s.close()
```
### Inline One-Liner

```bash
python -c 'import socket; socket.setdefaulttimeout(1); target="example.com"; [print(f"Port {port} is open.") for port in range(1,1025) if socket.socket().connect_ex((target, port)) == 0]'
```

The one-liner uses `connect_ex` rather than `create_connection` because `create_connection` raises on a closed port and would abort the comprehension at the first one; `setdefaulttimeout` applies the one-second limit to every socket created in the loop.
## Bash

Leverage Bash's built-in `/dev/tcp` pseudo-device for basic port scanning in Linux. This is a Bash feature, not a real device file, so the script must run under `bash` rather than `sh`.
### Script

```bash
#!/bin/bash
target="example.com"

for port in {1..1024}; do
    # the redirection succeeds only if the TCP connect succeeds
    (echo >/dev/tcp/$target/$port) > /dev/null 2>&1 && echo "Port $port is open."
done
```
### Inline

```bash
target="example.com"; for port in {1..1024}; do (echo >/dev/tcp/$target/$port) > /dev/null 2>&1 && echo "Port $port is open."; done
```
## PowerShell

PowerShell provides flexible port scanning via .NET libraries.

### Script

```powershell
$target = "example.com"

1..1024 | ForEach-Object {
    $port = $_
    $TCPClient = New-Object System.Net.Sockets.TcpClient
    Try {
        # Connect throws on a closed or filtered port, so only open ports reach Write-Host
        $TCPClient.Connect($target, $port)
        $TCPClient.Close()
        Write-Host "Port $port is open."
    } Catch {}
}
```
### Inline

```powershell
$target="example.com"; 1..1024 | % { $port=$_; $TCPClient=New-Object System.Net.Sockets.TcpClient; Try{$TCPClient.Connect($target, $port); $TCPClient.Close(); Write-Host "Port $port is open."}Catch{} }
```
### Single Port Check

```powershell
Test-NetConnection -Port 80 -ComputerName $target
```
## Netcat

Netcat (`nc`) is a quick and effective LOTL scanning tool available on many systems.
### Script

```bash
#!/bin/bash
target="example.com"

for port in {1..1024}; do
    # -z: scan without sending data, -v: report the result, -w1: one-second timeout.
    # "succeeded" is the wording of OpenBSD netcat; other variants (e.g. ncat) phrase it differently.
    nc -zv -w1 "$target" "$port" 2>&1 | grep -q succeeded && echo "Port $port is open."
done
```
### Inline

```bash
target="example.com"; for port in {1..1024}; do nc -zv -w1 "$target" "$port" 2>&1 | grep -q succeeded && echo "Port $port is open."; done
```
## Advantages

- **Stealth:** Uses native system tools, which are less likely to be flagged by host security controls than a dropped scanner binary.
- **Portable:** No need to download or compile external binaries.
- **Environment-Aware:** Adapts to the tools already available.
## Drawbacks

- **Noisy:** Each script opens one full TCP connection per port in quick succession, which is easy for network IDS or firewall logging to spot; these methods are not optimized for stealth in actively monitored environments.
- **Limited Capability:** Lacks advanced features of tools like Nmap or Masscan.
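The following script is an added example, not part of the original guide, and illustrates the "Noisy" drawback from the defender's side: every loop above completes one TCP connection per port in a few seconds, so a firewall or flow log sees a single source touching many distinct destination ports in a short window. The detector parses netfilter-style `LOG` lines (the sample lines, the hosts `10.0.0.5`, `10.0.0.7` and `10.0.0.10`, and the window and threshold values are all constructed assumptions) and flags any source that reaches the threshold of distinct ports inside a sliding time window.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Matches the netfilter LOG format written by iptables/nftables "LOG" targets
# (syslog timestamp, then SRC=/DST=/PROTO=/DPT= fields). Only TCP lines are kept.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a TCP LOG line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; the default year 1900 is fine for deltas
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_port_sweeps(log_text, window_seconds=60, threshold=10):
    """Flag sources that touch >= threshold distinct TCP ports within a sliding window.

    Returns {src: {"dst": first_target, "distinct_ports": [sorted ports]}}.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            ts, src, dst, dport = ev
            events[src].append((ts, dst, dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()         # (ts, dport) pairs currently inside the window
        port_counts = Counter()  # dport -> number of hits inside the window
        for ts, dst, dport in evs:
            window.append((ts, dport))
            port_counts[dport] += 1
            # evict events that have aged out of the window
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_port = window.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            if len(port_counts) >= threshold:
                entry = alerts.setdefault(src, {"dst": dst, "distinct_ports": set()})
                entry["distinct_ports"].update(port_counts)
    for entry in alerts.values():
        entry["distinct_ports"] = sorted(entry["distinct_ports"])
    return alerts


def build_sample_log():
    """Constructed sample data (hypothetical hosts): 10.0.0.5 sweeps ports 21-40 on
    10.0.0.10 within four seconds, while 10.0.0.7 makes ordinary connections."""
    lines = []
    for i, port in enumerate(range(21, 41)):
        lines.append(
            f"Jun  1 12:00:{i // 5:02d} gw kernel: IN=eth0 OUT= "
            f"SRC=10.0.0.5 DST=10.0.0.10 LEN=60 PROTO=TCP SPT={51000 + i} DPT={port} SYN"
        )
    lines += [
        "Jun  1 12:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN",
        "Jun  1 12:00:09 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN",
        "Jun  1 12:00:15 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.10 LEN=60 PROTO=UDP SPT=40002 DPT=53",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, info in detect_port_sweeps(build_sample_log()).items():
        ports = info["distinct_ports"]
        print(f"possible port sweep from {src} -> {info['dst']}: "
              f"{len(ports)} distinct ports ({ports[0]}-{ports[-1]})")
```

The sliding window is what separates the sequential loops above from normal traffic: a workstation that talks to a handful of services never accumulates ten distinct destination ports in a minute, whereas `{1..1024}` crosses that line within the first few seconds regardless of which of the four languages produced the connections. Tune `window_seconds` and `threshold` to the baseline of the network being monitored.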
## Conclusion
LOTL scanning is a valuable tactic during red team engagements, constrained environments, or stealth assessments. While these methods lack the power of full scanning tools, they offer flexibility, covertness, and can serve as a tactical advantage when operating under visibility constraints.
Use responsibly and always ensure proper authorization when performing scans.