This is a reference guide offering concise command suggestions for machine scanning. It encompasses widely-used tools and provides “living off the land” commands, ensuring adaptability to various environments.
Host Discovery
nmap
# Basic ping sweep
|
└─$ nmap -sn 10.10.10.0/24
# If ICMP is blocked:
|
└─$ nmap -Pn -p 80,443 10.10.10.0/24
ARP Scan with arping
└─$ arping -I eth0 10.10.10.0/24
Netdiscover
└─$ netdiscover -r 10.10.10.0/24
Broadcast Ping
└─$ ping -b 10.10.10.255
Masscan
└─$ masscan 192.168.1.0/24 -p1-65535 --rate=1000
Host Scanning
Initial Scan
└─$ nmap $IP -T4 -F -oA nmap.init
Full Port – Script and Versioning Scan
# Best Initial CTF Scan
└─$ nmap $IP -p- -sV -sC -oA ctf.scan
Aggressive Service and Version Scan
└─$ nmap $IP -sC -sV -A -oA nmap.aggro
UDP Scan
└─$ nmap $IP -sU -p- -oA nmap.udp
OS Detection Scan
└─$ nmap $IP -O -oA nmap.os
Script Scanning
# list all scripts of a given type i.e. 'http*'
└─$ ls /usr/share/nmap/scripts/x*
# Where x is the class. i.e. 'http-'
└─$ nmap $IP --script=x-*
Living Off The Land
Python
import socket

target = "example.com"
ports = range(1, 1025)

for port in ports:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1)  # don't hang on filtered ports
    result = s.connect_ex((target, port))  # 0 means connect() completed the handshake
    if result == 0:
        print(f"Port {port} is open.")
    s.close()
Inline:
python -c 'import socket; socket.setdefaulttimeout(1); target="example.com"; [print(f"Port {port} is open.") for port in range(1,1025) if socket.socket().connect_ex((target, port)) == 0]'
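A fuller version of the connect scan the Python snippets above perform, added here as an example and not part of the original page: it catches refused and timed-out connections instead of aborting on the first closed port, bounds the probe rate with a thread pool, and includes a loopback self-check; the function names and the 127.0.0.1 target are assumptions. Because connect() completes the TCP handshake, every probe lands in the target's accept and service logs, which is what makes this style of scan easy to spot.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Full TCP connect() probe: True only if the handshake completes."""
    try:
        # create_connection raises on refused/timed-out/unroutable; catching
        # OSError covers ConnectionRefusedError, socket.timeout and gaierror.
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0,
               workers: int = 64) -> List[int]:
    """Connect-scan `ports` on `host` with a bounded thread pool; return open ports sorted."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, results) if is_open)


def open_local_listener() -> Tuple[socket.socket, int]:
    """Bind a listener on a free loopback port so the scanner can be checked offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Scan the local host only (assumed target; the page names none).
    for p in scan_ports("127.0.0.1", range(1, 1025)):
        print(f"Port {p} is open.")
```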
Bash
#!/bin/bash
target="example.com"
for port in {1..1024}; do
    # /dev/tcp/<host>/<port> is a bash builtin path; the redirect only succeeds if connect() does
    (echo >/dev/tcp/$target/$port) > /dev/null 2>&1 && echo "Port $port is open."
done
Inline:
target="example.com"; for port in {1..1024}; do (echo >/dev/tcp/$target/$port) > /dev/null 2>&1 && echo "Port $port is open."; done
PowerShell
$target = "example.com"
1..1024 | ForEach-Object {
    $port = $_
    $TCPClient = New-Object System.Net.Sockets.TcpClient
    Try {
        $TCPClient.Connect($target, $port)
        $TCPClient.Close()
        Write-Host "Port $port is open."
    } Catch {}
}
Inline:
$target="example.com"; 1..1024 | % { $port=$_; $TCPClient=New-Object System.Net.Sockets.TcpClient; Try{$TCPClient.Connect($target, $port); $TCPClient.Close(); Write-Host "Port $port is open."}Catch{}}
Netcat
#!/bin/bash
target="example.com"
for port in {1..1024}; do
    # -z: send no data, -w1: 1s timeout; OpenBSD nc reports "succeeded!" on an open port
    nc -zv -w1 $target $port 2>&1 | grep -q succeeded && echo "Port $port is open."
done
Inline:
target="example.com"; for port in {1..1024}; do nc -zv -w1 $target $port 2>&1 | grep -q succeeded && echo "Port $port is open."; done
Back Burner: Unusual Scans
Reverse Scans
# FIN Scan
|
└─$ nmap -sF $IP -oA nmap.fin
# NULL Scan
|
└─$ nmap -sN $IP -oA nmap.null
# Xmas Scan
|
└─$ nmap -sX $IP -oA nmap.xmas
Zombie Scan
└─$ nmap -sI $ZOMBIE_IP $IP -oA nmap.zom
FTP Bounce Scan
└─$ nmap -b FTP_SERVER $IP -oA nmap.ftpb
Web Server
Gobuster
# gobuster directory
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30
# gobuster files
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -k -t 30
# gobuster for subdomains
gobuster dns -d domain.org -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 30
wfuzz
# fuzz directories
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"
# fuzz files
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"
dirbuster
└─$ dirbuster $IP
# Put http://$IP:$PORT in the top bar, select the wordlist from the file explorer.
API
# Use gobuster's pattern feature for API scanning: -p takes a file whose lines
| contain {GOBUSTER} as the wordlist placeholder, e.g. '{GOBUSTER}/v1' and '{GOBUSTER}/v2',
| since API paths often end in version numbers.
|
└─$ gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern