Port scanning

Port scanning is the process of probing a host for open ports to determine which services are running. Tools like nmap or masscan can be used to identify open ports and the services behind them.

Useful scans

Scanning for open ports using Live of the land (LOTL) technique:

Windows

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null

Linux

for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done

Scans using nmap:

sudo nmap -Pn -sS -p- <target> # Scan for open ports
sudo nmap -sU <target> # Eunumrate udp ports
sudo nmap -sC -sV -p <ports> <target> # Enumrate open ports

Command options:

-Pn: skip host discovery.

-p-: scan all ports (not recommended at first).

-p <ports>: scan specific ports

sV: enumerate for version.

sC: run default script for enumeration.

oN <output_file>: output results in normal format - ALWAYS DOCUMENT YOUR SCANS

sU: UDP scan.

sT: TCP scan.

sS: SYN scan.