OSCP Notes
Port scanning

Port scanning is the process of probing a host for open ports to determine which services are running. Tools like nmap or masscan can be used to identify open ports and the services behind them.

Useful scans

Scanning for open ports using a living off the land (LOTL) technique, i.e. with tools already present on the host:

Windows

# TCP connect scan of ports 1-1024 on 192.168.50.151; failed connections are silenced by 2>$null
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null

Linux

# sweep 172.16.50.0/24 for TCP 445 (-z: send no data, -v: report the result, -w 1: one-second timeout)
for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done

Scans using nmap:

sudo nmap -Pn -sS -p- -oN full_tcp.txt <target>    # SYN scan of all TCP ports, saved in normal format
sudo nmap -sU -oN udp.txt <target>                 # enumerate UDP ports
sudo nmap -sC -sV -p <ports> -oN services.txt <target>   # enumerate the open ports found (default scripts + versions)

Command options:

-Pn: skip host discovery.

-p-: scan all ports (not recommended at first).

-p <ports>: scan specific ports.

-sV: enumerate service versions.

-sC: run the default script set for enumeration.

-oN <output_file>: output results in normal format - ALWAYS DOCUMENT YOUR SCANS.

-sU: UDP scan.

-sT: TCP connect scan.

-sS: SYN scan.
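The two-step workflow above (full port discovery first, then -sC -sV on the open ports) means the -oN output of the first scan has to be turned into the port list for the second. The following parser is an added example, not part of the original notes or of nmap; it reads nmap normal-format output, collects the open ports per host and builds the follow-up command. The scan text, host addresses and file names in it are constructed samples.

```python
import re
from collections import OrderedDict

# Constructed sample of nmap normal (-oN) output; not a real scan result.
SAMPLE_ON = """\
# Nmap 7.94 scan initiated Tue Jan  2 10:00:00 2024 as: nmap -Pn -sS -p- -oN full_tcp.txt 192.168.50.151
Nmap scan report for 192.168.50.151
Host is up (0.0010s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
139/tcp  filtered netbios-ssn
445/tcp  open     microsoft-ds
Nmap scan report for 192.168.50.152
Host is up (0.0020s latency).
All 65535 scanned ports on 192.168.50.152 are in ignored states.
# Nmap done at Tue Jan  2 10:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_normal_output(text):
    """Return {host: [(port, proto, state, service), ...]} from -oN text."""
    hosts = OrderedDict()
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                       # a new "Nmap scan report for ..." block
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:   # a "22/tcp open ssh" style line
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts

def open_ports(hosts, host, proto="tcp"):
    """Only ports reported as 'open'; filtered/closed ports are left out."""
    return [p for p, pr, st, _ in hosts.get(host, []) if pr == proto and st == "open"]

def followup_command(hosts, host):
    """Build the targeted 'nmap -sC -sV -p <ports>' command, or None if nothing is open."""
    ports = open_ports(hosts, host)
    if not ports:
        return None
    return f"sudo nmap -sC -sV -p {','.join(map(str, ports))} -oN {host}_services.txt {host}"
```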
