Port Scanning and Discovery

I'm knocking on every door


Nmap is ubiquitous for scanning and rightfully so. Exceptionally powerful and tons of impressive backend scripts. Useful to determine potential services and versions of software running on a host.

nmap       # Scans with top 100 ports
sudo nmap  # Can perform stealth scans
nmap -p-      # Scans all TCP ports on with verbose output
nmap -p1-99   # Scans only TCP ports 1-99
nmap -pU:53,U:110,T20-445    # Scans UDP ports 53 + 110, then TCP 20 thru 445
nmap -iL targets.txt    # Scans all of the hosts in the targets.txt file

Straightforward, quick, and easy way to determine a large amount of info on an IP

sudo nmap -vv -A    # Scans top 100 ports, attempt OS Detection, Versions, and Tracert, very verbose

Nmap scripts have some really interesting capabiltiies

locate *.nse       # Find all nmap scripting files on the host
nmap -sC  # Run default scripts 
nmap --script-updatedb    # Update the script database

Scan Types




Probe only, host discovery and no port scanning


SYN scan (aka stealth, does not establish 3-way handshake)


TCP connect scan (full 3-way connection)


UDP scan


Version scan


OS Detection


Set a custom list of TCP flags using URGACKPSHRSTSYNFIN in any order

Probing Options




Don't ICMP probe, assume all targets are up. Useful if target is known to be on the network, but blocking ICMP


Default probe (TCP 80, 445, & ICMP)


ICMP Echo Request


ICMP Timestamp Request


ICMP Netmask Request

Timing Options




Paranoid: very slow, potential IDS evasion


Sneaky: Slow, IDS evasion again


Polite: Slows down to consume less bandwidth, runs about 10 times slower than default


Normal: Default value, dynamic timing model based on target responsiveness


Aggressive: Assumes a fast and reliable network


Insane: Very aggressive, likely to miss open ports and may overwhelm targets

Most of this info gathered from SANS cheat sheet https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/

While the scan is running, can view additional information about the scan with the buttons below:




Turn on packet tracing

P [Uppercase!]

Turn off packet tracing


Increase verbosity

V [Uppercase!]

decrease verbosity


Increase debugging level

D [Uppercase!]

decrease debugging level


Masscan is capable of asynchronous transmission, which is a fancy way of saying that it doesnt have to wait for replies when sending out probes. Wicked fast scanning!

masscan -p443    # Scans the entire subnet for TCP 443
masscan -p22-25  # Scans subnet for TCP 22, 23, 24, & 25
masscan ‐‐top-ports 100    # Nmap's top 100 ports

Options can be found with the --echo switch. Default scanning rate is 100 pkts/sec, which is slow. Increase the rate with the --rate switch. Typically, 15,000 pkts/sec is a safe limit.

masscan ‐‐top-ports 100 ––rate 10000
masscan -p0-65535 --rate 10000    # Scan all ports on a host

masscan -p 0-65535 --rate 1000     # Slower rate when scanning over the Internet
masscan -p U:0-65535 --rate 1000     # UDP scanning over the Internet
masscan -p0-65535,U:0-65535 --rate 1000     # Scan UDP and TCP at the same time!

We can also gather information from banners, and even spoof the source IP.

--banner                # For "supported protocols"
-source-ip     # To change the source

Info gathered from Daniel Miessler, https://danielmiessler.com/study/masscan/


Can use netcat to run as a scanner if necessary, gets information back if a port is open or not.

echo "" | nc -nvw2 20-80


Useful to watch scanning while it occurs on tcpdump, to help validate correct scanning and potential issues.

sudo tcpdump -w - | tee file.pcap | tcpdump -r -        # Allows pcap to be printed to screen and saved at the same time


Gobuster can be used to enumerate vhosts, dns, directories, and S3 buckets. Requires many different subcommands to work properly.


DNS mode looks for subdomains. -d is domain, -w is wordlist, --wildcard ignores wildcards, and -r specifies a resolver.

gobuster dns -d m4lwhere.org -w ./wordlist.txt --wildcard -r


A more "classic" use of the program, where forced browsing is used to try and uncover hidden files/folders.

gobuster dir -u https://m4lwhere.org/ -w ./wordlist.txt -q -n -e 

S3 Buckets

We can try to identify S3 buckets now. The wordlist of bucket names does NOT need to be a FQDN, as the tool can append to the bucket name as needed. A "pattern" can be used as well, this replaces {GOBUSTER} with the wordlist.

The "patterns" file can contain items such as {GOBUSTER}-dev, {GOBUSTER}-01, {GOBUSTER}-backup and more.

gobuster s3 -w list_of_buckets.txt
gobuster s3 -w list_of_buckets.txt -p patterns.txt


EyeWitness is an exceptional tool to help quickly identify and display potentially vulnerable systems. Imagine having over 3,000 responding systems on a network, how do you know which ones are vulnerable?

EyeWiteness makes this easy by grabbing screenshots of web services and saving them into an HTML report. This allows an analyst to view and scroll through the screenshots, making it easier to quickly identify potentially vulnerable systems.

The workflow should involve masscan -> nmap for services -> eyewitness for info.

python3 EyeWitness.py --web -f urls.txt --prepend-https

Last updated