# Port Scanning and Discovery

## Nmap

Nmap is ubiquitous for scanning, and rightfully so: it is exceptionally powerful and ships with a large library of scripts. It is useful for determining which services, and which software versions, are likely running on a host.

```bash
nmap 192.168.1.1       # Scans the top 1000 TCP ports on 192.168.1.1 (nmap's default port set)
sudo nmap 192.168.1.1  # As root, nmap defaults to a SYN scan (-sS) instead of a full connect scan
nmap 10.0.0.1 -p-      # Scans all 65535 TCP ports on 10.0.0.1
nmap 10.0.0.1 -p1-99   # Scans only TCP ports 1-99
sudo nmap 10.0.0.1 -sS -sU -p U:53,110,T:20-445    # UDP 53 and 110 plus TCP 20 through 445 (-sU is required or the UDP ports are ignored)
nmap 10.0.0.1 -iL targets.txt    # Scans 10.0.0.1 plus every host listed in targets.txt
```

A straightforward, quick way to gather a large amount of information about a single IP:

```bash
sudo nmap 10.0.0.1 -vv -A    # Top 1000 ports with OS detection, version detection, default scripts, and traceroute (-A), very verbose
```

Nmap scripts (NSE) have some really interesting capabilities.

```bash
locate '*.nse'     # Find all nmap scripting engine files on the host (quoted so the shell does not expand the glob)
nmap 10.0.0.1 -sC  # Run the default script set (equivalent to --script=default)
nmap --script-updatedb    # Update the script database
```

### Scan Types

| Switch        | Description                                                                     |
| ------------- | ------------------------------------------------------------------------------- |
| `-sn`         | Ping scan: host discovery only, no port scanning                                 |
| `-sS`         | SYN scan (aka stealth, does not establish 3-way handshake)                      |
| `-sT`         | TCP connect scan (full 3-way connection)                                        |
| `-sU`         | UDP scan                                                                        |
| `-sV`         | Version scan                                                                    |
| `-O`          | OS Detection                                                                    |
| `--scanflags` | Set a custom list of TCP flags using `URGACKPSHRSTSYNFIN` in any order          |

### Probing Options

| Switch | Description                                                                                                    |
| ------ | -------------------------------------------------------------------------------------------------------------- |
| `-Pn`  | Skip host discovery (no ping probes) and treat every target as up. Useful if the target is known to be on the network but blocks ICMP |
| `-PB`  | Default probe (TCP 80, 445, & ICMP)                                                                            |
| `-PE`  | ICMP Echo Request                                                                                              |
| `-PP`  | ICMP Timestamp Request                                                                                         |
| `-PM`  | ICMP Netmask Request                                                                                           |

### Timing Options

| Switch | Description                                                                               |
| ------ | ----------------------------------------------------------------------------------------- |
| `-T0`  | **Paranoid**: very slow, potential IDS evasion                                            |
| `-T1`  | **Sneaky**: Slow, IDS evasion again                                                       |
| `-T2`  | **Polite**: Slows down to consume less bandwidth, runs about 10 times slower than default |
| `-T3`  | **Normal**: Default value, dynamic timing model based on target responsiveness            |
| `-T4`  | **Aggressive**: Assumes a fast and reliable network                                       |
| `-T5`  | **Insane**: Very aggressive, likely to miss open ports and may overwhelm targets          |

Most of this info was gathered from the SANS cheat sheets: <https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/>

While a scan is running, you can get more information about it by pressing the keys below:

| Key             | Meaning                  |
| --------------- | ------------------------ |
| `p`             | Turn on packet tracing   |
| `P` (uppercase) | Turn off packet tracing  |
| `v`             | Increase verbosity       |
| `V` (uppercase) | Decrease verbosity       |
| `d`             | Increase debugging level |
| `D` (uppercase) | Decrease debugging level |

## Masscan

Masscan is capable of asynchronous transmission, which is a fancy way of saying that it doesn't have to wait for replies before sending out more probes. Wicked fast scanning!

```bash
masscan 10.11.0.0/16 -p443    # Scans the entire subnet for TCP 443
masscan 10.11.0.0/16 -p22-25  # Scans subnet for TCP 22, 23, 24, & 25
masscan 10.11.0.0/16 --top-ports 100    # Nmap's top 100 ports
```

The `--echo` switch prints the current configuration, every option together with its value, which is a quick way to see what is available. The default scanning rate is 100 pkts/sec, which is slow. Increase the rate with the `--rate` switch. Typically, 15,000 pkts/sec is a safe limit.

```bash
masscan 10.11.0.0/16 --top-ports 100 --rate 10000    # Top 100 ports across the subnet at 10,000 pkts/sec
masscan 10.0.0.1/32 -p0-65535 --rate 10000    # Scan all ports on a host

masscan 45.33.32.156 -p 0-65535 --rate 1000     # Slower rate when scanning over the Internet
masscan 45.33.32.156 -p U:0-65535 --rate 1000     # UDP scanning over the Internet
masscan 45.33.32.156 -p0-65535,U:0-65535 --rate 1000     # Scan UDP and TCP at the same time!
```

Masscan can also grab banners, and it can set a different source IP on the probes it sends.

```bash
--banner                # Grab banners for the protocols masscan understands
--source-ip 10.1.1.2    # Send probes from a different source address
```

Info gathered from Daniel Miessler, <https://danielmiessler.com/study/masscan/>

## Netcat

Netcat can be used as a simple scanner if necessary; it reports whether each port in the range is open or not.

```bash
echo "" | nc -nvw2 10.10.1.2 20-80    # -n no DNS, -v report each port, -w2 two-second timeout; the empty line closes stdin so nc moves on
```

## Tcpdump

It is useful to watch a scan with tcpdump while it runs, to validate that the scan is doing what you expect and to spot problems.

```bash
sudo tcpdump -w - | tee file.pcap | tcpdump -r -        # Allows pcap to be printed to screen and saved at the same time
```
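As an added example (not part of the original page), the kind of check a defender or a scan operator can run over the tcpdump text above: it parses tcpdump's default one-line TCP output, counts how many distinct destination ports each source SYN-probed, and tells a half-open SYN scan (no completing ACK) apart from ordinary connections. The capture lines are constructed, and the `min_ports` threshold is an assumption.

```python
import re
from collections import defaultdict

# tcpdump's default text line for an IPv4 TCP segment, e.g.
# 12:00:00.000001 IP 10.0.0.5.40000 > 10.0.0.1.22: Flags [S], seq 1, win 1024, length 0
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP line, or None for anything else."""
    m = LINE_RE.match(line)
    return (m["src"], m["dst"], int(m["dport"]), m["flags"]) if m else None

def find_syn_scanners(lines, min_ports=10):
    """Report (src, dst) pairs where src sent a bare SYN to at least min_ports distinct ports.
    'handshakes' counts how many of those ports src later ACKed: a SYN scan (-sS) never
    completes the handshake, so it shows 0, while a connect scan (-sT) ACKs every open port."""
    syn_ports, acked = defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        if flags == "S":                 # bare SYN: first step of the handshake (or a probe)
            syn_ports[(src, dst)].add(dport)
        elif flags == ".":               # bare ACK: third step of the handshake
            acked[(src, dst)].add(dport)
    return {key: {"ports": len(ports), "handshakes": len(ports & acked[key])}
            for key, ports in syn_ports.items() if len(ports) >= min_ports}

# Constructed sample capture (not a real trace): 10.0.0.5 SYN-probes TCP 20-80 on 10.0.0.1,
# the way `sudo nmap -sS -p20-80` would, and 10.0.0.1 answers each with RST/ACK (closed).
# 10.0.0.9 makes one ordinary, fully completed connection to port 443.
SAMPLE = []
for i, port in enumerate(range(20, 81)):
    SAMPLE.append(f"12:00:00.{i:06d} IP 10.0.0.5.{40000 + i} > 10.0.0.1.{port}: Flags [S], seq 1, win 1024, length 0")
    SAMPLE.append(f"12:00:00.{i:06d} IP 10.0.0.1.{port} > 10.0.0.5.{40000 + i}: Flags [R.], seq 0, ack 2, win 0, length 0")
SAMPLE += [
    "12:00:01.000000 IP 10.0.0.9.51000 > 10.0.0.1.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000100 IP 10.0.0.1.443 > 10.0.0.9.51000: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "12:00:01.000200 IP 10.0.0.9.51000 > 10.0.0.1.443: Flags [.], ack 10, win 502, length 0",
]

if __name__ == "__main__":
    for (src, dst), info in find_syn_scanners(SAMPLE).items():
        print(f"{src} -> {dst}: {info['ports']} ports SYN-probed, {info['handshakes']} handshakes completed")
```

Feed it real lines with `sudo tcpdump -n -i <iface> tcp | python3 this_script.py`-style plumbing (reading stdin instead of `SAMPLE`); the `-n` flag matters because the regex expects numeric addresses.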

## Gobuster

Gobuster can be used to enumerate vhosts, DNS subdomains, directories, and S3 buckets. Each of these is a separate subcommand with its own options.

### DNS

DNS mode looks for subdomains. `-d` is domain, `-w` is wordlist, `--wildcard` ignores wildcards, and `-r` specifies a resolver.

```bash
gobuster dns -d m4lwhere.org -w ./wordlist.txt --wildcard -r 8.8.8.8
```

### Directory

A more "classic" use of the program, where forced browsing is used to try and uncover hidden files/folders.

```bash
gobuster dir -u https://m4lwhere.org/ -w ./wordlist.txt -q -n -e
```

### S3 Buckets

We can also try to identify S3 buckets. The wordlist of bucket names does NOT need to contain FQDNs, as the tool appends to the bucket name as needed. A "pattern" file can be used as well; each pattern has `{GOBUSTER}` replaced with every entry from the wordlist.

The "patterns" file can contain items such as `{GOBUSTER}-dev`, `{GOBUSTER}-01`, `{GOBUSTER}-backup` and more.

```bash
gobuster s3 -w list_of_buckets.txt
gobuster s3 -w list_of_buckets.txt -p patterns.txt
```

## EyeWitness

EyeWitness is an exceptional tool to help quickly identify and display potentially vulnerable systems. Imagine having over 3,000 responding systems on a network: how do you know which ones are vulnerable?

EyeWitness makes this easy by grabbing screenshots of web services and saving them into an HTML report. This allows an analyst to view and scroll through the screenshots, making it easier to quickly identify potentially vulnerable systems.

The workflow should involve `masscan -> nmap for services -> eyewitness for info`.

```bash
python3 EyeWitness.py --web -f urls.txt --prepend-https
```
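The workflow above, as an added example that is not part of the original page or of the tools it describes: it parses masscan's `-oL` list output (constructed sample below), builds one nmap `-p` port specification per host so the follow-up service scan only touches the ports masscan saw open, and writes the `host:port` lines for EyeWitness to expand with `--prepend-https`. The set of web ports and the `-oL` layout used in the sample are assumptions.

```python
from collections import defaultdict

# Constructed sample of masscan list output (`masscan ... -oL masscan.txt`), not a real scan.
# Assumed layout per line: state proto port ip timestamp; comment lines start with '#'.
SAMPLE_MASSCAN = """#masscan
open tcp 443 10.11.0.5 1598283000
open tcp 22 10.11.0.5 1598283001
open udp 161 10.11.0.5 1598283002
open tcp 8080 10.11.0.7 1598283003
banner tcp 443 10.11.0.5 1598283004 title Example
# end
"""

def parse_masscan_list(text):
    """Parse masscan -oL output into {ip: sorted list of (proto, port)}; banner and comment lines are skipped."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "open":
            continue
        _state, proto, port, ip = fields[:4]
        hosts[ip].add((proto, int(port)))
    return {ip: sorted(ports) for ip, ports in hosts.items()}

def nmap_port_spec(ports):
    """Build an nmap -p value such as 'T:22,443,U:161' from (proto, port) pairs."""
    tcp = [str(p) for proto, p in ports if proto == "tcp"]
    udp = [str(p) for proto, p in ports if proto == "udp"]
    parts = ["T:" + ",".join(tcp)] if tcp else []
    parts += ["U:" + ",".join(udp)] if udp else []
    return ",".join(parts)

def nmap_commands(hosts):
    """One focused nmap service scan per host, limited to the ports masscan saw open (run with sudo)."""
    cmds = []
    for ip, ports in sorted(hosts.items()):
        scan = "-sS -sU" if any(proto == "udp" for proto, _ in ports) else "-sS"
        cmds.append(f"nmap {scan} -sV -sC -p{nmap_port_spec(ports)} {ip}")
    return cmds

def eyewitness_targets(hosts, web_ports=(80, 443, 8000, 8080, 8443)):
    """host:port lines for `EyeWitness.py --web -f urls.txt --prepend-https`, one per open TCP web port (assumed port set)."""
    return [f"{ip}:{port}" for ip, ports in sorted(hosts.items())
            for proto, port in ports if proto == "tcp" and port in web_ports]

if __name__ == "__main__":
    hosts = parse_masscan_list(SAMPLE_MASSCAN)
    print("\n".join(nmap_commands(hosts)))
    print("\n".join(eyewitness_targets(hosts)))
```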
