Reconnaissance | T1046
🔍 Network Port Scanning
🧠 Description
Port scanning is the process of probing target systems to discover open ports and services. It forms the foundation of network reconnaissance and helps identify potential attack vectors.
🛠️ Nmap Scanning
Basic Scans:
# TCP SYN scan (stealth) nmap -sS target.com # TCP connect scan nmap -sT target.com # UDP scan nmap -sU target.com # Quick scan top ports nmap -F target.com # Full port scan nmap -p- target.com
Service Detection:
# Version detection nmap -sV target.com # Aggressive scan (OS, version, scripts, traceroute) nmap -A target.com # Scan with default scripts nmap -sC target.com # CVE detection nmap --script vuln target.com
Timing & Evasion:
# Timing templates (T0-T5) nmap -T4 target.com # Slow scan (avoid detection) nmap -T1 -p- target.com # Source spoofing nmap -S 10.0.0.1 target.com # Fragmented packets nmap -f target.com # Decoy scan nmap -D decoy1,decoy2 target.com
Output Formats:
# Normal output nmap -oN scan.txt target.com # XML output (for tools) nmap -oX scan.xml target.com # Grepable format nmap -oG scan.gnmap target.com # All formats nmap -oA scan target.com
⚡ Masscan (Fast Scanning)
# Fast scan entire network masscan -p1-65535 10.0.0.0/24 --rate=10000 # Scan specific ports masscan -p22,80,443,445,3389 10.0.0.0/24 # With output masscan -p1-10000 10.0.0.0/24 -oX scan.xml # Exclude specific IPs masscan -p1-1000 10.0.0.0/24 --excludefile no_scan.txt
📜 NSE Scripts
# Vulnerability scanning nmap --script vuln target.com # SMB enumeration nmap --script smb-enum-shares,smb-enum-users target.com # HTTP enumeration nmap --script http-enum,http-title target.com # SSL/TLS scanning nmap --script ssl-enum-ciphers target.com # DNS zone transfer nmap --script dns-zone-transfer -p53 target.com # Brute force nmap --script brute target.com