Network Enumeration

Ping Sweep

# Ping sweep from Linux: send one echo request per host in the background and
# keep only the lines that prove a reply came back ("bytes from <ip>").
for ((i = 1; i <= 254; i++)); do
  ( ping -c 1 "172.16.5.$i" | grep "bytes from" & )
done
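# Ping sweep from a Windows CMD prompt (-n 1 one echo, -w 100 ms timeout).
# Filter on "TTL=" rather than "Reply": a host that is down on the local
# segment yields "Reply from <own ip>: Destination host unreachable.", which
# also contains "Reply" and so showed up as a false positive. Only genuine
# echo replies carry a TTL value.
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "TTL="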
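# Ping sweep from PowerShell: one echo request per host, printing "<ip>: True/False".
# The label and the -comp target must be the same subnet; the original probed
# 172.15.5.x while labelling the output 172.16.5.x, so the True/False column
# described a different network than the one printed.
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}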
# Probe every host in 172.16.5.0/24 for an open TCP/445 (SMB) with a 1 s timeout.
# nc -z only checks that the connect succeeds and sends no data; -v reports each outcome.
for i in {1..254}; do
  nc -zv -w 1 "172.16.5.$i" 445
done
# Ping sweep from inside Metasploit using the post module (run against an existing
# session, i.e. pivoting through the compromised host). Note the /23: it spans
# 172.16.4.0-172.16.5.255, twice the range the loops above sweep.
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

Scan Network Range

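# Host discovery only (-sn, no port scan) over 10.10.0.0/24, saving all three
# report formats as tnet.nmap/.gnmap/.xml. -n disables reverse DNS so every
# report line reads "Nmap scan report for <ip>" and field 5 is the IP; without
# it, hosts with a PTR record print "for <hostname> (<ip>)" and the cut
# returns the hostname for some hosts and the IP for others.
sudo nmap 10.10.0.0/24 -sn -n -oA tnet | grep "scan report for" | cut -d" " -f5
# Same sweep using the grepable format: each "Host: <ip> (<name>)  Status: Up"
# line yields the IP as the second space-separated field regardless of DNS.
sudo nmap -v -sn 10.10.2.1-253 -oG sweep.txt ; grep Up sweep.txt | cut -d " " -f 2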

Convert nmap XML report to HTML

xsltproc target.xml -o target.html

ACK-Scan

sudo nmap 10.10.0.1 -p 21 -sA -Pn -n

Scan by Using Decoys

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n -D RND:5

Scan Using a Spoofed Source IP

sudo nmap 10.10.0.1 -S 10.129.2.200 -e tun0 -Pn -n --disable-arp-ping --packet-trace

SYN-Scan From DNS Port

sudo nmap 10.10.0.1 -p22 -sS --source-port 53 -Pn -n --disable-arp-ping

Fast Scan

rustscan -a 192.168.147.96

Service Scanning

# Service/version detection (-sV) plus the default NSE script set (-sC) across
# all 65535 TCP ports (-p-). A full-port scan is slow and the default scripts
# actively talk to the services they find, so this is not a quiet scan.
nmap -sV -sC -p- 10.129.42.253

# Find NSE scripts by keyword with locate ("citrix" is just an example). locate
# reads a prebuilt index, so run `sudo updatedb` first if nothing is found;
# scripts normally live under /usr/share/nmap/scripts/.
locate scripts/citrix

# Run a single NSE script against one port: smb-os-discovery queries the SMB
# service on TCP/445 for OS, hostname and domain information.
nmap --script smb-os-discovery.nse -p445 10.10.10.40

# Banner grab over a raw TCP connection. An SSH server sends its version string
# as soon as the connection opens, so nothing needs to be typed; for protocols
# where the client speaks first (e.g. HTTP) send a request to provoke a banner.
# Ctrl-C to disconnect.
netcat 10.10.10.10 22
