Network Enumeration

Ping Sweep

# Ping Sweep For Loop on Linux
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
# Ping Sweep For Loop Using CMD
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
# Ping Sweep Using PowerShell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}
# Scan network range for open port 445
for i in $(seq 1 254); do nc -zv -w 1 172.16.5.$i 445; done
# Ping Sweep metasploit
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

Scan Network Range

sudo nmap 10.10.0.0/24 -sn -oA tnet | grep for | cut -d" " -f5
sudo nmap -v -sn 10.10.2.1-253 -oG sweep.txt ; grep Up sweep.txt | cut -d " " -f 2

Convert nmap XML report to HTML

xsltproc target.xml -o target.html

ACK-Scan

sudo nmap 10.10.0.1 -p 21 -sA -Pn -n

Scan by Using Decoys

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n -D RND:5

Scan by Using Different Source IP

sudo nmap 10.10.0.1 -S 10.129.2.200 -e tun0 -Pn -n --disable-arp-ping --packet-trace

SYN-Scan From DNS Port

sudo nmap 10.10.0.1 -p22 -sS --source-port 53 -Pn -n --disable-arp-ping

Fast Scan

rustscan -a 192.168.147.96

Service Scanning

# Nmap scan
sudo nmap -sS 10.129.42.253 -sV --version-all -sC -O -A --reason -n -Pn
# Nmap Script Scan
sudo nmap -sS 10.10.0.1 -sV --version-all -sC -O -A --reason -n -Pn --script '((auth or brute or default or exploit or safe or version or vuln) and not broadcast-*)'
# Nmap Script Scan aggressive
sudo nmap -sS 10.10.0.1 -sV --version-all -sC -O -A --reason -n -Pn --script "intrusive,dos,discovery"
​
# List various available nmap scripts
locate scripts/citrix
​
# Run an nmap script on an IP
nmap --script smb-os-discovery.nse -p445 10.10.10.40
​
# Grab banner of an open port
netcat 10.10.10.10 22

Nmap Options

-n	Never do DNS resolution
-sS	TCP SYN scan
-sT	TCP connect scan
-sU	UDP scans
-sV	Version detection
--version-all	Try every single Version probe (intensity 9)
-O	Enable OS detection
--osscan-guess:	Guess OS more aggressively
-sC	Run default NSE script