# IP & Port Scanning

## Introduction

This section contains the tools to discover assets and the services running inside each of them.

## Discovering assets

If the attacker needs to attack an internal network, first of all, will need to discover which hosts are active on that network. For doing so, we can use several tools.

Ping scan with **Nmap** pings each machine to check if it is active. However, if there are machines configured to not respond to pings, they will not appear (Machines with windows defender enabled).

```bash
sudo nmap -sn -n <NETWORK>/<MASK>
```

The **Arp-scan** tool uses the Address Resolution Protocol (ARP) to identify all active network assets.

```bash
sudo arp-scan -I <NETWORK_INTERFACE> <NETWORK>/<MASK>
sudo netdiscover -r <NETWORK>/<MASK>
```

Another alternative would be to scan the top X ports of all the machines on a network, waiting for some to respond so we know a device is active.

Obtain the top X TCP ports based on Nmap.

```bash
nmap --top-ports 20 -v -oG - 2>/dev/null | grep 'Ports scanned' | awk '{print $4}' | sed 's/.*(\(.*\))/\1/' | awk -F\; '{print $2}'
```

Ports scanners tools:

```bash
masscan -p<PORTS> <NETWORK>/<MASK>
nmap -n -p<PORTS> <NETWORK>/<MASK> #SLOWER
```

Finally, another method much slower and less intrusive is sniffing the traffic. However, it will only detect the devices that send ARP requests or replies over the network, requiring a ton of time to notice the whole network.

```bash
sudo netdiscover -p
```

### Scanning assets

Once the attackers know the assets to analyse, they need to scan which ports have opened. This can be done with Nmap.

### TCP Ports

Obtaining all TCP listening ports.

```bash
sudo nmap -v -sS -p- -n -T4 -oN AllTCPPorts.txt <IP>
```

### UDP Ports

Obtaining UDP listening ports.

```bash
sudo nmap -v -sU -T4 -n -oN AllPortsTop1000UDP.txt <IP> 
sudo nmap -v -sU -p- -T4 -n -oN AllPortsUDP.txt <IP> 
```

### Port information gathering

Then, for each TCP or UDP listening port, the attacker needs to identify the running service and version and extra information about them.

```bash
sudo nmap -sS -sC -sV -n -oN ScriptPortsScan.txt -p <PORTS> <IP> # TCP
sudo nmap -sU -sC -sV -n -oN ScriptPortsScan.txt -p <PORTS> <IP> # UDP
```

### Simple vulnerability scanning

Nmap also provides scripts for detecting vulnerabilities in concrete services.

```bash
sudo nmap --script vuln -n -oN VulnsPorts.txt -p <PORTS> <IP>
```

### Detecting the Operating System

A simple way to detect the installed operating system is by checking the TTL of a ping. If the TTL is around 60, there is a high chance it is Linux; meanwhile, if the TTL is around 128, the system can be Windows.

Nonetheless, Nmap has built-in scripts to detect the operative system and version.

```bash
sudo nmap -O -sV <IP>
```

## Massive host scanning

Imagine that you have a huge scope like a /16 network, which is a total of 65536 hosts. For those cases, you can use automated tools like Nessus or be very organised while scanning hosts.

The best option is the have each host separated by folders; so that every result of scans, tools, exploits, etc. are stored in the same host's folder. The problem is that when scanning a whole network con Nmap, the result is stored in one huge file. Hence, as a solution, with the script [massScan.sh](https://raw.githubusercontent.com/Marmeus/Kali-Booster/refs/heads/main/Assets/Scripts/massScan.sh), you will obtain the scans in this structure.

```bash
# /24, /32 networks
/tmp/NmapScan/
├── 1
│   ├── AllPorts.gnmap
│   ├── AllPorts.nmap
│   └── AllPorts.xml

# /16 network
/tmp/NmapScan/
├── 0
│   ├── 1
│   │   ├── AllPorts.gnmap
│   │   ├── AllPorts.nmap
│   │   └── AllPorts.xml
```

This way, you can easily obtain which hosts have port 80 open with this command.

```bash
grep "80/open" $(find /tmp/NmapScan/ -name *.gnmap) | awk '{print $2}'
```

Finally, with the script [massScan\_depth.sh](https://raw.githubusercontent.com/Marmeus/Kali-Booster/refs/heads/main/Assets/Scripts/massScan_depth.sh), you can make a scan more in-depth about each open port, knowing more information about each service. The results will be stored like this.

```bash
/tmp/NmapScan/
├── 0
│   ├── 1
│   │   ├── AllPorts.gnmap
│   │   ├── AllPorts.nmap
│   │   ├── AllPorts.xml
│   │   └── PortsDepth.txt
```

Nmap cheatsheet

![NMAP Cheatsheet](https://3683125600-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FAiuSjJMFQ72nHxKtvtIh%2Fuploads%2Fgit-blob-72fc8a93fe0c8eb994882662cf350631c63d8d79%2Fnmap_cheatsheet.jpg?alt=media)

## Windows environment

As a first approach, the attacker can use Enum4linux for enumerating information from Windows and Samba systems.

```bash
enum4linux -a [-u "username" -p "password"] <IP>
enum4linux -A [-u "username" -p "password"] <IP>
enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://the-pentesting-guide.marmeus.com/active/ip-and-port-scanning.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.