# Pivoting

## Introduction

Once you have owned your victim's machine, it is time to pivot to other hosts and enumerate their open ports. In this section, you will find some techniques to perform such tasks.

## Ping Sweep

The easiest way to find live hosts on a network is to send an ICMP echo request to each address in the range and wait for replies. Hosts that drop ICMP will not answer, so an empty result does not prove the range is empty.

**Windows**:

```cmd
for /l %i in (1,1,254) do @ping -n 1 -w 100 X.X.X.%i | find "Reply"
```

**Linux**:

```bash
for i in {1..254} ;do (ping -c 1 X.X.X.$i | grep "bytes from" &) ;done
```

## Port Scanning

Here are some "One-liners" that you can use to perform port scanning against your victim's system.

**PowerShell**:

```powershell
1..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("X.X.X.X",$_)) "Port $_ is open!"} 2>$null
```

**Bash**:

```bash
#!/bin/bash
# Usage: ./portscan.sh <target-ip>; relies only on bash's /dev/tcp pseudo-device
[ -z "$1" ] && { echo "Usage: $0 <target-ip>" >&2; exit 1; }
temp=$(mktemp -t PortScan_XXXXXX)
for port in $(seq 1 65535); do
    # each probe runs in the background with a 2-second timeout; connection errors are silenced
    timeout 2 bash -c "2>/dev/null echo '' > /dev/tcp/$1/$port" && echo "[*] Port $port - OPEN" | tee -a "$temp" &
done; wait
echo "Results stored at $temp"
```

**Python**:

```python
#!/usr/bin/python3
# Usage: ./portscan.py <target-ip>; plain TCP connect scan, one port at a time
import socket
import sys

target = sys.argv[1]
for port in range(1, 65536):
    # a short timeout keeps filtered ports from stalling the loop; the context
    # manager closes the socket whether or not the connection succeeded
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1)
        try:
            s.connect((target, port))
            print("Port", port, "is open")
        except OSError:
            pass  # closed or filtered
```
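Both activities above, a ping sweep and a sequential TCP connect scan, leave a distinctive trace in firewall logs: one source touching many distinct hosts or many distinct ports within seconds. The following Python is an added defender-side example, not code from the original page; it parses constructed dmesg-style netfilter log lines and flags both patterns with a per-source sliding window over distinct targets (the log format, thresholds and addresses are assumptions chosen for the demonstration).

```python
import re
from collections import Counter, defaultdict, deque

# Constructed netfilter-style log lines (not from the original page): 10.0.0.5 pings
# five hosts in ~2 s, then probes five TCP ports on 10.0.0.21; 10.0.0.9 is benign.
SAMPLE_LOG = """\
[1000.10] IN=eth1 SRC=10.0.0.5 DST=10.0.0.20 PROTO=ICMP TYPE=8
[1000.40] IN=eth1 SRC=10.0.0.5 DST=10.0.0.21 PROTO=ICMP TYPE=8
[1001.05] IN=eth1 SRC=10.0.0.5 DST=10.0.0.22 PROTO=ICMP TYPE=8
[1001.60] IN=eth1 SRC=10.0.0.5 DST=10.0.0.23 PROTO=ICMP TYPE=8
[1002.20] IN=eth1 SRC=10.0.0.5 DST=10.0.0.24 PROTO=ICMP TYPE=8
[1005.00] IN=eth1 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP DPT=21 SYN
[1005.01] IN=eth1 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP DPT=22 SYN
[1005.02] IN=eth1 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP DPT=23 SYN
[1005.90] IN=eth1 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP DPT=80 SYN
[1006.30] IN=eth1 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP DPT=443 SYN
[1007.00] IN=eth1 SRC=10.0.0.9 DST=10.0.0.21 PROTO=TCP DPT=443 SYN
"""
LINE_RE = re.compile(r"^\[\s*([\d.]+)\].*?SRC=(\S+) DST=(\S+) PROTO=(\w+)(?: TYPE=(\d+))?(?: DPT=(\d+))?")

def parse(log):
    """(seconds, src, dst, proto, icmp_type, dport) for every line that matches LINE_RE."""
    hits = (LINE_RE.match(line) for line in log.splitlines())
    return [(float(m.group(1)),) + m.groups()[1:] for m in hits if m]

def peak_distinct(events, window_s):
    """events: (seconds, actor, target) -> {actor: most distinct targets in any window_s window}."""
    by_actor = defaultdict(list)
    for ts, actor, target in events:
        by_actor[actor].append((ts, target))
    peak = {}
    for actor, items in by_actor.items():
        win, live = deque(), Counter()
        for ts, target in sorted(items):
            win.append((ts, target)); live[target] += 1
            while ts - win[0][0] > window_s:  # expire events that fell out of the window
                live[win.popleft()[1]] -= 1
            peak[actor] = max(peak.get(actor, 0), len(+live))  # +Counter drops zero counts
    return peak

def detect_ping_sweep(events, window_s=10, min_hosts=5):
    """Sources that sent ICMP echo requests to >= min_hosts distinct hosts within window_s."""
    echo = [(ts, src, dst) for ts, src, dst, proto, icmp, _ in events if proto == "ICMP" and icmp == "8"]
    return {src for src, n in peak_distinct(echo, window_s).items() if n >= min_hosts}

def detect_port_scan(events, window_s=10, min_ports=5):
    """(src, dst) pairs where src hit >= min_ports distinct TCP ports on dst within window_s."""
    syn = [(ts, (src, dst), dpt) for ts, src, dst, proto, _, dpt in events if proto == "TCP" and dpt]
    return {pair for pair, n in peak_distinct(syn, window_s).items() if n >= min_ports}

if __name__ == "__main__":
    print(detect_ping_sweep(parse(SAMPLE_LOG)), detect_port_scan(parse(SAMPLE_LOG)))
```

Tune `window_s` and the minimum counts to the environment; the one-liners above complete a full sweep in seconds, so a short window with a low threshold is enough to catch them, while slower scans need a longer window.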

## Tools

The following tools are more capable than the one-liners above for port scanning and ping sweeps.

* **Nmap portable**: [Link](https://github.com/ernw/static-toolbox/releases)
* **Minimalistic PowerShell TCP Scanner**: [Link](https://raw.githubusercontent.com/InfosecMatter/Minimalistic-offensive-security-tools/master/port-scan-tcp.ps1)
* **Minimalistic PowerShell UDP Scanner**: [Link](https://raw.githubusercontent.com/InfosecMatter/Minimalistic-offensive-security-tools/master/port-scan-udp.ps1)
