Once you have owned your victim's machine, it is time to pivot to other hosts and enumerate their open ports. In this section, you will find some techniques to perform such tasks.
Ping Sweep
The easiest way to find hosts on a network can be achieved by sending ICMP requests to each host and waiting for their reply.
Windows:
for /l %i in (1,1,254) do @ping -n 1 -w 100 X.X.X.%i |find"Reply"
Linux:
for i in {1..254} ;do (ping-c1X.X.X.$i |grep"bytes from"&) ;done
Port Scanning
Here are some "One-liners" that you can use to perform port scanning against your victim's system.
PowerShell:
1..65536|% {echo ((new-object Net.Sockets.TcpClient).Connect(“X.X.X.X”,$_)) “Port $_ is open!”} 2>$null
Bash:
#!/bin/bashtemp=$(mktemp-tPortScan_XXXXXX)for port in $(seq165535); dotimeout2bash-c"2>/dev/null echo '' > /dev/tcp/$1/$port "&&echo"[*] Port $port - OPEN"|tee-a $temp &done; waitecho"Results stored at $temp"
Python:
#!/usr/bin/python3import socketimport sysfor port inrange(65536): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try: s.connect((sys.argv[1],port))print("Port ", port, " is open")except:pass#print("Port ", port, " is closed")
Tools
Here you have better tools to perform port scanning and ping sweep.
