Once you have owned your victim's machine, it is time to pivot to other hosts and enumerate their open ports. In this section, you will find some techniques to perform such tasks.
Ping Sweep
The easiest way to find hosts on a network can be achieved by sending ICMP requests to each host and waiting for their reply.
Windows:
for /l %i in (1,1,254) do @ping -n 1 -w 100 X.X.X.%i | find "Reply"
Linux:
for i in {1..254} ;do (ping -c 1 X.X.X.$i | grep "bytes from" &) ;done
Port Scanning
Here are some "One-liners" that you can use to perform port scanning against your victim's system.
#!/bin/bash
temp=$(mktemp -t PortScan_XXXXXX)
for port in $(seq 1 65535); do
timeout 2 bash -c "2>/dev/null echo '' > /dev/tcp/$1/$port " && echo "[*] Port $port - OPEN" | tee -a $temp &
done; wait
echo "Results stored at $temp"
Python:
#!/usr/bin/python3
import socket
import sys
for port in range(65536):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((sys.argv[1],port))
print("Port ", port, " is open")
except:
pass
#print("Port ", port, " is closed")
Tools
Here you have better tools to perform port scanning and ping sweep.
