Port Scanners

CLI Tools

Nmap is a powerful network scanning tool used to discover hosts, services, and vulnerabilities on a network.

Classic host discovery via ICMP echo:

# Ping sweep (no port scanning)
sudo nmap -sn 172.16.10.0/24
# Extract IPs
sudo nmap -sn 172.16.10.0/24 | grep 'report' | awk '{print $NF}'

The below command is also aimed at live host discovery, but avoid issues where all network hosts come back as alive due to firewall issues (remove -Pn flag if it is too slow):

# Top-1000 ports, no dns resolution, no ping request
sudo nmap -n -Pn --open -oG - 192.168.110.0/24 | awk '/Up$/{print $2}'

Banner grabbing:

sudo nmap -sV --script=banner.nse -iL live_hosts | grep "|_banner\||_http-server-header"

Exclude IPs:

sudo nmap -iL live_hosts -A --open --exclude 172.16.10.1

RustScan is a fast port scanner built in Rust that quickly identifies open ports and hands them off to tools like Nmap for detailed analysis.

# IP address
rustscan -a <IP>

# With a target file and extract IPs (greppable)
rustscan -a "$(cat live_hosts | tr '\n' ',')" -g | awk -F'->' '{print $1,$2}' | tr -d '[]'

# With a target file and extract IPs (default)
rustscan -a "$(cat live_hosts | tr '\n' ',')"

Combining rustscan and nmap flags:

rustscan -a 127.0.0.1 -- -A -sC

Open ports with rustscan -> nmap:

# Finding open ports
rustscan -a 10.10.11.152 -g --ulimit=5000

# Querying services details
nmap -T4 -min-rate 100000 10.10.11.152 -sV -sC -p $(cat open_ports | awk -F'>' '{print $2}' | tr -d '[]') -Pn

arp-scan is a tool that scans a local network by sending ARP requests to identify all active devices and their MAC addresses. It requires elevated privileges (sudo).

The output consists of the IP address, the MAC address, and the vendor details (identified by the first 3 octes of the MAC address).

# Basic usage
sudo arp-scan 172.16.10.0/24 -I br_public

# With a target file
sudo arp-scan -f live_hosts -I br_public

# Plain output & IPs addresses
sudo arp-scan 172.16.10.0/24 -x -I br_public | awk '{print $1}'

# Default output & IPs addresses
sudo arp-scan 172.16.10.0/24 -I br_public | awk 'NR > 2 && NR <7 {print $1}'

Netcat is a versatile networking utility used for reading from and writing to network connections, often called the “Swiss-army knife” of networking.

# TCP scan on zero I/O mode (don't send any data (-z))
nc -zv 172.16.10.11 1-1024

Scan directly from the target:

$ for ip in 192.168.110.{1..254}; do ping -c1 -W1 $ip &>/dev/null && echo "$ip is up"; done

Ping sweep with PowerShell:

1..256 | % {$ip = "192.168.110.$_"; if (Test-Connection -Count 1 -Comp $ip -Quiet){"${ip}: True"}}

IPv6 Firewall Bypass

The initial Nmap scan against the target over IPv4 did not show TCP port 5985 (WinRM) as open:

$ sudo nmap -p5985 10.10.10.10

PORT     STATE  SERVICE
5985/tcp closed unknown

This typically indicates that the port is closed or filtered by a firewall on the IPv4 interface. After gaining a foothold on the target, we can see that the service is indeed running:

> netstat -anot | findstr :5985
TCP    0.0.0.0:5985   0.0.0.0:0   LISTENING   4   InHost

The service is bound to 0.0.0.0, indicating it's listening on all IPv4 interfaces — but likely restricted by the Windows Firewall for remote connections. Suspecting the firewall might only apply to IPv4, we can re-scan using IPv6:

> ipconfig
IPv6 Address. . . . . . . . . . . : dead:beef::1001

$ sudo nmap -p5985 -6 dead:beef::1001

PORT     STATE SERVICE
5985/tcp open  wsman

WinRM is now visible and accessible — indicating firewall rules do not restrict IPv6 traffic the same way as IPv4. To make tooling easier, we can update /etc/hosts to resolve both IPv4 and IPv6 to the same hostname:

$ grep comp /etc/hosts
10.10.10.10       compatibility
dead:beef::1001   compatibility

PreviousCreds NextPasswords

Last updated 16 days ago

Was this helpful?