# Port Scanners

## CLI Tools
### Nmap

Nmap is a powerful network scanning tool used to discover hosts, services, and vulnerabilities on a network.

Classic host discovery via ICMP echo:

```bash
# Ping sweep (no port scanning)
sudo nmap -sn 172.16.10.0/24
# Extract IPs (last field of each "Nmap scan report for ..." line;
# add -n if reverse DNS names show up, otherwise $NF becomes "(IP)")
sudo nmap -sn 172.16.10.0/24 | grep 'report' | awk '{print $NF}'
```

The command below also discovers live hosts, but avoids the case where every host in the range is reported as alive because a firewall answers probes on their behalf (remove the -Pn flag if it is too slow):
```bash
# Top-1000 ports, no DNS resolution, no ping request
sudo nmap -n -Pn --open -oG - 192.168.110.0/24 | awk '/Up$/{print $2}'
```

Banner grabbing:

```bash
sudo nmap -sV --script=banner.nse -iL live_hosts | grep "|_banner\||_http-server-header"
```

Exclude IPs:

```bash
sudo nmap -iL live_hosts -A --open --exclude 172.16.10.1
```

### RustScan

RustScan is a fast port scanner built in Rust that quickly identifies open ports and hands them off to tools like Nmap for detailed analysis.
```bash
# IP address
rustscan -a <IP>
# With a target file and extract IPs (greppable)
rustscan -a "$(cat live_hosts | tr '\n' ',')" -g | awk -F'->' '{print $1,$2}' | tr -d '[]'
# With a target file and extract IPs (default)
rustscan -a "$(cat live_hosts | tr '\n' ',')"
```

Combining rustscan and nmap flags:

```bash
rustscan -a 127.0.0.1 -- -A -sC
```

Open ports with rustscan -> nmap:
```bash
# Finding open ports (greppable output "IP -> [22,80,...]", saved for the next step)
rustscan -a 10.10.11.152 -g --ulimit=5000 | tee open_ports
# Querying service details on the ports found above
nmap -T4 --min-rate 100000 10.10.11.152 -sV -sC -p $(cat open_ports | awk -F'>' '{print $2}' | tr -d '[]') -Pn
```

### arp-scan

arp-scan is a tool that scans a local network by sending ARP requests to identify all active devices and their MAC addresses. It requires elevated privileges (sudo).
```bash
# Basic usage
sudo arp-scan 172.16.10.0/24 -I br_public
# With a target file
sudo arp-scan -f live_hosts -I br_public
# Plain output & IP addresses
sudo arp-scan 172.16.10.0/24 -x -I br_public | awk '{print $1}'
# Default output & IP addresses (filter on the address column instead of
# fixed line numbers, which only work for a fixed number of hosts)
sudo arp-scan 172.16.10.0/24 -I br_public | awk '$1 ~ /^[0-9]+(\.[0-9]+){3}$/ {print $1}'
```

### Netcat

Netcat is a versatile networking utility used for reading from and writing to network connections, often called the "Swiss-army knife" of networking.
```bash
# TCP scan in zero-I/O mode (-z: don't send any data)
nc -zv 172.16.10.11 1-1024
```

Scan directly from the target:

```bash
for ip in 192.168.110.{1..254}; do ping -c1 -W1 $ip &>/dev/null && echo "$ip is up"; done
```

Ping sweep with PowerShell (host octets run from 1 to 254):

```powershell
1..254 | % { $ip = "192.168.110.$_"; if (Test-Connection -Count 1 -ComputerName $ip -Quiet) { "${ip}: True" } }
```

## IPv6 Firewall Bypass
The initial Nmap scan against the target over IPv4 did not show TCP port 5985 (WinRM) as open:

```console
$ sudo nmap -p5985 10.10.10.10
PORT     STATE  SERVICE
5985/tcp closed unknown
```

This typically indicates that the port is closed or filtered by a firewall on the IPv4 interface. After gaining a foothold on the target, we can see that the service is indeed running:

```console
> netstat -anot | findstr :5985
  TCP    0.0.0.0:5985    0.0.0.0:0    LISTENING    4    InHost
```

The service is bound to 0.0.0.0, so it is listening on all IPv4 interfaces, but remote connections are likely restricted by the Windows Firewall. Suspecting the firewall rules might only apply to IPv4, we re-scan using IPv6:

```console
> ipconfig
   IPv6 Address. . . . . . . . . . . : dead:beef::1001
```

```console
$ sudo nmap -p5985 -6 dead:beef::1001
PORT     STATE SERVICE
5985/tcp open  wsman
```

WinRM is now visible and accessible, which indicates that the firewall rules do not restrict IPv6 traffic the same way as IPv4. To make tooling easier, we can update /etc/hosts to resolve both the IPv4 and IPv6 addresses to the same hostname:

```console
$ grep comp /etc/hosts
10.10.10.10 compatibility
dead:beef::1001 compatibility
```
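As an added example (not part of the original notes), the script below parses Nmap greppable (-oG) output by field name rather than by column position, which the awk one-liners above depend on, and then diffs a host's open ports between an IPv4 and an IPv6 scan so that a firewall policy covering only one stack, as in the WinRM case above, shows up as a finding. The -oG samples, the hostname and the addresses are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: parse Nmap -oG output by field
# name and report ports that are open over IPv6 but not over IPv4.
# Samples below are constructed; hostname/addresses are assumed.
set -eu

# Print "ip port/proto" for every port in state "open" in a -oG file.
# -oG port field format: port/state/proto/owner/service/rpc/version/
og_open_ports() {
  awk -F'\t' '/^Host:/ {
    split($1, h, " ")                      # $1 = "Host: <ip> (<name>)"
    for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
      sub(/^Ports: /, "", $i)
      n = split($i, ports, ", ")
      for (j = 1; j <= n; j++) {
        split(ports[j], f, "/")
        if (f[2] == "open") print h[2], f[1] "/" f[3]
      }
    }
  }' "$1"
}

# Ports open in the IPv6 scan ($2) that are not open in the IPv4 scan ($1).
# Only the port/proto column is compared, since the addresses differ.
v6_only_ports() {
  { og_open_ports "$1" | sed 's/^/v4 /'; og_open_ports "$2" | sed 's/^/v6 /'; } |
    awk '$1 == "v4" { v4[$3] = 1 } $1 == "v6" && !($3 in v4) { print $3 }'
}

# Constructed -oG samples mirroring the WinRM case: 5985 closed over v4, open over v6.
write_samples() {
  printf 'Host: 10.10.10.10 (compatibility)\tStatus: Up\n' > "$1"
  printf 'Host: 10.10.10.10 (compatibility)\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 5985/closed/tcp//wsman///\n' >> "$1"
  printf 'Host: dead:beef::1001 (compatibility)\tStatus: Up\n' > "$2"
  printf 'Host: dead:beef::1001 (compatibility)\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 5985/open/tcp//wsman//Microsoft HTTPAPI httpd 2.0/\n' >> "$2"
}

main() {
  local v4 v6
  v4=$(mktemp); v6=$(mktemp)
  write_samples "$v4" "$v6"
  echo "Open over IPv6 but not over IPv4:"
  v6_only_ports "$v4" "$v6"          # prints 5985/tcp
  rm -f "$v4" "$v6"
}
main
```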