OSCP Notes
Nmap Scanning

AutoRecon

autorecon 10.10.10.3

Initial scan TCP

nmap -sC -sV -O -oA nmap/initial 10.10.10.3

Full scan TCP

Run the comprehensive all-ports scan in the background while you work through the initial results, so that nothing outside the default port list is missed.
nmap -sC -sV -O -p- -oA nmap/full 10.10.10.3

Full scan UDP

nmap -sU -O -p- -oA nmap/udp 10.10.10.3

Sparta

SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase.

Normal Scan

nmap -A $ip

Scan for alive hosts

$ nmap -sn $ip/24
$ nmap -vvv -sn $ip/24
If you want it a little faster, skip reverse DNS resolution with -n and save the output to a file:
$ nmap -sn -n $ip/24 > ip-range.txt

Scan specific IP range

$ nmap -sP 10.0.0.0-100
(-sP is the older spelling of -sn; both do a ping sweep without port scanning.)

Sort out the machines that are up

$ cat ip-range.txt | grep -B 1 "Host is up"
and now filter out just the IP addresses and write them to a file:
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' ip-range.txt > only-ip.txt
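The grep/awk one-liners above each rely on the layout of nmap's normal output, so here is the same filtering as an added example (not from the original notes) written as small POSIX sh functions that parse a constructed `nmap -v -sn` sample embedded in the script. It covers both the "Host is up" filter used here and the `grep down` filter used further down for unused addresses, and it handles the case the one-liners miss: when reverse DNS succeeds, nmap prints "name (ip)" and the address is no longer the fifth field. The sample text and the IP addresses in it are made up.

```shell
#!/bin/sh
# Constructed sample of `nmap -v -sn` output (not a real scan). With -v nmap
# also reports hosts that are down, and without -n it prints "name (ip)"
# for addresses that resolve in reverse DNS.
SAMPLE_PING_SWEEP='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:00 UTC
Initiating Ping Scan at 10:00
Nmap scan report for 10.10.10.1 [host down]
Nmap scan report for 10.10.10.3
Host is up (0.0012s latency).
Nmap scan report for 10.10.10.4 [host down]
Nmap scan report for gateway.lab (10.10.10.7)
Host is up (0.020s latency).
Nmap done: 4 IP addresses (2 hosts up) scanned in 1.23 seconds'

# Print the IPs of hosts that answered the sweep, one per line.
# Reads nmap's normal output on stdin. Same result as the page's
#   grep -B 1 "Host is up" | grep -o '<ip regex>'
# but in one awk pass: remember the address from the last "scan report"
# line and emit it when the following line says the host is up. match()
# pulls the dotted quad out of the line wherever it sits, so "name (ip)"
# lines are handled too.
up_hosts() {
    awk '/^Nmap scan report for / && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
             last = substr($0, RSTART, RLENGTH)
         }
         /^Host is up/ { print last }'
}

# Print the IPs nmap reported as down (only printed with -v). This is the
# page's `grep down | awk '{print $5}'` step, again tolerant of a
# resolved hostname in front of the address.
down_hosts() {
    awk '/^Nmap scan report for .*\[host down\]/ && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
             print substr($0, RSTART, RLENGTH)
         }'
}

# Keep only lines that look like a dotted quad. Run the list through this
# before handing it to `nmap -iL`, so a stray hostname, blank line or
# leftover banner text cannot end up as a target.
only_ipv4() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Demo: print the live hosts from the constructed sample.
printf '%s\n' "$SAMPLE_PING_SWEEP" | up_hosts | only_ipv4
```

In practice you would feed a saved sweep instead of the sample, e.g. `up_hosts < ip-range.txt | only_ipv4 > only-ip.txt`, and the resulting file is what `nmap -iL only-ip.txt` later consumes.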

Scan a host

nmap www.testhostname.com

Scan specific machine

Scan common port

$ nmap -A -oA filename $ip/24
The command:
    Scans the 1024 most common ports
    Runs OS detection
    Runs the default nmap scripts
    Saves the result into .nmap, .gnmap and .xml files
    Is faster

Fast scanning

Scan the 100 most common ports:
nmap -F $ip

Quick TCP Scan

nmap -sC -sV -vv -oA quick $ip

Quick UDP Scan

nmap -sU -sV -vv -oA quick_udp $ip

Full TCP Scan

nmap -sC -sV -p- -vv -oA full 10.10.10.10

Port knock

for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x $ip; done

Scan deeply

Scanning more deeply:
$ nmap -v -p- -sT $ip

Example:
$ nmap -v -p- -sT 10.0.1.0/24
This command:
    Scans all 65535 ports with a full TCP connect scan
    Takes a very long time
    Prints results straight away (-v) instead of waiting until the end of the scan
Tips:
Scanning like this takes a long time, so leave the scan running overnight while you sleep, or move on to a different box in the meantime.

Scan for specific port

$ nmap -p T:80,443,8080 $ip/24
The T: prefix specifies TCP ports and the U: prefix specifies UDP ports (add -sU to the command for the UDP ports to actually be scanned).

Scan for unused IP addresses and store in text file

$ nmap -v -sn $ip/24 | grep down | awk '{print $5}' > filename.txt

Other option

nmap -sV -sC -v -oA output $ip

UDP scan

UDP scanning is slow and unreliable: probes that get no answer are reported as open|filtered, so expect ambiguous results.
$ nmap $ip -sU

Example:
$ nmap 10.11.1.X -sU

Scan targets from a text file

Create a text file containing our target machines (for example using the method in Scan for unused IP addresses and store in text file):
192.168.1.144
192.168.1.179
192.168.1.182
Run nmap with -iL to read the targets from the file:
nmap -iL list-of-ips.txt

Onetwopunch.sh

Grab the latest bash script:
git clone https://github.com/superkojiman/onetwopunch.git
cd onetwopunch
Create a text file containing our target machines (for example using the method in Scan for unused IP addresses and store in text file):
192.168.1.144
192.168.1.179
192.168.1.182
Then run the script and tell it to read our txt file and perform a TCP scan against each target:
./onetwopunch.sh -t ip-range.txt -p tcp
The idea behind the script is to cover all 65,535 ports on each target. It uses unicornscan to scan every port and builds a list of the ports that are open, then passes those open ports to nmap for service detection.
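The two-stage idea behind onetwopunch (a fast all-ports pass, then nmap service detection only on what was found open) also works with nmap alone, using the .gnmap file that -oA writes. As an added example that is not part of the original notes or of the onetwopunch project, the POSIX sh script below parses a constructed .gnmap excerpt, collects the open TCP and UDP ports per host, and prints the follow-up `nmap -sC -sV` / `nmap -sU -sV` commands instead of running them, so the plan can be checked before anything is launched. The sample lines, host addresses and the `nmap/<proto>_<ip>` output prefix are all made up for the example.

```shell
#!/bin/sh
# Constructed .gnmap excerpt (not from a real scan). Grepable output is
# tab-separated: "Host: <ip> (<name>)", then "Ports: ..." holding one
# "<port>/<state>/<proto>//<service>//<version>/" entry per port.
SAMPLE_GNMAP=$(
  printf 'Host: 10.10.10.3 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.3 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//Apache httpd/, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
  printf 'Host: 10.10.10.7 (gateway.lab)\tPorts: 53/open/udp//domain///, 161/open|filtered/udp//snmp///\n'
  printf '# Nmap done at 2024-01-01 10:05 UTC -- 2 IP addresses (2 hosts up) scanned\n'
)

# Read .gnmap on stdin and print "<ip> <proto> <port,port,...>" for every
# host that has at least one port in state "open". States such as closed,
# filtered and the UDP "open|filtered" are deliberately left out, so an
# unanswered UDP probe never inflates the follow-up scan.
open_ports() {
    awk -F "$(printf '\t')" '
        /^Host: / && $2 ~ /^Ports: / {
            split($1, h, " "); ip = h[2]          # "Host: <ip> (<name>)" -> <ip>
            sub(/^Ports: /, "", $2)
            n = split($2, entries, ", ")
            tcp = ""; udp = ""
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")         # f[1]=port f[2]=state f[3]=proto
                if (f[2] != "open") continue
                if (f[3] == "tcp") tcp = tcp (tcp == "" ? "" : ",") f[1]
                if (f[3] == "udp") udp = udp (udp == "" ? "" : ",") f[1]
            }
            if (tcp != "") print ip, "tcp", tcp
            if (udp != "") print ip, "udp", udp
        }'
}

# Build (but do not run) the service-detection command for one host.
# $1 = ip, $2 = tcp|udp, $3 = comma-separated port list.
service_scan_cmd() {
    ip=$1; proto=$2; ports=$3
    if [ "$proto" = "udp" ]; then
        flags="-sU -sV"
    else
        flags="-sC -sV"
    fi
    printf 'nmap %s -p %s -oA nmap/%s_%s %s\n' "$flags" "$ports" "$proto" "$ip" "$ip"
}

# Read .gnmap on stdin and print one follow-up command per host and protocol.
plan_service_scans() {
    open_ports | while read -r ip proto ports; do
        service_scan_cmd "$ip" "$proto" "$ports"
    done
}

# Demo: show the plan for the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | plan_service_scans
```

With a real file the usage is `plan_service_scans < nmap/full.gnmap`; review the printed commands, then pipe the same output through `sh` to execute them. Keeping the plan as text also leaves a record of exactly which ports were probed in the second stage.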
