
Port enumeration


nmap - TCP scan

sudo nmap -p- -Pn -vv $IP
sudo nmap -p 22,80 -A -vv $IP
To extract the port numbers from the nmap output (saved in port.txt) as a comma-separated list: cat port.txt | awk '{print $1}' | cut -d "/" -f 1 | tr '\n' ','

nmap - UDP scan one port

sudo nmap -p 111 -sU -Pn -vv $IP
sudo nmap -p 161 -sU -Pn -vv $IP
sudo nmap -p 2049 -sU -Pn -vv $IP
top 1000 ports (nmap default when no -p is given)
sudo nmap -sU -T4 -vv $IP 
all 65535 ports
sudo nmap -p- -sU -T4 -vv $IP 

nmap with proxychains

proxychains nmap -p- -vv --open 2>/dev/null
- -p- : scan all ports
- --open : show only open ports
- -vv : verbose output, to see progress
- 2>/dev/null : hide proxychains errors

powershell 1

1..80   | % {echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "Port $_ is open!"} 2>$null
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "Port $_ is open!"} 2>$null

powershell 2

foreach ($port in 1..1024) {If (($a=Test-NetConnection -Port $port -WarningAction SilentlyContinue).tcpTestSucceeded -eq $true){ "TCP port $port is open!"}}

powershell 3

wget -O /opt/windows/IPv4PortScan.ps1
mkdir -p /home/kali/workspace/www
cd /home/kali/workspace/www
cp /opt/windows/IPv4PortScan.ps1 .
echo "python3 -m http.server 80" > && chmod +x

certutil -urlcache -f IPv4PortScan.ps1
wget -O IPv4PortScan.ps1
.\IPv4PortScan.ps1 -ComputerName DC01.MEDTECH.COM -StartPort 1 -EndPort 65535 | ft
.\IPv4PortScan.ps1 -ComputerName -StartPort 1 -EndPort 65535 | ft
.\IPv4PortScan.ps1 -ComputerName -StartPort 1 -EndPort 1000 | ft
.\IPv4PortScan.ps1 -ComputerName -StartPort 1000 -EndPort 10000 | ft
.\IPv4PortScan.ps1 -ComputerName -StartPort 10000 -EndPort 65535 | ft


netcat - linux

netcat -nvz $IP 80
netcat -nvz $IP 1-65535

netcat - windows

.\nc.exe -nvz $IP 80



sudo hping3 --scan all -S $IP



sudo apt remove -y unicornscan
sudo apt autoclean
sudo apt autoremove
sudo apt install -y unicornscan
sudo unicornscan -mU -vv $IP


masscan - UDP scan

sudo apt remove -y masscan
sudo apt autoclean
sudo apt autoremove
sudo apt install -y masscan
sudo masscan -pU:1-120 $IP



alias rustscan='docker run -it --rm --name rustscan rustscan/rustscan:alpine'
rustscan $IP -t 500 -b 1500 -- -A