Port Scanning Methodology
Port scanning is the process of probing a server or host for open ports to identify running services and potential attack vectors.
Nmap Scanning Techniques
Basic Scanning
# Basic TCP SYN scan
nmap -sS -T4 target.com
# Full TCP port scan
nmap -p- -T4 target.com
# UDP scan (top 1000 ports)
nmap -sU --top-ports 1000 target.com
Advanced Detection
# Version detection
nmap -sV target.com
# OS detection
nmap -O target.com
# Script scanning
nmap -sC target.com
nmap --script vuln target.com
# Aggressive scan
nmap -A -T4 target.com
Stealth Techniques
# Stealth scan (fragment + decoys; only within scope)
nmap -sS -f -D RND:10 target.com
Timing Templates
- T0 - Paranoid: extremely slow; designed to evade IDS detection
- T1 - Sneaky: slow scan to avoid detection
- T2 - Polite: reduces network load
- T3 - Normal: default timing
- T4 - Aggressive: faster, assumes a reliable network
- T5 - Insane: very fast, may miss results
# Timing examples
nmap -T0 target.com # Paranoid
nmap -T1 target.com # Sneaky
nmap -T2 target.com # Polite
nmap -T3 target.com # Normal
nmap -T4 target.com # Aggressive
nmap -T5 target.com # Insane
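The timing templates above trade speed against detectability. As an added illustration (not from the original cheat sheet), the Python below implements the kind of threshold rule a network sensor applies, "N distinct destination ports from one source within W seconds", and runs it over a constructed connection log: a burst of ten probes in two seconds (roughly -T4 pacing) crosses the threshold, while the same ten probes spaced five minutes apart (roughly -T0 pacing) never hold more than one port inside a 60-second window. That is exactly why a defender has to widen the window or keep longer-term per-source state to catch a paranoid scan. All addresses, timestamps and the log format are constructed for the example.

```python
"""Sliding-window port-scan detection over connection log lines.

Added example, not part of the original cheat sheet. The log format,
addresses and timestamps are all constructed; lines are assumed to be in
chronological order (the sample builder sorts them).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <tcp_flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<flags>\S+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port, flags) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]), m["flags"])


def detect_scans(lines, window_seconds=60, port_threshold=8):
    """Report sources that touch >= port_threshold distinct destination ports
    within any window_seconds-long sliding window.

    Returns a list of (src_ip, time_of_first_alert, distinct_ports_seen);
    each source is reported once, at the moment it crosses the threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, dst_port) inside the window
    alerted = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or unrelated lines
        ts, src, _dst, port, flags = parsed
        if "S" not in flags:
            continue  # only connection attempts (SYN) count as probes
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop probes that have aged out of the window
        distinct = {p for _, p in q}
        if len(distinct) >= port_threshold and src not in alerted:
            alerted[src] = (ts, len(distinct))
    return [(src, ts, n) for src, (ts, n) in alerted.items()]


def build_sample_log():
    """Constructed connection log (not real traffic) with three sources."""
    base = datetime(2024, 1, 10, 10, 0, 0)
    ports = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445]
    lines = []
    # 10.0.0.5: ten ports in two seconds, comparable to -T4/-T5 pacing
    for i, p in enumerate(ports):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 -> 10.0.0.20:{p} S")
    # 10.0.0.9: the same ten ports, one probe every five minutes (-T0 pacing)
    for i, p in enumerate(ports):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 -> 10.0.0.20:{p} S")
    # 10.0.0.7: a normal client reconnecting to HTTPS, one port only
    for i in range(12):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> 10.0.0.20:443 S")
    lines.sort(key=lambda l: datetime.fromisoformat(l.split(" ", 1)[0]))
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window:", detect_scans(log))                        # only 10.0.0.5
    print("1 h window: ", detect_scans(log, window_seconds=3600))   # 10.0.0.5 and 10.0.0.9
```

Widening the window to an hour catches the slow scanner as well, at the cost of more per-source state and more false positives from legitimately chatty hosts; that tension is the whole point of T0/T1.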
Service Enumeration
HTTP/HTTPS Enumeration
# Directory brute force
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
dirb http://target.com
dirsearch -u http://target.com
# Technology identification
whatweb target.com
wafw00f target.com
# Vulnerability scanning
nikto -h target.com
SMB Enumeration
# Basic SMB enumeration
smbclient -L //target.com -N
enum4linux target.com
smbmap -H target.com
# Null session
smbclient //target.com/IPC$ -N
# SMB version detection
nmap -p 445 --script smb-protocols target.com
# SMB vulnerabilities
nmap -p 445 --script smb-vuln* target.com
FTP Enumeration
# Anonymous login
ftp target.com
# Try anonymous:anonymous
# Banner grabbing
nc target.com 21
telnet target.com 21
# FTP bounce attack
nmap -b ftp-user:password@ftp-server target.com
SSH Enumeration
# SSH version
ssh target.com
nc target.com 22
# SSH user enumeration (example script)
python ssh_user_enum.py target.com
# SSH brute force (authorized testing only)
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://target.com
DNS Enumeration
# DNS server info
nslookup
> server target.com
> set class=chaos
> set type=txt
> version.bind
# Zone transfer
dig axfr @target.com domain.com
# DNS cache snooping
nmap -sU -p 53 --script dns-cache-snoop --script-args 'dns-cache-snoop.mode=timed' target.com
SNMP Enumeration
# SNMP walk
snmpwalk -c public -v1 target.com
# SNMP check
snmp-check target.com
# SNMP brute force (community strings)
onesixtyone -c community.txt target.com
Common SNMP Communities:
- public
- private
- manager
- cisco
- admin
Advanced Enumeration Techniques
Database Enumeration
MySQL (Port 3306)
# MySQL enumeration
nmap -p 3306 --script mysql-info target.com
# MySQL brute force
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://target.com
MSSQL (Port 1433)
# MSSQL enumeration
nmap -p 1433 --script ms-sql-info target.com
# MSSQL brute force
hydra -l sa -P /usr/share/wordlists/rockyou.txt mssql://target.com
# Impacket MSSQL client
python mssqlclient.py sa:password@target.com
PostgreSQL (Port 5432)
# PostgreSQL brute force via NSE pgsql-brute
nmap -p 5432 --script pgsql-brute target.com
RPC Enumeration (Port 135)
# RPC enumeration
rpcinfo target.com
rpcclient -U "" target.com -N
# Impacket tools
python rpcmap.py target.com
# Nmap RPC scripts
nmap -p 135 --script rpc-grind target.com
LDAP Enumeration (Port 389/636)
# LDAP enumeration
ldapsearch -x -h target.com -s base
ldapsearch -x -h target.com -b "dc=domain,dc=com"
# Anonymous bind check
ldapsearch -x -h target.com -s base namingcontexts
# LDAP brute force (example)
hydra -l "cn=admin,dc=domain,dc=com" -P /usr/share/wordlists/rockyou.txt ldap2://target.com
Vulnerability Scanning
Nmap Scripting Engine (NSE)
# Vulnerability detection
nmap --script vuln target.com
nmap --script safe target.com
nmap --script default target.com
# Specific vulnerability checks
nmap --script smb-vuln-ms17-010 target.com
OpenVAS/GVM
OpenVAS (Greenbone Vulnerability Management):
- Comprehensive vulnerability scanner
- Regular vulnerability feed updates
- Web-based management interface
- Detailed vulnerability reports
- Integration with other security tools
Nessus
Nessus Professional
Commercial vulnerability scanner with extensive plugin database
Service-Specific Attack Vectors
- Port 21 - FTP: Anonymous access, brute force, bounce attacks
- Port 22 - SSH: Brute force, key-based attacks, version exploits
- Port 23 - Telnet: Default credentials, credential sniffing
- Port 53 - DNS: Zone transfers, cache poisoning, amplification
- Port 80/443 - HTTP/S: Web application attacks, directory traversal
- Port 135 - RPC: MSRPC enumeration, service abuse, privesc paths
- Port 137–139 - NetBIOS: Name service enumeration, share discovery, relays
- Port 445 - SMB: Null sessions, SMBv1 vulns, pass-the-hash/relay
- Port 1433 - MSSQL: Default creds, xp_cmdshell, DB takeover
- Port 1521 - Oracle: TNS listener issues, default accounts
- Port 3306 - MySQL: Weak root, DB dumps, auth bypass configs
- Port 3389 - RDP: NLA misconfig, legacy exploits, brute force
- Port 5432 - PostgreSQL: Weak creds, extension abuse, data exfil
- Port 5900 - VNC: Weak/no auth, remote desktop takeover
- Port 6379 - Redis: Unauthenticated access, RCE, persistence
- Port 8080/8443 - Web Services: Mgmt consoles (Tomcat/JBoss), traversal
Output Handling & Automation Tips
# Save Nmap outputs for tooling
nmap -sV -oA scans/target_sV target.com
# Grep open ports from gnmap
grep "/open/" scans/target_sV.gnmap | grep -oE '[0-9]+/open/' | cut -d/ -f1 | sort -un | paste -sd, -
# Pipe live hosts into httpx (example)
cat live_hosts.txt | httpx -status-code -title -tech-detect -o httpx_out.txt
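The grep pipeline above pulls open ports out of grepable output by hand; once scan results feed other tooling it is worth parsing the .gnmap format properly and comparing it against what is supposed to be exposed. The Python below is an added example, not part of the original cheat sheet: it parses the Host:/Ports: lines that Nmap's -oG/-oA output produces, keeps only open ports, and flags any (host, protocol, port) that is absent from an approved-exposure baseline, which is how a scan becomes an exposure-drift check rather than a one-off listing. The sample scan text, hostnames, addresses and the baseline are all constructed for the example.

```python
"""Parse Nmap grepable output (-oG, or the .gnmap file written by -oA) and
compare discovered open ports against an approved-exposure baseline.

Added example, not part of the original cheat sheet. The gnmap text below
is constructed to mirror Nmap's real line layout:
  Host: <ip> (<hostname>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...\tIgnored State: ...
"""
import re

# Constructed sample scan output (not a real scan); tabs separate the fields as in real gnmap.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Wed Jan 10 10:00:00 2024 as: nmap -sV -oA scans/target_sV target.com
Host: 10.0.0.20 (web01.example.test)\tStatus: Up
Host: 10.0.0.20 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 8.0.32/\tIgnored State: closed (996)
Host: 10.0.0.21 (db01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)
# Nmap done at Wed Jan 10 10:03:12 2024 -- 2 IP addresses (2 hosts up) scanned in 192.40 seconds
"""

# Constructed approved-exposure baseline: ip -> set of (proto, port) that are expected to be open.
BASELINE = {
    "10.0.0.20": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "10.0.0.21": {("tcp", 22), ("tcp", 5432)},
}

# Only lines carrying a Ports: field matter; comment and Status-only lines are skipped.
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*?)(?:\tIgnored State:.*)?$")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} containing open ports only."""
    results = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = []
        for entry in m["ports"].split(", "):
            fields = entry.split("/")
            # gnmap port entry: port/state/proto/owner/service/rpc-info/version/
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                open_ports.append((int(port), proto, service, version.strip()))
        results[m["ip"]] = open_ports
    return results


def open_port_list(scan, ip):
    """Comma-separated open ports for one host, the value the grep pipeline in the text aims for."""
    return ",".join(str(p[0]) for p in sorted(scan.get(ip, [])))


def unexpected_exposure(scan, baseline):
    """Return {ip: [(port, proto, service, version)]} for open ports not in the baseline.

    A host absent from the baseline has every open port reported, which is the
    right default for an unknown listener.
    """
    findings = {}
    for ip, ports in scan.items():
        allowed = baseline.get(ip, set())
        extra = [p for p in ports if (p[1], p[0]) not in allowed]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip in sorted(scan):
        print(f"{ip}: open ports {open_port_list(scan, ip)}")
    for ip, extra in unexpected_exposure(scan, BASELINE).items():
        for port, proto, service, version in extra:
            print(f"UNEXPECTED {ip} {proto}/{port} {service} {version}")
```

Run against a real scans/target_sV.gnmap by replacing SAMPLE_GNMAP with the file contents; the filtered PostgreSQL port on the second host is deliberately not reported, since only open ports are compared against the baseline.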