Methods for discovering open ports
Once live hosts are identified, perform port scanning to discover exposed services.
SYN scan (-sS). The default when running as root and the most common scan type. Fast and relatively stealthy, because the TCP three-way handshake is never completed:
nmap -sS $RHOST
-sS → SYN scan (half-open scan); without raw-socket privileges Nmap silently falls back to a full TCP connect scan (-sT)
ACK scan (-sA). Determine whether ports are filtered (firewall rule mapping). An ACK scan never reports a port as open; it only distinguishes filtered from unfiltered:
nmap -sA $RHOST
-sA → ACK scan
Port selection:
nmap -p 1-1000 $RHOST # Port range
nmap -p 22,80,443,8080 $RHOST # Specific ports
nmap -p- $RHOST # All 65,535 ports
nmap --top-ports 1000 $RHOST # Top 1000 most common ports
nmap -sU -p 53,161,162 $RHOST # Common UDP ports
nmap -p U:53,161,T:22,80,443 $RHOST # Mix UDP and TCP
Full scan of a host list:
nmap -p- -A -iL output.scan
-p- → scan all 65,535 TCP ports
-A → enable OS detection, version detection, default scripts and traceroute
-iL → read target hosts from a file (one host or CIDR range per line)
Firewall and IDS evasion:
nmap -f $RHOST # Fragment packets (8-byte fragments)
nmap -f -f $RHOST # Double fragment (16-byte fragments)
nmap -D RND:10 $RHOST # 10 random decoys
nmap -D 192.168.1.1,192.168.1.2,ME $RHOST # Specific decoys; ME marks the position of your real address
nmap -S 192.168.1.100 -e eth0 $RHOST
-S → spoof the source IP (replies go to the spoofed address, so you will normally not see results; usually combined with -Pn)
-e → specify the interface to send on (required with -S)
nmap -sI zombie.host.com $RHOST # Idle scan: bounce the scan off a zombie host with a predictable IP ID sequence
nmap --source-port 53 $RHOST # Send from source port 53 so the traffic looks like DNS
nmap -g 53 $RHOST # Same as above
nmap --data-length 200 $RHOST # Append 200 bytes of random data to each probe
nmap --badsum $RHOST # Send packets with an invalid checksum; real hosts drop them, so any reply comes from a firewall or IDS
nmap -sS -f -T2 -D RND:5 $RHOST # Combine multiple techniques
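The -p- -A -iL scan above produces far more than you want to read by eye, and the usual workflow is to save it with -oG and feed the open ports into a targeted follow-up scan. The following is an added example, not part of the original cheat sheet: shell functions that turn Nmap grepable output (and masscan's -oL list output, masscan being covered in the next section) into a per-host port list for nmap -sV. The sample scan output is constructed for the demo, and the file names out.gnmap and out.lst are assumptions.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): turn scanner output into a
# per-host port list for a follow-up nmap -sV/-sC scan. Assumes nmap was run with
# "-oG out.gnmap" and masscan with "-oL out.lst"; the sample data below is constructed.

# nmap -oG: one "Host:" line per host, tab-separated fields; the Ports field is a
# comma-separated list of port/state/proto/owner/service/rpc/version/ entries.
# Entries are split on ", " and fields on "/"; if a version string ever contains
# either, parse -oX output instead.
parse_gnmap() {
  awk -F'\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)   # drop "(hostname)"
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        list = $i; sub(/^Ports: /, "", list)
        n = split(list, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          # keep only "open"; "open|filtered" (typical for UDP) and "closed" are dropped
          if (f[2] == "open") printf "%s\t%s/%s\t%s\t%s\n", host, f[1], f[3], f[5], f[7]
        }
      }
    }'
}

# masscan -oL: "open tcp 80 10.0.0.5 1700000000" per open port, "#" comment lines.
# Emits the same host<TAB>port/proto format, with empty service and version fields.
parse_masscan_list() {
  awk '$1 == "open" { printf "%s\t%s/%s\t\t\n", $4, $3, $2 }'
}

# Common format in -> "host port,port,..." out, TCP only, ready for nmap -sV -p.
targets_for_version_scan() {
  awk -F'\t' '
    split($2, pp, "/") && pp[2] == "tcp" {
      ports[$1] = (ports[$1] == "" ? "" : ports[$1] ",") pp[1]
    }
    END { for (h in ports) printf "%s %s\n", h, ports[h] }' | sort
}

# Constructed sample output (the shapes are real, the hosts and banners are made up).
SAMPLE_GNMAP=$(
  printf '# Nmap 7.94 scan initiated as: nmap -p- -A -oG out.gnmap -iL targets.txt\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: %s\tIgnored State: filtered (65532)\n' \
    '22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///'
  printf 'Host: 10.0.0.7 ()\tPorts: %s\tIgnored State: closed (1)\n' \
    '53/open/udp//domain//dnsmasq 2.80/, 161/open|filtered/udp//snmp///'
)
SAMPLE_MASSCAN=$(
  printf '#masscan\nopen tcp 443 10.0.0.5 1700000000\n'
  printf 'open tcp 80 10.0.0.5 1700000001\nopen tcp 22 10.0.0.9 1700000002\n#end\n'
)

printf '%s\n' "$SAMPLE_GNMAP" | parse_gnmap
printf '%s\n' "$SAMPLE_MASSCAN" | parse_masscan_list | targets_for_version_scan
# Hand the result back to nmap (not run here; nmap is not needed for the demo):
#   parse_masscan_list < out.lst | targets_for_version_scan | while read -r host ports; do
#     nmap -sV -sC -p "$ports" -oA "svc_$host" "$host"
#   done
```

Only ports in state "open" are kept: UDP ports that Nmap can only call open|filtered need a service probe (-sV) before they are worth listing, and that is exactly what the follow-up scan does.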
Ultra-fast asynchronous port scanner (it sends its own packets over raw sockets, so it needs root):
masscan $RHOST/24 -p1-65535 --rate=1000
masscan $RHOST -p80,443,8080 --rate=10000
--rate → packets per second. masscan only finds open ports and does no service detection, so feed its results into nmap -sV for a follow-up scan
Lightweight port scanning using Netcat. Typically installed on most hosts and useful when other tools like Nmap are not available. Netcat completes a full TCP connection to every port, so it is slower and noisier than a SYN scan.
Scan Common Ports:
nc -zv $RHOST 1-1024
Quiet Output (Open Ports Only):
nc -zv $RHOST 1-65535 2>&1 | grep -E 'succeeded|open|Connected'
Netcat writes every result, success and failure alike, to stderr, so 2>/dev/null would hide the open ports as well; filter the output instead. OpenBSD nc prints "succeeded!" for an open port, traditional nc prints "open", and Ncat prints "Connected to".
Scan Specific Ports:
for port in 22 80 443 8080; do nc -zv $RHOST $port; done
Netcat Flags
-z → zero-I/O scan mode (connect, then close without sending data)
-v → verbose
-w 1 → timeout (1 second); always set it on a range scan, or filtered ports will hang the scan
-n → don't resolve DNS
IPv6:
nmap -6 -sS $RHOSTv6 # IPv6 SYN scan
nmap -6 -sU $RHOSTv6 # IPv6 UDP scan
Tips:
Run --top-ports 1000 before a full -p- scan to get quick results first.
Use -T2 or -T3 (-T3 is the default); -T4 and -T5 are faster but noisier and may sacrifice accuracy.
Keep masscan's --rate and Nmap's timing modest to avoid overwhelming targets or tripping rate-based IDS rules.
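The netcat commands above only work where nc exists and accepts -z (BusyBox nc, for example, does not). The following is an added example, not part of the original cheat sheet: a small connect scanner that expands an Nmap-style port spec, probes with nc when it is available and otherwise falls back to bash's /dev/tcp pseudo-path, and prints only the open ports. $RHOST, the port spec and the 1-second timeout are assumptions for the demo; it runs against loopback so it works offline.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): a minimal TCP connect scanner
# around netcat, with a bash /dev/tcp fallback for hosts that have no nc at all.
# $RHOST, the port spec and the 1-second timeout are assumptions for the demo.

# Expand an nmap-style spec ("22,80,8000-8002") into "22 80 8000 8001 8002".
expand_ports() {
  out=""
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    case $item in
      *-*) p=${item%-*}; hi=${item#*-}
           while [ "$p" -le "$hi" ]; do out="$out $p"; p=$((p + 1)); done ;;
      *)   out="$out $item" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Exit 0 if host:port completes a TCP handshake within $3 seconds (default 1).
# Prefer nc; fall back to bash's /dev/tcp (a bash builtin path, not a real device).
# A refused or timed-out connection is reported as closed; with no probe method
# at all the function returns 2 so the caller can tell "closed" from "could not test".
probe_port() {
  host=$1; port=$2; tmo=${3:-1}
  if command -v nc >/dev/null 2>&1; then
    nc -z -w "$tmo" "$host" "$port" >/dev/null 2>&1
  elif command -v bash >/dev/null 2>&1; then
    if command -v timeout >/dev/null 2>&1; then
      timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    else
      bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
  else
    return 2
  fi
}

# Connect-scan a spec and print only the open ports; closed or filtered ports
# print nothing, which is the "open ports only" view nc's own output does not give.
scan_ports() {
  host=$1; spec=$2; tmo=${3:-1}
  for port in $(expand_ports "$spec"); do
    if probe_port "$host" "$port" "$tmo"; then printf '%s/tcp open\n' "$port"; fi
  done
}

# Demo against loopback so it runs offline; point it at $RHOST in the field.
scan_ports "${RHOST:-127.0.0.1}" "22,80,443,8080" 1
```

This is a full connect scan, so every open port shows up in the target's application logs, just as with the nc one-liners above. The /dev/tcp fallback is a bash feature, not a system device, which is why the function invokes bash explicitly even when the script itself runs under sh.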