@int0x80
Created January 9, 2021 16:32

Enrich and speed up your port scan recon by using masscan first to identify open ports. Then run service scans with nmap.

$ mkdir -p recon
$ sudo masscan -p 1-65535,U:1-65535 "${IP}" --rate 10000 -oL "recon/masscan-${IP}"
$ tcp=$(grep -F 'open tcp' "recon/masscan-${IP}" | awk '{print $3}' | tr '\n' ',' | sed "s/,$//")
$ udp=$(grep -F 'open udp' "recon/masscan-${IP}" | awk '{print $3}' | tr '\n' ',' | sed "s/,$//")
$ # Quote the variable: an unquoted empty ${tcp} turns the test into "[ -n ]", which is always true.
$ [ -n "${tcp}" ] && sudo nmap -n -A -p "${tcp}" "${IP}" -oA "recon/tcp-${IP}" &
$ [ -n "${udp}" ] && sudo nmap -n -sU -A -p "${udp}" "${IP}" -oA "recon/udp-${IP}" &

Depending on the service, you can sometimes get additional context with a separate scan using nmap --script safe. Add -e tun0 to the initial masscan run if you're doing this on HTB.
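
The port-list step above, as an added example that is not part of the original gist: it parses masscan list (-oL) output into a validated, de-duplicated, sorted port list per protocol and prints the follow-up nmap commands instead of running them, skipping a protocol with no open ports. The function names, the sample scan lines, and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): turn masscan -oL output into nmap -p lists.

# Constructed sample of masscan list output: state, proto, port, ip, timestamp.
sample_masscan_list() {
  cat <<'EOF'
#masscan
open tcp 80 192.0.2.10 1610209920
open tcp 22 192.0.2.10 1610209921
open udp 161 192.0.2.10 1610209922
open tcp 80 192.0.2.10 1610209925
open tcp 443 192.0.2.10 1610209926
open udp 53 192.0.2.10 1610209930
# end
EOF
}

# ports_from_masscan PROTO FILE
# Prints a comma-separated list of open ports for PROTO (tcp or udp), sorted
# numerically with duplicates removed. Prints nothing if there are none.
ports_from_masscan() {
  local proto="$1" file="$2"
  awk -v proto="$proto" '
    $1 == "open" && $2 == proto && $3 ~ /^[0-9]+$/ && $3 >= 1 && $3 <= 65535 { print $3 }
  ' "$file" | sort -un |
    awk 'NR > 1 { printf "," } { printf "%s", $0 } END { if (NR) print "" }'
}

# nmap_plan IP FILE
# Prints (does not run) the service-scan commands, one per protocol that has
# open ports. The quoted -n tests are what keep an empty list from reaching nmap.
nmap_plan() {
  local ip="$1" file="$2" tcp udp
  tcp=$(ports_from_masscan tcp "$file")
  udp=$(ports_from_masscan udp "$file")
  [ -n "$tcp" ] && echo "nmap -n -A -p $tcp $ip -oA recon/tcp-$ip"
  [ -n "$udp" ] && echo "nmap -n -sU -A -p $udp $ip -oA recon/udp-$ip"
  return 0
}

# Demo on the constructed sample.
demo=$(mktemp)
sample_masscan_list > "$demo"
nmap_plan 192.0.2.10 "$demo"
rm -f "$demo"
```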
