Skip to content

Instantly share code, notes, and snippets.

@int0x80
Created January 9, 2021 16:32
Show Gist options
  • Save int0x80/1f5ca31f7ab1c9c8f619955eefbb301b to your computer and use it in GitHub Desktop.
Save int0x80/1f5ca31f7ab1c9c8f619955eefbb301b to your computer and use it in GitHub Desktop.

Enrich and speed up your port scan recon by using masscan first to identify open ports. Then run service scans with nmap.

$ sudo masscan -p 1-65535,U:1-65535 ${IP} --rate 10000 -oL recon/masscan-${IP}
$ tcp=$(grep -F 'open tcp' recon/masscan-${IP} | awk '{print $3}' | tr '\n' ',' | sed "s/,$//")
$ udp=$(grep -F 'open udp' recon/masscan-${IP} | awk '{print $3}' | tr '\n' ',' | sed "s/,$//")
$ [ -n ${tcp} ] && sudo nmap -n -A -p ${tcp} ${IP} -oA recon/tcp-${IP} &
$ [ -n ${udp} ] && sudo nmap -n -sU -A -p ${udp} ${IP} -oA recon/udp-${IP} &

Depending on the service, you can sometimes get additional context with a separate scan using nmap --script safe. Add -e tun0 to the initial masscan run if you're doing this on HTB.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment