@scriptzteam
Forked from int0x80/Better Port Scan.md
Created November 27, 2022 14:26

Enrich and speed up your port scan recon by using masscan first to identify open ports. Then run service scans with nmap.

$ mkdir -p recon   # masscan and nmap do not create the output directory
$ sudo masscan -p 1-65535,U:1-65535 "${IP}" --rate 10000 -oL "recon/masscan-${IP}"
$ # masscan -oL lines look like "open tcp 22 <host> <timestamp>", so field 3 is the port
$ tcp=$(grep -F 'open tcp' "recon/masscan-${IP}" | awk '{print $3}' | tr '\n' ',' | sed "s/,$//")
$ udp=$(grep -F 'open udp' "recon/masscan-${IP}" | awk '{print $3}' | tr '\n' ',' | sed "s/,$//")
$ # quote the variable: an unquoted [ -n ${tcp} ] is always true when tcp is empty
$ [ -n "${tcp}" ] && sudo nmap -n -A -p "${tcp}" "${IP}" -oA "recon/tcp-${IP}" &
$ [ -n "${udp}" ] && sudo nmap -n -sU -A -p "${udp}" "${IP}" -oA "recon/udp-${IP}" &

Depending on the service, you can sometimes get additional context with a separate scan using nmap --script safe. Add -e tun0 to the initial masscan run if you're doing this on HTB.
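An added helper, not part of the gist, that turns masscan's -oL list output into the comma-separated port lists nmap -p expects, deduplicated and sorted, and that handles the empty case the unquoted test in the one-liners gets wrong. The masscan lines are constructed sample data and 192.0.2.10 is a documentation address.

```shell
#!/bin/sh
# Constructed sample of masscan -oL output (fields: state proto port host timestamp).
SAMPLE_MASSCAN='#masscan
open tcp 22 192.0.2.10 1669555555
open tcp 443 192.0.2.10 1669555556
open udp 161 192.0.2.10 1669555557
open tcp 80 192.0.2.10 1669555558
open tcp 22 192.0.2.10 1669555559
# end'

# ports_for PROTO: read masscan list output on stdin and print the open ports
# for PROTO (tcp|udp) as a single "22,80,443" line; prints nothing if none.
ports_for() {
  awk -v proto="$1" '$1 == "open" && $2 == proto { print $3 }' \
    | sort -n -u \
    | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { if (NR) print "" }'
}

# has_ports LIST: succeed only when LIST is non-empty. The operand is quoted on
# purpose: [ -n $list ] with an empty list becomes [ -n ], which tests the
# literal string "-n" and is therefore always true.
has_ports() {
  [ -n "$1" ]
}

# Demonstration: build the lists and show which nmap runs would be launched.
tcp=$(printf '%s\n' "$SAMPLE_MASSCAN" | ports_for tcp)
udp=$(printf '%s\n' "$SAMPLE_MASSCAN" | ports_for udp)
sctp=$(printf '%s\n' "$SAMPLE_MASSCAN" | ports_for sctp)
has_ports "$tcp" && echo "tcp scan: nmap -p $tcp"     # prints "tcp scan: nmap -p 22,80,443"
has_ports "$udp" && echo "udp scan: nmap -sU -p $udp" # prints "udp scan: nmap -sU -p 161"
has_ports "$sctp" || echo "sctp: no open ports, nmap not run"
```

Feed it a real file with `ports_for tcp < recon/masscan-${IP}` in place of the sample.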
