Network Scanning
Network scanning identifies live hosts, open ports, and running services across the internal network. This phase builds the target inventory for deeper enumeration and exploitation.
```mermaid
flowchart TD
A[Network Range] --> B[Host Discovery]
B --> C[Port Scanning]
C --> D[Service Detection]
D --> E[OS Fingerprinting]
E --> F[Vulnerability Scanning]
F --> G[Target Prioritization]
style A fill:#00ff00,stroke:#000,color:#000
style F fill:#ff6b6b,stroke:#000,color:#000
style G fill:#00ffff,stroke:#000,color:#000
```
Host Discovery
ICMP Ping Sweep
Nmap ping sweep for live host detection.
```bash
# Basic ping sweep
nmap -sn 10.0.0.0/24
# Output live hosts to file
nmap -sn 10.0.0.0/24 -oG - | grep Up | cut -d' ' -f2 > live_hosts.txt
# Disable DNS resolution for speed
nmap -sn -n 10.0.0.0/24
# Multiple subnets
nmap -sn 10.0.0.0/24 10.0.1.0/24 10.0.2.0/24
# From file
nmap -sn -iL subnets.txt
```
ARP Scanning (Layer 2)
ARP scan: the most reliable method on the local subnet. ARP requests are answered below the IP layer, so host firewalls that drop ICMP or TCP probes do not hide a host from it; the trade-off is that it only reaches hosts on the same Layer 2 segment.
```bash
# arp-scan (requires root)
sudo arp-scan -l -I eth0
sudo arp-scan 10.0.0.0/24 -I eth0
# Netdiscover - passive and active modes
sudo netdiscover -r 10.0.0.0/24 -i eth0
sudo netdiscover -p -i eth0 # Passive mode
# Nmap ARP discovery (local subnet only)
sudo nmap -PR -sn 10.0.0.0/24
```
TCP/UDP Discovery
Bypass ICMP blocking with TCP/UDP probes.
```bash
# TCP SYN ping on common ports
nmap -PS22,80,443,445,3389 -sn 10.0.0.0/24
# TCP ACK ping
nmap -PA80,443 -sn 10.0.0.0/24
# UDP ping
nmap -PU53,161,137 -sn 10.0.0.0/24
# Combined discovery (thorough)
nmap -PS22,80,443,445 -PA80,443 -PU53,161 -sn 10.0.0.0/24
# SCTP discovery
nmap -PY -sn 10.0.0.0/24
```
Tip
In internal networks, ARP scanning is the most reliable for the local subnet since it operates at Layer 2
and cannot be blocked by host firewalls. For remote subnets, combine TCP SYN and UDP probes.
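The tip above is a decision rule: ARP for anything on the scanner's own segment, TCP/UDP probes for routed ranges. The script below is an added example (not part of the original page) that applies that rule automatically: it decides with plain bash arithmetic whether each target range sits inside the scanner's interface subnet and emits the matching `nmap -sn` line. The interface address (`10.0.0.15/24`), interface name and target ranges in the demo call are constructed; set `NMAP_RUN=1` to execute the generated commands instead of only printing them.

```bash
#!/usr/bin/env bash
# Pick the host-discovery technique per target range: ARP (-PR) when the range
# lies inside the scanner's own subnet, TCP SYN/ACK + UDP probes otherwise.
# Pure bash arithmetic, so it runs without nmap; NMAP_RUN=1 executes the
# generated commands instead of only printing them.
set -euo pipefail

# Dotted quad -> 32-bit integer (bash arithmetic is 64-bit, so no overflow).
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr A B: succeeds when range A (CIDR or bare IP) lies entirely inside B.
in_cidr() {
    local a=$1 b=$2
    case $a in */*) ;; *) a="$a/32" ;; esac      # bare IP -> /32
    local a_net=${a%/*} a_len=${a#*/} b_net=${b%/*} b_len=${b#*/}
    [ "$a_len" -ge "$b_len" ] || return 1      # a wider range cannot be "inside"
    local mask=$(( (0xFFFFFFFF << (32 - b_len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$a_net") & mask )) -eq $(( $(ip2int "$b_net") & mask )) ]
}

# discovery_plan LOCAL_CIDR IFACE RANGE...: print one nmap line per range.
# LOCAL_CIDR is the scanner's interface address with prefix, e.g. from
#   ip -o -4 addr show dev eth0 | awk '{print $4}'     -> 10.0.0.15/24
discovery_plan() {
    local local_cidr=$1 iface=$2; shift 2
    local range cmd
    for range in "$@"; do
        if in_cidr "$range" "$local_cidr"; then
            # same Layer 2 segment: ARP cannot be filtered by host firewalls
            cmd="nmap -sn -n -PR -e $iface $range"
        else
            # routed range: fall back to TCP SYN/ACK and UDP probes
            cmd="nmap -sn -n -PS22,80,443,445,3389 -PA80,443 -PU53,161 $range"
        fi
        echo "$cmd"
        if [ "${NMAP_RUN:-0}" = 1 ]; then $cmd; fi
    done
}

# Constructed demo: scanner sits on 10.0.0.15/24 via eth0; hypothetical targets.
discovery_plan 10.0.0.15/24 eth0 10.0.0.0/24 10.0.1.0/24 10.0.0.128/25 10.0.2.7
```

The demo prints an ARP line for `10.0.0.0/24` and `10.0.0.128/25` (both inside the scanner's `/24`) and a probe line for `10.0.1.0/24` and the bare host `10.0.2.7`. A range wider than the local subnet (say `10.0.0.0/16`) is deliberately treated as remote, because ARP would only cover the local slice of it.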
Port Scanning
Quick Scans
Fast initial scans to identify attack surface.
```bash
# Top 1000 ports (default)
nmap 10.0.0.1
# Top 100 ports
nmap -F 10.0.0.1
# All ports - fast rate
nmap -p- --min-rate=1000 -T4 10.0.0.1
# Common internal ports
nmap -p 21,22,23,25,53,80,88,110,111,135,139,143,389,443,445,\
464,593,636,993,995,1433,1521,3306,3389,5432,5900,5985,8080 10.0.0.1
```
Comprehensive Service Scans
Detailed scanning with version detection.
```bash
# Version detection + default scripts
nmap -sC -sV -p 22,80,445,3389 10.0.0.1 -oA detailed_scan
# Full TCP scan with OS detection
sudo nmap -sS -sV -sC -O -p- 10.0.0.1 -oA full_tcp
# UDP scan (slow but important)
sudo nmap -sU --top-ports 100 10.0.0.1
# Aggressive scan (noisy)
sudo nmap -A -T4 10.0.0.1
```
Ports that matter most on an internal engagement:

| Port | Service | Internal Pentest Value |
|---|---|---|
| 88 | Kerberos | Domain Controller - Kerberoasting, AS-REP |
| 389/636 | LDAP/LDAPS | AD enumeration, credential attacks |
| 445 | SMB | File shares, relay attacks, EternalBlue |
| 135 | RPC | Enumeration, DCOM exploitation |
| 5985/5986 | WinRM | Remote PowerShell access |
| 3389 | RDP | Remote desktop, BlueKeep |
| 1433 | MSSQL | Database access, xp_cmdshell |
| 22 | SSH | Linux/network device access |
Domain Controller Discovery
Identify domain controllers - primary targets in AD environments.
```bash
# DNS query for DCs
nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local
dig SRV _ldap._tcp.dc._msdcs.domain.local
# Find GC servers
nslookup -type=SRV _gc._tcp.domain.local
# Scan for DC ports
nmap -p 53,88,135,139,389,445,464,636,3268,3269 10.0.0.0/24
# Identify DCs by open port combination
nmap -p 88,389,636 --open 10.0.0.0/24 -oG - | grep "88/open" | grep "389/open"
```
NSE Scripts for Internal Networks
SMB Enumeration
```bash
# SMB security mode (is signing required?)
nmap -p 445 --script smb-security-mode 10.0.0.1
# SMB shares
nmap -p 445 --script smb-enum-shares 10.0.0.1
# SMB users (requires access)
nmap -p 445 --script smb-enum-users 10.0.0.1
# SMB vulnerabilities (quote the wildcard so the shell does not expand it)
nmap -p 445 --script "smb-vuln*" 10.0.0.1
# All SMB scripts
nmap -p 139,445 --script "smb*" 10.0.0.1
```
LDAP & Kerberos
```bash
# LDAP root DSE
nmap -p 389 --script ldap-rootdse 10.0.0.1
# LDAP search (anonymous)
nmap -p 389 --script ldap-search 10.0.0.1
# Kerberos enumeration
nmap -p 88 --script krb5-enum-users --script-args \
krb5-enum-users.realm='DOMAIN.LOCAL',userdb=users.txt 10.0.0.1
```
Other Useful Scripts
```bash
# MS-SQL info
nmap -p 1433 --script ms-sql-info 10.0.0.1
# SNMP enumeration
nmap -sU -p 161 --script snmp-info,snmp-interfaces 10.0.0.1
# NFS shares
nmap -p 111,2049 --script nfs-ls,nfs-showmount 10.0.0.1
# RDP security
nmap -p 3389 --script rdp-enum-encryption 10.0.0.1
# FTP anonymous
nmap -p 21 --script ftp-anon 10.0.0.1
```
Vulnerability Scanning
Nmap Vulnerability Scripts
```bash
# All vuln scripts (noisy)
nmap --script vuln 10.0.0.1
# Specific checks
nmap -p 445 --script smb-vuln-ms17-010 10.0.0.1   # EternalBlue (MS17-010)
nmap -p 3389 --script rdp-vuln-ms12-020 10.0.0.1  # MS12-020 (CVE-2012-0002), not BlueKeep (CVE-2019-0708)
nmap -p 443 --script ssl-heartbleed 10.0.0.1      # Heartbleed (CVE-2014-0160)
# ZeroLogon (CVE-2020-1472) is not covered by the smb-vuln* family: it is a
# Netlogon (MS-NRPC) flaw and needs a dedicated checker run against the DC,
# e.g. Secura's zerologon_tester.py
nmap -p 445 --script "smb-vuln*" 10.0.0.1         # SMB-only checks
```
Nessus / OpenVAS
For comprehensive vulnerability assessment, use dedicated scanners like Nessus or OpenVAS. These provide detailed vulnerability reports with CVSS scores and remediation guidance.
Warning
Vulnerability scanning can be disruptive. Coordinate with the client and avoid scanning
critical production systems during business hours. Always have emergency contacts ready.
Output Organization
```bash
# Create organized directory structure
mkdir -p scans/{discovery,ports,services,vulns}
# Systematic scanning workflow
# 1. Host discovery
nmap -sn 10.0.0.0/24 -oA scans/discovery/live_hosts
# -iL expects a plain host list, not a .gnmap file: extract the Up hosts first
grep "Status: Up" scans/discovery/live_hosts.gnmap | awk '{print $2}' | sort -u \
    > scans/discovery/live_hosts.txt
# 2. Full port scan on live hosts
nmap -iL scans/discovery/live_hosts.txt -p- --min-rate=1000 \
    -oA scans/ports/all_ports
# 3. Service detection on the union of open TCP ports (open|filtered excluded)
ports=$(awk '/^[0-9]+\/tcp +open / {sub(/\/tcp/, "", $1); print $1}' scans/ports/all_ports.nmap \
        | sort -un | paste -s -d ',' -)
nmap -iL scans/discovery/live_hosts.txt -sC -sV -p "$ports" \
    -oA scans/services/detailed
# 4. Vulnerability scanning
nmap -iL scans/discovery/live_hosts.txt --script vuln \
    -oA scans/vulns/vuln_scan
# Parse results: hosts with at least one open port (gnmap lines start with "Host:", not a digit)
grep "/open/" scans/ports/all_ports.gnmap | awk '{print $2}' | sort -u > targets.txt
# Open ports with version info, skipping open|filtered noise
grep -E "^[0-9]+/(tcp|udp) +open " scans/services/detailed.nmap
```
Information
With hosts and services identified, proceed to Enumeration for detailed
SMB, LDAP, and service-specific information gathering.
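Both the DC-identification one-liner (grep for `88/open` and `389/open`) and the output-organization workflow above depend on reading Nmap's greppable output correctly, and `-oG` is easy to misparse (the `Ports:` field packs every port as `port/state/proto/owner/service/rpcinfo/version/`, and `open|filtered` must not count as open). The helper script below is an added example, not part of the original page: it turns `.gnmap` files into the three lists the workflow needs (live hosts for `-iL`, the union of open ports for `-p`, and hosts exposing a given port combination such as 88+389+636 for DC candidates). The two sample `.gnmap` files it writes are constructed for the demo and follow the real field layout; the host names and addresses in them are invented.

```bash
#!/usr/bin/env bash
# Helpers that turn Nmap greppable (-oG / -oA *.gnmap) output into the lists
# the scanning workflow needs. Sample files at the bottom are constructed, but
# keep the real layout: tab-separated "Host:", "Status:" and "Ports:" fields,
# port entries as port/state/proto/owner/service/rpcinfo/version/ joined by ", ".
set -euo pipefail

# Live hosts from a -sn discovery run (only lines whose Status is Up).
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1" | sort -u
}

# One "host port/proto service" line per open port; open|filtered is skipped.
open_ports_from_gnmap() {
    awk -F'\t' '/^Host:/ && /Ports:/ {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        ports = $2; sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
            if (f[2] == "open") print host, f[1] "/" f[3], f[5]
        }
    }' "$1"
}

# Comma-joined, numerically sorted union of open TCP ports, ready for nmap -p.
unique_tcp_ports() {
    open_ports_from_gnmap "$1" | awk '$2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2 }' \
        | sort -un | paste -s -d ',' -
}

# hosts_with_all_ports FILE PORT...: hosts with every listed TCP port open.
hosts_with_all_ports() {
    local file=$1; shift
    open_ports_from_gnmap "$file" | awk -v want="$#" -v list="$*" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) need[w[i] "/tcp"] = 1 }
        ($2 in need) && !seen[$1 " " $2]++ { count[$1]++ }
        END { for (h in count) if (count[h] == want) print h }' | sort -u
}

# --- Constructed sample data (not real scan output) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
{
    printf '# Nmap 7.94 scan initiated (constructed sample)\n'
    printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 (dc01.domain.local)\tStatus: Up\n'
    printf 'Host: 10.0.0.9 ()\tStatus: Down\n'
} > "$tmp/live_hosts.gnmap"
{
    printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
    printf 'Host: 10.0.0.5 (dc01.domain.local)\tStatus: Up\n'
    printf 'Host: 10.0.0.5 (dc01.domain.local)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 636/open/tcp//ldapssl///, 3389/open|filtered/tcp//ms-wbt-server///\tIgnored State: closed (65529)\n'
} > "$tmp/all_ports.gnmap"

echo "[*] live hosts (feed to -iL):"; live_hosts_from_gnmap "$tmp/live_hosts.gnmap"
echo "[*] open ports:";               open_ports_from_gnmap "$tmp/all_ports.gnmap"
echo "[*] -p list for service scan:   $(unique_tcp_ports "$tmp/all_ports.gnmap")"
echo "[*] DC candidates (88+389+636): $(hosts_with_all_ports "$tmp/all_ports.gnmap" 88 389 636)"
# In the real workflow the same functions plug straight into nmap:
#   nmap -iL <(live_hosts_from_gnmap scans/discovery/live_hosts.gnmap) -sC -sV \
#        -p "$(unique_tcp_ports scans/ports/all_ports.gnmap)" -oA scans/services/detailed
```

On the sample data the DC filter returns only `10.0.0.5`, the `-p` list is `22,53,80,88,389,445,636`, and the `open|filtered` RDP entry on the DC is dropped rather than counted as open. Working from `.gnmap` rather than `.nmap` also keeps the host association, which the `grep open | cut` approach on `.nmap` output loses.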