Scanning

Active scanning reveals open ports, running services, and potential vulnerabilities. This phase provides the technical foundation for exploitation.

🔍 Why Scanning Matters

Service Discovery: Find all entry points - web servers, APIs, databases, and admin panels
Version Identification: Detect software versions to identify known CVEs and exploits
Misconfigurations: Automated scanners catch default credentials, exposed panels, and weak SSL
Attack Prioritization: Focus on high-value targets based on scan results

⚠️ Warning: Active scanning generates significant network traffic and will be logged. Ensure you have authorization and coordinate with the client's security team.

🛠️ Essential Scanning Tools

  • Nmap: Industry-standard port scanner with NSE scripting. Install: `brew install nmap`
  • Nuclei: Fast template-based vulnerability scanner. Install: `go install ...nuclei/v3@latest`
  • Nikto: Web server scanner for misconfigurations. Install: `brew install nikto`
  • Burp Suite: Industry-standard web proxy & scanner. Install: download from portswigger.net
  • RustScan: Modern fast port scanner that pipes to Nmap. Install: `brew install rustscan`
  • testssl.sh: Comprehensive SSL/TLS configuration testing. Install: `brew install testssl`

📊 Scanning Process Flow

Target IPs/Domains → Host Discovery → Port Scanning → Service Detection → Version Detection → Vulnerability Scanning → Web App Scanning → Findings Report

Port Scanning with Nmap

Nmap is the industry-standard port scanner. Understanding its options is essential for effective scanning.

Basic Scan Types

```bash
# TCP SYN scan (stealth scan) - requires root
sudo nmap -sS 192.168.1.1

# TCP Connect scan (no root required)
nmap -sT 192.168.1.1

# UDP scan (slow, but important)
sudo nmap -sU 192.168.1.1

# Combined TCP and UDP
sudo nmap -sS -sU 192.168.1.1

# ACK scan (firewall detection)
sudo nmap -sA 192.168.1.1

# FIN scan (stealthier)
sudo nmap -sF 192.168.1.1
```

Comprehensive Scanning

```bash
# Quick initial scan - find open ports fast
nmap -p- --min-rate=1000 -T4 192.168.1.1 -oN initial_scan.txt

# Detailed scan on discovered ports
nmap -sC -sV -p 22,80,443,8080 192.168.1.1 -oN detailed_scan.txt

# Full comprehensive scan (-A already implies -sV, -sC, -O and traceroute; the explicit flags are harmless)
sudo nmap -sS -sV -sC -O -A -p- 192.168.1.1 -oA full_scan

# Web-focused scan (quote the glob so the shell does not expand http-* against files in the current directory)
nmap -sV -p 80,443,8080,8443 --script="http-*" 192.168.1.1

# Scan common web ports
nmap -sV -p 80,443,8000,8080,8443,8888,9000,9090 192.168.1.1
```

| Flag | Description | Use Case |
|------|-------------|----------|
| -sS | SYN stealth scan | Default (as root), fast, stealthy |
| -sV | Version detection | Identify service versions |
| -sC | Default scripts | Run common NSE scripts |
| -O | OS detection | Identify operating system |
| -A | Aggressive | OS, version, script, traceroute |
| -p- | All ports | Scan all 65535 ports |
| -T4 | Timing template | Faster scanning (0-5) |
| -oA | Output all formats | Normal, XML, grepable |
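The two-phase workflow the commands above describe (sweep every port quickly, then run -sC -sV only on the ports that were actually open) is easy to wire together as a script. The following is an added example, not code from the page: it assumes the scans/nmap/ directory layout used later on this page, and the -oN text inside sample_initial_scan is a constructed sample rather than real scan output. The parsing is plain POSIX sh plus grep/cut/sort/awk; nmap itself is only invoked inside two_phase_scan.

```shell
#!/bin/sh
# Two-phase Nmap workflow (added example): fast all-ports sweep first, then
# -sC -sV on the open ports only. Parsing uses POSIX sh + grep/cut/sort/awk.

# Read Nmap normal (-oN) output on stdin and print the open ports as a
# comma-separated, numerically sorted list (e.g. "22,80,443"). Only rows
# whose state is exactly "open" are kept, so UDP "open|filtered" rows, which
# are usually noise, are excluded. Prints nothing when no port is open.
extract_open_ports() {
    grep -E '^[0-9]+/(tcp|udp) +open ' \
        | cut -d/ -f1 \
        | sort -n -u \
        | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { if (NR) printf "\n" }'
}

# Build (but do not run) the follow-up command line, so it can be logged or
# reviewed before the detailed scan is launched.
detailed_scan_cmd() {
    target=$1
    ports=$2
    printf 'nmap -sC -sV -p %s %s -oA scans/nmap/detailed_%s\n' "$ports" "$target" "$target"
}

# Full workflow: sweep, extract, detailed scan. Results land under scans/nmap/
# (an assumed layout matching the "Scanning Output & Organization" section).
two_phase_scan() {
    target=$1
    mkdir -p scans/nmap
    nmap -p- --min-rate=1000 -T4 "$target" -oN "scans/nmap/initial_$target.txt"
    ports=$(extract_open_ports < "scans/nmap/initial_$target.txt")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 0
    fi
    echo "running: $(detailed_scan_cmd "$target" "$ports")" >&2
    nmap -sC -sV -p "$ports" "$target" -oA "scans/nmap/detailed_$target"
}

# Constructed sample of -oN output (not a real scan) used to self-check the parser.
sample_initial_scan() {
    cat <<'EOF'
# Nmap 7.94 scan initiated (constructed sample, not real output)
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
8080/tcp open     http-proxy
3306/tcp filtered mysql
161/udp  open|filtered snmp
# Nmap done -- 1 IP address (1 host up) scanned
EOF
}

# With a target argument, run the real workflow; with none, self-check the parser.
if [ $# -ge 1 ]; then
    two_phase_scan "$1"
else
    sample_initial_scan | extract_open_ports
    detailed_scan_cmd 192.168.1.1 "$(sample_initial_scan | extract_open_ports)"
fi
```

Run it as `sh two_phase.sh 192.168.1.1` for a real target; with no argument it only exercises the parser on the embedded sample and prints `22,80,443,8080` followed by the detailed command it would run. Filtering on the literal state `open ` (with the trailing space) is what keeps `open|filtered` UDP rows out of the second phase.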

NSE Scripts for Web

```bash
# HTTP enumeration
nmap -sV -p 80,443 --script=http-enum 192.168.1.1

# HTTP headers
nmap -sV -p 80,443 --script=http-headers 192.168.1.1

# HTTP methods (PUT, DELETE, etc.)
nmap -sV -p 80,443 --script=http-methods 192.168.1.1

# SSL/TLS analysis
nmap -sV -p 443 --script=ssl-enum-ciphers 192.168.1.1
nmap -sV -p 443 --script=ssl-cert 192.168.1.1

# Vulnerability scanning
nmap -sV -p 80,443 --script=vuln 192.168.1.1

# WAF detection
nmap -sV -p 80,443 --script=http-waf-detect,http-waf-fingerprint 192.168.1.1

# Specific vulnerability checks
nmap -sV -p 443 --script=http-shellshock 192.168.1.1
nmap -sV -p 80 --script=http-sql-injection 192.168.1.1
```

Vulnerability Scanning

Nikto - Web Server Scanner

```bash
# Basic scan
nikto -h https://example.com

# Scan specific port
nikto -h https://example.com -p 8443

# Output to file
nikto -h https://example.com -o nikto_report.html -Format htm

# Tuning options (specific tests)
nikto -h https://example.com -Tuning 123bde

# With authentication
nikto -h https://example.com -id admin:password

# SSL mode
nikto -h https://example.com -ssl

# Follow redirects
nikto -h https://example.com -followredirects
```

Nuclei - Template-Based Scanner

```bash
# Update templates
nuclei -update-templates

# Basic scan with all templates
nuclei -u https://example.com

# Scan from URL list
nuclei -list urls.txt

# Filter by severity
nuclei -u https://example.com -severity critical,high

# Specific template tags
nuclei -u https://example.com -tags cve,rce,sqli

# Technology-specific
nuclei -u https://example.com -tags wordpress
nuclei -u https://example.com -tags apache

# Rate limiting
nuclei -u https://example.com -rate-limit 100

# Output formats
nuclei -u https://example.com -o results.txt
nuclei -u https://example.com -json -o results.json

# Custom templates
nuclei -u https://example.com -t /path/to/custom-templates/
```

Nuclei Templates

Nuclei has thousands of community templates covering CVEs, misconfigurations, exposed panels, default credentials, and more. Update templates regularly with nuclei -update-templates.

SSL/TLS Analysis

```bash
# Using testssl.sh
./testssl.sh https://example.com

# Quick check
./testssl.sh --fast https://example.com

# Check specific vulnerabilities
./testssl.sh --heartbleed https://example.com
./testssl.sh --poodle https://example.com
./testssl.sh --beast https://example.com

# Using sslscan
sslscan https://example.com

# Using sslyze
sslyze example.com

# OpenSSL manual check (-servername sends SNI, so a shared host returns the certificate for this name)
openssl s_client -connect example.com:443 -servername example.com
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text
```

Web Application Proxies

Intercepting proxies are essential for manual web application testing and understanding application behavior.

Burp Suite Setup

Initial Configuration

  1. Set proxy listener (default: 127.0.0.1:8080)
  2. Configure browser to use proxy
  3. Install Burp CA certificate
  4. Add target to scope
  5. Configure spider settings

Useful Extensions

  • Autorize - Authorization testing
  • Logger++ - Enhanced logging
  • Turbo Intruder - Fast fuzzing
  • ActiveScan++ - Enhanced scanning
  • JSON Web Tokens - JWT manipulation

Scanning Output & Organization

```bash
# Create organized directory structure
mkdir -p scans/{nmap,nikto,nuclei,ssl}

# Run organized scans
nmap -sC -sV -oA scans/nmap/full_scan target.com
nikto -h https://target.com -o scans/nikto/report.html -Format htm
nuclei -u https://target.com -json -o scans/nuclei/results.json
testssl.sh --jsonfile scans/ssl/results.json https://target.com

# Convert Nmap XML to an HTML report (uses the nmap.xsl stylesheet referenced inside the XML)
xsltproc -o scans/nmap/report.html scans/nmap/full_scan.xml

# Extract open ports from Nmap normal output (state exactly "open", which skips open|filtered rows)
grep -E '^[0-9]+/(tcp|udp) +open ' scans/nmap/full_scan.nmap | cut -d'/' -f1
```
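Once scans are organized this way, the .gnmap file that -oA writes alongside the .nmap and .xml files is the easiest one to turn into the findings inventory the process flow ends with: each host is a single line, so a short awk program yields a host,port,proto,service,version CSV for the report or for feeding other tools. The script below is an added example, not code from the page; the function names gnmap_to_csv and hosts_with_open_ports are assumptions, and sample_gnmap produces a constructed .gnmap file rather than real scan output.

```shell
#!/bin/sh
# Findings inventory from Nmap greppable (-oG / -oA *.gnmap) output.
# Added example; POSIX sh + awk only, nothing here touches the network.

# Read .gnmap on stdin, write one CSV row per "open" port on stdout.
# Each entry in the Ports: list has the layout
#   port/state/proto/owner/service/rpc_info/version/
# Nmap replaces any "/" inside a field with "|" (hence "ssl|http"), so
# splitting on "/" is safe, and entries are separated by "/, ", so a comma
# inside a version string does not break the parse.
gnmap_to_csv() {
    awk '
    /^Host: / && /Ports: / {
        host = $2
        s = $0
        sub(/.*Ports: /, "", s)      # keep only the port list ...
        sub(/\t.*/, "", s)           # ... and drop "Ignored State:" that follows a tab
        n = split(s, e, "/, ")
        for (i = 1; i <= n; i++) {
            sub(/\/$/, "", e[i])     # last entry still carries its trailing "/"
            split(e[i], f, "/")
            if (f[2] == "open")
                printf "%s,%s,%s,%s,%s\n", host, f[1], f[3], f[5], f[7]
        }
    }'
}

# Count distinct hosts that exposed at least one open port (stdin: .gnmap).
hosts_with_open_ports() {
    gnmap_to_csv | cut -d, -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample .gnmap (not a real scan). printf supplies the literal
# tabs that separate the Host / Ports / Ignored State sections.
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (65531)\n'
    printf 'Host: 192.168.1.2 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.2 ()\tPorts: 8080/open/tcp//http-proxy//Apache Tomcat 9.0.65/\tIgnored State: closed (65534)\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
}

# With a file argument, convert a real .gnmap; with none, self-check on the sample.
if [ $# -ge 1 ]; then
    gnmap_to_csv < "$1"          # e.g. sh gnmap_csv.sh scans/nmap/full_scan.gnmap
else
    sample_gnmap | gnmap_to_csv
fi
```

With the sample, the output is four rows (three for 192.168.1.1, one for 192.168.1.2); the filtered MySQL port is dropped because only state `open` is reported. Keeping the version column verbatim is what lets the CSV be diffed against a later scan to spot new or changed services.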

✅ Scanning Testing Checklist

🔌 Port Scanning

🔍 Vulnerability Scanning

🔐 SSL/TLS Analysis

📋 Documentation

🎮 Practice Labs

Practice scanning techniques on these intentionally vulnerable platforms:

Next Steps

With open ports and services identified, proceed to Enumeration to discover directories, files, and application-specific details.