Port scanning – alternative

Alternative port scanning tools.

Portscan with netcat

Scans specific IP between tcp port 20 – 65000.

for i in $(seq 20 65000); do nc -zv 10.xx.xx.xx $i 2&gt;&amp;1;done | grep open

1 2	for i in $(seq 20 65000); do nc -zv 10.xx.xx.xx $i 2>&1;done \| grep open

Check open ports outbound from host with Wget

Check outbound rules from specific host. If TCP SYN is received on tcpdump the outbound port is allowed.

On victim:

for i in $(seq 20 65000); do wget –connect-timeout=2 -t 1 http://10.11.1.X:$i; done

1 2	for i in $(seq 20 65000); do wget –connect-timeout=2 -t 1 http://10.11.1.X:$i; done

On attacker:

tcpdump -I tun0 host 10.11.1.x and not port 22 and not port 80 and not arp

1 2	tcpdump -I tun0 host 10.11.1.x and not port 22 and not port 80 and not arp

Python script / piescan

https://github.com/m57/piescan/blob/master/piescan.py

./piescan.py -t 10.xx.xx.xx -p 0-1024 -v

1 2	./piescan.py -t 10.xx.xx.xx -p 0-1024 -v

OffSec Blog