Footprinting Tools

Footprinting Tools Comprehensive collection of footprinting tools and techniques for reconnaissance and information gathering. WHOIS Lookup Basic WHOIS Queries # Domain WHOIS whois TARGET_DOMAIN # IP WHOIS whois TARGET_IP # ASN WHOIS whois -h whois.radb.net AS12345 # Multiple domains whois TARGET_DOMAIN1 TARGET_DOMAIN2 TARGET_DOMAIN3 # Specific WHOIS server whois -h whois.verisign-grs.com TARGET_DOMAIN # WHOIS with output file whois TARGET_DOMAIN > whois_results.txt # WHOIS with verbose output whois -v TARGET_DOMAIN # WHOIS with quiet output whois -q TARGET_DOMAIN Advanced WHOIS Options # WHOIS without legal disclaimers (-H hides them) whois -H TARGET_DOMAIN # WHOIS with JSON output whois -j TARGET_DOMAIN # WHOIS with XML output whois -x TARGET_DOMAIN # WHOIS with CSV output whois -c TARGET_DOMAIN (note: the common Linux whois client has no -j option, and -c, -x, -r, -s, -t, -a and -b are RIPE-style query flags rather than output formats — check `whois --help` on your system before relying on any of these) # WHOIS with HTML output (-h is the server option, as in the examples above, not an output format; this form needs a server argument first, e.g. whois -h whois.verisign-grs.com TARGET_DOMAIN) whois -h TARGET_DOMAIN # WHOIS with raw output whois -r TARGET_DOMAIN # WHOIS with summary whois -s TARGET_DOMAIN # WHOIS with technical whois -t TARGET_DOMAIN # WHOIS with administrative whois -a TARGET_DOMAIN # WHOIS with billing whois -b TARGET_DOMAIN DNS Enumeration Basic DNS Queries # A record lookup dig TARGET_DOMAIN A # AAAA record lookup dig TARGET_DOMAIN AAAA # CNAME record lookup dig TARGET_DOMAIN CNAME # MX record lookup dig TARGET_DOMAIN MX # NS record lookup dig TARGET_DOMAIN NS # SOA record lookup dig TARGET_DOMAIN SOA # TXT record lookup dig TARGET_DOMAIN TXT # PTR record lookup dig -x TARGET_IP # ANY record lookup dig TARGET_DOMAIN ANY # All record types (ALL is not a dig record type; ANY above is the closest, and many servers now answer ANY minimally per RFC 8482, so query the individual types instead) dig TARGET_DOMAIN ALL Advanced DNS Queries # DNS with specific server dig @8.8.8.8 TARGET_DOMAIN A # DNS with specific port dig @8.8.8.8 -p 53 TARGET_DOMAIN A # DNS with TCP dig @8.8.8.8 +tcp TARGET_DOMAIN A # DNS with UDP dig @8.8.8.8 +notcp TARGET_DOMAIN A # DNS with recursion dig @8.8.8.8 +recurse TARGET_DOMAIN A # DNS without recursion dig @8.8.8.8 +norecurse TARGET_DOMAIN A # DNS with trace dig @8.8.8.8 +trace TARGET_DOMAIN A # DNS with short answer dig @8.8.8.8 +short TARGET_DOMAIN A # DNS with 
verbose answer dig @8.8.8.8 +verbose TARGET_DOMAIN A # DNS with debug dig @8.8.8.8 +debug TARGET_DOMAIN A DNS Zone Transfer # Zone transfer attempt dig @TARGET_DOMAIN AXFR # Zone transfer with specific server dig @ns1.TARGET_DOMAIN AXFR TARGET_DOMAIN # Zone transfer with multiple servers dig @ns1.TARGET_DOMAIN AXFR TARGET_DOMAIN dig @ns2.TARGET_DOMAIN AXFR TARGET_DOMAIN dig @ns3.TARGET_DOMAIN AXFR TARGET_DOMAIN # Zone transfer with output dig @TARGET_DOMAIN AXFR > zone_transfer.txt # Zone transfer with verbose dig @TARGET_DOMAIN AXFR +verbose # Zone transfer with debug dig @TARGET_DOMAIN AXFR +debug Nslookup Basic Nslookup Queries # A record lookup nslookup TARGET_DOMAIN # AAAA record lookup nslookup -type=AAAA TARGET_DOMAIN # CNAME record lookup nslookup -type=CNAME TARGET_DOMAIN # MX record lookup nslookup -type=MX TARGET_DOMAIN # NS record lookup nslookup -type=NS TARGET_DOMAIN # SOA record lookup nslookup -type=SOA TARGET_DOMAIN # TXT record lookup nslookup -type=TXT TARGET_DOMAIN # PTR record lookup nslookup TARGET_IP # Interactive mode nslookup > set type=A > TARGET_DOMAIN > set type=MX > TARGET_DOMAIN > exit Advanced Nslookup Options # Nslookup with specific server nslookup TARGET_DOMAIN 8.8.8.8 # Nslookup with debug nslookup -debug TARGET_DOMAIN # Nslookup with verbose nslookup -verbose TARGET_DOMAIN # Nslookup with timeout nslookup -timeout=10 TARGET_DOMAIN # Nslookup with retries nslookup -retries=3 TARGET_DOMAIN # Nslookup with port nslookup -port=53 TARGET_DOMAIN # Nslookup with query type nslookup -querytype=A TARGET_DOMAIN # Nslookup with class nslookup -class=IN TARGET_DOMAIN Host Command Basic Host Queries # A record lookup host TARGET_DOMAIN # AAAA record lookup host -t AAAA TARGET_DOMAIN # CNAME record lookup host -t CNAME TARGET_DOMAIN # MX record lookup host -t MX TARGET_DOMAIN # NS record lookup host -t NS TARGET_DOMAIN # SOA record lookup host -t SOA TARGET_DOMAIN # TXT record lookup host -t TXT TARGET_DOMAIN # PTR record lookup host TARGET_IP 
# All record types host -a TARGET_DOMAIN Advanced Host Options # Host with specific server host TARGET_DOMAIN 8.8.8.8 # Host with verbose output host -v TARGET_DOMAIN # Host with debug output host -d TARGET_DOMAIN # Host with timeout host -W 10 TARGET_DOMAIN # Host without recursion (-r disables the recursive query; it is not a retry count) host -r TARGET_DOMAIN # Host SOA consistency check across the authoritative servers (-C; the query-class option is lowercase -c) host -C TARGET_DOMAIN # Host with query type host -t A TARGET_DOMAIN # Host with reverse lookup (the same PTR lookup as above; -r only disables recursion) host -r TARGET_IP Social Engineering Email Harvesting # TheHarvester theHarvester -d TARGET_DOMAIN -b google # TheHarvester with multiple sources theHarvester -d TARGET_DOMAIN -b google,bing,yahoo,baidu,duckduckgo # TheHarvester with output file theHarvester -d TARGET_DOMAIN -b google -f results.html # TheHarvester with limit theHarvester -d TARGET_DOMAIN -b google -l 100 # TheHarvester with proxy theHarvester -d TARGET_DOMAIN -b google -p 127.0.0.1:8080 # TheHarvester with timeout theHarvester -d TARGET_DOMAIN -b google -t 10 # TheHarvester with verbose theHarvester -d TARGET_DOMAIN -b google -v # TheHarvester with quiet theHarvester -d TARGET_DOMAIN -b google -q Social Media Intelligence # Social-Engineer Toolkit setoolkit # Maltego maltego # Recon-ng recon-ng # SpiderFoot spiderfoot -l 127.0.0.1:5001 # OSINT Framework osintframework.com # Shodan shodan search TARGET_DOMAIN # Censys censys.io # VirusTotal virustotal.com # PassiveTotal passivetotal.com Search Engine Queries Google Dorking # Site-specific search site:TARGET_DOMAIN # File type search site:TARGET_DOMAIN filetype:pdf # Directory search site:TARGET_DOMAIN inurl:admin # Login page search site:TARGET_DOMAIN inurl:login # Configuration file search site:TARGET_DOMAIN filetype:conf # Database file search site:TARGET_DOMAIN filetype:db # Backup file search site:TARGET_DOMAIN filetype:bak # Log file search site:TARGET_DOMAIN filetype:log # Error page search site:TARGET_DOMAIN inurl:error # API endpoint search site:TARGET_DOMAIN inurl:api Advanced Search Queries # Intitle search intitle:"index of" 
TARGET_DOMAIN # Inurl search inurl:admin TARGET_DOMAIN # Intext search intext:"password" site:TARGET_DOMAIN # Filetype search filetype:sql site:TARGET_DOMAIN # Ext search ext:php site:TARGET_DOMAIN # Cache search cache:TARGET_DOMAIN # Related search related:TARGET_DOMAIN # Link search link:TARGET_DOMAIN # Info search info:TARGET_DOMAIN Custom Scripts Python Footprinting Script (review notes: the DNS block wraps all five lookups in a single try, so a domain with no AAAA or TXT record typically raises NoAnswer and discards every DNS result — wrap each lookup separately; the HTTPS request passes verify=False, which disables TLS certificate validation and should stay confined to this header probe rather than being copied into code that trusts the response; and json.dumps will raise TypeError on the datetime values python-whois typically returns for creation_date/expiration_date unless it is called with default=str) import socket import dns.resolver import whois import requests import json def footprint_target(domain): results = {} # WHOIS lookup try: w = whois.whois(domain) results['whois'] = { 'registrar': w.registrar, 'creation_date': w.creation_date, 'expiration_date': w.expiration_date, 'name_servers': w.name_servers, 'emails': w.emails } except Exception as e: results['whois'] = {'error': str(e)} # DNS lookup try: dns_results = {} # A records a_records = dns.resolver.resolve(domain, 'A') dns_results['A'] = [str(record) for record in a_records] # AAAA records aaaa_records = dns.resolver.resolve(domain, 'AAAA') dns_results['AAAA'] = [str(record) for record in aaaa_records] # MX records mx_records = dns.resolver.resolve(domain, 'MX') dns_results['MX'] = [str(record) for record in mx_records] # NS records ns_records = dns.resolver.resolve(domain, 'NS') dns_results['NS'] = [str(record) for record in ns_records] # TXT records txt_records = dns.resolver.resolve(domain, 'TXT') dns_results['TXT'] = [str(record) for record in txt_records] results['dns'] = dns_results except Exception as e: results['dns'] = {'error': str(e)} # HTTP headers try: response = requests.get(f'http://{domain}', timeout=10) results['http_headers'] = dict(response.headers) results['http_status'] = response.status_code except Exception as e: results['http_headers'] = {'error': str(e)} # HTTPS headers try: response = requests.get(f'https://{domain}', timeout=10, verify=False) results['https_headers'] = dict(response.headers) results['https_status'] = response.status_code except Exception as e: results['https_headers'] = {'error': 
str(e)} return results # Usage domain = "TARGET_DOMAIN" results = footprint_target(domain) print(json.dumps(results, indent=2)) Bash Footprinting Script #!/bin/bash DOMAIN="TARGET_DOMAIN" OUTPUT_FILE="footprint_results.txt" echo "=== Footprinting $DOMAIN ===" > "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" # WHOIS lookup echo "=== WHOIS Information ===" >> "$OUTPUT_FILE" whois "$DOMAIN" >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" # DNS lookup echo "=== DNS Information ===" >> "$OUTPUT_FILE" echo "A Records:" >> "$OUTPUT_FILE" dig "$DOMAIN" A +short >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "AAAA Records:" >> "$OUTPUT_FILE" dig "$DOMAIN" AAAA +short >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "MX Records:" >> "$OUTPUT_FILE" dig "$DOMAIN" MX +short >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "NS Records:" >> "$OUTPUT_FILE" dig "$DOMAIN" NS +short >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "TXT Records:" >> "$OUTPUT_FILE" dig "$DOMAIN" TXT +short >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" # HTTP headers echo "=== HTTP Headers ===" >> "$OUTPUT_FILE" curl -I "http://$DOMAIN" >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" # HTTPS headers echo "=== HTTPS Headers ===" >> "$OUTPUT_FILE" curl -I "https://$DOMAIN" >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "Footprinting completed. 
Results saved to $OUTPUT_FILE" Information Gathering Company Information # LinkedIn company search linkedin.com/company/TARGET_COMPANY # Glassdoor company search glassdoor.com/Overview/Working-at-TARGET_COMPANY-EI_IE123456.11,23.htm # Crunchbase company search crunchbase.com/organization/TARGET_COMPANY # AngelList company search angel.co/TARGET_COMPANY # Indeed company search indeed.com/cmp/TARGET_COMPANY # Google company search google.com/search?q=TARGET_COMPANY # Bing company search bing.com/search?q=TARGET_COMPANY # Yahoo company search yahoo.com/search?p=TARGET_COMPANY Employee Information # LinkedIn employee search linkedin.com/search/results/people/?company=TARGET_COMPANY # Facebook employee search facebook.com/search/people/?q=TARGET_COMPANY # Twitter employee search twitter.com/search?q=TARGET_COMPANY # Instagram employee search instagram.com/explore/tags/TARGET_COMPANY # GitHub employee search github.com/search?q=TARGET_COMPANY # Stack Overflow employee search stackoverflow.com/users?tab=reputation&filter=all # Reddit employee search reddit.com/search?q=TARGET_COMPANY # Quora employee search quora.com/search?q=TARGET_COMPANY Best Practices Rate Limiting # Add delay between requests sleep 1 # Use fewer threads nmap -T1 TARGET_IP # Use proxy rotation curl --proxy http://proxy1:8080 TARGET_URL Stealth Mode # Use random user agents curl -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" TARGET_URL # Use realistic delays sleep 2 # Use smaller wordlists nmap -p 1-1000 TARGET_IP Output Analysis # Save results to file whois TARGET_DOMAIN > results.txt # Filter by specific information grep "Registrar" results.txt grep "Name Server" results.txt grep "Creation Date" results.txt grep "Expiration Date" results.txt # Sort by date sort -k3 -n results.txt Troubleshooting Common Issues # Connection timeout curl --connect-timeout 10 TARGET_URL # Too many requests sleep 5 # Invalid domain dig TARGET_DOMAIN # Permission denied sudo whois 
TARGET_DOMAIN Performance Optimization # Use appropriate timing nmap -T4 TARGET_IP # Use smaller port ranges nmap -p 1-1000 TARGET_IP # Use specific scripts nmap --script vuln TARGET_IP Legal and Ethical Considerations: always obtain proper authorization before testing; respect rate limits and server resources; use appropriate tools for the target; document findings properly; follow responsible disclosure practices.


Network Enumeration Tools

Network Enumeration Tools Comprehensive collection of network enumeration tools and techniques for reconnaissance and penetration testing. Nmap Basic Network Scanning # Basic host discovery nmap -sn TARGET_NETWORK # Ping scan nmap -PE TARGET_IP # TCP SYN scan nmap -sS TARGET_IP # TCP connect scan nmap -sT TARGET_IP # UDP scan nmap -sU TARGET_IP # Comprehensive scan nmap -sS -sU -O -A -v TARGET_IP # Scan multiple targets nmap TARGET_IP1 TARGET_IP2 TARGET_IP3 # Scan network range nmap 192.168.1.0/24 # Scan from file nmap -iL targets.txt Advanced Nmap Options # Stealth scan nmap -sS -f TARGET_IP # Fragment packets nmap -sS -f -D RND:10 TARGET_IP # Decoy scan nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP # Source port scan nmap -sS --source-port 53 TARGET_IP # Timing template nmap -T0 TARGET_IP # Paranoid nmap -T1 TARGET_IP # Sneaky nmap -T2 TARGET_IP # Polite nmap -T3 TARGET_IP # Normal nmap -T4 TARGET_IP # Aggressive nmap -T5 TARGET_IP # Insane # Port range nmap -p 1-1000 TARGET_IP nmap -p 80,443,8080,8443 TARGET_IP nmap -p- TARGET_IP # All ports # Service detection nmap -sV TARGET_IP # OS detection nmap -O TARGET_IP # Script scanning nmap -sC TARGET_IP # Custom scripts nmap --script vuln TARGET_IP nmap --script safe TARGET_IP nmap --script auth TARGET_IP nmap --script discovery TARGET_IP nmap --script exploit TARGET_IP nmap --script malware TARGET_IP nmap --script intrusive TARGET_IP nmap --script version TARGET_IP nmap --script vuln,exploit TARGET_IP # Output formats nmap -oN results.txt TARGET_IP nmap -oX results.xml TARGET_IP nmap -oG results.grep TARGET_IP nmap -oA results TARGET_IP # All formats Nmap Scripts # HTTP enumeration nmap --script http-enum TARGET_IP nmap --script http-headers TARGET_IP nmap --script http-methods TARGET_IP nmap --script http-robots.txt TARGET_IP nmap --script http-sitemap-generator TARGET_IP nmap --script http-title TARGET_IP nmap --script http-vhosts TARGET_IP # SMB enumeration nmap --script smb-enum-shares TARGET_IP nmap --script 
smb-enum-users TARGET_IP nmap --script smb-enum-groups TARGET_IP nmap --script smb-enum-domains TARGET_IP nmap --script smb-os-discovery TARGET_IP nmap --script smb-protocols TARGET_IP nmap --script smb-security-mode TARGET_IP nmap --script smb-system-info TARGET_IP # SNMP enumeration nmap --script snmp-info TARGET_IP nmap --script snmp-brute TARGET_IP nmap --script snmp-communities TARGET_IP nmap --script snmp-hh3c-logins TARGET_IP nmap --script snmp-interfaces TARGET_IP nmap --script snmp-ios-config TARGET_IP nmap --script snmp-netstat TARGET_IP nmap --script snmp-processes TARGET_IP nmap --script snmp-public TARGET_IP nmap --script snmp-sysdescr TARGET_IP nmap --script snmp-win32-services TARGET_IP nmap --script snmp-win32-shares TARGET_IP nmap --script snmp-win32-software TARGET_IP nmap --script snmp-win32-users TARGET_IP # DNS enumeration nmap --script dns-brute TARGET_IP nmap --script dns-cache-snoop TARGET_IP nmap --script dns-client-subnet-scan TARGET_IP nmap --script dns-fingerprint TARGET_IP nmap --script dns-ip6-arpa-scan TARGET_IP nmap --script dns-nsec3-enum TARGET_IP nmap --script dns-nsec-enum TARGET_IP nmap --script dns-random-srcport TARGET_IP nmap --script dns-random-txid TARGET_IP nmap --script dns-recursion TARGET_IP nmap --script dns-service-discovery TARGET_IP nmap --script dns-srv-enum TARGET_IP nmap --script dns-zone-transfer TARGET_IP # FTP enumeration nmap --script ftp-anon TARGET_IP nmap --script ftp-bounce TARGET_IP nmap --script ftp-brute TARGET_IP nmap --script ftp-libopie TARGET_IP nmap --script ftp-proftpd-backdoor TARGET_IP nmap --script ftp-syst TARGET_IP nmap --script ftp-vsftpd-backdoor TARGET_IP nmap --script ftp-vuln-cve2010-4221 TARGET_IP # SSH enumeration nmap --script ssh-hostkey TARGET_IP nmap --script ssh-brute TARGET_IP nmap --script ssh-publickey-acceptance TARGET_IP nmap --script ssh-run TARGET_IP nmap --script ssh2-enum-algos TARGET_IP nmap --script sshv1 TARGET_IP # SMTP enumeration nmap --script smtp-commands 
TARGET_IP nmap --script smtp-enum-users TARGET_IP nmap --script smtp-ntlm-info TARGET_IP nmap --script smtp-open-relay TARGET_IP nmap --script smtp-strangeport TARGET_IP nmap --script smtp-vuln-cve2010-4344 TARGET_IP nmap --script smtp-vuln-cve2011-1720 TARGET_IP nmap --script smtp-vuln-cve2011-1764 TARGET_IP Masscan Basic Network Scanning # Basic port scan masscan -p80,443 TARGET_NETWORK # Scan all ports masscan -p0-65535 TARGET_NETWORK # Scan common ports masscan -p1-1000 TARGET_NETWORK # Scan specific ports masscan -p22,80,443,8080,8443 TARGET_NETWORK # Scan with rate limit masscan -p80,443 --rate=1000 TARGET_NETWORK # Scan with output file masscan -p80,443 -oG results.txt TARGET_NETWORK # Scan with XML output masscan -p80,443 -oX results.xml TARGET_NETWORK # Scan with JSON output masscan -p80,443 -oJ results.json TARGET_NETWORK # Scan with binary output masscan -p80,443 -oB results.bin TARGET_NETWORK Advanced Masscan Options # Stealth scan masscan -p80,443 --rate=100 TARGET_NETWORK # Randomize hosts masscan -p80,443 --randomize-hosts TARGET_NETWORK # Randomize ports masscan -p80,443 --randomize-ports TARGET_NETWORK # Adapter selection masscan -p80,443 --adapter eth0 TARGET_NETWORK # Source IP masscan -p80,443 --source-ip 192.168.1.100 TARGET_NETWORK # Source port masscan -p80,443 --source-port 40000 TARGET_NETWORK # Banner grab masscan -p80,443 --banners TARGET_NETWORK # Ping scan masscan --ping TARGET_NETWORK # ARP scan masscan --arp TARGET_NETWORK # ICMP scan masscan --icmp TARGET_NETWORK Zmap Basic Network Scanning # Basic port scan zmap -p 80 TARGET_NETWORK # Scan multiple ports zmap -p 80,443 TARGET_NETWORK # Scan port range zmap -p 80-443 TARGET_NETWORK # Scan with rate limit zmap -p 80 --rate=1000 TARGET_NETWORK # Scan with bandwidth limit zmap -p 80 --bandwidth=10M TARGET_NETWORK # Scan with output file zmap -p 80 -o results.txt TARGET_NETWORK # Scan with JSON output zmap -p 80 -o results.json TARGET_NETWORK # Scan with CSV output zmap -p 80 -o 
results.csv TARGET_NETWORK # Scan with binary output zmap -p 80 -o results.bin TARGET_NETWORK Advanced Zmap Options # Stealth scan zmap -p 80 --rate=100 TARGET_NETWORK # Randomize targets zmap -p 80 --shards=1/1 TARGET_NETWORK # Blacklist file zmap -p 80 --blacklist-file=blacklist.txt TARGET_NETWORK # Whitelist file zmap -p 80 --whitelist-file=whitelist.txt TARGET_NETWORK # Source IP zmap -p 80 --source-ip=192.168.1.100 TARGET_NETWORK # Source port zmap -p 80 --source-port=40000 TARGET_NETWORK # Interface selection zmap -p 80 --interface=eth0 TARGET_NETWORK # Gateway MAC zmap -p 80 --gateway-mac=00:11:22:33:44:55 TARGET_NETWORK # Probe module zmap -p 80 --probe-module=tcp_synscan TARGET_NETWORK # Output module zmap -p 80 --output-module=json TARGET_NETWORK Custom Scripts Python Network Scanner import socket import threading import queue import time import ipaddress def network_scanner(target, ports, threads=10, delay=0): def worker(): while True: try: port = ports.get() if port is None: break sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(1) result = sock.connect_ex((target, port)) if result == 0: print(f"[OPEN] {target}:{port}") sock.close() time.sleep(delay) except Exception as e: pass finally: ports.task_done() # Start threads for i in range(threads): t = threading.Thread(target=worker) t.daemon = True t.start() # Add ports to queue for port in range(1, 65536): ports.put(port) # Wait for completion ports.join() # Usage target = "TARGET_IP" ports = queue.Queue() network_scanner(target, ports, threads=100, delay=0.01) Bash Network Scanner #!/bin/bash TARGET_IP="TARGET_IP" THREADS=10 # Function to check port check_port() { local port=$1 local target=$2 if timeout 1 bash -c "echo >/dev/tcp/$target/$port" 2>/dev/null; then echo "[OPEN] $target:$port" fi } # Export function for parallel export -f check_port export TARGET_IP # Run parallel port check seq 1 65535 | parallel -j "$THREADS" check_port {} "$TARGET_IP" Network Discovery ARP Scanning 
# ARP scan arp-scan -l # ARP scan with interface arp-scan -I eth0 -l # ARP scan with output arp-scan -l -o results.txt # ARP scan with verbose arp-scan -l -v # ARP scan with quiet arp-scan -l -q # ARP scan with timeout arp-scan -l -t 1000 # ARP scan with retries arp-scan -l -r 3 # ARP scan with random arp-scan -l --random # ARP scan with local arp-scan -l --local ICMP Scanning # ICMP ping ping -c 4 TARGET_IP # ICMP ping with timestamp ping -D TARGET_IP # ICMP ping with flood ping -f TARGET_IP # ICMP ping with interval ping -i 0.2 TARGET_IP # ICMP ping with size ping -s 1000 TARGET_IP # ICMP ping with TTL ping -t 64 TARGET_IP # ICMP ping with verbose ping -v TARGET_IP # ICMP ping with quiet ping -q TARGET_IP UDP Scanning # UDP scan with nmap nmap -sU TARGET_IP # UDP scan with specific ports nmap -sU -p 53,67,68,69,123,135,137,138,139,161,162,445,500,514,520,631,1434,1900,4500,49152 TARGET_IP # UDP scan with service detection nmap -sU -sV TARGET_IP # UDP scan with OS detection nmap -sU -O TARGET_IP # UDP scan with scripts nmap -sU --script vuln TARGET_IP Service Detection Banner Grabbing # Telnet banner grab telnet TARGET_IP 80 # Netcat banner grab nc TARGET_IP 80 # Nmap banner grab nmap -sV --script banner TARGET_IP # Curl banner grab curl -I http://TARGET_IP # Wget banner grab wget --spider -S http://TARGET_IP # OpenSSL banner grab openssl s_client -connect TARGET_IP:443 # SMTP banner grab nc TARGET_IP 25 # FTP banner grab nc TARGET_IP 21 # SSH banner grab nc TARGET_IP 22 Service Enumeration # HTTP service enumeration nmap --script http-enum TARGET_IP nmap --script http-headers TARGET_IP nmap --script http-methods TARGET_IP nmap --script http-robots.txt TARGET_IP nmap --script http-sitemap-generator TARGET_IP nmap --script http-title TARGET_IP nmap --script http-vhosts TARGET_IP # SMB service enumeration nmap --script smb-enum-shares TARGET_IP nmap --script smb-enum-users TARGET_IP nmap --script smb-enum-groups TARGET_IP nmap --script smb-enum-domains TARGET_IP 
nmap --script smb-os-discovery TARGET_IP nmap --script smb-protocols TARGET_IP nmap --script smb-security-mode TARGET_IP nmap --script smb-system-info TARGET_IP # SNMP service enumeration nmap --script snmp-info TARGET_IP nmap --script snmp-brute TARGET_IP nmap --script snmp-communities TARGET_IP nmap --script snmp-hh3c-logins TARGET_IP nmap --script snmp-interfaces TARGET_IP nmap --script snmp-ios-config TARGET_IP nmap --script snmp-netstat TARGET_IP nmap --script snmp-processes TARGET_IP nmap --script snmp-public TARGET_IP nmap --script snmp-sysdescr TARGET_IP nmap --script snmp-win32-services TARGET_IP nmap --script snmp-win32-shares TARGET_IP nmap --script snmp-win32-software TARGET_IP nmap --script snmp-win32-users TARGET_IP Best Practices Rate Limiting # Add delay between requests nmap -T2 TARGET_IP # Use fewer threads nmap -T1 TARGET_IP # Use a proxy chain (note: --proxies is a chain, not rotation, and Nmap applies it only to NSE scripts and version detection, not to the host-discovery or port-scan phases, so the -sS probes still originate from your own address) nmap -sS --proxies http://proxy1:8080,http://proxy2:8080 TARGET_IP Stealth Mode # Use normal timing with randomized host order (-T3 is the Normal template, as listed above) nmap -T3 --randomize-hosts TARGET_IP # Use fragment packets nmap -sS -f TARGET_IP # Use decoy scans nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP # Use source port spoofing nmap -sS --source-port 53 TARGET_IP Output Analysis # Save results to file nmap -oN results.txt TARGET_IP # Filter by port status grep "open" results.txt grep "filtered" results.txt grep "closed" results.txt # Filter by service grep "http" results.txt grep "ssh" results.txt grep "ftp" results.txt grep "smb" results.txt grep "snmp" results.txt Troubleshooting Common Issues # Connection timeout nmap -T1 TARGET_IP # Too many requests nmap -T0 TARGET_IP # Invalid target nmap -sn TARGET_NETWORK # Permission denied sudo nmap -sS TARGET_IP Performance Optimization # Use appropriate timing nmap -T4 TARGET_IP # Use smaller port ranges nmap -p 1-1000 TARGET_IP # Use specific scripts nmap --script vuln TARGET_IP Legal and Ethical Considerations: always obtain proper authorization before testing; respect rate limits and server resources; use appropriate 
tools for the target; document findings properly; follow responsible disclosure practices.


Port Scanning Tools

Port Scanning Tools Comprehensive collection of port scanning tools and techniques for network reconnaissance and penetration testing. Nmap Port Scanning Basic Port Scanning # TCP SYN scan nmap -sS TARGET_IP # TCP connect scan nmap -sT TARGET_IP # UDP scan nmap -sU TARGET_IP # TCP ACK scan nmap -sA TARGET_IP # TCP FIN scan nmap -sF TARGET_IP # TCP NULL scan nmap -sN TARGET_IP # TCP XMAS scan nmap -sX TARGET_IP # TCP Maimon scan nmap -sM TARGET_IP # TCP Window scan nmap -sW TARGET_IP # TCP Idle scan nmap -sI ZOMBIE_IP TARGET_IP Advanced Port Scanning # Comprehensive scan nmap -sS -sU -O -A -v TARGET_IP # Stealth scan nmap -sS -f TARGET_IP # Fragment packets nmap -sS -f -D RND:10 TARGET_IP # Decoy scan nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP # Source port scan nmap -sS --source-port 53 TARGET_IP # Timing template nmap -T0 TARGET_IP # Paranoid nmap -T1 TARGET_IP # Sneaky nmap -T2 TARGET_IP # Polite nmap -T3 TARGET_IP # Normal nmap -T4 TARGET_IP # Aggressive nmap -T5 TARGET_IP # Insane # Port range nmap -p 1-1000 TARGET_IP nmap -p 80,443,8080,8443 TARGET_IP nmap -p- TARGET_IP # All ports # Service detection nmap -sV TARGET_IP # OS detection nmap -O TARGET_IP # Script scanning nmap -sC TARGET_IP Port Scanning Techniques # SYN scan (stealth) nmap -sS TARGET_IP # Connect scan (reliable) nmap -sT TARGET_IP # UDP scan (slow but necessary) nmap -sU TARGET_IP # ACK scan (firewall detection) nmap -sA TARGET_IP # FIN scan (stealth) nmap -sF TARGET_IP # NULL scan (stealth) nmap -sN TARGET_IP # XMAS scan (stealth) nmap -sX TARGET_IP # Maimon scan (stealth) nmap -sM TARGET_IP # Window scan (stealth) nmap -sW TARGET_IP # Idle scan (stealth) nmap -sI ZOMBIE_IP TARGET_IP Masscan Basic Port Scanning # Basic port scan masscan -p80,443 TARGET_NETWORK # Scan all ports masscan -p0-65535 TARGET_NETWORK # Scan common ports masscan -p1-1000 TARGET_NETWORK # Scan specific ports masscan -p22,80,443,8080,8443 TARGET_NETWORK # Scan with rate limit masscan -p80,443 --rate=1000 TARGET_NETWORK # 
Scan with output file masscan -p80,443 -oG results.txt TARGET_NETWORK # Scan with XML output masscan -p80,443 -oX results.xml TARGET_NETWORK # Scan with JSON output masscan -p80,443 -oJ results.json TARGET_NETWORK # Scan with binary output masscan -p80,443 -oB results.bin TARGET_NETWORK Advanced Masscan Options # Stealth scan masscan -p80,443 --rate=100 TARGET_NETWORK # Randomize hosts masscan -p80,443 --randomize-hosts TARGET_NETWORK # Randomize ports masscan -p80,443 --randomize-ports TARGET_NETWORK # Adapter selection masscan -p80,443 --adapter eth0 TARGET_NETWORK # Source IP masscan -p80,443 --source-ip 192.168.1.100 TARGET_NETWORK # Source port masscan -p80,443 --source-port 40000 TARGET_NETWORK # Banner grab masscan -p80,443 --banners TARGET_NETWORK # Ping scan masscan --ping TARGET_NETWORK # ARP scan masscan --arp TARGET_NETWORK # ICMP scan masscan --icmp TARGET_NETWORK Zmap Basic Port Scanning # Basic port scan zmap -p 80 TARGET_NETWORK # Scan multiple ports zmap -p 80,443 TARGET_NETWORK # Scan port range zmap -p 80-443 TARGET_NETWORK # Scan with rate limit zmap -p 80 --rate=1000 TARGET_NETWORK # Scan with bandwidth limit zmap -p 80 --bandwidth=10M TARGET_NETWORK # Scan with output file zmap -p 80 -o results.txt TARGET_NETWORK # Scan with JSON output zmap -p 80 -o results.json TARGET_NETWORK # Scan with CSV output zmap -p 80 -o results.csv TARGET_NETWORK # Scan with binary output zmap -p 80 -o results.bin TARGET_NETWORK Advanced Zmap Options # Stealth scan zmap -p 80 --rate=100 TARGET_NETWORK # Randomize targets zmap -p 80 --shards=1/1 TARGET_NETWORK # Blacklist file zmap -p 80 --blacklist-file=blacklist.txt TARGET_NETWORK # Whitelist file zmap -p 80 --whitelist-file=whitelist.txt TARGET_NETWORK # Source IP zmap -p 80 --source-ip=192.168.1.100 TARGET_NETWORK # Source port zmap -p 80 --source-port=40000 TARGET_NETWORK # Interface selection zmap -p 80 --interface=eth0 TARGET_NETWORK # Gateway MAC zmap -p 80 --gateway-mac=00:11:22:33:44:55 TARGET_NETWORK # 
Probe module zmap -p 80 --probe-module=tcp_synscan TARGET_NETWORK # Output module zmap -p 80 --output-module=json TARGET_NETWORK Custom Port Scanners Python Port Scanner import socket import threading import queue import time import ipaddress def port_scanner(target, ports, threads=10, delay=0): def worker(): while True: try: port = ports.get() if port is None: break sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(1) result = sock.connect_ex((target, port)) if result == 0: print(f"[OPEN] {target}:{port}") sock.close() time.sleep(delay) except Exception as e: pass finally: ports.task_done() # Start threads for i in range(threads): t = threading.Thread(target=worker) t.daemon = True t.start() # Add ports to queue for port in range(1, 65536): ports.put(port) # Wait for completion ports.join() # Usage target = "TARGET_IP" ports = queue.Queue() port_scanner(target, ports, threads=100, delay=0.01) Bash Port Scanner #!/bin/bash TARGET_IP="TARGET_IP" THREADS=10 # Function to check port check_port() { local port=$1 local target=$2 if timeout 1 bash -c "echo >/dev/tcp/$target/$port" 2>/dev/null; then echo "[OPEN] $target:$port" fi } # Export function for parallel export -f check_port export TARGET_IP # Run parallel port check seq 1 65535 | parallel -j "$THREADS" check_port {} "$TARGET_IP" Port Scanning Techniques TCP Scanning # SYN scan (stealth) nmap -sS TARGET_IP # Connect scan (reliable) nmap -sT TARGET_IP # ACK scan (firewall detection) nmap -sA TARGET_IP # FIN scan (stealth) nmap -sF TARGET_IP # NULL scan (stealth) nmap -sN TARGET_IP # XMAS scan (stealth) nmap -sX TARGET_IP # Maimon scan (stealth) nmap -sM TARGET_IP # Window scan (stealth) nmap -sW TARGET_IP # Idle scan (stealth) nmap -sI ZOMBIE_IP TARGET_IP UDP Scanning # UDP scan nmap -sU TARGET_IP # UDP scan with specific ports nmap -sU -p 53,67,68,69,123,135,137,138,139,161,162,445,500,514,520,631,1434,1900,4500,49152 TARGET_IP # UDP scan with service detection nmap -sU -sV TARGET_IP # UDP 
scan with OS detection nmap -sU -O TARGET_IP # UDP scan with scripts nmap -sU --script vuln TARGET_IP ICMP Scanning # ICMP ping ping -c 4 TARGET_IP # ICMP ping with timestamp ping -D TARGET_IP # ICMP ping with flood ping -f TARGET_IP # ICMP ping with interval ping -i 0.2 TARGET_IP # ICMP ping with size ping -s 1000 TARGET_IP # ICMP ping with TTL ping -t 64 TARGET_IP # ICMP ping with verbose ping -v TARGET_IP # ICMP ping with quiet ping -q TARGET_IP Service Detection Banner Grabbing # Telnet banner grab telnet TARGET_IP 80 # Netcat banner grab nc TARGET_IP 80 # Nmap banner grab nmap -sV --script banner TARGET_IP # Curl banner grab curl -I http://TARGET_IP # Wget banner grab wget --spider -S http://TARGET_IP # OpenSSL banner grab openssl s_client -connect TARGET_IP:443 # SMTP banner grab nc TARGET_IP 25 # FTP banner grab nc TARGET_IP 21 # SSH banner grab nc TARGET_IP 22 Service Enumeration # HTTP service enumeration nmap --script http-enum TARGET_IP nmap --script http-headers TARGET_IP nmap --script http-methods TARGET_IP nmap --script http-robots.txt TARGET_IP nmap --script http-sitemap-generator TARGET_IP nmap --script http-title TARGET_IP nmap --script http-vhosts TARGET_IP # SMB service enumeration nmap --script smb-enum-shares TARGET_IP nmap --script smb-enum-users TARGET_IP nmap --script smb-enum-groups TARGET_IP nmap --script smb-enum-domains TARGET_IP nmap --script smb-os-discovery TARGET_IP nmap --script smb-protocols TARGET_IP nmap --script smb-security-mode TARGET_IP nmap --script smb-system-info TARGET_IP # SNMP service enumeration nmap --script snmp-info TARGET_IP nmap --script snmp-brute TARGET_IP nmap --script snmp-communities TARGET_IP nmap --script snmp-hh3c-logins TARGET_IP nmap --script snmp-interfaces TARGET_IP nmap --script snmp-ios-config TARGET_IP nmap --script snmp-netstat TARGET_IP nmap --script snmp-processes TARGET_IP nmap --script snmp-public TARGET_IP nmap --script snmp-sysdescr TARGET_IP nmap --script snmp-win32-services TARGET_IP nmap 
--script snmp-win32-shares TARGET_IP nmap --script snmp-win32-software TARGET_IP nmap --script snmp-win32-users TARGET_IP Port Scanning Scripts Nmap Scripts # Vulnerability scripts nmap --script vuln TARGET_IP # Safe scripts nmap --script safe TARGET_IP # Auth scripts nmap --script auth TARGET_IP # Discovery scripts nmap --script discovery TARGET_IP # Exploit scripts nmap --script exploit TARGET_IP # Malware scripts nmap --script malware TARGET_IP # Intrusive scripts nmap --script intrusive TARGET_IP # Version scripts nmap --script version TARGET_IP # Multiple script categories nmap --script vuln,exploit TARGET_IP Custom Scripts # HTTP enumeration script nmap --script http-enum TARGET_IP # SMB enumeration script nmap --script smb-enum-shares TARGET_IP # SNMP enumeration script nmap --script snmp-info TARGET_IP # DNS enumeration script nmap --script dns-brute TARGET_IP # FTP enumeration script nmap --script ftp-anon TARGET_IP # SSH enumeration script nmap --script ssh-hostkey TARGET_IP # SMTP enumeration script nmap --script smtp-commands TARGET_IP Best Practices Rate Limiting # Add delay between requests nmap -T2 TARGET_IP # Use fewer threads nmap -T1 TARGET_IP # Use a proxy chain (note: --proxies is a chain, not rotation, and Nmap applies it only to NSE scripts and version detection, not to the host-discovery or port-scan phases, so the -sS probes still originate from your own address) nmap -sS --proxies http://proxy1:8080,http://proxy2:8080 TARGET_IP Stealth Mode # Use normal timing with randomized host order (-T3 is the Normal template, as listed above) nmap -T3 --randomize-hosts TARGET_IP # Use fragment packets nmap -sS -f TARGET_IP # Use decoy scans nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP # Use source port spoofing nmap -sS --source-port 53 TARGET_IP Output Analysis # Save results to file nmap -oN results.txt TARGET_IP # Filter by port status grep "open" results.txt grep "filtered" results.txt grep "closed" results.txt # Filter by service grep "http" results.txt grep "ssh" results.txt grep "ftp" results.txt grep "smb" results.txt grep "snmp" results.txt Troubleshooting Common Issues # Connection timeout nmap -T1 TARGET_IP # Too many requests nmap -T0 TARGET_IP # Invalid target nmap -sn TARGET_NETWORK # Permission denied sudo nmap -sS 
TARGET_IP Performance Optimization # Use appropriate timing nmap -T4 TARGET_IP # Use smaller port ranges nmap -p 1-1000 TARGET_IP # Use specific scripts nmap --script vuln TARGET_IP Legal and Ethical Considerations Always obtain proper authorization before testing. Respect rate limits and server resources. Use appropriate tools for the target. Document findings properly. Follow responsible disclosure practices.

1월 10, 2025 · 7 분

Service Enumeration Tools

Service Enumeration Tools Comprehensive collection of service enumeration tools and techniques for network reconnaissance and penetration testing. Banner Grabbing Basic Banner Grabbing # Telnet banner grab telnet TARGET_IP 80 telnet TARGET_IP 443 telnet TARGET_IP 21 telnet TARGET_IP 25 telnet TARGET_IP 22 # Netcat banner grab nc TARGET_IP 80 nc TARGET_IP 443 nc TARGET_IP 21 nc TARGET_IP 25 nc TARGET_IP 22 # Nmap banner grab nmap -sV --script banner TARGET_IP # Curl banner grab curl -I http://TARGET_IP curl -I https://TARGET_IP # Wget banner grab wget --spider -S http://TARGET_IP wget --spider -S https://TARGET_IP # OpenSSL banner grab openssl s_client -connect TARGET_IP:443 openssl s_client -connect TARGET_IP:993 openssl s_client -connect TARGET_IP:995 # SMTP banner grab nc TARGET_IP 25 nc TARGET_IP 587 nc TARGET_IP 465 # FTP banner grab nc TARGET_IP 21 nc TARGET_IP 990 # SSH banner grab nc TARGET_IP 22 Advanced Banner Grabbing # HTTP banner grab with headers curl -I -H "User-Agent: Mozilla/5.0" http://TARGET_IP # HTTPS banner grab with headers curl -I -H "User-Agent: Mozilla/5.0" https://TARGET_IP # HTTP banner grab with custom headers curl -I -H "User-Agent: CustomAgent" -H "Accept: */*" http://TARGET_IP # HTTPS banner grab with custom headers curl -I -H "User-Agent: CustomAgent" -H "Accept: */*" https://TARGET_IP # HTTP banner grab with proxy curl -I --proxy http://proxy:8080 http://TARGET_IP # HTTPS banner grab with proxy curl -I --proxy http://proxy:8080 https://TARGET_IP # HTTP banner grab with timeout curl -I --connect-timeout 10 http://TARGET_IP # HTTPS banner grab with timeout curl -I --connect-timeout 10 https://TARGET_IP # HTTP banner grab with verbose curl -I -v http://TARGET_IP # HTTPS banner grab with verbose curl -I -v https://TARGET_IP Version Detection Nmap Version Detection # Basic version detection nmap -sV TARGET_IP # Version detection with specific ports nmap -sV -p 80,443,8080,8443 TARGET_IP # Version detection with all ports nmap -sV -p- 
TARGET_IP # Version detection with intensity nmap -sV --version-intensity 9 TARGET_IP # Version detection with light intensity nmap -sV --version-intensity 1 TARGET_IP # Version detection with all probes nmap -sV --version-all TARGET_IP # Version detection with trace nmap -sV --version-trace TARGET_IP # Version detection with debug nmap -sV --version-debug TARGET_IP # Version detection with verbose nmap -sV -v TARGET_IP Advanced Version Detection # Version detection with OS detection nmap -sV -O TARGET_IP # Version detection with script scanning nmap -sV -sC TARGET_IP # Version detection with custom scripts nmap -sV --script vuln TARGET_IP # Version detection with output file nmap -sV -oN results.txt TARGET_IP # Version detection with XML output nmap -sV -oX results.xml TARGET_IP # Version detection with JSON output nmap -sV -oJ results.json TARGET_IP # Version detection with grep output nmap -sV -oG results.grep TARGET_IP # Version detection with all formats nmap -sV -oA results TARGET_IP Service-Specific Enumeration HTTP Service Enumeration # HTTP enumeration nmap --script http-enum TARGET_IP nmap --script http-headers TARGET_IP nmap --script http-methods TARGET_IP nmap --script http-robots.txt TARGET_IP nmap --script http-sitemap-generator TARGET_IP nmap --script http-title TARGET_IP nmap --script http-vhosts TARGET_IP # HTTP authentication nmap --script http-auth TARGET_IP nmap --script http-auth-finder TARGET_IP nmap --script http-brute TARGET_IP nmap --script http-form-brute TARGET_IP nmap --script http-form-fuzzer TARGET_IP # HTTP vulnerabilities nmap --script http-vuln-cve2010-0738 TARGET_IP nmap --script http-vuln-cve2010-2861 TARGET_IP nmap --script http-vuln-cve2011-3192 TARGET_IP nmap --script http-vuln-cve2011-3368 TARGET_IP nmap --script http-vuln-cve2012-1823 TARGET_IP nmap --script http-vuln-cve2013-0156 TARGET_IP nmap --script http-vuln-cve2013-6786 TARGET_IP nmap --script http-vuln-cve2014-2126 TARGET_IP nmap --script http-vuln-cve2014-2127 
TARGET_IP nmap --script http-vuln-cve2014-2128 TARGET_IP nmap --script http-vuln-cve2014-2129 TARGET_IP nmap --script http-vuln-cve2014-2130 TARGET_IP nmap --script http-vuln-cve2014-2131 TARGET_IP nmap --script http-vuln-cve2014-2132 TARGET_IP nmap --script http-vuln-cve2014-2133 TARGET_IP nmap --script http-vuln-cve2014-2134 TARGET_IP nmap --script http-vuln-cve2014-2135 TARGET_IP nmap --script http-vuln-cve2014-2136 TARGET_IP nmap --script http-vuln-cve2014-2137 TARGET_IP nmap --script http-vuln-cve2014-2138 TARGET_IP nmap --script http-vuln-cve2014-2139 TARGET_IP nmap --script http-vuln-cve2014-2140 TARGET_IP SMB Service Enumeration # SMB enumeration nmap --script smb-enum-shares TARGET_IP nmap --script smb-enum-users TARGET_IP nmap --script smb-enum-groups TARGET_IP nmap --script smb-enum-domains TARGET_IP nmap --script smb-os-discovery TARGET_IP nmap --script smb-protocols TARGET_IP nmap --script smb-security-mode TARGET_IP nmap --script smb-system-info TARGET_IP # SMB authentication nmap --script smb-brute TARGET_IP nmap --script smb-enum-sessions TARGET_IP # SMB vulnerabilities nmap --script smb-vuln-cve2009-3103 TARGET_IP nmap --script smb-vuln-cve2010-0476 TARGET_IP
SNMP Service Enumeration # SNMP enumeration nmap --script snmp-info TARGET_IP nmap --script snmp-brute TARGET_IP nmap --script snmp-communities TARGET_IP nmap --script snmp-hh3c-logins TARGET_IP nmap --script snmp-interfaces TARGET_IP nmap --script snmp-ios-config TARGET_IP nmap --script snmp-netstat TARGET_IP nmap --script snmp-processes TARGET_IP nmap --script snmp-public TARGET_IP nmap --script snmp-sysdescr TARGET_IP nmap --script snmp-win32-services TARGET_IP nmap --script snmp-win32-shares TARGET_IP nmap --script snmp-win32-software TARGET_IP nmap --script snmp-win32-users TARGET_IP # SNMP authentication nmap --script snmp-brute TARGET_IP nmap --script snmp-communities TARGET_IP nmap --script snmp-hh3c-logins TARGET_IP # SNMP vulnerabilities nmap --script snmp-vuln-cve2010-0476 TARGET_IP FTP Service Enumeration # FTP enumeration nmap --script ftp-anon TARGET_IP nmap
--script ftp-bounce TARGET_IP nmap --script ftp-brute TARGET_IP nmap --script ftp-libopie TARGET_IP nmap --script ftp-proftpd-backdoor TARGET_IP nmap --script ftp-syst TARGET_IP nmap --script ftp-vsftpd-backdoor TARGET_IP nmap --script ftp-vuln-cve2010-4221 TARGET_IP # FTP authentication nmap --script ftp-brute TARGET_IP nmap --script ftp-anon TARGET_IP # FTP vulnerabilities nmap --script ftp-vuln-cve2010-4221 TARGET_IP nmap --script ftp-proftpd-backdoor TARGET_IP nmap --script ftp-vsftpd-backdoor TARGET_IP SSH Service Enumeration # SSH enumeration nmap --script ssh-hostkey TARGET_IP nmap --script ssh-brute TARGET_IP nmap --script ssh-publickey-acceptance TARGET_IP nmap --script ssh-run TARGET_IP nmap --script ssh2-enum-algos TARGET_IP nmap --script sshv1 TARGET_IP # SSH authentication nmap --script ssh-brute TARGET_IP nmap --script ssh-publickey-acceptance TARGET_IP # SSH vulnerabilities nmap --script sshv1 TARGET_IP nmap --script ssh-hostkey TARGET_IP SMTP Service Enumeration # SMTP enumeration nmap --script smtp-commands TARGET_IP nmap --script smtp-enum-users TARGET_IP nmap --script smtp-ntlm-info TARGET_IP nmap --script smtp-open-relay TARGET_IP nmap --script smtp-strangeport TARGET_IP nmap --script smtp-vuln-cve2010-4344 TARGET_IP nmap --script smtp-vuln-cve2011-1720 TARGET_IP nmap --script smtp-vuln-cve2011-1764 TARGET_IP # SMTP authentication nmap --script smtp-enum-users TARGET_IP nmap --script smtp-brute TARGET_IP # SMTP vulnerabilities nmap --script smtp-vuln-cve2010-4344 TARGET_IP nmap --script smtp-vuln-cve2011-1720 TARGET_IP nmap --script smtp-vuln-cve2011-1764 TARGET_IP Custom Service Enumeration Python Service Enumeration import socket import threading import queue import time import requests def service_enumeration(target, ports, threads=10, delay=0): def worker(): while True: try: port = ports.get() if port is None: break # Check if port is open sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(1) result = 
sock.connect_ex((target, port)) if result == 0: # Try to grab banner try: if port == 80: response = requests.get(f'http://{target}', timeout=5) print(f"[HTTP] {target}:{port} - {response.headers.get('Server', 'Unknown')}") elif port == 443: response = requests.get(f'https://{target}', timeout=5, verify=False) print(f"[HTTPS] {target}:{port} - {response.headers.get('Server', 'Unknown')}") elif port == 21: sock.send(b'USER anonymous\r\n') banner = sock.recv(1024).decode('utf-8', errors='ignore') print(f"[FTP] {target}:{port} - {banner.strip()}") elif port == 22: banner = sock.recv(1024).decode('utf-8', errors='ignore') print(f"[SSH] {target}:{port} - {banner.strip()}") elif port == 25: banner = sock.recv(1024).decode('utf-8', errors='ignore') print(f"[SMTP] {target}:{port} - {banner.strip()}") else: print(f"[OPEN] {target}:{port}") except: print(f"[OPEN] {target}:{port}") sock.close() time.sleep(delay) except Exception as e: pass finally: ports.task_done() # Start threads for i in range(threads): t = threading.Thread(target=worker) t.daemon = True t.start() # Add ports to queue for port in range(1, 65536): ports.put(port) # Wait for completion ports.join() # Usage target = "TARGET_IP" ports = queue.Queue() service_enumeration(target, ports, threads=100, delay=0.01) Bash Service Enumeration #!/bin/bash TARGET_IP="TARGET_IP" THREADS=10 # Function to check service check_service() { local port=$1 local target=$2 if timeout 1 bash -c "echo >/dev/tcp/$target/$port" 2>/dev/null; then # Try to grab banner case $port in 80) banner=$(curl -s -I "http://$target" | grep -i "server:" | cut -d' ' -f2-) echo "[HTTP] $target:$port - $banner" ;; 443) banner=$(curl -s -I "https://$target" | grep -i "server:" | cut -d' ' -f2-) echo "[HTTPS] $target:$port - $banner" ;; 21) banner=$(echo "QUIT" | nc "$target" "$port" 2>/dev/null | head -1) echo "[FTP] $target:$port - $banner" ;; 22) banner=$(nc "$target" "$port" 2>/dev/null | head -1) echo "[SSH] $target:$port - $banner" ;; 25) 
banner=$(nc "$target" "$port" 2>/dev/null | head -1) echo "[SMTP] $target:$port - $banner" ;; *) echo "[OPEN] $target:$port" ;; esac fi } # Export function for parallel export -f check_service export TARGET_IP # Run parallel service check seq 1 65535 | parallel -j "$THREADS" check_service {} "$TARGET_IP" Best Practices Rate Limiting # Add delay between requests nmap -T2 TARGET_IP # Use fewer threads nmap -T1 TARGET_IP # Use proxy rotation nmap -sS --proxies http://proxy1:8080,http://proxy2:8080 TARGET_IP Stealth Mode # Use random timing nmap -T3 --randomize-hosts TARGET_IP # Use fragment packets nmap -sS -f TARGET_IP # Use decoy scans nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP # Use source port spoofing nmap -sS --source-port 53 TARGET_IP Output Analysis # Save results to file nmap -sV -oN results.txt TARGET_IP # Filter by service grep "http" results.txt grep "ssh" results.txt grep "ftp" results.txt grep "smb" results.txt grep "snmp" results.txt # Filter by version grep "Apache" results.txt grep "nginx" results.txt grep "IIS" results.txt grep "OpenSSH" results.txt grep "vsftpd" results.txt Troubleshooting Common Issues # Connection timeout nmap -T1 TARGET_IP # Too many requests nmap -T0 TARGET_IP # Invalid target nmap -sn TARGET_NETWORK # Permission denied sudo nmap -sS TARGET_IP Performance Optimization # Use appropriate timing nmap -T4 TARGET_IP # Use smaller port ranges nmap -p 1-1000 TARGET_IP # Use specific scripts nmap --script vuln TARGET_IP Legal and Ethical Considerations Always obtain proper authorization before testing Respect rate limits and server resources Use appropriate tools for the target Document findings properly Follow responsible disclosure practices

1월 10, 2025 · 8 분

Subdomain Enumeration Tools

Subdomain Enumeration Tools Comprehensive collection of subdomain enumeration tools and techniques for reconnaissance and web application security testing. Subfinder Basic Subdomain Enumeration # Basic subdomain enumeration subfinder -d TARGET_DOMAIN # With multiple domains subfinder -d TARGET_DOMAIN1,TARGET_DOMAIN2,TARGET_DOMAIN3 # With output file subfinder -d TARGET_DOMAIN -o results.txt # With JSON output subfinder -d TARGET_DOMAIN -o results.json -json # With verbose output subfinder -d TARGET_DOMAIN -v # With silent output subfinder -d TARGET_DOMAIN -silent # With threads subfinder -d TARGET_DOMAIN -t 50 # With timeout subfinder -d TARGET_DOMAIN -timeout 10 # With retries subfinder -d TARGET_DOMAIN -retries 3 Advanced Subfinder Options # With specific sources subfinder -d TARGET_DOMAIN -sources shodan,crtsh,passivetotal # With all sources subfinder -d TARGET_DOMAIN -all # With exclude sources subfinder -d TARGET_DOMAIN -exclude-sources shodan,crtsh # With config file subfinder -d TARGET_DOMAIN -config config.yaml # With proxy subfinder -d TARGET_DOMAIN -proxy http://127.0.0.1:8080 # With rate limit subfinder -d TARGET_DOMAIN -rate-limit 100 # With wildcard detection subfinder -d TARGET_DOMAIN -wildcard # With recursive enumeration subfinder -d TARGET_DOMAIN -recursive Amass Basic Subdomain Enumeration # Basic subdomain enumeration amass enum -d TARGET_DOMAIN # With multiple domains amass enum -d TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file amass enum -d TARGET_DOMAIN -o results.txt # With JSON output amass enum -d TARGET_DOMAIN -json results.json # With verbose output amass enum -d TARGET_DOMAIN -v # With silent output amass enum -d TARGET_DOMAIN -silent # With threads amass enum -d TARGET_DOMAIN -t 50 # With timeout amass enum -d TARGET_DOMAIN -timeout 10 Advanced Amass Options # With specific sources amass enum -d TARGET_DOMAIN -sources shodan,crtsh,passivetotal # With all sources amass enum -d TARGET_DOMAIN -all # With exclude sources amass enum -d 
TARGET_DOMAIN -exclude-sources shodan,crtsh # With config file amass enum -d TARGET_DOMAIN -config config.yaml # With proxy amass enum -d TARGET_DOMAIN -proxy http://127.0.0.1:8080 # With rate limit amass enum -d TARGET_DOMAIN -rate-limit 100 # With wildcard detection amass enum -d TARGET_DOMAIN -wildcard # With recursive enumeration amass enum -d TARGET_DOMAIN -recursive # With brute force amass enum -d TARGET_DOMAIN -brute # With wordlist amass enum -d TARGET_DOMAIN -w wordlist.txt Assetfinder Basic Subdomain Enumeration # Basic subdomain enumeration assetfinder TARGET_DOMAIN # With multiple domains assetfinder TARGET_DOMAIN1 TARGET_DOMAIN2 TARGET_DOMAIN3 # With output file assetfinder TARGET_DOMAIN > results.txt # With subs-only assetfinder --subs-only TARGET_DOMAIN # With alive check assetfinder --alive TARGET_DOMAIN # With verbose output assetfinder -v TARGET_DOMAIN Sublist3r Basic Subdomain Enumeration # Basic subdomain enumeration sublist3r -d TARGET_DOMAIN # With multiple domains sublist3r -d TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file sublist3r -d TARGET_DOMAIN -o results.txt # With verbose output sublist3r -d TARGET_DOMAIN -v # With threads sublist3r -d TARGET_DOMAIN -t 50 # With timeout sublist3r -d TARGET_DOMAIN -t 10 # With specific engines sublist3r -d TARGET_DOMAIN -e google,yahoo,bing # With all engines sublist3r -d TARGET_DOMAIN -e all # With exclude engines sublist3r -d TARGET_DOMAIN -e google,yahoo -x bing,duckduckgo DNSrecon Basic DNS Enumeration # Basic DNS enumeration dnsrecon -d TARGET_DOMAIN # With multiple domains dnsrecon -d TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file dnsrecon -d TARGET_DOMAIN -o results.txt # With JSON output dnsrecon -d TARGET_DOMAIN -j results.json # With verbose output dnsrecon -d TARGET_DOMAIN -v # With threads dnsrecon -d TARGET_DOMAIN -t 50 # With timeout dnsrecon -d TARGET_DOMAIN -t 10 # With specific record types dnsrecon -d TARGET_DOMAIN -t A,AAAA,CNAME,MX,NS,SOA,TXT # With all record types dnsrecon -d 
TARGET_DOMAIN -t all # With brute force dnsrecon -d TARGET_DOMAIN -b # With wordlist dnsrecon -d TARGET_DOMAIN -w wordlist.txt Fierce Basic Subdomain Enumeration # Basic subdomain enumeration fierce -dns TARGET_DOMAIN # With multiple domains fierce -dns TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file fierce -dns TARGET_DOMAIN -file results.txt # With verbose output fierce -dns TARGET_DOMAIN -verbose # With threads fierce -dns TARGET_DOMAIN -threads 50 # With timeout fierce -dns TARGET_DOMAIN -timeout 10 # With wordlist fierce -dns TARGET_DOMAIN -wordlist wordlist.txt # With range fierce -dns TARGET_DOMAIN -range 192.168.1.0/24 # With delay fierce -dns TARGET_DOMAIN -delay 1 DNSenum Basic DNS Enumeration # Basic DNS enumeration dnsenum TARGET_DOMAIN # With multiple domains dnsenum TARGET_DOMAIN1 TARGET_DOMAIN2 # With output file dnsenum TARGET_DOMAIN -o results.txt # With verbose output dnsenum TARGET_DOMAIN -v # With threads dnsenum TARGET_DOMAIN -t 50 # With timeout dnsenum TARGET_DOMAIN -t 10 # With wordlist dnsenum TARGET_DOMAIN -w wordlist.txt # With range dnsenum TARGET_DOMAIN -r 192.168.1.0/24 # With delay dnsenum TARGET_DOMAIN -d 1 Custom Scripts Python Subdomain Enumeration import requests import threading import queue import time import dns.resolver def subdomain_enumeration(domain, wordlist, threads=10, delay=0): def worker(): while True: try: subdomain = wordlist.get() if subdomain is None: break full_domain = f"{subdomain}.{domain}" # DNS resolution try: dns.resolver.resolve(full_domain, 'A') print(f"[DNS] {full_domain}") except: pass # HTTP check try: response = requests.get(f"http://{full_domain}", timeout=5) print(f"[HTTP] {full_domain} - {response.status_code}") except: pass # HTTPS check try: response = requests.get(f"https://{full_domain}", timeout=5) print(f"[HTTPS] {full_domain} - {response.status_code}") except: pass time.sleep(delay) except Exception as e: pass finally: wordlist.task_done() # Start threads for i in range(threads): t = 
threading.Thread(target=worker) t.daemon = True t.start() # Add subdomains to queue with open(wordlist_file, 'r') as f: for line in f: wordlist.put(line.strip()) # Wait for completion wordlist.join() # Usage domain = "TARGET_DOMAIN" wordlist_file = "/usr/share/wordlists/subdomains.txt" wordlist = queue.Queue() subdomain_enumeration(domain, wordlist, threads=20, delay=0.1) Bash Subdomain Enumeration #!/bin/bash DOMAIN="TARGET_DOMAIN" WORDLIST="/usr/share/wordlists/subdomains.txt" THREADS=10 # Function to check subdomain check_subdomain() { local subdomain=$1 local full_domain="${subdomain}.${DOMAIN}" # DNS resolution if nslookup "$full_domain" > /dev/null 2>&1; then echo "[DNS] $full_domain" fi # HTTP check if curl -s -o /dev/null -w "%{http_code}" "http://$full_domain" | grep -q "200\|301\|302\|403\|401"; then echo "[HTTP] $full_domain" fi # HTTPS check if curl -s -o /dev/null -w "%{http_code}" "https://$full_domain" | grep -q "200\|301\|302\|403\|401"; then echo "[HTTPS] $full_domain" fi } # Export function for parallel export -f check_subdomain export DOMAIN # Run parallel subdomain check cat "$WORDLIST" | parallel -j "$THREADS" check_subdomain {} Wordlists Common Subdomain Wordlists # SecLists subdomain wordlists /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt /usr/share/wordlists/SecLists/Discovery/DNS/dns-Jhaddix.txt # Custom subdomain wordlists /usr/share/wordlists/custom/subdomains.txt /usr/share/wordlists/custom/api-subdomains.txt /usr/share/wordlists/custom/admin-subdomains.txt # Generate custom wordlists echo "www,mail,ftp,admin,api,dev,test,staging,prod" | tr ',' '\n' > custom_subdomains.txt Creating Custom Wordlists # Extract subdomains from certificate transparency logs curl -s "https://crt.sh/?q=%.TARGET_DOMAIN&output=json" | jq -r '.[].name_value' | sort -u > crt_subdomains.txt # Extract subdomains from DNS records dig @8.8.8.8 TARGET_DOMAIN ANY 
| grep -oP 'IN\s+\w+\s+\K[^\s]+' | sort -u > dns_subdomains.txt # Combine multiple wordlists cat wordlist1.txt wordlist2.txt wordlist3.txt | sort -u > combined_wordlist.txt # Remove empty lines and duplicates grep -v '^$' wordlist.txt | sort -u > clean_wordlist.txt API-based Enumeration Shodan API # Using Shodan CLI shodan domain TARGET_DOMAIN # Using Shodan API curl -s "https://api.shodan.io/dns/domain/TARGET_DOMAIN?key=YOUR_API_KEY" | jq -r '.data[].subdomain' | sort -u Censys API # Using Censys API curl -s "https://censys.io/api/v1/search/certificates" \ -H "Authorization: Basic YOUR_API_KEY" \ -d '{"query": "TARGET_DOMAIN", "fields": ["parsed.names"]}' | jq -r '.result.hits[].parsed.names[]' | sort -u VirusTotal API # Using VirusTotal API curl -s "https://www.virustotal.com/vtapi/v2/domain/report" \ -d "apikey=YOUR_API_KEY" \ -d "domain=TARGET_DOMAIN" | jq -r '.subdomains[]' | sort -u Passive vs Active Enumeration Passive Enumeration # Using only passive sources subfinder -d TARGET_DOMAIN -sources crtsh,passivetotal,shodan # Using only passive DNS dnsrecon -d TARGET_DOMAIN -t A,AAAA,CNAME,MX,NS,SOA,TXT # Using only certificate transparency curl -s "https://crt.sh/?q=%.TARGET_DOMAIN&output=json" | jq -r '.[].name_value' | sort -u Active Enumeration # Using brute force amass enum -d TARGET_DOMAIN -brute # Using wordlist subfinder -d TARGET_DOMAIN -w wordlist.txt # Using recursive enumeration subfinder -d TARGET_DOMAIN -recursive Best Practices Rate Limiting # Add delay between requests subfinder -d TARGET_DOMAIN -rate-limit 100 # Use fewer threads subfinder -d TARGET_DOMAIN -t 10 # Use proxy rotation subfinder -d TARGET_DOMAIN -proxy http://proxy1:8080 Stealth Mode # Use random user agents subfinder -d TARGET_DOMAIN -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" # Use realistic delays subfinder -d TARGET_DOMAIN -rate-limit 50 # Use smaller wordlists subfinder -d TARGET_DOMAIN -w 
/usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt Output Analysis # Save results to file subfinder -d TARGET_DOMAIN -o results.txt # Filter by status code grep "200" results.txt grep "403" results.txt grep "301\|302" results.txt # Sort by response size sort -k3 -n results.txt Troubleshooting Common Issues # Connection timeout subfinder -d TARGET_DOMAIN -t 5 # Too many requests subfinder -d TARGET_DOMAIN -rate-limit 50 # Invalid SSL certificate subfinder -d TARGET_DOMAIN -k # Authentication required subfinder -d TARGET_DOMAIN -u admin -p password Performance Optimization # Use appropriate thread count subfinder -d TARGET_DOMAIN -t 20 # Use smaller wordlists for initial scan subfinder -d TARGET_DOMAIN -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt # Use specific sources subfinder -d TARGET_DOMAIN -sources crtsh,passivetotal Legal and Ethical Considerations Always obtain proper authorization before testing. Respect rate limits and server resources. Use appropriate wordlists for the target. Document findings properly. Follow responsible disclosure practices.

1월 10, 2025 · 7 분