Network Enumeration Tools

Comprehensive collection of network enumeration tools and techniques for reconnaissance and penetration testing.

Nmap

Basic Network Scanning

# Basic host discovery
nmap -sn TARGET_NETWORK

# ICMP echo host discovery probe (add -sn to skip the port scan)
nmap -PE TARGET_IP

# TCP SYN scan
nmap -sS TARGET_IP

# TCP connect scan
nmap -sT TARGET_IP

# UDP scan
nmap -sU TARGET_IP

# Comprehensive scan
nmap -sS -sU -O -A -v TARGET_IP

# Scan multiple targets
nmap TARGET_IP1 TARGET_IP2 TARGET_IP3

# Scan network range
nmap 192.168.1.0/24

# Scan from file
nmap -iL targets.txt

Advanced Nmap Options

# Fragment packets
nmap -sS -f TARGET_IP

# Fragment packets and add ten random decoy addresses
nmap -sS -f -D RND:10 TARGET_IP

# Decoy scan with chosen decoy addresses
nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP

# Source port scan
nmap -sS --source-port 53 TARGET_IP

# Timing template
nmap -T0 TARGET_IP  # Paranoid
nmap -T1 TARGET_IP  # Sneaky
nmap -T2 TARGET_IP  # Polite
nmap -T3 TARGET_IP  # Normal
nmap -T4 TARGET_IP  # Aggressive
nmap -T5 TARGET_IP  # Insane

# Port range
nmap -p 1-1000 TARGET_IP
nmap -p 80,443,8080,8443 TARGET_IP
nmap -p- TARGET_IP  # All ports

# Service detection
nmap -sV TARGET_IP

# OS detection
nmap -O TARGET_IP

# Script scanning
nmap -sC TARGET_IP

# Script categories
nmap --script vuln TARGET_IP
nmap --script safe TARGET_IP
nmap --script auth TARGET_IP
nmap --script discovery TARGET_IP
nmap --script exploit TARGET_IP
nmap --script malware TARGET_IP
nmap --script intrusive TARGET_IP
nmap --script version TARGET_IP
nmap --script vuln,exploit TARGET_IP

# Output formats
nmap -oN results.txt TARGET_IP
nmap -oX results.xml TARGET_IP
nmap -oG results.grep TARGET_IP
nmap -oA results TARGET_IP  # All formats

Nmap Scripts

# HTTP enumeration
nmap --script http-enum TARGET_IP
nmap --script http-headers TARGET_IP
nmap --script http-methods TARGET_IP
nmap --script http-robots.txt TARGET_IP
nmap --script http-sitemap-generator TARGET_IP
nmap --script http-title TARGET_IP
nmap --script http-vhosts TARGET_IP

# SMB enumeration
nmap --script smb-enum-shares TARGET_IP
nmap --script smb-enum-users TARGET_IP
nmap --script smb-enum-groups TARGET_IP
nmap --script smb-enum-domains TARGET_IP
nmap --script smb-os-discovery TARGET_IP
nmap --script smb-protocols TARGET_IP
nmap --script smb-security-mode TARGET_IP
nmap --script smb-system-info TARGET_IP

# SNMP enumeration
nmap --script snmp-info TARGET_IP
nmap --script snmp-brute TARGET_IP
nmap --script snmp-communities TARGET_IP
nmap --script snmp-hh3c-logins TARGET_IP
nmap --script snmp-interfaces TARGET_IP
nmap --script snmp-ios-config TARGET_IP
nmap --script snmp-netstat TARGET_IP
nmap --script snmp-processes TARGET_IP
nmap --script snmp-public TARGET_IP
nmap --script snmp-sysdescr TARGET_IP
nmap --script snmp-win32-services TARGET_IP
nmap --script snmp-win32-shares TARGET_IP
nmap --script snmp-win32-software TARGET_IP
nmap --script snmp-win32-users TARGET_IP

# DNS enumeration
nmap --script dns-brute TARGET_IP
nmap --script dns-cache-snoop TARGET_IP
nmap --script dns-client-subnet-scan TARGET_IP
nmap --script dns-fingerprint TARGET_IP
nmap --script dns-ip6-arpa-scan TARGET_IP
nmap --script dns-nsec3-enum TARGET_IP
nmap --script dns-nsec-enum TARGET_IP
nmap --script dns-random-srcport TARGET_IP
nmap --script dns-random-txid TARGET_IP
nmap --script dns-recursion TARGET_IP
nmap --script dns-service-discovery TARGET_IP
nmap --script dns-srv-enum TARGET_IP
nmap --script dns-zone-transfer TARGET_IP

# FTP enumeration
nmap --script ftp-anon TARGET_IP
nmap --script ftp-bounce TARGET_IP
nmap --script ftp-brute TARGET_IP
nmap --script ftp-libopie TARGET_IP
nmap --script ftp-proftpd-backdoor TARGET_IP
nmap --script ftp-syst TARGET_IP
nmap --script ftp-vsftpd-backdoor TARGET_IP
nmap --script ftp-vuln-cve2010-4221 TARGET_IP

# SSH enumeration
nmap --script ssh-hostkey TARGET_IP
nmap --script ssh-brute TARGET_IP
nmap --script ssh-publickey-acceptance TARGET_IP
nmap --script ssh-run TARGET_IP
nmap --script ssh2-enum-algos TARGET_IP
nmap --script sshv1 TARGET_IP

# SMTP enumeration
nmap --script smtp-commands TARGET_IP
nmap --script smtp-enum-users TARGET_IP
nmap --script smtp-ntlm-info TARGET_IP
nmap --script smtp-open-relay TARGET_IP
nmap --script smtp-strangeport TARGET_IP
nmap --script smtp-vuln-cve2010-4344 TARGET_IP
nmap --script smtp-vuln-cve2011-1720 TARGET_IP
nmap --script smtp-vuln-cve2011-1764 TARGET_IP

Masscan

Basic Network Scanning

# Basic port scan
masscan -p80,443 TARGET_NETWORK

# Scan all ports
masscan -p0-65535 TARGET_NETWORK

# Scan common ports
masscan -p1-1000 TARGET_NETWORK

# Scan specific ports
masscan -p22,80,443,8080,8443 TARGET_NETWORK

# Scan with rate limit
masscan -p80,443 --rate=1000 TARGET_NETWORK

# Scan with output file
masscan -p80,443 -oG results.txt TARGET_NETWORK

# Scan with XML output
masscan -p80,443 -oX results.xml TARGET_NETWORK

# Scan with JSON output
masscan -p80,443 -oJ results.json TARGET_NETWORK

# Scan with binary output
masscan -p80,443 -oB results.bin TARGET_NETWORK

Advanced Masscan Options

# Low-rate scan (slower and less disruptive, not invisible)
masscan -p80,443 --rate=100 TARGET_NETWORK

# Randomize hosts
masscan -p80,443 --randomize-hosts TARGET_NETWORK

# Randomize ports
masscan -p80,443 --randomize-ports TARGET_NETWORK

# Adapter selection
masscan -p80,443 --adapter eth0 TARGET_NETWORK

# Source IP
masscan -p80,443 --source-ip 192.168.1.100 TARGET_NETWORK

# Source port
masscan -p80,443 --source-port 40000 TARGET_NETWORK

# Banner grab
masscan -p80,443 --banners TARGET_NETWORK

# Ping scan
masscan --ping TARGET_NETWORK

# ARP scan
masscan --arp TARGET_NETWORK

# ICMP scan
masscan --icmp TARGET_NETWORK
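
A common workflow is to let masscan find open ports quickly (the -oJ output above) and then confirm them with nmap -sV via -iL. The following is an added example, not part of this cheat sheet or of masscan itself: it collapses masscan's one-record-per-port JSON into open ports per host and builds the nmap follow-up. The sample JSON is constructed; the trailing comma it carries mirrors a quirk of some masscan builds, which the loader tolerates.

```python
import json
import re
from collections import defaultdict

# Constructed sample of masscan -oJ output (not captured from a real scan).
# Some masscan builds leave a trailing comma before the closing bracket,
# which json.loads rejects, so the loader below strips it.
SAMPLE_MASSCAN_JSON = """[
{   "ip": "192.168.1.10",   "timestamp": "1700000000", "ports": [ {"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "192.168.1.11",   "timestamp": "1700000001", "ports": [ {"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] }
,
{   "ip": "192.168.1.10",   "timestamp": "1700000002", "ports": [ {"port": 8080, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
]"""

def load_masscan_json(text):
    """Parse masscan -oJ output, tolerating a trailing comma before ']'."""
    cleaned = re.sub(r",\s*\]\s*$", "]", text.strip())
    return json.loads(cleaned)

def open_ports_by_host(records):
    """Collapse one-record-per-port output into {ip: sorted open TCP ports}."""
    hosts = defaultdict(set)
    for rec in records:
        for p in rec.get("ports", []):
            if p.get("proto") == "tcp" and p.get("status") == "open":
                hosts[rec["ip"]].add(int(p["port"]))
    return {ip: sorted(ports) for ip, ports in hosts.items()}

def nmap_followup(hosts, targets_file="targets.txt"):
    """Build the -iL target list and the nmap -sV command that verifies masscan's hits."""
    target_lines = "\n".join(sorted(hosts)) + "\n"
    all_ports = sorted({port for ports in hosts.values() for port in ports})
    port_arg = ",".join(str(p) for p in all_ports)
    cmd = f"nmap -sV -p {port_arg} -iL {targets_file}"
    return target_lines, cmd

if __name__ == "__main__":
    hosts = open_ports_by_host(load_masscan_json(SAMPLE_MASSCAN_JSON))
    for ip, ports in hosts.items():
        print(ip, ports)
    targets, cmd = nmap_followup(hosts)
    print(cmd)
```

Write the returned target list to targets.txt before running the printed nmap command.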

Zmap

Basic Network Scanning

# Basic port scan
zmap -p 80 TARGET_NETWORK

# Scan multiple ports
zmap -p 80,443 TARGET_NETWORK

# Scan port range
zmap -p 80-443 TARGET_NETWORK

# Scan with rate limit
zmap -p 80 --rate=1000 TARGET_NETWORK

# Scan with bandwidth limit
zmap -p 80 --bandwidth=10M TARGET_NETWORK

# Scan with output file
zmap -p 80 -o results.txt TARGET_NETWORK

# Scan with JSON output (the file name alone does not select the format)
zmap -p 80 --output-module=json -o results.json TARGET_NETWORK

# Scan with CSV output
zmap -p 80 --output-module=csv -o results.csv TARGET_NETWORK

# List the output modules this zmap build supports
zmap --list-output-modules

Advanced Zmap Options

# Low-rate scan (slower and less disruptive, not invisible)
zmap -p 80 --rate=100 TARGET_NETWORK

# Split the target space into shards (zmap already randomizes target order; --seed makes a run repeatable)
zmap -p 80 --shards=2 --shard=0 --seed=42 TARGET_NETWORK

# Blacklist file
zmap -p 80 --blacklist-file=blacklist.txt TARGET_NETWORK

# Whitelist file
zmap -p 80 --whitelist-file=whitelist.txt TARGET_NETWORK

# Source IP
zmap -p 80 --source-ip=192.168.1.100 TARGET_NETWORK

# Source port
zmap -p 80 --source-port=40000 TARGET_NETWORK

# Interface selection
zmap -p 80 --interface=eth0 TARGET_NETWORK

# Gateway MAC
zmap -p 80 --gateway-mac=00:11:22:33:44:55 TARGET_NETWORK

# Probe module
zmap -p 80 --probe-module=tcp_synscan TARGET_NETWORK

# Output module
zmap -p 80 --output-module=json TARGET_NETWORK

Custom Scripts

Python Network Scanner

import socket
import threading
import queue
import time

def network_scanner(target, ports=None, threads=10, delay=0, timeout=1):
    """TCP connect scan of `ports` on `target`; returns the sorted list of open ports."""
    ports = range(1, 65536) if ports is None else ports
    work = queue.Queue()
    open_ports = []
    lock = threading.Lock()

    def worker():
        while True:
            port = work.get()
            if port is None:          # sentinel: no more work for this thread
                work.task_done()
                break
            try:
                # The context manager closes the socket even when connect_ex raises
                with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
                    sock.settimeout(timeout)
                    if sock.connect_ex((target, port)) == 0:
                        with lock:
                            open_ports.append(port)
                        print(f"[OPEN] {target}:{port}")
                if delay:
                    time.sleep(delay)
            except OSError:
                pass                  # unresolvable host, refused, etc.: not open
            finally:
                work.task_done()      # exactly one task_done per queued port

    # Start worker threads
    workers = [threading.Thread(target=worker, daemon=True) for _ in range(threads)]
    for t in workers:
        t.start()

    # Queue the ports, then one sentinel per worker so every thread exits cleanly
    for port in ports:
        work.put(port)
    for _ in workers:
        work.put(None)

    # Wait for completion
    work.join()
    for t in workers:
        t.join()
    return sorted(open_ports)

# Usage
if __name__ == "__main__":
    target = "TARGET_IP"
    open_ports = network_scanner(target, threads=100, delay=0.01)
    print("Open ports:", open_ports)

Bash Network Scanner

#!/bin/bash

TARGET_IP="TARGET_IP"
THREADS=10

# Function to check port
check_port() {
    local port=$1
    local target=$2
    
    if timeout 1 bash -c "echo >/dev/tcp/$target/$port" 2>/dev/null; then
        echo "[OPEN] $target:$port"
    fi
}

# Export function for parallel
export -f check_port
export TARGET_IP

# Run parallel port check
seq 1 65535 | parallel -j "$THREADS" check_port {} "$TARGET_IP"

Network Discovery

ARP Scanning

# ARP scan
arp-scan -l

# ARP scan with interface
arp-scan -I eth0 -l

# ARP scan with output (arp-scan has no -o flag; redirect stdout)
arp-scan -l > results.txt

# ARP scan with verbose
arp-scan -l -v

# ARP scan with quiet
arp-scan -l -q

# ARP scan with timeout
arp-scan -l -t 1000

# ARP scan with retries
arp-scan -l -r 3

# ARP scan with random
arp-scan -l --random

# ARP scan with plain output (responding hosts only, no header or footer)
arp-scan -l --plain

ICMP Scanning

# ICMP ping
ping -c 4 TARGET_IP

# ICMP ping with timestamp
ping -D TARGET_IP

# ICMP ping with flood
ping -f TARGET_IP

# ICMP ping with interval
ping -i 0.2 TARGET_IP

# ICMP ping with size
ping -s 1000 TARGET_IP

# ICMP ping with TTL
ping -t 64 TARGET_IP

# ICMP ping with verbose
ping -v TARGET_IP

# ICMP ping with quiet
ping -q TARGET_IP

UDP Scanning

# UDP scan with nmap
nmap -sU TARGET_IP

# UDP scan with specific ports
nmap -sU -p 53,67,68,69,123,135,137,138,139,161,162,445,500,514,520,631,1434,1900,4500,49152 TARGET_IP

# UDP scan with service detection
nmap -sU -sV TARGET_IP

# UDP scan with OS detection
nmap -sU -O TARGET_IP

# UDP scan with scripts
nmap -sU --script vuln TARGET_IP

Service Detection

# Telnet banner grab
telnet TARGET_IP 80

# Netcat banner grab
nc TARGET_IP 80

# Nmap banner grab
nmap -sV --script banner TARGET_IP

# Curl banner grab
curl -I http://TARGET_IP

# Wget banner grab
wget --spider -S http://TARGET_IP

# OpenSSL banner grab
openssl s_client -connect TARGET_IP:443

# SMTP banner grab
nc TARGET_IP 25

# FTP banner grab
nc TARGET_IP 21

# SSH banner grab
nc TARGET_IP 22

Best Practices

Rate Limiting

# Slower timing template adds a delay between probes
nmap -T2 TARGET_IP

# Serialize probes (one outstanding probe, long waits)
nmap -T1 TARGET_IP

# Proxy chains apply only to NSE and version-detection connections; raw SYN scans bypass them
nmap -sV --proxies http://proxy1:8080,http://proxy2:8080 TARGET_IP

Stealth Mode

# Randomize host order (-T3 is the default timing template)
nmap -T3 --randomize-hosts TARGET_IP

# Use fragment packets
nmap -sS -f TARGET_IP

# Use decoy scans
nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP

# Use source port spoofing
nmap -sS --source-port 53 TARGET_IP

Output Analysis

# Save results to file
nmap -oN results.txt TARGET_IP

# Filter by port status
grep "open" results.txt
grep "filtered" results.txt
grep "closed" results.txt

# Filter by service (nmap labels SMB ports netbios-ssn and microsoft-ds, so grep "smb" finds nothing)
grep "http" results.txt
grep "ssh" results.txt
grep "ftp" results.txt
grep -E "netbios-ssn|microsoft-ds" results.txt
grep "snmp" results.txt
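
Plain grep over -oN output matches substrings anywhere on a line ("open" also hits "open|filtered", and "smb" never appears). An added example, not part of the cheat sheet or of nmap: a small parser for the grepable (-oG) format that splits each Ports: entry into its fields so results can be filtered by exact state and service, with an alias so "smb" maps to the names nmap actually prints. The sample scan output is constructed.

```python
from collections import namedtuple

PortEntry = namedtuple("PortEntry", "host port state proto service version")

# Constructed sample of nmap -oG (grepable) output; not a real scan result.
SAMPLE_GREPABLE = """# Nmap 7.94 scan initiated as: nmap -sV -oG results.grep 192.168.1.10 192.168.1.11
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Samba smbd 4.x/\tIgnored State: closed (996)
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Service names nmap prints for SMB; a naive grep "smb" matches none of them.
SERVICE_ALIASES = {"smb": {"netbios-ssn", "microsoft-ds"}}

def parse_grepable(text):
    """Return one PortEntry per port found in the Ports: fields of -oG output."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        # Fields are tab-separated "Name: value" pairs
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue
            # Entry layout: port/state/proto/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            entries.append(PortEntry(host, int(port), state, proto, service, version))
    return entries

def filter_entries(entries, state=None, service=None):
    """Filter by exact state and by service name or alias (e.g. 'smb')."""
    names = SERVICE_ALIASES.get(service, {service}) if service else None
    return [e for e in entries
            if (state is None or e.state == state)
            and (names is None or e.service in names)]

if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    for e in filter_entries(parsed, state="open"):
        print(f"{e.host}:{e.port}/{e.proto} {e.service} {e.version}".rstrip())
    print("smb:", [(e.host, e.port) for e in filter_entries(parsed, service="smb")])
```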

Troubleshooting

Common Issues

# Probes timing out: slow the scan down
nmap -T1 TARGET_IP

# Target rate-limits or drops probes: use the slowest template
nmap -T0 TARGET_IP

# Unsure which hosts are live: run host discovery first
nmap -sn TARGET_NETWORK

# Permission denied: raw-socket scans (-sS, -sU, -O) require root
sudo nmap -sS TARGET_IP

Performance Optimization

# Use appropriate timing
nmap -T4 TARGET_IP

# Use smaller port ranges
nmap -p 1-1000 TARGET_IP

# Use specific scripts
nmap --script vuln TARGET_IP

  • Always obtain proper authorization before testing
  • Respect rate limits and server resources
  • Use appropriate tools for the target
  • Document findings properly
  • Follow responsible disclosure practices