Thought process (pentest)

  • Scanning all 65535 ports on every discovered host stops being viable on internal networks with a large number of hosts.
  • Host discovery should be run as a separate step and the resulting list of live IP addresses used as the input (e.g. via -iL) for the port scans below.
  • The IP addresses referenced in these commands should be checked against the in-scope and out-of-scope documentation at every step of the test to confirm scope is not being violated; a host that answers a discovery probe is not automatically in scope.
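The three bullets above describe one pipeline: sweep, scope-check, then port-scan only what survived. The script below is an added example (not part of these notes) that parses the greppable (.gnmap) output of an nmap -sn host-discovery run, keeps only hosts reported Up, rejects anything outside the in-scope ranges or inside the out-of-scope ranges, and assembles the nmap port-scan command from the Options table using -iL for the target list. Python is used rather than a shell wrapper so the scope filtering runs offline without nmap installed; the gnmap text, the scope lists and the file names are constructed for the demo.

```python
"""Host discovery output -> scope check -> nmap port-scan target list.

Added example; not the original author's code. SAMPLE_GNMAP is a constructed
copy of what `nmap -sn -n ... -oA ./scans/nmap/discovery` writes to
discovery.gnmap, and IN_SCOPE / OUT_OF_SCOPE are made-up engagement ranges.
"""
import ipaddress
import re
import shlex
from pathlib import Path
from typing import Iterable, List, Tuple

# Constructed sample host-discovery output (greppable format).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sn -n 10.10.0.0/24 10.10.1.0/24 -oA ./scans/nmap/discovery
Host: 10.10.0.5 ()\tStatus: Up
Host: 10.10.0.9 ()\tStatus: Down
Host: 10.10.0.20 ()\tStatus: Up
Host: 10.10.1.7 ()\tStatus: Up
Host: 192.168.50.3 ()\tStatus: Up
# Nmap done at Mon Jan  1 09:00:10 2024 -- 512 IP addresses (4 hosts up) scanned in 10.00 seconds
"""

# Constructed scope definition (hypothetical engagement).
IN_SCOPE = ["10.10.0.0/24", "10.10.1.0/24"]
OUT_OF_SCOPE = ["10.10.0.20/32", "10.10.1.0/25"]  # e.g. a production DB and a DMZ half

# "Host: <addr> (<name>)<TAB>Status: <state>" lines; comment lines are skipped.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+(\w+)")


def live_hosts(gnmap_text: str) -> List[str]:
    """Return the addresses that the discovery sweep reported as Up."""
    hosts = []
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(2) == "Up":
            hosts.append(m.group(1))
    return hosts


def is_in_scope(addr: str, allow: Iterable[str], deny: Iterable[str]) -> bool:
    """True only if addr falls inside an allowed range and outside every denied one."""
    ip = ipaddress.ip_address(addr)
    allowed = any(ip in ipaddress.ip_network(n, strict=False) for n in allow)
    denied = any(ip in ipaddress.ip_network(n, strict=False) for n in deny)
    return allowed and not denied


def filter_targets(hosts: Iterable[str], allow: Iterable[str],
                   deny: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split discovered hosts into (scan targets, rejected out-of-scope hosts)."""
    targets, rejected = [], []
    for h in hosts:
        (targets if is_in_scope(h, allow, deny) else rejected).append(h)
    return targets, rejected


def port_scan_command(targets_file: str, proto: str = "tcp", top: int = 200,
                      out_dir: str = "./scans/nmap") -> List[str]:
    """Build the port-scan invocation from the Options table for one protocol.

    -sT (TCP connect) runs unprivileged; -sU needs raw-socket privileges (root).
    -Pn skips host discovery because it was already done, -n skips reverse DNS.
    """
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    scan_flag = "-sT" if proto == "tcp" else "-sU"
    return ["nmap", "--top-ports", str(top), scan_flag, "-T3", "-Pn", "-n",
            "--open", "-iL", targets_file,
            "-oA", f"{out_dir}/{proto}-top-{top}-ports"]


if __name__ == "__main__":
    hosts = live_hosts(SAMPLE_GNMAP)
    targets, rejected = filter_targets(hosts, IN_SCOPE, OUT_OF_SCOPE)
    for r in rejected:
        print(f"REJECTED (out of scope, do not scan): {r}")
    targets_file = "live-hosts.txt"  # assumed output path for the demo
    Path(targets_file).write_text("\n".join(targets) + "\n")
    print(f"{len(targets)} target(s) written to {targets_file}")
    print(shlex.join(port_scan_command(targets_file, "tcp", 200)))
    print(shlex.join(port_scan_command(targets_file, "udp", 200)))
```

Anything listed as rejected deserves a second look before continuing: a host that answered inside an in-scope range but sits in an exclusion list is exactly the case the third bullet is warning about, and an address outside every in-scope range means the discovery sweep itself was pointed at the wrong network.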

Options

Each row: type / speed / coverage, then the command, then what it does. <target> is a single IP, a range, or -iL <file> holding the live hosts from discovery.

TCP / FAST / MODERATE
  nmap --top-ports 200 -sT -T3 -Pn -n --open <target> -oA ./scans/nmap/tcp-top-200-ports
  Assumes hosts are up (-Pn) and performs a TCP connect scan against the top 200 TCP ports.

UDP / FAST / MODERATE
  nmap --top-ports 200 -sU -T3 -Pn -n --open <target> -oA ./scans/nmap/udp-top-200-ports
  Assumes hosts are up (-Pn) and performs a UDP scan against the top 200 UDP ports.

TCP / MODERATE / HIGH
  nmap --top-ports 1000 -sT -T3 -Pn -n --open <target> -oA ./scans/nmap/tcp-top-1000-ports
  Assumes hosts are up (-Pn) and performs a TCP connect scan against the top 1000 TCP ports.

UDP / MODERATE / HIGH
  nmap --top-ports 1000 -sU -T3 -Pn -n --open <target> -oA ./scans/nmap/udp-top-1000-ports
  Assumes hosts are up (-Pn) and performs a UDP scan against the top 1000 UDP ports.

TCP / SLOW / VERY HIGH
  nmap --top-ports 4000 -sT -T3 -Pn -n --open <target> -oA ./scans/nmap/tcp-top-4000-ports
  Assumes hosts are up (-Pn) and performs a TCP connect scan against the top 4000 TCP ports.

UDP / SLOW / VERY HIGH
  nmap --top-ports 2000 -sU -T3 -Pn -n --open <target> -oA ./scans/nmap/udp-top-2000-ports
  Assumes hosts are up (-Pn) and performs a UDP scan against the top 2000 UDP ports.

Notes on the options:
  • -sU (UDP) needs raw-socket privileges, so run it as root / with sudo; -sT (TCP connect) runs unprivileged.
  • UDP scanning is much slower than TCP because unanswered probes must time out and nmap rate-limits against ICMP port-unreachable responses; most UDP results will be open|filtered, which --open still shows.
  • -T3 is nmap's default timing template and is written out here only to make the choice explicit.
  • -oA writes .nmap, .gnmap and .xml files; ./scans/nmap/ must exist beforehand or nmap refuses to write output.

Related Notes