# Port Scanning

## <mark style="color:yellow;">Fastest way:</mark>

{% hint style="info" %}
Make sure that the rustscan tool is installed.
{% endhint %}

{% hint style="info" %}
First, create a .txt file listing all the IP addresses you want to scan, one per line. Then run the commands below on Kali Linux.
{% endhint %}

For TCP:

{% code overflow="wrap" %}

```bash
# Single target: rustscan sweeps the full TCP range, then hands the open ports
# to nmap for service/version detection (-sV) and default scripts (-sC)
sudo rustscan -a $ip --range 1-65535 -- -sV -sC --open -oN nmap_tcp.txt

# Many targets: ips.txt holds one IP per line; xargs substitutes each IP for {},
# including in the output file name
xargs -a ips.txt -I {} sudo rustscan -a {} --range 1-65535 -- -sV -sC --open -oN nmap_tcp_{}.txt
```

{% endcode %}

{% hint style="danger" %}
Rustscan sometimes gives false results, so verify with Nmap.
{% endhint %}

```bash
# Full TCP port sweep with aggressive timing (no service detection)
nmap --min-rate 4500 --max-rtt-timeout 1500ms $ip -p-
```

```bash
# Same sweep with service/version detection and default scripts, open ports only
nmap --min-rate 4500 --max-rtt-timeout 1500ms $ip -p- -sV -sC --open
```

For UDP:

{% code overflow="wrap" %}

```bash
# Single target: full UDP range, open ports only
sudo rustscan -a $ip --udp --range 1-65535 -- -sU --open -oN nmap_udp.txt

# Many targets from my_target.txt (one IP per line); --ulimit raises the
# open-file limit rustscan uses for its batch size
xargs -a my_target.txt -I {} sudo rustscan -a {} --udp --range 1-65535 --ulimit 5000 -- -sU -p- -oN nmap_udp_{}.txt
```

{% endcode %}

`--udp` tells rustscan to scan UDP ports instead of TCP.

```bash
# Full UDP sweep; -sU needs raw sockets, so run it as root
sudo nmap --min-rate 4500 --max-rtt-timeout 1500ms $ip -p- -sU
```

{% code overflow="wrap" %}

```bash
xargs -a my_target.txt -I {} sudo nmap --min-rate 4500 --max-rtt-timeout 1500ms -sU -p- {} -oN nmap_udp_{}.txt

```

{% endcode %}

{% hint style="danger" %}
If a database service appears in the Nmap results, there may be a possibility of SQL injection.
{% endhint %}

`-Pn` skips host discovery and treats every target as up.

## <mark style="color:red;">If Nmap is not there !!!</mark>

If Nmap is not available on the machine you are working from inside the internal network but you still want to find open ports, you can try the command below:

```bash
# Change IP and Port according to the need
for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done
```

## <mark style="color:red;">Using Nmap through a proxy chain, and it's slow !!!</mark>

Try the command below if you need to run Nmap through a proxy.

{% code overflow="wrap" %}

```bash
# Make a list of all target IPs and store it in a file named targets.txt,
# then run the command below.
# -sT (connect scan) is required through a SOCKS proxy; -n and -Pn skip DNS
# and host discovery, which do not work through the proxy.
# --ttl takes an integer hop count, not a time value.

proxychains4 nmap -n -Pn -F -sV -sT -oA nmap_results -vvv -iL targets.txt -T4 --max-retries 1 --max-rtt-timeout 2s --ttl 50 --open
```

{% endcode %}

## <mark style="color:red;">If you prefer not to use a proxy chain due to its slowness, consider trying the ligolo-ng tool.</mark>

{% embed url="https://hacking.tipstosecure.com/tools/tools-help-for-pentesting/ligolo-ng-for-pivoting-reverse-shell-and-file-transfer" %}
Guide on how to use it.
{% endembed %}

## <mark style="color:red;">Want to make a list of all IP addresses available in a subnet ??</mark>

```bash
nmap -sn 192.168.164.0/24 -oG - | awk '/Up$/{print $2}' > targets.txt
```

This saves all the available IP addresses to the targets.txt file.
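The awk one-liner above keeps only the `Status: Up` lines of Nmap's grepable output. As an added example (not from the original page or the Nmap project), here is a small Python parser for the same `-oG` format that also reads the `Ports:` field, so a single scan can produce the targets.txt list, a per-host open-port summary, and the database-service check that the earlier hint refers to. The sample `-oG` text is constructed, and the `DATABASE_SERVICES` name list is an assumption of this example rather than anything Nmap defines.

```python
"""Parse Nmap grepable (-oG) output into hosts, open ports and services.

Assumption about the format: fields on a "Host:" line are tab-separated, and
each entry in the "Ports:" field is  port/state/proto/owner/service/rpc/version/
(Nmap replaces any "/" inside version strings with "|", so splitting on "/"
is safe).
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of -oG output: comment lines, status lines as produced by
# -sn, port lines from a -sV scan (one filtered port, one database service).
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.164.0/24
Host: 192.168.164.1 ()\tStatus: Up
Host: 192.168.164.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 135/filtered/tcp//msrpc///\tIgnored State: closed (997)
Host: 192.168.164.20 (fileserver.lab)\tStatus: Up
Host: 192.168.164.20 (fileserver.lab)\tPorts: 445/open/tcp//microsoft-ds///, 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: closed (998)
Host: 192.168.164.50 ()\tStatus: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 41.20 seconds
"""

# Service names to flag for review as exposed databases (assumed list).
DATABASE_SERVICES = {"mysql", "postgresql", "ms-sql-s", "oracle", "mongod", "redis"}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


@dataclass
class HostResult:
    ip: str
    hostname: str
    status: Optional[str] = None
    # (port, proto, state, service, version)
    ports: List[Tuple[int, str, str, str, str]] = field(default_factory=list)


def parse_grepable(text: str) -> List[HostResult]:
    """Return one HostResult per host, in order of first appearance."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip "# Nmap ..." comments and blanks
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        host = hosts.setdefault(ip, HostResult(ip, hostname))
        for fld in fields[1:]:
            key, _, value = fld.partition(": ")
            if key == "Status":
                host.status = value.strip()
            elif key == "Ports":
                for entry in value.split(","):
                    parts = entry.strip().split("/")
                    if len(parts) < 7:
                        continue          # malformed entry: skip rather than crash
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    host.ports.append((int(port), proto, state, service, version))
    return list(hosts.values())


def up_hosts(results: List[HostResult]) -> List[str]:
    """IPs reported as Up: the same content the awk one-liner writes to targets.txt."""
    return [h.ip for h in results if h.status == "Up"]


def open_ports(results: List[HostResult]) -> List[Tuple[str, int, str, str]]:
    """(ip, port, proto, service) for every port in state 'open'."""
    return [(h.ip, p, proto, svc)
            for h in results
            for (p, proto, state, svc, _ver) in h.ports
            if state == "open"]


def database_services(results: List[HostResult]) -> List[Tuple[str, int, str]]:
    """Open ports whose service name is a known database: review these first."""
    return [(ip, p, svc) for (ip, p, _proto, svc) in open_ports(results)
            if svc in DATABASE_SERVICES]


if __name__ == "__main__":
    # Usage: python parse_og.py scan.gnmap   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OG
    results = parse_grepable(text)
    print("\n".join(up_hosts(results)))
    for ip, port, proto, svc in open_ports(results):
        print(f"{ip}\t{port}/{proto}\t{svc}")
    for ip, port, svc in database_services(results):
        print(f"review: database service {svc} exposed on {ip}:{port}")
```

Run it against a saved `-oG` file (`nmap ... -oG scan.gnmap`) to get the Up-host list plus open ports in one pass; unlike the awk filter, a filtered or closed port never ends up in the open-port summary because the state field is checked explicitly.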

{% hint style="danger" %}
Sometimes this does not work !! Try netexec instead:

```bash
netexec smb 172.16.164.0/24 | grep 'SMB' | awk '{print $2}' > targets.txt
```

{% endhint %}

## <mark style="color:yellow;">DNS Enumeration</mark>

{% embed url="https://ankisinha.medium.com/dnsenum-a-command-line-information-gathering-tool-a535078207a6" %}
Command for DNSenum
{% endembed %}
