# Port Scanning

## <mark style="color:yellow;">Fastest way:</mark>

{% hint style="info" %}
Make sure that the rustscan tool is installed.
{% endhint %}

{% hint style="info" %}
First, create a .txt file that lists all the IP addresses you want to scan. Then, run the command below in Kali Linux.
{% endhint %}

For TCP:

{% code overflow="wrap" %}

```
sudo rustscan -a $ip --range 1-65535 -- -sV -sC --open -oN nmap_tcp.txt

xargs -a ips.txt -I {} sudo rustscan -a {} --range 1-65535 -- -sV -sC --open -oN nmap_tcp_{}.txt

```

{% endcode %}

{% hint style="danger" %}
Rustscan sometimes reports false results, so verify the findings with Nmap.
{% endhint %}

```bash
nmap --min-rate 4500 --max-rtt-timeout 1500ms $ip -p- 
```

```bash
nmap --min-rate 4500 --max-rtt-timeout 1500ms $ip -p- -sV -sC --open
```

For UDP:

{% code overflow="wrap" %}

```
sudo rustscan -a $ip --udp --range 1-65535 -- -sU --open -oN nmap_udp.txt

# rustscan already hands the ports it found to nmap with -p, so do not add -p- after "--" (nmap accepts only one -p option)
xargs -a my_target.txt -I {} sudo rustscan -a {} --udp --range 1-65535 --ulimit 5000 -- -sU -oN nmap_udp_{}.txt

```

{% endcode %}

`--udp` tells rustscan to scan UDP ports.

```bash
nmap --min-rate 4500 --max-rtt-timeout 1500ms $ip -p- -sU
```

{% code overflow="wrap" %}

```bash
xargs -a my_target.txt -I {} sudo nmap --min-rate 4500 --max-rtt-timeout 1500ms -sU -p- {} -oN nmap_udp_{}.txt

```

{% endcode %}

{% hint style="danger" %}
If you see a DATABASE service in the Nmap result, note it: the application in front of it may be exposed to SQLi.
{% endhint %}

`-Pn` skips host discovery (every target is treated as up).

## <mark style="color:red;">If Nmap is not there !!!</mark>

If Nmap is not available inside the internal network but you still want to find open ports, you can try the command below:

```bash
# Change the IP range and the port as needed
for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done
```

## <mark style="color:red;">Using Nmap through a proxy chain and it's slow !!!</mark>

You can try the below command if you are trying to run Nmap through a proxy.

{% code overflow="wrap" %}

```bash
# Make a list of all IPs and store it in a file named targets.txt
# Then run the command below (-n -Pn -sT are needed because proxychains only relays TCP connections;
# --ttl takes a hop count, not a time)

proxychains4 nmap -n -Pn -F -sV -sT -oA nmap_results -vvv -iL targets.txt -T4 --max-retries 1 --max-rtt-timeout 2s --ttl 50 --open
```

{% endcode %}

## <mark style="color:red;">If you prefer not to use a proxy chain due to its slowness, consider trying the ligolo-ng tool.</mark>

{% embed url="https://hacking.tipstosecure.com/tools/tools-help-for-pentesting/ligolo-ng-for-pivoting-reverse-shell-and-file-transfer" %}
Guide on how to use it.
{% endembed %}

## <mark style="color:red;">Want to make a list of all IP addresses available in a subnet ??</mark>

```bash
nmap -sn 192.168.164.0/24 -oG - | awk '/Up$/{print $2}' > targets.txt
```

This saves all the available IP addresses to the targets.txt file.

{% hint style="danger" %}
Sometimes this does not work !! Try netexec.

```bash
netexec smb 172.16.164.0/24 | grep 'SMB' | awk '{print $2}' > targets.txt
```

{% endhint %}
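The awk one-liner above and the rustscan-versus-Nmap caveat earlier on this page both come down to reading Nmap's grepable (`-oG`) output. The following Python script is an added example, not code from this page or from the Nmap or rustscan projects: it parses `-oG` text into a per-host inventory of open ports, extracts the live hosts the same way the awk command does, diffs two scans of the same host (for instance a rustscan-driven run against a full `nmap -p-` run) so that ports one of them missed stand out, and flags hosts exposing database services, which the earlier hint tells you to note. The scan output embedded in it is constructed sample data; the host names, IPs and the `DB_SERVICES` set are assumptions for the example.

```python
"""Parse Nmap grepable (-oG) output into a per-host inventory and compare scans.

Added example; the scan text below is constructed sample data, not real output.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# "Host: <ip> (<hostname>)<tab>Status: Up" or "...<tab>Ports: ...<tab>Ignored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")

# Nmap service names worth a second look when they face the network (assumed list)
DB_SERVICES = {"mysql", "postgresql", "ms-sql-s", "oracle"}


@dataclass
class HostResult:
    ip: str
    hostname: str = ""
    up: bool = False
    # (port, protocol) -> service name, only for ports Nmap reported as open
    open_ports: dict = field(default_factory=dict)


def _parse_ports(ports_field: str, host: HostResult) -> None:
    # Each entry is port/state/proto/owner/service/rpc/version/, e.g. 22/open/tcp//ssh//OpenSSH 8.9p1/
    for entry in ports_field.split(","):
        parts = entry.strip().split("/")
        if len(parts) < 5:
            continue  # malformed entry: skip it rather than crash on a partial line
        port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
        if state == "open" and port.isdigit():
            host.open_ports[(int(port), proto)] = service


def parse_gnmap(text: str) -> dict:
    """Return {ip: HostResult} for every Host: line in the grepable output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines and blank lines
        ip, hostname, rest = m.groups()
        host = hosts.setdefault(ip, HostResult(ip=ip, hostname=hostname))
        for fld in rest.split("\t"):
            key, _, value = fld.partition(": ")
            if key == "Status":
                host.up = host.up or value.strip() == "Up"
            elif key == "Ports":
                _parse_ports(value, host)
    return hosts


def live_hosts(text: str) -> list:
    """Same result as awk '/Up$/{print $2}', but sorted numerically by address."""
    return sorted((ip for ip, h in parse_gnmap(text).items() if h.up), key=ipaddress.ip_address)


def compare_scans(first: str, second: str) -> dict:
    """Per host: open (port, proto) pairs seen only in the first scan, and only in the second."""
    a, b = parse_gnmap(first), parse_gnmap(second)
    diff = {}
    for ip in sorted(set(a) | set(b), key=ipaddress.ip_address):
        pa = set(a[ip].open_ports) if ip in a else set()
        pb = set(b[ip].open_ports) if ip in b else set()
        if pa != pb:
            diff[ip] = (sorted(pa - pb), sorted(pb - pa))
    return diff


def exposed_databases(text: str) -> dict:
    """Hosts with an open port whose Nmap service name is in DB_SERVICES."""
    found = {}
    for ip, host in parse_gnmap(text).items():
        hits = sorted((p, proto, svc) for (p, proto), svc in host.open_ports.items() if svc in DB_SERVICES)
        if hits:
            found[ip] = hits
    return found


# Constructed sample of `nmap -sn <subnet> -oG -` (not real scan output)
PING_SWEEP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.164.1 ()\tStatus: Up\n"
    "Host: 192.168.164.10 (fileserver.lab)\tStatus: Up\n"
    "Host: 192.168.164.2 ()\tStatus: Down\n"
    "# Nmap done: 256 IP addresses (2 hosts up) scanned\n"
)

# Constructed: what Nmap reported after rustscan handed it the ports it found on one host
RUSTSCAN_RUN = (
    "Host: 192.168.164.10 (fileserver.lab)\tStatus: Up\n"
    "Host: 192.168.164.10 (fileserver.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (65533)\n"
)

# Constructed: a full `nmap -p- -sV` run of the same host, which caught one more open port
FULL_NMAP_RUN = (
    "Host: 192.168.164.10 (fileserver.lab)\tStatus: Up\n"
    "Host: 192.168.164.10 (fileserver.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "445/open/tcp//microsoft-ds///, 3306/open/tcp//mysql//MySQL 8.0.36/"
    "\tIgnored State: closed (65532)\n"
)

if __name__ == "__main__":
    print("targets:", live_hosts(PING_SWEEP))
    print("rustscan vs full nmap:", compare_scans(RUSTSCAN_RUN, FULL_NMAP_RUN))
    print("database services:", exposed_databases(FULL_NMAP_RUN))
```

To feed real scans in, save them with `-oG <file>` (the grepable format; `-oN` output is not parsed here) and pass the file contents to `live_hosts` for a targets.txt list or to `compare_scans` to see which open ports a quick rustscan pass missed compared with a full `-p-` run.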

## <mark style="color:yellow;">DNS Enumeration</mark>

{% embed url="https://ankisinha.medium.com/dnsenum-a-command-line-information-gathering-tool-a535078207a6" %}
Command for DNSenum
{% endembed %}
