# Scanning

## AutoRecon

```bash
autorecon -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost
autorecon 10.200.97.200
autorecon -t targets.txt --only-scans-dir

# With vhost enumeration for known hostname
autorecon TARGET_IP --vhost-enum.hostname TARGET.htb -v

# Specify directory busting tool
autorecon TARGET_IP --dirbuster.tool feroxbuster -v

# Combined example
autorecon 10.129.237.241 --vhost-enum.hostname planning.htb --dirbuster.tool feroxbuster -v
```

**Common Flags:**

| Flag                    | Description                                              |
| ----------------------- | -------------------------------------------------------- |
| `-ct`                   | Concurrent targets                                       |
| `-cs`                   | Concurrent scans per target                              |
| `-o`                    | Custom output directory                                  |
| `-v` / `-vv`            | Verbose output                                           |
| `--vhost-enum.hostname` | Hostname for vhost enumeration                           |
| `--dirbuster.tool`      | Tool for directory busting (gobuster, feroxbuster, ffuf) |
| `--only-scans-dir`      | Only output scans directory                              |

AutoRecon will create and store results in the `/results` directory.

## General Enumeration Figure out the Hosts and Services Running

### NetDiscover

* Netdiscover is an active/passive reconnaissance tool that uses ARP to find live hosts on a local network.
* Netdiscover actively searches for live hosts on the network by broadcasting ARP requests like a router.
* By default netdiscover operates in active mode, however you can use it in passive mode with `-p`. With passive move it will not broadcast anything.
* Note: ARP is unable to cross network boundaries or over any VPN connection

```
netdiscover -r 10.11.1.0/24
```

### Nmap

* I have no time to read, just give me the nmap scanning meta.

```
nmap -sS x.x.x.x -p- --min-rate 10000
nmap -A -T5 x.x.x.x -p- -vv
nmap --script=scriptname.nse x.x.x.x -vv
```

#### Ping Scan -sn Option

* -sn tells nmap to perform host discovery only without any additional port scanning and prints out details of any hosts that responded.

```
nmap -sn 10.11.1.0/24
```

* nmap also has the -Pn option which will disable the host discovery stage altogether on a scan. The -Pn option is best used in combination with other scans.

#### TCP Connect Scan

* The TCP connect scan in Nmap is the alternative TCP scan to use when a SYN scan is not an option.
* TCP connect scan should be used when nmap does not have raw packet privileges which is required for a SYN scan.

```
nmap -sT [target host]
```

#### TCP SYN Scan

* Does not complete the 3 way handshake

```
nmap -sS [target host]
```

#### UDP Port Scanning

* Always check for UDP ports will pick up DNS, NTP, SNMP

```
nmap -sU [target host]
nmap -sU -F [target host]
```

#### Fingerprint Services

* To figure out what services are running on target ports we use:

```
nmap -sV [target ip address]
```

* The following command will use nmap port scan to detect the service and OS:

```
nmap -sV -O [target ip address]
```

* Can also use the -A option in Nmap. The A stands for aggressive scan options and enables OS detection, script scanning and traceroute.

```
nmap -A [target ip address]
```

#### Scanning port ranges with Nmap

* By default nmap will only scan the most 1000 common ports. To override the default use the -p

```
nmap -p 1-100 [target host]
nmap -p 137-139,445 [target host]
```

### NSE

* Web Application Vulnerability scan:

```
nmap --script=http-vuln* 10.10.10.10
```

* Location of scripts

```
/usr/share/nmap/scripts
```

* Scripts are sorted by protocol, can sort by service

```
ls -l /usr/share/nmap/scripts/ftp*
```

* Nmap script help

```
nmap --script-help ftp-anon
```

* Nmap script execution

```
nmap --script=[script name] [target host]
```

* The following command executes a script names http-robots.txt on port 80:

```
nmap --script=http-robots.txt.nse [target host]
```

### Detecting Linux Version from nmap SSH output

* If ssh is running on the target, and it can fingerprint the service you have a good chance of detecting the operating system version:

```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
|   256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_  256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)

```

* Take a look at the part `4ubuntu0.5`
* If you google that and select the `launchpad.net` link it will tell you the OS version
* <https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.5>

<figure><img src="/files/dhYINikM9Sszbbq4UsSM" alt=""><figcaption></figcaption></figure>

### Nmap Output Parsing

Extract open ports and services from greppable output:

```bash
nmap -A -T4 TARGET -oA nmap_output

# Extract open TCP services from .gnmap output
egrep -v "^#|Status: Up" nmap_output.gnmap | cut -d' ' -f2,4- | \
  sed -n -e 's/Ignored.*//p' | \
  awk '{print "Host: " $1 " Ports: " NF-1; for(i=2;i<=NF;i++){print "\t"$i}}' | \
  sed -e 's/\/open\//\t/g' -e 's/\/\///g' -e 's/|/\t/g'
```

This extracts a clean list of hosts with their open ports, services, and versions from the `.gnmap` file.

***

## Vulnerability Scanning

* Good nmap command

```
nmap -T4 -n -sC -sV -p- -oN nmap-versions --script='*vuln*' [ip]
```

```
nmap -p 80 --script=all $ip - Scan a target using all NSE scripts. May take an hour to complete.
nmap -p 80 --script=*vuln* $ip - Scan a target using all NSE vuln scripts.
nmap -p 80 --script=http*vuln* $ip  - Scan a target using all HTTP vulns NSE scripts.
nmap -p 21 --script=ftp-anon $ip/24 - Scan entire network for FTP servers that allow anonymous access.
nmap -p 80 --script=http-vuln-cve2010-2861 $ip/24 - Scan entire network for a directory traversal vulnerability. It can even retrieve admin's password hash.
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/recon-enumeration/scanning.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.