# Network Discovery

## Host Discovery

| Command | Description |
|---|---|
| `nmap -sn -n <CIDR>` | Ping sweep - discover live hosts without port scanning. |
| `nmap -sn -n --disable-arp-ping <CIDR>` | Ping sweep with ARP ping disabled (falls back to IP-level probes; useful on some network configs). |
| `nmap -sn -n -PE <CIDR>` | ICMP echo only host discovery. |
| `netdiscover -r <CIDR>` | ARP-based host discovery (layer 2, requires same subnet). |
## Port Scanning

| Command | Description |
|---|---|
| `nmap -p- --open -sS --min-rate 5000 -n -Pn <IP>` | Full TCP SYN scan - all ports, fast, no ping, only open ports reported. |
| `nmap -p- --open -sT --min-rate 5000 -n -Pn <IP>` | Full TCP connect scan - required through proxychains, since a SOCKS proxy only carries complete TCP connections, not raw SYN packets. |
| `nmap -p<ports> -sCV <IP> -oN targeted` | Default scripts plus service and version detection on specific ports, normal output saved to `targeted`. |
| `nmap -p<ports> -sCV <IP> -oG output` | Same scan with grepable output saved to `output`. |
| `nmap -p- -sS -T4 <CIDR>` | Full scan across a subnet (slower but thorough). |
## Metasploit - Scanning Through a Pivot

| Command | Description |
|---|---|
| `use post/multi/gather/ping_sweep` | ICMP ping sweep via Meterpreter session - works through autoroute. |
| `set RHOSTS 192.168.0.1-254` | Target range for the sweep. |
| `set SESSION <id>` | Meterpreter session to pivot through. |
| `use auxiliary/scanner/portscan/tcp` | TCP port scanner through autoroute. |
| `set PORTS 22,80,135,139,443,445,3306,3389,5985,8080,10000` | Common ports to scan. |
| `set THREADS 10` | Concurrent threads (keep low through a pivot). |

Note: `arp_sweep` operates at layer 2 and does not work through autoroute. Always use `ping_sweep` or `portscan/tcp` when pivoting.
## Output & Parsing

| Command | Description |
|---|---|
| `nmap -sn <CIDR> -oG - \| grep "Up"` | Extract only live hosts from a ping sweep. |
| `grep "open" targeted` | Filter open ports from a targeted scan. |
| `cat allPorts \| grep "Host:"` | List all hosts with open ports from grepable output. |
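The `grep` one-liners above work for a quick look, but a small parser of the grepable (`-oG`) format is more reliable for inventory work. The following is an added example, not part of the original cheat sheet: it reads the `Host:` lines, uses the tab-separated `Status:` and `Ports:` fields, and returns live hosts and open ports per host. The scan output is a constructed sample, not a real scan.

```python
import ipaddress
import re

# Constructed sample of nmap grepable (-oG) output; not a real scan.
# Fields on a Host: line are tab-separated; port entries are comma-separated
# as port/state/protocol/owner/service/rpc-info/version/ (assumed format).
SAMPLE_OG = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.0.10 ()\tStatus: Up
Host: 192.168.0.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.0.20 ()\tStatus: Up
Host: 192.168.0.20 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd/, 3389/filtered/tcp//ms-wbt-server///
Host: 192.168.0.30 ()\tStatus: Down
# Nmap done at (constructed sample) -- 3 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "up": bool, "open": [(port, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header/footer comments
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, hostname = match.group(1), match.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "up": False, "open": []})
        for field in fields[1:]:
            if field.startswith("Status:"):
                entry["up"] = field.split(":", 1)[1].strip() == "Up"
            elif field.startswith("Ports:"):
                entry["up"] = True  # a Ports: field only appears for hosts that answered
                for item in field[len("Ports:"):].split(", "):
                    parts = item.strip().split("/")
                    if len(parts) < 7:
                        continue  # malformed entry, ignore rather than crash
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    if state == "open":
                        entry["open"].append((int(port), proto, service, version))
    return hosts


def live_hosts(text):
    """IPs reported Up, sorted numerically (equivalent of: -oG - | grep Up)."""
    return sorted((ip for ip, h in parse_grepable(text).items() if h["up"]),
                  key=ipaddress.ip_address)


def open_ports(text):
    """{ip: [open port numbers]} for hosts with at least one open port."""
    return {ip: [p for p, *_ in h["open"]]
            for ip, h in parse_grepable(text).items() if h["open"]}
```

Run it on a real file with `parse_grepable(open("output").read())`; hosts that appear only with a `Status: Down` line are kept in the result with `up` set to `False`, so filtered and dead hosts are not silently lost.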