Enumeration

Gathering information that can lead to the discovery of vulnerabilities or aid in our exploitation process.

Gathering information is the first and one of the most vital stages of penetration testing. It helps us learn about the target systems we are assessing, and it reveals information that can aid the discovery and/or exploitation of vulnerabilities.

Enumeration methodologies vary by environment. Below are high-level summaries for three main types of environment.

1 - Nmap

Discover open ports and available services on your targets with Nmap

Nmap has been the go-to port scanner for security professionals and researchers for many years. It discovers open ports on computers over the network by sending packets to each port and analyzing how the host responds.

Penetration Testers often use port scanners like Nmap to conduct Active Recon on the targets being assessed.

TL;DR

Here are a few commands to get you started with nmap quickly:

Basic run:

nmap <hosts>

My favorite Nmap scan command for CTFs and exams:

  • -sVC: Service enumeration + default NSE scripts
  • -T4: Timing template 4, a relatively fast scanning pace
  • -oN <filename>: Save output in normal plaintext

sudo nmap -sVC -T4 -oN <filename> <hosts>

Ippsec’s Nmap scan command as seen in his HTB walkthroughs:

  • -vv: Double verbose output
  • -oA nmap/<filename_prefix>: Save output in all three formats (normal, greppable, XML) to a directory

sudo nmap -sC -sV -vv -oA nmap/<filename_prefix> <hosts>

1.1 - Nmap Basic Usage

Discover hosts and open ports with Nmap

Basic Scan

To begin a basic Nmap scan, simply provide it with the host(s) you wish to scan:

nmap <hosts>

The above command starts a port scan against the host(s) specified:

$ nmap 10.129.197.123
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-31 20:58 -0500
Nmap scan report for 10.129.197.123
Host is up (0.057s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
110/tcp   open  pop3
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds

The <hosts> argument can be:

  • Individual IP addresses: 10.129.2.18 10.129.2.19 10.129.2.20
  • A range of IP addresses: 10.129.2.18-20
  • CIDR: 10.129.2.0/24
  • Hostnames: example.com

To have Nmap read the list of hosts to scan from a file, use -iL to specify the filename:

$ cat hosts.txt
10.129.2.18
10.129.2.19
10.129.2.20
nmap -sn -iL hosts.txt

Port Specification

To specify specific ports and ranges to scan, use the -p argument:

nmap -p <ports> <hosts>

The -p argument accepts:

  • Individual port numbers, comma-separated: 80 or 22,80
  • Ranges of ports: 1-1000
  • A combination of both: 22,80,100-500

For a complete scan of all ports (1-65535), use -p- as shorthand:

nmap -p- <hosts>

Alternatively, use --top-ports to scan only the N most common ports. By default, Nmap scans the 1000 most common ports.

nmap --top-ports <number> <hosts>

The -F flag is equivalent to --top-ports 100.

nmap -F <hosts>
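The <hosts> forms listed under Basic Scan and the -p forms above follow a small grammar that is worth being able to expand yourself, for example to generate a hosts.txt for -iL or to double-check how many ports a spec covers before a long scan. The following is an added example written for this page, not Nmap's own code; it assumes Nmap's octet-range syntax (10.129.2.18-20, or a bare "-" for 0-255) applies to any octet, as Nmap does, and passes hostnames through unresolved. Note that a CIDR block is expanded to every address in it, including the network and broadcast addresses, which is also what Nmap scans.

```python
"""Expand Nmap-style target and port specifications into explicit lists (added example)."""
from __future__ import annotations

import ipaddress
import re

MAX_PORT = 65535


def _expand_octet(part: str) -> list[int]:
    """'18-20' -> [18, 19, 20]; '7' -> [7]; '-' -> 0..255 (Nmap's shorthand)."""
    if part == "-":
        return list(range(256))
    if "-" in part:
        lo, hi = part.split("-", 1)
        lo = 0 if lo == "" else int(lo)
        hi = 255 if hi == "" else int(hi)
    else:
        lo = hi = int(part)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet range: {part}")
    return list(range(lo, hi + 1))


def expand_target(spec: str) -> list[str]:
    """Expand one <hosts> token: CIDR, dotted IP with optional octet ranges, or hostname."""
    if "/" in spec:
        # CIDR, e.g. 10.129.2.0/24; strict=False tolerates host bits being set.
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    if re.fullmatch(r"[\d\-.]+", spec) and spec.count(".") == 3:
        a, b, c, d = (_expand_octet(p) for p in spec.split("."))
        return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]
    return [spec]  # hostname: left for the scanner's resolver


def expand_targets(specs: list[str]) -> list[str]:
    """Expand several tokens, de-duplicating while keeping first-seen order."""
    seen: set[str] = set()
    out: list[str] = []
    for spec in specs:
        for host in expand_target(spec):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out


def parse_ports(spec: str) -> list[int]:
    """'22,80,100-500' -> sorted unique ports; '-' alone means 1-65535, like -p-."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if part == "-":
            ports.update(range(1, MAX_PORT + 1))
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo = 1 if lo == "" else int(lo)
            hi = MAX_PORT if hi == "" else int(hi)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"bad port range: {part}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


if __name__ == "__main__":
    # Constructed inputs mirroring the forms described in the text.
    for host in expand_targets(["10.129.2.18-20", "10.129.2.0/30", "example.com"]):
        print(host)  # one line per host, ready to be written to hosts.txt for -iL
    print(len(parse_ports("22,80,100-500")), "ports;", len(parse_ports("-")), "ports for -p-")
```

Writing the expanded host list to a file and passing it with -iL keeps the scope of a scan explicit and reviewable, which matters when the engagement's rules of engagement limit which addresses may be touched.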

Port Scanning without Ping Probes

Nmap performs a ping probe to check that the host is up and reachable before beginning a port scan. However, certain hosts (Windows, by default) may not respond to ping. As a result, Nmap may conclude that the host is down.

$ nmap 10.10.65.55
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-27 20:58 -0500
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.02 seconds

As its output suggests, we can re-scan the host with the -Pn option, which skips the ping probe and starts the port scan right away.

$ nmap 10.10.65.55 -Pn
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-27 21:23 -0500
Nmap scan report for 10.10.65.55
Host is up (0.15s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 12.92 seconds

Verbose Output

Use the -v/-vv flags to increase the verbosity of Nmap’s output, which reports open ports as soon as Nmap discovers them.

$ sudo nmap 10.129.2.28 -p- -sV -v

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 20:03 CEST
NSE: Loaded 45 scripts for scanning.
Initiating ARP Ping Scan at 20:03
Scanning 10.129.2.28 [1 port]
Completed ARP Ping Scan at 20:03, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:03
Completed Parallel DNS resolution of 1 host. at 20:03, 0.02s elapsed
Initiating SYN Stealth Scan at 20:03
Scanning 10.129.2.28 [65535 ports]
Discovered open port 995/tcp on 10.129.2.28
Discovered open port 80/tcp on 10.129.2.28
Discovered open port 993/tcp on 10.129.2.28
Discovered open port 143/tcp on 10.129.2.28
Discovered open port 25/tcp on 10.129.2.28
Discovered open port 110/tcp on 10.129.2.28
Discovered open port 22/tcp on 10.129.2.28
<SNIP>

Host Discovery

Use the -sn flag to disable port scanning and only perform ping probes against the host(s) specified:

nmap -sn <hosts>

Performance Tuning

Nmap provides six timing templates to tune the aggressiveness of our scans, from 0 (the slowest) to 5 (the fastest). However, a more aggressive template can cause more false negatives, as it gives hosts less time to respond.

Choose a timing template with -T:

  • -T0 / -T paranoid
  • -T1 / -T sneaky
  • -T2 / -T polite
  • -T3 / -T normal
  • -T4 / -T aggressive
  • -T5 / -T insane

By default, Nmap uses -T3. But for certification exams and CTFs, -T4 is a good balance between speed and consistency.

1.2 - Nmap Scan Types

Nmap’s scan methods and their pros and cons

Nmap offers a variety of port scan methods, each with its own pros and cons. Some types may seem odd at first, but they often shine in specific use cases.

TCP Connection Scan

By default, Nmap uses the TCP Connect Scan when run without root privileges. It establishes:

  • The port as open if the host completes the TCP three-way handshake.
  • The port as closed if the host resets the attempt to connect.
  • The port as filtered if the host rejects or does not respond to the attempt to connect.

TCP connection scan can be manually specified using the -sT flag.

nmap -sT <hosts>

Pros: Highly Accurate

Cons: Noisy, Slow

TCP SYN Scan

Instead of completing the three-way handshake like the TCP Connect Scan, the SYN Scan aborts the handshake as soon as it receives the SYN-ACK packet from the host, and concludes that the port is open. This is Nmap’s default scan type when run with root privileges.

The TCP SYN scan can be manually specified with the -sS flag. Note that this scan type requires privileged access to raw sockets, since it must craft the packets and reset the TCP handshake itself.

sudo nmap -sS <hosts>

Pros: Fast, Stealthy

Cons: Less accurate, Can still be detected by advanced IDS/IPS systems

Despite its shortcomings, the SYN Scan is the most popular Nmap port scan type.

UDP Scan

Nmap also supports discovering services running on UDP ports. It marks a port as:

  • open if Nmap gets an application response to its probe.
  • closed if Nmap gets an ICMP Type 3 Error 3 (Host Unreachable) response.
  • open|filtered if Nmap gets other ICMP responses or times out.

Use the -sU flag for a UDP scan. Note this scan type requires root privileges.

sudo nmap -sU <hosts>

Note that this scan type can take quite a long time, because UDP is a stateless protocol and Nmap needs long timeouts to account for packet loss.

TCP ACK Scan

The TCP ACK scan is not commonly used, but it is valuable nonetheless: it helps enumerate firewall rules on a host while evading IDS/IPS systems. It sends a TCP ACK packet instead of initiating a three-way handshake. If the port is unfiltered, the host resets the connection in response, allowing Nmap to conclude that connections to that port are not obstructed by firewall rules. Because no handshake is attempted, simple firewalls find this harder to block.

Use the -sA flag for a TCP ACK scan. This scan type also requires root privileges.

sudo nmap -sA <hosts>

1.3 - Nmap Service and Host Enumeration

Footprint network services and the hosts running them

Although there is a convention for the port numbers of common services, we should strive to identify the running services accurately instead of just guessing. Nmap can help us by performing service enumeration on open ports.

Nmap Service Enumeration

Use the -sV flag to tell Nmap to perform service enumeration on each of the ports it detects as open:

nmap -sV <hosts>

Nmap’s service enumeration attempts to report the type and version of the service running on each port.

$ sudo nmap 10.129.2.28 -p- -sV

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 20:00 CEST
Nmap scan report for 10.129.2.28
Host is up (0.013s latency).
Not shown: 65525 closed ports
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp    open     smtp         Postfix smtpd
80/tcp    open     http         Apache httpd 2.4.29 ((Ubuntu))
110/tcp   open     pop3         Dovecot pop3d
139/tcp   filtered netbios-ssn
143/tcp   open     imap         Dovecot imapd (Ubuntu)
445/tcp   filtered microsoft-ds
993/tcp   open     ssl/imap     Dovecot imapd (Ubuntu)
995/tcp   open     ssl/pop3     Dovecot pop3d
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Service Info: Host:  inlane; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.73 seconds

Nmap service enumeration relies on two mechanisms:

  • Banner Grabbing: Nmap establishes a connection to the service and waits for it to present its banner, which often contains service information such as type and version.
  • Service Signature Footprinting: If Nmap does not receive a banner within the timeout limit, it sends probes to the service and analyzes the signature of its response. This makes the service enumeration process much longer.

Manual Banner Grabbing

There are times when Nmap is unable to enumerate the service type and version. We can manually grab the banner by connecting to the service with Netcat:

$ nc -nv 10.129.2.28 25

Connection to 10.129.2.28 port 25 [tcp/*] succeeded!
220 inlane ESMTP Postfix (Ubuntu)
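To tie together the state rules of the TCP Connect Scan from the Scan Types section (handshake completed means open, RST means closed, no answer means filtered) with the manual banner grab shown above, here is an added example written for this page; it is not Nmap's code and not the tool the author used. It uses plain sockets, so it needs no privileges, and it waits briefly after connecting for the greeting that services like SMTP, SSH and POP3 send first. The self-test listener and its "220 lab ESMTP" greeting are constructed for this example, and the hosts and ports passed to it are assumed to be in scope for your assessment.

```python
"""TCP connect probe with Nmap-style port states plus banner grab (added example)."""
from __future__ import annotations

import socket
import threading


def classify_connect_error(exc: OSError) -> str:
    """Map a failed connect() onto the states Nmap's -sT reports."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"      # the host answered our SYN with RST
    return "filtered"        # timeout, host unreachable, ICMP admin-prohibited, ...


def probe_port(host: str, port: int, timeout: float = 2.0,
               banner_wait: float = 1.0) -> tuple[str, str]:
    """Return (state, banner); banner is the first data the service volunteers, or ''."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # The three-way handshake completed, so the port is open (as with -sT).
            s.settimeout(banner_wait)
            try:
                data = s.recv(1024)      # equivalent of waiting after `nc -nv host port`
            except OSError:
                data = b""               # service expects the client to speak first
            return "open", data.decode("utf-8", "replace").strip()
    except OSError as exc:
        return classify_connect_error(exc), ""


def connect_scan(host: str, ports: list[int], timeout: float = 2.0) -> dict[int, tuple[str, str]]:
    """Probe each port sequentially and collect (state, banner) per port."""
    return {p: probe_port(host, p, timeout) for p in ports}


# --- self-test helper: a local listener that greets once with a constructed banner ---
def start_banner_server(banner: bytes = b"220 lab ESMTP Postfix (constructed)\r\n"):
    """Listen on an ephemeral loopback port; return (listening socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_banner_server()
    for p, (state, banner) in connect_scan("127.0.0.1", [port]).items():
        print(f"{p}/tcp {state} {banner}")   # e.g. "<port>/tcp open 220 lab ESMTP Postfix (constructed)"
    srv.close()
    print(port, probe_port("127.0.0.1", port)[0])   # listener gone, so now "closed"
```

From the defender's side, the same three outcomes are what a connect scan looks like in logs: a completed handshake that is immediately torn down (often logged by the service itself), a burst of RSTs from closed ports, and silence from ports a firewall drops. Correlating many such short-lived connections from one source across many ports is the basis of most port-scan detection rules.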

Nmap Script Scanning

Nmap also provides scripting capabilities through the Nmap Scripting Engine (NSE). Nmap ships with a collection of scripts, which are stored under /usr/share/nmap/scripts/.

$ ls -l /usr/share/nmap/scripts
total 5024
-rw-r--r-- 1 root root  3901 Sep 29 02:24 acarsd-info.nse
-rw-r--r-- 1 root root  8749 Sep 29 02:24 address-info.nse
-rw-r--r-- 1 root root  3345 Sep 29 02:24 afp-brute.nse
-rw-r--r-- 1 root root  6463 Sep 29 02:24 afp-ls.nse
-rw-r--r-- 1 root root  7001 Sep 29 02:24 afp-path-vuln.nse
-rw-r--r-- 1 root root  5600 Sep 29 02:24 afp-serverinfo.nse
-rw-r--r-- 1 root root  2621 Sep 29 02:24 afp-showmount.nse
-rw-r--r-- 1 root root  2262 Sep 29 02:24 ajp-auth.nse
-rw-r--r-- 1 root root  2983 Sep 29 02:24 ajp-brute.nse
[...]

The scripts fall into 14 categories:

Category     Description
auth         Determination of authentication credentials.
broadcast    Scripts which are used for host discovery by broadcasting; the discovered hosts can be automatically added to the remaining scans.
brute        Executes scripts that try to log in to the respective service by brute-forcing with credentials.
default      Default scripts executed by using the -sC option.
discovery    Evaluation of accessible services.
dos          These scripts are used to check services for denial of service vulnerabilities and are used less as they harm the services.
exploit      This category of scripts tries to exploit known vulnerabilities for the scanned port.
external     Scripts that use external services for further processing.
fuzzer       Uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields; this can take much time.
intrusive    Intrusive scripts that could negatively affect the target system.
malware      Checks if some malware infects the target system.
safe         Defensive scripts that do not perform intrusive or destructive actions.
version      Extension for service detection.
vuln         Identification of specific vulnerabilities.

To run specific scripts or script categories against a port, use the --script flag. To run multiple scripts or categories, separate them with commas.

nmap --script <script>,<script> -p <port> <hosts>

To automatically let Nmap run a set of default scripts on open ports, use the -sC flag.

nmap -sC <hosts>

Sample script scan output:

$ nmap -sC 10.10.122.21
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-27 22:51 -0500
Nmap scan report for 10.10.122.21
Host is up (0.13s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
22/tcp   open     ssh
| ssh-hostkey:
|   256 47:21:73:e2:6b:96:cd:f9:13:11:af:40:c8:4d:d6:7f (ECDSA)
|_  256 2b:5e:ba:f3:72:d3:b3:09:df:25:41:29:09:f4:7b:f5 (ED25519)
53/tcp   open     domain
| dns-nsid:
|   NSID: pdns (70646e73)
|_  id.server: pdns
512/tcp  open     exec
513/tcp  open     login
514/tcp  open     shell
873/tcp  open     rsync
901/tcp  filtered samba-swat
1069/tcp filtered cognex-insight
3000/tcp open     ppp
3306/tcp filtered mysql
8081/tcp filtered blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 33.18 seconds

The -sC option is commonly used alongside -sV. The two options can also be combined into a single -sVC flag.

nmap -sVC <hosts>

OS Enumeration

The -O option tells Nmap to detect the operating system of the host(s) being scanned based on the fingerprints gathered. This option requires root privileges, and the target should have at least one open port and one closed port that Nmap can detect.

sudo nmap -O <hosts>

To combine service enumeration, default script scanning, and OS detection, we can use the aggressive scan option (-A). This scan type requires root privileges and generates a lot of traffic.

sudo nmap -A <hosts>

1.4 - Saving Nmap Output

Learn how to save Nmap output in different formats

Nmap supports three output formats:

Normal (plaintext, .nmap extension):

nmap -oN <filename> <hosts>

Sample:

# Nmap 7.98 scan initiated Thu Oct 30 16:45:40 2025 as: nmap -p- -T5 -oA html_result 10.129.2.49
Warning: 10.129.2.49 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.129.2.49
Host is up (0.056s latency).
Not shown: 64140 closed tcp ports (reset), 1388 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
110/tcp   open  pop3
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
31337/tcp open  Elite

# Nmap done at Thu Oct 30 16:46:36 2025 -- 1 IP address (1 host up) scanned in 55.94 seconds

Grepable (plaintext, .gnmap extension):

nmap -oG <filename> <hosts>

Sample:

# Nmap 7.98 scan initiated Thu Oct 30 16:45:40 2025 as: nmap -p- -T5 -oA html_result 10.129.2.49
Host: 10.129.2.49 ()	Status: Up
Host: 10.129.2.49 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 110/open/tcp//pop3///, 139/open/tcp//netbios-ssn///, 143/open/tcp//imap///, 445/open/tcp//microsoft-ds///, 31337/open/tcp//Elite///
# Nmap done at Thu Oct 30 16:46:36 2025 -- 1 IP address (1 host up) scanned in 55.94 seconds

XML (.xml extension):

<?xml version="1.0" encoding="utf-8"?>
<!doctype nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- nmap 7.98 scan initiated thu oct 30 16:45:40 2025 as: nmap -p- -t5 -oa html_result 10.129.2.49 -->
<nmaprun scanner="nmap" args="nmap -p- -t5 -oa html_result 10.129.2.49" start="1761860740" startstr="thu oct 30 16:45:40 2025" version="7.98" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>
<verbose level="0"/>
<debugging level="0"/>
<hosthint><status state="up" reason="unknown-response" reason_ttl="0"/>
<address addr="10.129.2.49" addrtype="ipv4"/>
<hostnames>
</hostnames>
</hosthint>
<host starttime="1761860741" endtime="1761860796"><status state="up" reason="echo-reply" reason_ttl="63"/>
<address addr="10.129.2.49" addrtype="ipv4"/>
<hostnames>
</hostnames>
<ports><extraports state="closed" count="64140">
<extrareasons reason="reset" count="64140" proto="tcp" ports="1-21,23-58,60-79,81,83-86,88-109,111-138,140-142,144-182,184-185,187-217,219-268,270-353,355-356,358-359,361-375,377-399,401-415,417-434,436-444,446-449,452-564,566-699,701-711,713-743,745-774,776-898,900-1016,1018-1065,1067-1106,1108-1143,1145-1175,1177-1309,1311-1351,1353-1405,1407-1433,1435-1467,1469-1546,1548-1592,1594-1696,1698-1734,1736-1740,1742-1761,1763-1788,1790-1817,1819-1893,1895-1932,1934-1952,1954-2014,2016-2019,2021-2038,2040-2057,2059-2062,2064-2066,2068-2276,2278-2299,2301-2319,2321-2392,2394-2440,2442-2554,2556-2570,2572,2574-2627,2629-2660,2662-2710,2712-2717,2719-2739,2741-2752,2754-2795,2797-2862,2864-2882,2884-2913,2915-2973,2975-3011,3013-3019,3021-3032,3034-3079,3081-3095,3097-3147,3149-3190,3192-3202,3204-3330,3332-3356,3358-3436,3438-3521,3523-3585,3587-3633,3635-3677,3679-3733,3735-3738,3740-3802,3804-3814,3816-3817,3819-3829,3831-3906,3908-3912,3914-4001,4003-4031,4033-4039,4041-4061,4063-4088,4090-4154,4156-4197,4199,4201-4232,4234-4294,4296-4344,4346-4405,4407-4527,4529-4549,4551-4554,4556-4599,4601-4695,4697-4789,4791-4835,4837-4841,4843-4865,4867-4878,4880-4890,4892-4953,4955-4973,4975-4983,4986-5009,5011-5031,5033-5045,5047-5061,5063-5077,5079-5191,5193-5206,5208-5246,5248-5367,5369-5431,5433-5487,5489-5504,5506-5536,5538-5548,5550,5552-5612,5614-5619,5621-5742,5744-5779,5781,5783-5784,5786-5813,5815-5853,5855-5860,5862-5864,5866-5867,5869-5943,5945-5949,5951-5956,5958-5966,5968-5994,5996-6039,6041-6076,6078-6105,6107-6143,6145-6156,6158-6177,6179-6234,6236-6244,6246-6262,6264-6336,6338,6340-6421,6423-6472,6474-6556,6558-6656,6658-6697,6699-6702,6704-6723,6725-6768,6770-6883,6885-6953,6955-7025,7027-7044,7046-7050,7052-7060,7062-7079,7081-7113,7115-7116,7118,7120-7124,7126-7156,7158-7166,7168-7179,7181-7205,7207-7230,7232-7240,7242-7273,7275-7289,7291-7323,7325-7333,7335-7355,7357-7365,7367-7369,7371-7372,7374-7450,7452-7536,7538-7555,7557-7573,7575-7619,7621-7789,7791-784
6,7848-7864,7866-7998,8000-8031,8033-8072,8074-8106,8108-8161,8163-8211,8213-8247,8249-8259,8261-8296,8298-8326,8328-8339,8341-8508,8510-8526,8528,8530-8621,8623-8653,8655-8683,8685-8687,8689-8706,8708-8751,8753-8785,8787-8807,8809-8815,8817-8844,8846,8848-8896,8898-8995,8997-9073,9075-9082,9084-9136,9138-9147,9149-9159,9161-9177,9179-9189,9191-9217,9219-9220,9222-9254,9256-9280,9282-9283,9285-9298,9300,9302-9374,9376-9393,9395-9420,9422-9471,9473-9491,9493-9528,9530-9542,9544-9646,9648-9666,9668-9673,9675-9696,9698-9812,9814-9850,9852-9901,9903-9949,9951-10032,10034-10039,10041-10064,10066-10092,10094-10124,10126-10128,10130-10197,10199-10262,10264-10286,10288-10301,10303-10332,10334-10369,10372,10374-10401,10403-10431,10433-10556,10558-10596,10598-10662,10664-10667,10669-10681,10683-10704,10706-10723,10725-10778,10780-10783,10785-10808,10811-10835,10837-10866,10868-10877,10879-10888,10890-10909,10911-10936,10938-10960,10962-10971,10973-10983,10985-11085,11087-11101,11103-11153,11155-11210,11212,11214-11297,11299-11318,11320-11332,11334-11385,11387-11587,11589-11592,11594-11613,11615-11620,11623-11659,11661-11671,11673-11735,11737-11748,11750,11752-11766,11768-11778,11780-11836,11838-11946,11948-11975,11977,11979-12128,12130-12131,12133-12155,12157-12176,12178-12180,12182-12203,12205-12240,12242-12279,12281-12302,12304-12329,12331-12332,12334,12336-12371,12373-12383,12385-12446,12448-12480,12482-12483,12485-12489,12491-12514,12516-12530,12533-12615,12617-12627,12629-12655,12657-12740,12742-12744,12746-12759,12761-12836,12838-12859,12861-12883,12885-12907,12909-12924,12926-12935,12937-12958,12960-12969,12971-12982,12984-13000,13002-13059,13061-13081,13083-13120,13122-13292,13294-13303,13305-13382,13384-13399,13401-13424,13426-13443,13445-13481,13483-13502,13504-13507,13509-13515,13517-13600,13602-13603,13605-13623,13625-13648,13650-13707,13709-13721,13723-13724,13726-13758,13760-13792,13794-13880,13882-13917,13919-13923,13925-13984,13986-13991,13993-13998,14000-1400
2,14004-14008,14010-14022,14024-14028,14030-14060,14062-14104,14106-14174,14176-14180,14182-14213,14215-14301,14303-14307,14311-14324,14326-14338,14340-14352,14354-14398,14400-14420,14422-14460,14462-14464,14466-14472,14474-14501,14503-14549,14551-14571,14573-14574,14576-14593,14595-14635,14637-14652,14654-14695,14697-14754,14756-14837,14839-14881,14883-14905,14907,14909-14912,14914-14963,14965-14975,14977-14980,14982-14986,14988-15052,15055-15104,15107-15234,15236-15361,15363-15389,15391-15407,15409-15425,15427-15430,15432-15556,15558-15628,15630-15697,15699-15717,15719-15768,15770-15800,15802-15845,15847-15882,15884-15906,15908-15930,15933-15944,15946-15948,15950-15993,15995-16003,16005-16089,16091-16109,16111-16114,16117-16121,16124-16129,16131-16144,16146-16158,16160-16207,16209-16308,16310-16394,16396-16582,16584-16591,16593-16600,16602-16673,16675-16693,16695-16714,16716-16728,16730-16757,16759-16769,16771-16780,16782-16835,16837-16890,16892-16952,16954-16982,16984-17046,17048-17060,17062-17079,17081-17101,17103-17105,17107-17114,17116-17182,17184-17256,17258-17264,17266-17314,17316-17338,17340-17348,17350-17416,17418-17447,17449-17502,17504-17516,17518-17543,17545-17583,17585-17587,17590-17658,17660-17708,17710-17746,17748-17780,17782-17805,17807-17814,17816-17821,17823-17941,17943-17944,17946-18011,18013-18033,18035-18115,18117-18119,18121-18128,18130-18135,18137-18157,18159-18178,18180-18230,18232-18263,18265-18273,18275,18277-18325,18327-18329,18331-18374,18376-18439,18441-18488,18490,18492-18499,18501-18586,18588-18621,18623-18627,18629-18664,18666-18677,18679-18726,18728-18741,18743-18860,18862-18864,18866-18905,18907-18930,18932-18962,18964-19002,19004-19027,19029-19037,19039-19044,19046-19059,19061-19115,19117-19249,19251-19356,19358-19381,19383-19388,19390-19393,19395-19506,19508-19511,19513-19548,19550-19562,19564-19625,19627-19631,19633-19639,19641-19750,19752-19794,19796-19808,19810-19968,19970-19988,19990-20027,20029-20051,20053-20119,20121-20140,
20142-20189,20191-20356,20358-20361,20363-20443,20445-20451,20453-20480,20482-20511,20513-20547,20549-20608,20610-20711,20713-20735,20737-20776,20778-20792,20794-20835,20837-20941,20943-21021,21023-21065,21067-21134,21136-21183,21185-21195,21197-21262,21264-21319,21321-21332,21334-21346,21348-21561,21563-21646,21648-21706,21708-21790,21792-21809,21811-21830,21832-21870,21872-21902,21904-21992,21994-22071,22073-22113,22115-22196,22198-22395,22397-22556,22558-22573,22575-22584,22586-22653,22655-22816,22818-22837,22839-22947,22949-23009,23011-23038,23040-23075,23077-23147,23149,23151-23178,23180-23240,23242-23372,23374-23425,23427-23522,23524-23577,23579-23611,23613-23629,23631-23747,23749-23781,23783-23797,23799-23825,23827-23844,23846-23866,23868-23894,23896-23943,23945-23980,23982-24029,24031-24040,24042-24056,24058-24071,24073-24082,24084-24112,24114-24136,24138-24147,24149-24184,24186-24190,24192-24300,24302-24362,24364-24465,24467-24559,24561-24571,24573-24656,24658-24698,24700-24729,24731-24852,24854-24865,24867-24915,24917-24934,24936-24991,24993-25024,25026-25066,25068-25095,25097-25118,25120-25285,25287-25365,25368-25479,25481-25525,25527-25567,25569-25722,25724-25737,25739-25769,25771-25826,25828-25886,25888-26194,26196-26211,26213-26231,26233-26293,26295-26311,26313-26404,26406-26479,26481-26537,26539-26544,26546-26548,26550-26717,26719-26816,26818-26954,26956-26982,26984-27000,27002-27118,27120-27287,27289,27291-27308,27310-27316,27318-27494,27496-27508,27510-27532,27534-27586,27588-27624,27626-27703,27705-27740,27742-27772,27774-27808,27810-27881,27883-27951,27953-28165,28167-28344,28346,28348-28503,28505-28557,28559-28571,28573-28754,28756-28777,28779-28828,28830-28993,28995-29013,29015-29097,29099-29155,29157-29266,29268-29310,29312-29318,29320-29350,29353-29374,29376-29407,29409-29570,29572-29577,29579-29587,29589-29638,29640-29647,29649-29684,29686-29909,29911-30028,30030-30091,30093-30098,30100-30175,30177-30202,30204-30268,30270-30283,30285-30363,30
365-30399,30401-30510,30512-30570,30572-30582,30584-30604,30606-30657,30659-30661,30663-30665,30667-30671,30673,30675,30677-30697,30699-30737,30739-30786,30788-30849,30851-30852,30854-30885,30887-31007,31009-31037,31039-31139,31141-31259,31261-31313,31315-31336,31338-31404,31406-31506,31508-31525,31527-31609,31611-31698,31700-31826,31828-31855,31857-31878,31880-31909,31911-31914,31916-32094,32096-32105,32107-32141,32143-32173,32175-32190,32192-32234,32236-32337,32339-32370,32372-32387,32389-32454,32456-32624,32626-32718,32720-32763,32765-32799,32801-32889,32891-32946,32948-32984,32986-33057,33059-33176,33178-33228,33230-33252,33254-33279,33281-33348,33350-33363,33365-33372,33374-33490,33492-33503,33505-33674,33676-33784,33786-33809,33811-33878,33880-33890,33892-34011,34013-34014,34016-34031,34033-34055,34057-34086,34088-34130,34132-34245,34247-34268,34270-34305,34307-34309,34311-34382,34384-34491,34493-34572,34574-34620,34622-34634,34636-34643,34645-34662,34664-34704,34706-34877,34879-34890,34892-34980,34982-35141,35143-35207,35209-35229,35231-35250,35252-35253,35255-35307,35309-35312,35314-35489,35491-35801,35803-35819,35821-35823,35825-35889,35891-35933,35935-35946,35948-35961,35963-36026,36028-36089,36091-36116,36118-36148,36150-36215,36218-36399,36401-36405,36407-36450,36452-36559,36561-36565,36567-36571,36573-36630,36632-36874,36876-36881,36883-37062,37064-37153,37155-37311,37313-37318,37320-37371,37373-37492,37494-37641,37643-37747,37749-37761,37763-37860,37862-38023,38025,38027-38126,38128-38182,38184-38186,38188-38256,38258-38326,38328-38439,38441-38525,38527-38687,38689-38842,38844-38941,38943-38974,38976-39034,39036-39060,39062-39065,39067-39071,39073-39151,39153-39171,39174-39194,39196-39329,39331-39380,39382-39391,39393-39410,39412-39517,39519-39547,39549-39578,39580-39809,39812-39823,39825-39974,39976-40054,40056-40204,40206-40287,40289-40297,40299-40300,40302-40320,40322-40363,40365-40369,40371-40491,40493-40561,40563-40580,40582-40606,40608-40611,4061
3-40623,40625-40818,40820-40946,40948-40952,40954-40990,40992-40999,41001-41019,41021-41325,41327-41333,41335,41337-41342,41344-41725,41727-41879,41881-41891,41893-41948,41950-42025,42027-42030,42032-42152,42154-42222,42224-42255,42257-42282,42284,42286-42353,42355-42357,42359-42483,42485-42541,42543-42583,42585-42686,42688-42718,42720-42782,42784-42792,42794-42908,42910-42971,42973-43080,43082-43084,43086-43237,43239-43388,43390-43394,43396-43463,43465-43522,43524-43585,43587-43604,43606-43650,43652-43669,43671-43737,43739-43754,43756-43777,43779-43784,43786-43845,43847-44056,44058-44085,44087-44145,44147-44270,44272-44414,44416-44469,44471-44492,44494-44505,44507-44545,44547-44712,44714-44795,44797-44880,44882-44890,44892-45067,45069-45109,45111-45183,45185-45306,45308-45331,45333-45359,45361-45421,45423-45618,45620-45695,45697-45728,45730-45777,45779-45923,45925-45932,45934-45949,45951-46013,46015-46103,46105-46201,46203-46281,46283-46327,46329-46386,46388-46401,46403-46487,46489-46519,46521-46549,46551-46553,46555-46567,46569-46598,46600-46778,46780-46783,46785-46935,46937-46979,46981-47002,47004-47130,47132-47143,47145-47191,47194-47240,47242-47253,47256-47273,47275-47281,47283-47288,47290-47361,47363-47367,47369-47382,47384-47427,47429-47599,47601-47798,47800-47840,47842-47855,47857-48058,48060-48237,48239-48261,48263-48266,48268-48306,48308-48333,48335-48345,48347-48379,48381-48502,48504-48514,48516-48564,48566-48594,48596-48612,48614-48739,48741-48787,48789-48826,48828-48854,48856-48864,48866-48914,48916-48969,48971-48988,48990-49016,49018-49055,49057-49108,49110-49181,49183-49196,49198-49329,49331-49412,49414-49446,49448-49535,49537-49575,49577-49635,49637-49655,49657-49714,49716-49746,49748-49811,49813-50089,50091-50120,50122-50126,50128-50147,50149-50154,50156-50381,50383-50402,50404-50435,50437-50499,50501-50601,50603-50644,50646-50713,50715-50735,50737-50740,50742-50786,50788-50799,50801-50830,50832-50867,50869-50917,50919-50969,50971-51098,51100-51216,
51218-51352,51354-51469,51471,51473-51506,51508-51532,51534,51536-51547,51549-51602,51604-51619,51621-51640,51642-51796,51798-51833,51835-51845,51847-51873,51875-51979,51981-51996,51998-52054,52056-52193,52195-52292,52294-52370,52372-52422,52424-52506,52508-52557,52559-52568,52570-52571,52573-52632,52634-52710,52712-52718,52720-52809,52811-52843,52845-52937,52939-52952,52954-53023,53025-53081,53083-53089,53091-53119,53121-53149,53151-53161,53163-53232,53234-53253,53255-53284,53286-53313,53315-53409,53411-53425,53427-53434,53436-53463,53465-53525,53527-53559,53561-53650,53652-53713,53716-53717,53719-53744,53747-53850,53852-53930,53932-54004,54006,54008-54043,54045-54095,54097-54102,54105-54237,54239-54276,54278-54288,54290-54314,54316,54318-54392,54394-54426,54428-54510,54512-54530,54532-54563,54565-54615,54617-54623,54625-54695,54697-54767,54769-54870,54872-54912,54914-55002,55004-55026,55028-55043,55045-55049,55051-55084,55086-55125,55127-55178,55180-55256,55258-55272,55274-55284,55286-55300,55302-55303,55305-55377,55379-55394,55396-55520,55522-55537,55539-55548,55550-55578,55580-55595,55597-55605,55607-55645,55647-55654,55656-55689,55691,55693-55734,55736-55764,55766-55782,55784-55802,55804-55818,55820-55848,55850-55860,55862-55917,55919-55922,55924-55961,55963-55987,55989-56067,56069-56080,56082-56244,56246,56248-56332,56334-56384,56386,56388-56504,56506-56568,56570-56763,56765-56773,56775-56885,56887-56923,56925-56942,56944-56960,56962-57050,57052-57129,57131-57174,57176-57240,57242-57255,57257-57260,57262-57275,57277-57315,57318-57366,57368-57486,57488-57489,57491-57504,57506-57514,57516-57546,57548-57581,57583-57632,57634-57653,57655-57742,57744,57746-57837,57839-57857,57859-57952,57954-58027,58029-58174,58176-58211,58213-58228,58230-58270,58272-58298,58300-58336,58338-58374,58376-58379,58381-58386,58388-58394,58396-58483,58485-58569,58571-58573,58575-58634,58636-58733,58735-58796,58798-58902,58904-58916,58918-58983,58985-59125,59127-59136,59138-59220,59222-59
239,59241-59295,59297-59534,59536-59538,59540-59543,59545,59547-59577,59579-59667,59669-59684,59687-59713,59715-59727,59729-59821,59823-59893,59895-59904,59906-59937,59939-59992,59994-60044,60046-60056,60058-60133,60135-60176,60178-60180,60182-60322,60324-60341,60343-60420,60422-60453,60455-60530,60532-60599,60601-60635,60637-60652,60654-60696,60698-60755,60757-60811,60813-60817,60819-60830,60832-60949,60951-60971,60973-61113,61115-61132,61134-61175,61177-61184,61186-61218,61220-61286,61288-61336,61338-61391,61393-61452,61454-61511,61513-61519,61521-61528,61530-61554,61556-61624,61626-61663,61665-61708,61710-61733,61735-61754,61756-61786,61788-61853,61855-61880,61882-61908,61911-61915,61917-61961,61963-61993,61995-62138,62140-62150,62152-62293,62295,62297-62311,62313-62334,62336-62363,62365-62375,62377-62392,62394-62541,62543-62580,62582-62755,62757-62777,62779-62792,62794-62819,62821-62827,62829-62853,62855-62867,62869-62903,62905-62971,62973,62975-63025,63027-63100,63102-63200,63203-63207,63209-63258,63260-63348,63350-63370,63372-63412,63414-63463,63465-63492,63494-63552,63554-63588,63590-63631,63633-63645,63647-63670,63672-63679,63681-63689,63691-63743,63745-63775,63777-63779,63781-63841,63843-63917,63919-64032,64034-64057,64059-64071,64073-64107,64109-64176,64178-64196,64198-64217,64219-64223,64226-64250,64252-64261,64263-64282,64284-64303,64305-64317,64319-64331,64333-64640,64642-64696,64698-64748,64750-64783,64785-64787,64789-64802,64804-64821,64823-64890,64892-64925,64927-64967,64969-64991,64993-65027,65029-65102,65104-65127,65129-65184,65186-65269,65271-65293,65295-65309,65311-65341,65343-65482,65484-65496,65498-65530,65532-65535"/>
</extraports>
<extraports state="filtered" count="1388">
<extrareasons reason="no-response" count="1388" proto="tcp" ports="59,82,87,183,186,218,269,354,357,360,376,400,416,435,450-451,565,700,712,744,775,899,1017,1066,1107,1144,1176,1310,1352,1406,1434,1468,1547,1593,1697,1735,1741,1762,1789,1818,1894,1933,1953,2015,2020,2039,2058,2063,2067,2277,2300,2320,2393,2441,2555,2571,2573,2628,2661,2711,2718,2740,2753,2796,2863,2883,2914,2974,3012,3020,3033,3080,3096,3148,3191,3203,3331,3357,3437,3522,3586,3634,3678,3734,3739,3803,3815,3818,3830,3907,3913,4002,4032,4040,4062,4089,4155,4198,4200,4233,4295,4345,4406,4528,4550,4555,4600,4696,4790,4836,4842,4866,4879,4891,4954,4974,4984-4985,5010,5032,5046,5062,5078,5192,5207,5247,5368,5432,5488,5505,5537,5549,5551,5613,5620,5743,5780,5782,5785,5814,5854,5861,5865,5868,5944,5950,5957,5967,5995,6040,6077,6106,6144,6157,6178,6235,6245,6263,6337,6339,6422,6473,6557,6657,6698,6703,6724,6769,6884,6954,7026,7045,7051,7061,7080,7114,7117,7119,7125,7157,7167,7180,7206,7231,7241,7274,7290,7324,7334,7356,7366,7370,7373,7451,7537,7556,7574,7620,7790,7847,7865,7999,8032,8073,8107,8162,8212,8248,8260,8297,8327,8340,8509,8527,8529,8622,8654,8684,8688,8707,8752,8786,8808,8816,8845,8847,8897,8996,9074,9083,9137,9148,9160,9178,9190,9218,9221,9255,9281,9284,9299,9301,9375,9394,9421,9472,9492,9529,9543,9647,9667,9674,9697,9813,9851,9902,9950,10033,10040,10065,10093,10125,10129,10198,10263,10287,10302,10333,10370-10371,10373,10402,10432,10557,10597,10663,10668,10682,10705,10724,10779,10784,10809-10810,10836,10867,10878,10889,10910,10937,10961,10972,10984,11086,11102,11154,11211,11213,11298,11319,11333,11386,11588,11593,11614,11621-11622,11660,11672,11736,11749,11751,11767,11779,11837,11947,11976,11978,12129,12132,12156,12177,12181,12204,12241,12280,12303,12330,12333,12335,12372,12384,12447,12481,12484,12490,12515,12531-12532,12616,12628,12656,12741,12745,12760,12837,12860,12884,12908,12925,12936,12959,12970,12983,13001,13060,13082,13121,13293,13304,13383,13400,13425,13444,13482,13503,13508,13516,13601,1
3604,13624,13649,13708,13722,13725,13759,13793,13881,13918,13924,13985,13992,13999,14003,14009,14023,14029,14061,14105,14175,14181,14214,14302,14308-14310,14325,14339,14353,14399,14421,14461,14465,14473,14502,14550,14572,14575,14594,14636,14653,14696,14755,14838,14882,14906,14908,14913,14964,14976,14981,14987,15053-15054,15105-15106,15235,15362,15390,15408,15426,15431,15557,15629,15698,15718,15769,15801,15846,15883,15907,15931-15932,15945,15949,15994,16004,16090,16110,16115-16116,16122-16123,16130,16145,16159,16208,16309,16395,16583,16592,16601,16674,16694,16715,16729,16758,16770,16781,16836,16891,16953,16983,17047,17061,17080,17102,17106,17115,17183,17257,17265,17315,17339,17349,17417,17448,17503,17517,17544,17584,17588-17589,17659,17709,17747,17781,17806,17815,17822,17942,17945,18012,18034,18116,18120,18129,18136,18158,18179,18231,18264,18274,18276,18326,18330,18375,18440,18489,18491,18500,18587,18622,18628,18665,18678,18727,18742,18861,18865,18906,18931,18963,19003,19028,19038,19045,19060,19116,19250,19357,19382,19389,19394,19507,19512,19549,19563,19626,19632,19640,19751,19795,19809,19969,19989,20028,20052,20120,20141,20190,20357,20362,20444,20452,20481,20512,20548,20609,20712,20736,20777,20793,20836,20942,21022,21066,21135,21184,21196,21263,21320,21333,21347,21562,21647,21707,21791,21810,21831,21871,21903,21993,22072,22114,22197,22396,22557,22574,22585,22654,22817,22838,22948,23010,23039,23076,23148,23150,23179,23241,23373,23426,23523,23578,23612,23630,23748,23782,23798,23826,23845,23867,23895,23944,23981,24030,24041,24057,24072,24083,24113,24137,24148,24185,24191,24301,24363,24466,24560,24572,24657,24699,24730,24853,24866,24916,24935,24992,25025,25067,25096,25119,25286,25366-25367,25480,25526,25568,25723,25738,25770,25827,25887,26195,26212,26232,26294,26312,26405,26480,26538,26545,26549,26718,26817,26955,26983,27001,27119,27288,27290,27309,27317,27495,27509,27533,27587,27625,27704,27741,27773,27809,27882,27952,28166,28345,28347,28504,28558,28572,28755,28778,288
29,28994,29014,29098,29156,29267,29311,29319,29351-29352,29375,29408,29571,29578,29588,29639,29648,29685,29910,30029,30092,30099,30176,30203,30269,30284,30364,30400,30511,30571,30583,30605,30658,30662,30666,30672,30674,30676,30698,30738,30787,30850,30853,30886,31008,31038,31140,31260,31314,31405,31507,31526,31610,31699,31827,31856,31879,31910,31915,32095,32106,32142,32174,32191,32235,32338,32371,32388,32455,32625,32719,32764,32800,32890,32947,32985,33058,33177,33229,33253,33280,33349,33364,33373,33491,33504,33675,33785,33810,33879,33891,34012,34015,34032,34056,34087,34131,34246,34269,34306,34310,34383,34492,34573,34621,34635,34644,34663,34705,34878,34891,34981,35142,35208,35230,35251,35254,35308,35313,35490,35802,35820,35824,35890,35934,35947,35962,36027,36090,36117,36149,36216-36217,36400,36406,36451,36560,36566,36572,36631,36875,36882,37063,37154,37312,37319,37372,37493,37642,37748,37762,37861,38024,38026,38127,38183,38187,38257,38327,38440,38526,38688,38843,38942,38975,39035,39061,39066,39072,39152,39172-39173,39195,39330,39381,39392,39411,39518,39548,39579,39810-39811,39824,39975,40055,40205,40288,40298,40301,40321,40364,40370,40492,40562,40581,40607,40612,40624,40819,40947,40953,40991,41000,41020,41326,41334,41336,41343,41726,41880,41892,41949,42026,42031,42153,42223,42256,42283,42285,42354,42358,42484,42542,42584,42687,42719,42783,42793,42909,42972,43081,43085,43238,43389,43395,43464,43523,43586,43605,43651,43670,43738,43755,43778,43785,43846,44057,44086,44146,44271,44415,44470,44493,44506,44546,44713,44796,44881,44891,45068,45110,45184,45307,45332,45360,45422,45619,45696,45729,45778,45924,45933,45950,46014,46104,46202,46282,46328,46387,46402,46488,46520,46550,46554,46568,46599,46779,46784,46936,46980,47003,47131,47144,47192-47193,47241,47254-47255,47274,47282,47289,47362,47368,47383,47428,47600,47799,47841,47856,48059,48238,48262,48267,48307,48334,48346,48380,48503,48515,48565,48595,48613,48740,48788,48827,48855,48865,48915,48970,48989,49017,49056,49109,49182
,49197,49330,49413,49447,49536,49576,49636,49656,49715,49747,49812,50090,50121,50127,50148,50155,50382,50403,50436,50500,50602,50645,50714,50736,50741,50787,50800,50831,50868,50918,50970,51099,51217,51353,51470,51472,51507,51533,51535,51548,51603,51620,51641,51797,51834,51846,51874,51980,51997,52055,52194,52293,52371,52423,52507,52558,52569,52572,52633,52711,52719,52810,52844,52938,52953,53024,53082,53090,53120,53150,53162,53233,53254,53285,53314,53410,53426,53435,53464,53526,53560,53651,53714-53715,53718,53745-53746,53851,53931,54005,54007,54044,54096,54103-54104,54238,54277,54289,54315,54317,54393,54427,54511,54531,54564,54616,54624,54696,54768,54871,54913,55003,55027,55044,55050,55085,55126,55179,55257,55273,55285,55301,55304,55378,55395,55521,55538,55549,55579,55596,55606,55646,55655,55690,55692,55735,55765,55783,55803,55819,55849,55861,55918,55923,55962,55988,56068,56081,56245,56247,56333,56385,56387,56505,56569,56764,56774,56886,56924,56943,56961,57051,57130,57175,57241,57256,57261,57276,57316-57317,57367,57487,57490,57505,57515,57547,57582,57633,57654,57743,57745,57838,57858,57953,58028,58175,58212,58229,58271,58299,58337,58375,58380,58387,58395,58484,58570,58574,58635,58734,58797,58903,58917,58984,59126,59137,59221,59240,59296,59535,59539,59544,59546,59578,59668,59685-59686,59714,59728,59822,59894,59905,59938,59993,60045,60057,60134,60177,60181,60323,60342,60421,60454,60531,60600,60636,60653,60697,60756,60812,60818,60831,60950,60972,61114,61133,61176,61185,61219,61287,61337,61392,61453,61512,61520,61529,61555,61625,61664,61709,61734,61755,61787,61854,61881,61909-61910,61916,61962,61994,62139,62151,62294,62296,62312,62335,62364,62376,62393,62542,62581,62756,62778,62793,62820,62828,62854,62868,62904,62972,62974,63026,63101,63201-63202,63208,63259,63349,63371,63413,63464,63493,63553,63589,63632,63646,63671,63680,63690,63744,63776,63780,63842,63918,64033,64058,64072,64108,64177,64197,64218,64224-64225,64251,64262,64283,64304,64318,64332,64641,64697,64749,64784,6
4788,64803,64822,64891,64926,64968,64992,65028,65103,65128,65185,65270,65294,65310,65342,65483,65497,65531"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="110"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="pop3" method="table" conf="3"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="netbios-ssn" method="table" conf="3"/></port>
<port protocol="tcp" portid="143"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="imap" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="elite" method="table" conf="3"/></port>
</ports>
<times srtt="56224" rttvar="355" to="57644"/>
</host>
<runstats><finished time="1761860796" timestr="Thu Oct 30 16:46:36 2025" summary="Nmap done at Thu Oct 30 16:46:36 2025; 1 IP address (1 host up) scanned in 55.94 seconds" elapsed="55.94" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

To have Nmap write all three formats at once, use the -oA <filename_prefix> option. The <filename_prefix> portion is used as the filename of each of the three output files, with the extension of the respective format appended.

nmap -oA <filename_prefix> <hosts>

Formatting XML into HTML

We can use the XML output from Nmap to create an HTML report that is easy to read. The xsltproc command does this: it applies an XSLT stylesheet to the XML output and generates an HTML file.

xsltproc <xml_filename> -o <html_filename>

View of the sample result in the browser:
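The XML output is also easy to consume programmatically. The following is an added example (not code from the original page or from the Nmap project): it parses a constructed sample in the shape of the -oX output above and summarises each host's open ports, separating service names Nmap only looked up in its port table (method="table") from ones it actually probed with -sV (method="probed").

```python
"""Summarise open ports from Nmap -oX output (constructed sample, see lead-in)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the XML shown above; the long ports="..."
# attribute lists are omitted because the summary only needs state and count.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -oX scan.xml 10.129.197.123">
<host>
<status state="up" reason="echo-reply" reason_ttl="63"/>
<address addr="10.129.197.123" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="64"><extrareasons reason="reset" count="64" proto="tcp"/></extraports>
<extraports state="filtered" count="1388"><extrareasons reason="no-response" count="1388" proto="tcp"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="nginx" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="elite" method="table" conf="3"/></port>
</ports>
</host>
<runstats><finished elapsed="55.94" exit="success"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def summarize_hosts(xml_text):
    """Return {address: {"open": [(port, service, confirmed)], "not_shown": {state: count}}}."""
    root = ET.fromstring(xml_text)
    summary = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        info = {"open": [], "not_shown": {}}
        # <extraports> carries the ports Nmap did not list individually.
        for extra in host.iter("extraports"):
            info["not_shown"][extra.get("state")] = int(extra.get("count"))
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            # method="probed" means version detection talked to the service;
            # method="table" is only a lookup of the port number in nmap-services.
            confirmed = svc is not None and svc.get("method") == "probed"
            info["open"].append((int(port.get("portid")), name, confirmed))
        summary[addr_el.get("addr")] = info
    return summary


def unconfirmed_services(summary):
    """Open ports whose service name is only a table guess and deserves a -sV follow-up."""
    return {addr: [p for p, _, ok in h["open"] if not ok] for addr, h in summary.items()}


if __name__ == "__main__":
    result = summarize_hosts(SAMPLE_XML)
    for addr, host in result.items():
        print(addr, "not shown:", host["not_shown"])
        for port, name, confirmed in host["open"]:
            print(f"  {port}/tcp {name} {'(probed)' if confirmed else '(table guess)'}")
    print("needs -sV:", unconfirmed_services(result))
```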

2 - Rustscan

Scan ports faster with Rustscan

Rustscan

Rustscan’s project repo describes it as a modern port scanner. It scans a large batch of ports asynchronously, reducing the overhead from threads and system calls, and so achieves a scanning speed leagues ahead of Nmap. However, Rustscan is not a direct replacement for Nmap, since it lacks much of Nmap’s service-scanning capability. Instead, Rustscan feeds the ports it found open into an Nmap scan, letting the user rely on Nmap for service enumeration or NSE script scans.

Basic Usage

For a basic run, use -a to specify the host(s), which accepts multiple types of arguments:

Single or comma-delimited list of IP addresses:

rustscan -a 127.0.0.1,0.0.0.0

Single or comma-delimited list of hostnames, or hostnames mixed with IP addresses:

rustscan -a www.google.com,127.0.0.1

CIDR subnets:

rustscan -a 192.168.0.0/30

Lastly, the filename of a list of hosts:

# hosts.txt:
192.168.0.1
192.168.0.2
google.com
192.168.0.0/30
127.0.0.1
rustscan -a 'hosts.txt'

Specifying Ports

Use -p to specify individual ports or comma-delimited list of ports:

rustscan -a 127.0.0.1 -p 53
rustscan -a 127.0.0.1 -p 53,80,121,65535

Use -r (or --range) to specify a range of ports:

rustscan -a 127.0.0.1 --range 1-1000

Nmap Arguments

Use -- to separate Rustscan’s own options from the arguments passed to the Nmap run that Rustscan starts after it finishes its own scan.

For example, the following Rustscan command:

rustscan -a 127.0.0.1 -- -A -sC

runs the Nmap command:

nmap -Pn -vvv -p $PORTS -A -sC 127.0.0.1

Performance Tuning

Rustscan is very aggressive out of the box and can trigger defenses that block your IP address. To reduce that risk, we can:

  1. Decrease the batch size: Use the -b <number> argument to specify a smaller batch size.
  2. Increase the timeout: Use the -T <timeout> argument to specify a longer timeout, in milliseconds, so that Rustscan waits longer for each port.

Config File

Rustscan accepts a TOML configuration file in the user’s home directory, allowing the user to specify certain default arguments for each scan. The config file is read from ~/.rustscan.toml.

The following options can be specified:

  • addresses
  • ports
  • range
  • scan_order
  • command
  • accessible
  • greppable
  • batch_size
  • timeout
  • tries
  • ulimit

Example config:

addresses = ["127.0.0.1", "192.168.0.0/30", "www.google.com"]
command = ["-A"]
ports = {80 = 1, 443 = 1, 8080 = 1}
range = { start = 1, end = 10 }
greppable = false
accessible = true
scan_order = "Serial"
batch_size = 1000
timeout = 1000
tries = 3
ulimit = 1000

References

3 - Web Recon

Gathering information on web directories, vhosts, subdomains and technologies

The primary goals of web recon are to:

  • Identify assets (web pages, subdomains, IP address, tech stacks, etc.)
  • Discover hidden information
  • Analyze the attack surface
  • Gather information that can be leveraged for further exploitation.

Similar to recon targeted toward other environments and services, web recon can be categorized into passive and active recon.

  • Passive Recon avoids interacting with the target(s) directly.
  • Active Recon interacts with the target(s) directly.

This article will mainly go over Active Recon techniques.

Subdomain Discovery

Subdomains exist as extensions to a main domain. For example, domain example.com may have subdomains blog.example.com, shop.example.com and so on. Subdomains can be set up to point to the same or different IP addresses as the main domain, making it an easy way to organize and access different network resources.

There are many ways to discover subdomains.

Subdomain Brute Forcing

Subdomain brute forcing takes a wordlist of common subdomain names (dev, blog, admin, mail, etc.), prepends each of them to the main domain and queries the result against a DNS server, either a public one or a private one on the target network.

Tools such as DNSEnum can be used for subdomain brute forcing:

dnsenum --enum <DOMAIN> -f <WORDLIST>

Certificate Transparency Logs

Certificate Transparency (CT) Logs are public, append-only ledgers that record the issuance of TLS certificates. When a Certificate Authority (CA) issues a new certificate, it must submit it to multiple CT logs for anyone to inspect. CT logs exist to maintain trust in the Public Key Infrastructure by exposing rogue certificates and the CAs that issue them.

However, CT logs also provide attackers with a publicly available and definitive list of subdomains.

crt.sh is a simple, web-based search tool for CT Logs. Below is a search result for haoyingcao.xyz, which discovers subdomains leikah.haoyingcao.xyz and www.haoyingcao.xyz among others.
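The same crt.sh search can be pulled as JSON and turned into an asset inventory. The following is an added example (not code from the original page or from crt.sh) that normalises a constructed response for haoyingcao.xyz into the set of in-scope hostnames; it assumes crt.sh’s output=json field names (name_value, not_after) and a fixed reference date. Wildcard entries are kept apart, and names that appear only on already-expired certificates are flagged, since those are the forgotten hosts a defender most wants to find.

```python
"""Normalise crt.sh-style JSON into in-scope hostnames (constructed sample, see lead-in)."""
import json
from datetime import datetime

TARGET = "haoyingcao.xyz"
AS_OF = datetime(2025, 10, 31)  # fixed reference date so the result is reproducible

# Constructed records in the shape of a crt.sh ?output=json response (assumed fields).
# name_value holds all SAN entries of a certificate, newline-separated.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "haoyingcao.xyz", "not_after": "2025-12-01T00:00:00",
     "name_value": "haoyingcao.xyz\nwww.haoyingcao.xyz"},
    {"common_name": "leikah.haoyingcao.xyz", "not_after": "2026-01-15T00:00:00",
     "name_value": "leikah.haoyingcao.xyz"},
    {"common_name": "*.haoyingcao.xyz", "not_after": "2024-03-01T00:00:00",
     "name_value": "*.haoyingcao.xyz\nhaoyingcao.xyz"},
    {"common_name": "WWW.HaoYingCao.xyz.", "not_after": "2023-06-01T00:00:00",
     "name_value": "WWW.HaoYingCao.xyz."},
    {"common_name": "old-shop.haoyingcao.xyz", "not_after": "2022-09-01T00:00:00",
     "name_value": "old-shop.haoyingcao.xyz"},
    {"common_name": "nothaoyingcao.xyz", "not_after": "2026-01-01T00:00:00",
     "name_value": "nothaoyingcao.xyz"},
])


def in_scope(name, domain):
    """True for the apex and any label under it; lookalikes like nothaoyingcao.xyz fail."""
    return name == domain or name.endswith("." + domain)


def hostnames_from_ct(json_text, domain, now):
    """Return (hosts, wildcards, stale): concrete in-scope names, wildcard entries,
    and names that appear only on certificates already expired at `now`."""
    current, stale, wildcards = set(), set(), set()
    for cert in json.loads(json_text):
        expired = datetime.fromisoformat(cert["not_after"]) < now
        for raw in cert["name_value"].split("\n"):
            # Hostnames are case-insensitive; strip a trailing FQDN dot too.
            name = raw.strip().lower().rstrip(".")
            if not in_scope(name, domain):
                continue
            if name.startswith("*."):
                wildcards.add(name)
                continue
            (stale if expired else current).add(name)
    return sorted(current), sorted(wildcards), sorted(stale - current)


def audit_sample():
    return hostnames_from_ct(SAMPLE_CRTSH_JSON, TARGET, AS_OF)


if __name__ == "__main__":
    hosts, wildcards, stale = audit_sample()
    print("hosts:", hosts)
    print("wildcards:", wildcards)
    print("only on expired certs:", stale)
```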

Virtual Host Discovery

Virtual hosts (vhosts) allow web servers to distinguish between multiple websites or applications sharing the same IP address. They are set up inside the web server’s configuration file. The web server then tells requests for different vhosts apart via the HTTP Host header.

Gobuster can be used to brute force vhosts on a web server.

gobuster vhost -u http://<target_IP_address> -w <wordlist_file> --append-domain

File/Directory Discovery

Each website or application contains different files, directories and endpoints. Besides navigating to them like a normal user, we can discover them in several ways:

robots.txt

robots.txt is a simple text file placed in the root of the website (e.g. www.example.com/robots.txt). It tells bots and web crawlers which parts of the website they may or may not crawl. From the attacker’s perspective, robots.txt can help us discover potentially interesting files and directories.

Example robots.txt:

User-agent: *
Disallow: /admin/
Disallow: /private/
Allow: /public/

User-agent: Googlebot
Crawl-delay: 10

Sitemap: https://www.example.com/sitemap.xml

File/Directory Brute Forcing

Directory brute forcing is often effective because many websites share similar directory naming conventions, especially if they are built on commonly available web technologies. Gobuster and Ffuf can be used for this purpose:

Gobuster:

gobuster dir -u <URL> -w <WORDLIST>
  • Useful optional arguments:
    • --follow-redirect: If an endpoint returns a redirect status code (301, 302), gobuster follows the redirect automatically.
    • -x: File extension(s) to add to the brute force; accepts a comma-separated list.
    • -t <THREAD_COUNT>: Adjust the number of threads.
    • -k: Skip TLS validation, useful if the website uses a self-signed certificate.
    • -b: Blacklist status codes; accepts comma-separated lists and ranges.
    • --xl: Blacklist responses with a certain length; accepts comma-separated lists and ranges.

Ffuf is a web fuzzer that can also be used for directory busting. It will replace the keyword FUZZ with each entry in the wordlist.

ffuf -w <WORDLIST> -u <URL>/FUZZ