Scanning Open Ports/Services

A full-range port scan can reveal HTTP servers listening on non-standard ports, which a default top-ports scan or a crawl limited to 80 and 443 would never see.

1. Scanning open ports with Masscan

masscan --open-only <CIDR> -p1-65535 --rate=10000 \
    --http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
    -oL scan_results.txt

Masscan needs raw-socket access, so run it as root. --open-only keeps only open ports in the output, and -oL writes one line per result in the list format "open tcp <port> <ip> <timestamp>", which is easy to parse in the next step. --rate is in packets per second; 10000 is loud and can trip rate limits or an IDS, so lower it on fragile or monitored networks. Note that --http-user-agent only takes effect when banner grabbing is enabled with --banners; in a pure port scan like this one Masscan never sends an HTTP request.

2. Detecting HTTP services with HTTPX

While Masscan reveals open ports, it does not say which of them are running HTTP services. To determine this, HTTPX (the ProjectDiscovery HTTP prober) can be run against Masscan's output file.

The following command selects the open TCP entries in the Masscan output file and formats each IP address and port as ip:port, the input format HTTPX expects. -silent suppresses the HTTPX banner, and -title, -sc and -cl print the page title, status code and content length of every host that answers HTTP.

awk '/^open tcp/ {print $4":"$3}' scan_results.txt \
    | httpx -silent -title -sc -cl

If the Python HTTPX library is also installed, its command-line tool of the same name may shadow the ProjectDiscovery binary; check with httpx -version that the right one is on your PATH.

3. Scanning for Service Versions

Having identified the web servers and the ports they listen on, the next step is a service version scan, and Nmap is the right tool for it.

3.1. Manual testing

For each HTTPX hit we can run a script and version scan with Nmap. Pass the discovered port explicitly: without -p, Nmap scans only its default top 1000 ports and would miss exactly the non-standard port that Masscan uncovered.

nmap -sC -sV -p <PORT> -T4 <IP>

3.2. Automated testing

The better approach is to chain the HTTPX result into Nmap, so that Nmap performs a service scan only on the ports that were confirmed to host HTTP services.

This keeps the scanning time down, because Nmap never touches ports that are of no interest to us.
