Bug Bounty Hub
  • 🚀WELCOME
    • Bug Bounty Hub
    • BBH - Values
    • About the author
  • 🕸️PENTESTING WEB
    • Information Gathering
      • Enumerating ASN and IP blocks
      • Reverse IP Lookup
      • Scanning Open Ports/Services
      • Subdomain Enumeration
        • Active Subdomain Enumeration
        • Passive Subdomain Enumeration
        • Subdomain Permutations
        • Check Alive Subdomains
      • Subdomain Takeover
      • Fuzzing
      • JavaScript Files
      • Endpoints
      • Input Parameters
      • Mapping Attack Surface - Crawling/Spider
      • Fingerprinting
      • Potential Vulnerabilities - Nuclei
    • Client-Side Injection Attacks
    • Server-Side Vulnerabilities
      • Path Traversal/File Inclusion
      • Access Control
      • Authentication
      • Server-side Request Forgery (SSRF)
      • File upload vulnerabilities
      • OS Command Injection
      • SQL Injection
        • MySQL Injection
        • SQLi with SQLMap
    • Authentication
    • Insecure Direct Object Reference (IDOR)
    • Cross-Site Request Forgery Attacks
    • Business Logic Flaws
    • HTTP Verb Tampering
    • Bypass 401 & 403
    • Evading WAFs
    • Reporting
  • 🐣THE BASICS OF WEB
    • HTTP Methods
    • HTTP Response Codes
    • HTTP Headers
      • AWS S3 Buckets Headers
    • HTTP Cookies
    • Encoding
      • URL encoding
      • HTML encoding
      • Base 64 encoding
      • Unicode encoding
    • Web Browsers
      • Same-Origin Policy (SOP)
      • Content Security Policy (CSP)
      • Subresource Integrity Check (SIC)
    • Web Proxies
  • 📚RESOURCES
    • Books
    • Web resources
    • CTF Platforms
  • 🏔️Bug Bounty Platforms
Powered by GitBook
On this page
  • 1. Scanning open ports with Masscan
  • 2. Detecting HTTP services with HTTPX
  • 3. Scanning for Service Versions
  • 3.1. Manul testing
  • 3.2. Automated testing
  • Tools

Was this helpful?

  1. PENTESTING WEB
  2. Information Gathering

Scanning Open Ports/Services

Open ports can reveal HTTP servers operating on non-standard ports, wich might be overlooked in standard scans.

1. Scanning open ports with Masscan

masscan --open-only <CIDR> -p1-65535 --rate=10000 \
    --http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
    -oL scan_results.txt

2. Detecting HTTP services with HTTPX

While Masscanreveals open ports, it does not specifies wich of these ports are running HTTP services. To determine this, HTTPX can be applied to the output file of Masscan.

The following command search for TCP ports in Masscan output file and then formats each IP address and Port to be used by HTTPX . 

cat scan_results.txt | grep tcp | awk '{print $4,":",$3}' | tr -d ' ' \
    | httpx -title -sc -cl

3. Scanning for Service Versions

We have already identified the web servers on each IP address, the next step would be to perform a service version scan. For this task, Nmap is the right choice.

3.1. Manul testing

For each HTTPX hit we can run a service scan with Nmap:

nmap -sC -sV <IP> -T4

3.2. Automated testing

The optimal approach is to chain the HTTPX result with Nmap, i.e. to perform only a service scan on those detected ports hosting HTTP services.

In this manner, we do not extend the scanning time by scanning ports that are of no interest to us.

Underconstruction automation

Tools

  • Masscan -> https://github.com/robertdavidgraham/masscan

  • HTTPX -> https://github.com/projectdiscovery/httpx

PreviousReverse IP LookupNextSubdomain Enumeration

Last updated 6 months ago

Was this helpful?

🕸️