Pentest List Wiki
  • What is Pentest List Wiki?
  • OFFENSIVE SECURITY
    • External Infrastructure
      • Discovery
        • Email Address Discovery
        • Subdomain Discovery
        • Data Discovery
        • Port & Service Discovery
      • Exploitation
        • Password Spraying
        • Vulnerability Scanning
    • Internal Infrastructure
      • General Discovery
        • AD Attack Path Discovery
        • Port & Service Discovery
      • Credential Discovery
        • Passwords and NetNTLM
        • SAM & LSA secrets
        • NTDS.dit secrets
        • LSASS secrets
        • DCSync
        • DPAPI secrets
      • Movement
        • Credential Spraying
        • SMB Relaying
        • Pass The Hash
      • Infiltration/Exfiltration
        • Pivoting (Proxying)
    • Web Application
      • Discovery
        • Testing API Keys
        • Vulnerability Scan
        • Web Content Discovery
        • Parameter Discovery
        • VHOST Discovery
        • CMS Scanners
      • Exploitation
        • Authentication
          • Email Address Forms
          • AWS Cognito
        • JSON Web Tokens
        • Injection Attacks
          • SQL Injection
          • Cross-Site Scripting
          • HTTP Headers
      • Bypasses
        • Cloudflare Bypass
        • HTTP 403 Bypass
    • Mobile (iOS/Android)
      • iOS
        • IPA Decryption
        • Filesystem Analysis
        • Static Analysis
    • Cloud
      • AWS
        • Vulnerability Scanners
        • S3 Buckets
      • Azure
        • Vulnerability Scanners
        • m365 & Entra ID
  • DEFENSIVE SECURITY
    • Forged Kerberos Tickets
    • Logon Event Visualisation
Powered by GitBook
On this page
  1. OFFENSIVE SECURITY
  2. Internal Infrastructure
  3. General Discovery

Port & Service Discovery

How to find open ports and services on an internal network.

PreviousAD Attack Path DiscoveryNextCredential Discovery

Last updated 12 months ago

NMAP

The best method to find open ports and services remains to be NMAP.

Quick Discovery Scan

This scan will only look for common TCP/UDP ports and uses a faster ping scan method.

nmap -sn -T4 -PE -PM -PP -PU53,69,161,500,514,520,1434 -PA21,22,23,25,53,80,443,513,8080,3389 -PS21,22,23,25,53,80,443,513,8080,3389 -n -r -vv -oA discovery -iL ipfile.txt

This scan will perform a thorough assessment and attempt to find any and all ports.

Longer Full Scan

nmap -sT -n -Pn -p- -T3 --randomize-hosts --min-hostgroup 96 --max-retries 3 --min-parallelism 64 --max-scan-delay=5s --open -oA Full-TCP-Scan -iL ip-list.txt -vvv

https://nmap.org/