Port Scanning¶
TCP Port Scan¶
The following examples scan TCP ports for both, IPv4 and IPv6:
# scan ports by selection: 80, 443 and 8080
pwncat -z 10.0.0.1 80,443,8080
# scan ports by range: 1-65535
pwncat -z 10.0.0.1 1-65535
# scan ports by increment: 1+1023 (1 and the next 1023 ports)
pwncat -z 10.0.0.1 1+1024
UDP Port Scan¶
The following examples scan UDP ports (-u
) for both, IPv4 and IPv6:
# scan ports by selection: 80, 443 and 8080
pwncat -z 10.0.0.1 80,443,8080 -u
# scan ports by range: 1-65535
pwncat -z 10.0.0.1 1-65535 -u
# scan ports by increment: 1+1023 (1 and the next 1023 ports)
pwncat -z 10.0.0.1 1+1024 -u
IPv4 or IPv6 Port Scan¶
By default the port scanning will scan for both, IPv4 and IPv6. If you want to explicitly scan either of them only, you can append either -4
or -6
. This works for TCP and UDP.
# scan IPv4 ports only
pwncat -z 10.0.0.1 80,443,8080 -4
# scan IPv6 ports only
pwncat -z 10.0.0.1 80,443,8080 -6
Version detection¶
pwncat
also supports basic version detection by grabbing the and parsing the banner of a listening service (--banner
). This of course is not as accurate as nmap
’s version detection as it does not do any fingerprinting, but for basic detection works moderately well.
# Port scan and detect running versions
pwncat -z 10.0.0.1 80,443,8080 --banner
UDP Scan Performance¶
In UDP mode pwncat
is insanely fast detecting open ports compared to other scanners.
Note
Due to its aggressively fast scanning behaviour, pwncat sometimes might give false positive results when detecting open UDP ports.
The following ports are exposed¶
$ sudo netstat -ulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:39856 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp6 0 0 :::1053 :::*
udp6 0 0 :::5353 :::*
udp6 0 0 :::57728 :::*
nmap performance¶
$ time sudo nmap -T5 localhost --version-intensity 0 -p- -sU
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-24 17:03 CEST
Warning: 127.0.0.1 giving up on port because retransmission cap hit (2).
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000035s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 65529 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
631/udp open|filtered ipp
1053/udp open|filtered remote-as
5353/udp open|filtered zeroconf
39856/udp open|filtered unknown
40488/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 179.15 seconds
real 2m52.446s
user 0m0.844s
sys 0m2.571s
netcat performance¶
$ time nc -z localhost 1-65535 -u -4 -v
Connection to localhost 68 port [udp/bootpc] succeeded!
Connection to localhost 631 port [udp/ipp] succeeded!
Connection to localhost 1053 port [udp/*] succeeded!
Connection to localhost 5353 port [udp/mdns] succeeded!
Connection to localhost 39856 port [udp/*] succeeded!
real 0m18.734s
user 0m1.004s
sys 0m2.634s
pwncat performance¶
$ time pwncat -z localhost 1-65535 -u -4
Scanning 65535 ports
[+] 68/UDP open (IPv4)
[+] 631/UDP open (IPv4)
[+] 1053/UDP open (IPv4)
[+] 5353/UDP open (IPv4)
[+] 39856/UDP open (IPv4)
real 0m7.309s
user 0m6.465s
sys 0m4.794s