Nmap Full Port Scan Script
“When you need to leave no stone unturned, you scan every port.”
Sometimes the quick scan isn’t enough. When you need comprehensive reconnaissance or when initial scans reveal unexpected services, you need to go deeper. This full port scan script emerged from the need to discover every possible entry point, every hidden service, and every potential vulnerability that might be lurking on non-standard ports.
What This Script Does
This is the comprehensive version of the nmap scanning toolkit. It performs thorough enumeration that:
- Scans all 65535 ports for complete coverage
- Runs comprehensive vulnerability scripts on every open service
- Performs detailed service enumeration with version detection
- Checks for uncommon ports that might hide interesting services
- Generates multiple output formats for different analysis needs
- Provides detailed exploit suggestions based on discovered services
Download the script, or find the repo at nmap-quick.
When to Use Full Scan vs Quick Scan
Quick Scan (nmap-quick-scan.sh)
- Default 1000 ports - covers most common services
- Faster execution - typically 5-15 minutes
- Good for initial reconnaissance and time-sensitive assessments
- Suitable for most targets where standard services are expected
Full Scan (nmap-full-scan.sh)
- All 65535 ports - leaves nothing undiscovered
- Longer execution - typically 30+ minutes
- Comprehensive enumeration for thorough assessments
- Discovers hidden services on non-standard ports
- Required for compliance or detailed security audits
Key Features
Comprehensive Service Detection
The script detects and analyzes a wide range of services:
- Database Services: MySQL, PostgreSQL, Redis, MongoDB
- Web Services: HTTP, HTTPS, WebDAV, custom web apps
- Remote Access: SSH, Telnet, RDP, VNC
- File Services: FTP, SMB, NFS, AFP
- Directory Services: LDAP, Kerberos, Active Directory
- Messaging: SMTP, POP3, IMAP, XMPP
- Custom Applications: Any service on any port
Advanced Exploit Checking
# Extended service detection beyond quick scan
case "$service" in
    "dns")
        print_warning "DNS detected on port $port"
        print_status "Common DNS exploits:"
        echo "  - Zone transfer attempts"
        echo "  - DNS enumeration"
        echo "  - Cache poisoning"
        ;;
    "ldap"|"ldaps")
        print_warning "LDAP detected on port $port"
        print_status "Common LDAP exploits:"
        echo "  - Anonymous bind"
        echo "  - Weak passwords"
        echo "  - Information disclosure"
        ;;
    "kerberos")
        print_warning "Kerberos detected on port $port"
        print_status "Common Kerberos exploits:"
        echo "  - AS-REP roasting"
        echo "  - Kerberoasting"
        echo "  - Golden ticket attacks"
        ;;
    "msrpc"|"rpc")
        print_warning "MSRPC detected on port $port"
        print_status "Common MSRPC exploits:"
        echo "  - Null sessions"
        echo "  - User enumeration"
        echo "  - Share enumeration"
        ;;
esac
Uncommon Port Detection
check_uncommon_ports() {
    local output_file="$1"
    # List of well-known ports for comparison
    local common_ports=(21 22 23 25 53 80 110 143 443 993 995 1433 1521 3306 3389 5432 5900 6379 8080 8443 27017)
    # Check each open TCP port in the normal (-oN) output against the list.
    # Port lines look like "22/tcp   open  ssh     OpenSSH 7.2p2", so match on
    # the port/protocol prefix rather than on the service name.
    grep -E '^[0-9]+/tcp +open' "$output_file" | while read -r line; do
        port=$(echo "$line" | awk '{print $1}' | cut -d'/' -f1)
        if [[ ! " ${common_ports[*]} " =~ " ${port} " ]]; then
            print_warning "Uncommon port $port detected!"
            echo "  $line"
        fi
    done
}
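As an added example (not code from the original script), the same check can be run against the grepable .gnmap file the scan already writes. Its fixed `port/state/protocol/owner/service/rpcinfo/version` fields mean a service name such as "tcpwrapped" can never be mistaken for a port line, and the well-known-port list is the one the script uses; the sample .gnmap content below is constructed.

```shell
#!/bin/sh
# Added example, not part of nmap-full-scan.sh: read the .gnmap file the scan
# writes and report open TCP ports, flagging any outside the script's
# well-known-port list. A gnmap port entry looks like
#   22/open/tcp//ssh//OpenSSH 7.2p2/
# (port/state/protocol/owner/service/rpcinfo/version).

# Same well-known ports the original script compares against.
COMMON_PORTS="21 22 23 25 53 80 110 143 443 993 995 1433 1521 3306 3389 5432 5900 6379 8080 8443 27017"

# Print "<port> <service>" for every open TCP port in a .gnmap file.
# Only entries whose state is exactly "open" and protocol "tcp" are kept.
open_tcp_ports() {
    grep -oE '[0-9]+/open/tcp//[^/]*' "$1" \
        | awk -F'/' '{ print $1, ($5 == "" ? "unknown" : $5) }'
}

# Keep only the open ports that are not in COMMON_PORTS.
uncommon_ports() {
    open_tcp_ports "$1" | while read -r port service; do
        case " $COMMON_PORTS " in
            *" $port "*) ;;                 # well-known port, skip it
            *) echo "$port $service" ;;
        esac
    done
}

# Write a constructed single-host .gnmap (not a real scan) and print its path.
# Real files separate the Host / Ports / Ignored State columns with tabs.
write_sample_gnmap() {
    gnmap_tmp=$(mktemp)
    {
        echo '# Nmap scan initiated (constructed sample)'
        echo 'Host: 10.10.10.10 ()  Status: Up'
        echo 'Host: 10.10.10.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/, 3306/open/tcp//mysql//MySQL 5.7.28/, 1337/open/tcp//tcpwrapped///, 8080/open/tcp//http//nginx 1.16.1/, 4444/open/tcp/////, 25/filtered/tcp//smtp///  Ignored State: closed (65528)'
    } > "$gnmap_tmp"
    echo "$gnmap_tmp"
}

sample=$(write_sample_gnmap)
echo "Open TCP ports:";  open_tcp_ports "$sample"
echo "Uncommon ports:";  uncommon_ports "$sample"
rm -f "$sample"
```

On the constructed sample this lists six open ports and flags 1337 (tcpwrapped) and 4444 (no service name), while the filtered port 25 is ignored.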
Usage
Basic Usage
# Scan all ports with default settings
./nmap-full-scan.sh 10.10.10.10
# Scan with custom output filename
./nmap-full-scan.sh 10.10.10.10 my_comprehensive_scan
Prerequisites
# Install nmap (if not already installed)
sudo apt update
sudo apt install nmap
# Install exploitdb for additional exploit checking
sudo apt install exploitdb
The Full Scan Process
1. Pre-Scan Confirmation
# Script asks for confirmation due to long runtime
read -p "Are you sure you want to scan all 65535 ports? This will take a long time! (y/N): " -n 1 -r
2. Comprehensive Scanning
# Full port scan with optimized settings
sudo nmap -sS -sV -O -p- --script=vuln,auth,default,discovery,version \
--script-args=unsafe=1 \
--min-rate=1000 \
--max-retries=2 \
-oN "$output_file" \
-oX "${output_file%.txt}.xml" \
-oG "${output_file%.txt}.gnmap" \
"$target"
3. Detailed Analysis
- Service enumeration on every open port
- Version detection for all discovered services
- Vulnerability assessment using nmap scripts
- Exploit suggestions based on service and version
- Uncommon port identification for further investigation
Example Output
[*] Starting HTB Nmap Full Scan
[*] Target: 10.10.10.10
[*] Output file: nmap_full_scan_20240101_143022.txt
[!] This scan will take a very long time (30+ minutes)
Are you sure you want to scan all 65535 ports? This will take a long time! (y/N): y
[*] Starting nmap full scan on 10.10.10.10...
[*] Scanning all 65535 ports with service detection and vulnerability scripts...
[!] This scan will take significantly longer than a quick scan!
[+] Nmap full scan completed successfully!
[*] Results saved to:
- nmap_full_scan_20240101_143022.txt (normal format)
- nmap_full_scan_20240101_143022.xml (XML format)
- nmap_full_scan_20240101_143022.gnmap (grepable format)
[*] Parsing nmap results and checking for exploits...
[+] Found ssh on port 22 (version: OpenSSH 7.2p2)
[+] Found http on port 80 (version: Apache httpd 2.4.18)
[+] Found mysql on port 3306 (version: MySQL 5.7.28)
[+] Found redis on port 6379 (version: Redis 5.0.7)
[+] Found http on port 8080 (version: nginx 1.16.1)
[!] Uncommon port 1337 detected!
[+] Found tcpwrapped on port 1337 (version: unknown)
[*] Checking for uncommon ports...
[!] Uncommon port 1337 detected!
tcpwrapped tcp 1337 open
[*] Generating summary report...
[+] Summary report saved to: nmap_full_scan_20240101_143022_summary.txt
[+] Full scan completed! Check the output files for detailed results.
Technical Details
Scan Optimization
# Optimized settings for comprehensive scanning
--min-rate=1000 # Minimum scan rate for efficiency
--max-retries=2 # Reduce retries to speed up scan
-p- # Scan all 65535 ports
--script=vuln,auth,default,discovery,version # Comprehensive script suite
Output Formats
- Normal format (.txt): Human-readable output
- XML format (.xml): Machine-readable for automation
- Grepable format (.gnmap): Easy parsing with grep
- Summary report (.txt): Key findings and statistics
Performance Considerations
- Scan time: 30+ minutes for full port scan
- Network impact: High bandwidth usage
- Target impact: May trigger IDS/IPS alerts
- Resource usage: High CPU and memory consumption
Code Preview
#!/bin/bash
# HTB Nmap Full Scan Script
# Scans all 65535 ports with service enumeration and exploit checking
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Output helpers used throughout the script ([*] status, [+] success, [!] warning)
print_status()  { echo -e "${BLUE}[*]${NC} $1"; }
print_success() { echo -e "${GREEN}[+]${NC} $1"; }
print_warning() { echo -e "${YELLOW}[!]${NC} $1"; }
# Function to run nmap full scan
run_nmap_full_scan() {
    local target="$1"
    local output_file="$2"
    print_status "Starting nmap full scan on $target..."
    print_status "Scanning all 65535 ports with service detection and vulnerability scripts..."
    print_warning "This scan will take significantly longer than a quick scan!"
    # Run nmap with comprehensive options for full port scan
    sudo nmap -sS -sV -O -p- --script=vuln,auth,default,discovery,version \
        --script-args=unsafe=1 \
        --min-rate=1000 \
        --max-retries=2 \
        -oN "$output_file" \
        -oX "${output_file%.txt}.xml" \
        -oG "${output_file%.txt}.gnmap" \
        "$target"
}
# Function to check for uncommon ports
check_uncommon_ports() {
    local output_file="$1"
    print_status "Checking for uncommon ports..."
    # List of well-known ports; anything open outside this list is reported
    local common_ports=(21 22 23 25 53 80 110 143 443 993 995 1433 1521 3306 3389 5432 5900 6379 8080 8443 27017)
    # Port lines in the normal output look like "22/tcp   open  ssh     OpenSSH 7.2p2"
    grep -E '^[0-9]+/tcp +open' "$output_file" | while read -r line; do
        port=$(echo "$line" | awk '{print $1}' | cut -d'/' -f1)
        # Report the port if it is not in the well-known list
        if [[ ! " ${common_ports[*]} " =~ " ${port} " ]]; then
            print_warning "Uncommon port $port detected!"
            echo "  $line"
        fi
    done
}
# Main script with confirmation
main() {
    # ... validation and setup ...
    # Ask for confirmation due to long runtime
    read -p "Are you sure you want to scan all 65535 ports? This will take a long time! (y/N): " -n 1 -r
    echo
    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
        print_status "Scan cancelled. Consider using the quick scan script instead."
        exit 0
    fi
    # Execute full scan
    run_nmap_full_scan "$target" "$output_file"
    parse_and_check_exploits "$output_file"
    check_uncommon_ports "$output_file"
    generate_summary "$output_file" "$target"
}
main "$@"
Ethical Considerations
This script is designed for:
- Comprehensive security assessments and penetration testing
- Compliance audits requiring full port enumeration
- Thorough reconnaissance when quick scans are insufficient
- Research and educational purposes in network security
Important Notes:
- Long scan time - plan accordingly
- High network impact - may trigger security alerts
- Use responsibly - only on authorized targets
- Consider timing - avoid peak usage hours
Troubleshooting
Scan Taking Too Long
# Check network connectivity (a fixed number of probes, so the check terminates)
ping -c 3 "$target"
# Verify nmap is working against a single port first
nmap -p 80 "$target"
Memory Issues
# Monitor system resources
htop
free -h
Network Timeouts
# Adjust scan rate
--min-rate=500 # Slower but more reliable
--max-retries=1 # Fewer retries
No Results
- Check if target is reachable
- Verify firewall settings
- Ensure proper permissions for SYN scanning
Integration with Other Tools
This script works well with:
- Quick scan results: Use full scan to investigate findings
- Service-specific tools: Follow up on discovered services
- Vulnerability scanners: Complement with detailed assessments
- Manual testing: Guide focused exploitation efforts
Next Steps
After completing a full scan:
- Analyze uncommon ports for hidden services
- Research discovered services for specific vulnerabilities
- Run service-specific enumeration tools
- Plan targeted exploitation based on findings
- Document all findings for comprehensive reporting
Remember: A full port scan is a powerful tool, but it’s just the beginning. The real work starts with understanding and exploiting what you’ve discovered.
This script is part of my comprehensive reconnaissance toolkit. It’s designed for thorough enumeration when you need to leave no stone unturned.
Question loudly so others can learn quietly. Stay curious. Stay loud.
Don’t Be A Skid -Zero