Penetration testers often find themselves in situations where they have limited access to tools and utilities on the compromised system. In these cases, having a tool that relies on basic built-in features like bash, ping, /dev/tcp, and nc (netcat) allows the tester to perform essential network reconnaissance without arousing suspicion or attracting unwanted attention.
lolnetscan is a simple yet powerful network scanner written in Bash. It allows you to scan hosts for open ports using TCP or UDP protocols. The tool is designed to be lightweight and efficient, making it useful for various network scanning tasks.
The benefits of using lolnetscan in penetration testing include:
- Stealthy Reconnaissance: The script leverages common Linux utilities and basic network commands, making it less likely to raise suspicions during a security assessment.
- Minimizes Footprint: Since it uses existing tools and features, there's no need to upload additional scanning tools, minimizing the digital footprint on the target system.
- Quick Assessment: The script allows for quick assessment of live hosts and open ports, enabling penetration testers to focus on further exploitation.
- Customization: Penetration testers can modify the script according to their specific requirements and add features as needed.
- Resource-Friendly: The script is lightweight and doesn't require extensive system resources, making it suitable for low-resource environments.
- Learning Experience: Developing and using a custom script like this can enhance the penetration tester's understanding of network scanning techniques and bash scripting.
To scan for open ports on one or more target hosts, run the lolnetscan.sh script with the appropriate options:
./lolnetscan.sh -host <target> [-p <ports>] [-u]Options:
-host <target>: Specify the target host(s) using comma, dash, or CIDR notation.-p <ports>: Specify the port number(s) using comma or dash.-u: Use UDP protocol for port scanning (default is TCP).
For example, to scan TCP ports 80 and 443 on hosts 192.168.0.1 and 192.168.0.2, use:
./lolnetscan.sh -host 192.168.0.1,192.168.0.2 -p 80,443Port range separated by dash also supported
To scan UDP ports 53, 123, and 161 on a range of hosts, use:
./lolnetscan.sh -host 192.168.0.1-192.168.0.10 -p 53,123,161 -uCIDR notation also supported (Ex: 192.168.0.1/24)
You can run the lolnetscan script directly from GitHub without downloading or installing it on the target system. Use the following one-liner command:
bash <(curl -sSL https://raw.githubusercontent.com/ousbaailyas/lolnetscan/master/lolnetscan) -host <target> [-p <ports>] [-u]Installing it
git clone https://github.com/ousbaailyas/lolnetscan
chmod +x lolnetscan/lolnetscan
lolnetscan/lolnetscan -host <target> [-p <ports>] [-u]Here's an example of the output you may see while running the script:
[INF] Host 192.168.0.1 is alive
[INF] Open TCP port 192.168.0.1:80
[INF] Closed or filtered UDP port 192.168.0.1:443- This tool uses the
bashshell's built-in/dev/tcpfeature for TCP ornetcatfor UDP protocols without usingping. - Option to discover live hosts without port enumeration using
ping
This project is licensed under the MIT License.
Contributions are welcome! If you find any issues or want to add features or improvements, feel free to create a pull request.