PARALLEL SCANNING - Run these simultaneously in separate terminals
Rustscan all TCP ports ~10 min vs nmap full
Phase 0 (Immediate) — Scans all 65535 in seconds, then runs nmap scripts on open ports
rustscan -a $IP -- -sC -sV -oN rustscan.txt
Example Output
Open 10.10.10.5:22,80,445,8080
nmap scan on 4 ports...
Quick nmap while rustscan runs Redundancy
Phase 0 (Immediate) — Backup scan in case rustscan misses filtered ports
nmap -sC -sV -p- --min-rate 5000 $IP -oN full_tcp.txt
Example Output
Use --min-rate 5000 for speed
Still catches filtered ports rustscan may miss
UDP top 20 (background) Runs while you work
Phase 0 (Immediate) — Run in background with &, check later. SNMP/TFTP/DNS are common wins
nmap -sU --top-ports 20 --min-rate 5000 $IP -oN udp.txt &
Example Output
53/udp open domain
161/udp open snmp
(Check these immediately)
Parallel service enum 50% faster overall
Phase 1 (After ports) — Never enumerate one service at a time. Always have 2-3 terminals running different services
# Terminal 1: web enum
gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,txt,html -t 50 -o dirs.txt
# Terminal 2: SMB enum
enum4linux -a $IP | tee smb.txt
# Terminal 3: check exploits
searchsploit <service versions>
Example Output
While gobuster runs:
- Read SMB shares
- Research CVEs
- Check other ports
Auto-scope gobuster to tech stack ~5 min per scan
Phase 1 — Wrong extensions = wasted scan time. Check tech stack FIRST with whatweb or headers
# PHP site:
gobuster dir -x php,php.bak,txt,html,conf
# ASP/IIS site:
gobuster dir -x asp,aspx,config,txt,html
# Java site:
gobuster dir -x jsp,do,action,xml,properties
Example Output
whatweb says PHP/Apache:
Only use php,txt,html extensions
Don't waste time on asp,aspx
Immediate credential check Prevents hours of unnecessary enum
Phase 1 — The SECOND you find any credential, spray it everywhere before doing anything else
# Run against ALL services with found creds
crackmapexec smb $IP -u found_user -p found_pass
crackmapexec winrm $IP -u found_user -p found_pass
crackmapexec ssh $IP -u found_user -p found_pass
smbclient -L //$IP -U found_user%found_pass
Example Output
Found admin:admin on FTP
Try on SSH -> WORKS!
(Skip the web app entirely)