# Host Discovery

## Outside Discovery

In this situation you have some **scope of IPs** (maybe even several **ranges**) and you just need to find out **which IPs are responding**.

### ICMP

You can try sending some **ICMP** packets and **waiting for responses**. The easiest way is to send an **echo request** and wait for the **echo reply**.

You can also use **nmap** to send other ICMP types (timestamp and address-mask requests); this gets past filters that only drop the common echo request/reply pair.

```bash
ping -c 1 199.66.11.4    # 1 echo request to a single host
fping -g 199.66.11.0/24  # Send echo requests to a whole range
nmap -PE -PP -PM -sn -n 199.66.11.0/24 # Echo, timestamp and address-mask requests (-sn replaces the deprecated -sP)
nmap -sn -n <CIDR> <CIDR> <CIDR> -oG - | awk '/Status: Up/{print $2}' > outputfile.txt # Keep only live hosts; if ICMP is filtered add TCP SYN pings, e.g. -PS22,80,443
nmap -T4 -sF --send-ip --reason 1.2.3.4/24 -oX new-out.xml # FIN scan: a RST from a closed port proves the host is up; --reason records why nmap decided each state
```
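The grepable (`-oG`) output above is what you usually feed into the next stage, so it is worth having a reusable way to turn it into a host list. The script below is an added example, not part of the original page: `gnmap_up_hosts` extracts the IPs nmap marked `Up`, and `sweep` shows the ICMP-first, TCP-SYN-ping-fallback pattern you use when echo requests are filtered. The `-oG` sample is constructed by hand to mimic nmap's format (real runs need root and a network, and `sweep` is defined but never called here).

```bash
#!/usr/bin/env bash
# Added example (not from the original page): parse nmap -oG output into a
# clean list of live hosts, and fall back to TCP SYN pings when ICMP is filtered.
set -u

# Constructed sample mimicking `nmap -v -sn -n -oG - 199.66.11.0/29`;
# with -v nmap also lists Down hosts, which the parser must skip.
SAMPLE_GNMAP=$(cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -v -sn -n -oG - 199.66.11.0/29
Host: 199.66.11.1 ()    Status: Up
Host: 199.66.11.2 ()    Status: Down
Host: 199.66.11.4 ()    Status: Up
Host: 199.66.11.5 ()    Status: Up
# Nmap done -- 8 IP addresses (3 hosts up) scanned in 1.20 seconds
EOF
)

# One IP per line for every host nmap marked Up. Comment lines and Down
# hosts are dropped; duplicates from overlapping ranges are collapsed, so
# the result can go straight back into nmap/masscan with -iL.
gnmap_up_hosts() {
    awk '/^Host:/ && /Status: Up/ {print $2}' | LC_ALL=C sort -u
}

# Number of responders, for a quick sanity check after a sweep.
gnmap_up_count() {
    gnmap_up_hosts | wc -l | tr -d ' '
}

# ICMP sweep first (echo, timestamp, address mask), then a TCP SYN/ACK ping
# to ports that are rarely filtered. Hosts answering either probe are merged.
# Needs root for raw sockets; NOT executed by this script.
sweep() {
    out="$1"; shift
    nmap -sn -n -PE -PP -PM "$@" -oG - | gnmap_up_hosts > "$out.icmp"
    nmap -sn -n -PS22,80,443 -PA80,443 "$@" -oG - | gnmap_up_hosts > "$out.tcp"
    LC_ALL=C sort -u "$out.icmp" "$out.tcp" > "$out"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | gnmap_up_hosts
```

In practice the only change from the one-liner above is that `sweep` runs the TCP-ping pass over the same ranges rather than a separate `-sS` port scan: `-sn` with `-PS`/`-PA` marks a host up on either a SYN/ACK or a RST, so closed ports count as evidence too.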

### TCP Port Discovery

It's very common to find that all ICMP traffic is filtered. Then the only way left to check whether a host is up is to **try to find open ports**.

```bash
# Use masscan to scan nmap's top 20 TCP ports (plus 20/ftp-data) across a /24 (takes less than 5 min at the default rate; needs root)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24
```

### UDP Port Discovery

```bash
nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# -F limits the scan to the 100 most common UDP ports
# -sV makes nmap send the known service probes for each port, which draws replies where a bare UDP scan sees only silence
# --version-intensity 0 restricts this to the most likely probe per port, keeping the scan fast
```

### HTTP Port Discovery

This is just a TCP port discovery that is useful when you want to **focus on discovering HTTP services**:

```bash
masscan -p80,443,8000-8100,8443 199.66.11.0/24
```
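Both masscan runs on this page (the top-20 TCP sweep and the HTTP-focused one) produce the same record format, so one post-processing script serves both. The following is an added example, not part of the original page: it reads masscan's list output (`-oL`, records of the form `open <proto> <port> <ip> <timestamp>`), derives the live-host list that TCP port discovery is really after, groups ports per host for a targeted follow-up, and turns the HTTP ports into URLs for a web scanner. The records are constructed by hand, and the plain-vs-TLS scheme choice is a heuristic of this script, not something masscan reports.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): post-process masscan -oL output.
set -u

# Constructed sample in masscan's list format: "open <proto> <port> <ip> <timestamp>".
SAMPLE_MASSCAN=$(cat <<'EOF'
#masscan
open tcp 443 199.66.11.4 1700000000
open tcp 80 199.66.11.4 1700000001
open tcp 22 199.66.11.9 1700000001
open tcp 8080 199.66.11.4 1700000002
open tcp 3389 199.66.11.23 1700000003
# end
EOF
)

# One IP per line: any host with at least one open port is up, which is
# exactly what TCP port discovery is being used to prove.
masscan_up_hosts() {
    awk '$1 == "open" {print $4}' | LC_ALL=C sort -u
}

# "ip port,port,..." per host with ports ascending, ready to drive a
# targeted follow-up such as `nmap -sV -p <ports> <ip>`.
masscan_ports_by_host() {
    awk '$1 == "open" {print $4, $3}' \
      | LC_ALL=C sort -t' ' -k1,1 -k2,2n \
      | awk '{
            if ($1 != host) { if (host != "") print host, ports; host = $1; ports = $2 }
            else ports = ports "," $2
          }
          END { if (host != "") print host, ports }'
}

# HTTP-focused results as URLs. Scheme is a heuristic (assumption of this
# script): 443 and 8443 are treated as TLS, 80 and 8000-8100 as plain HTTP;
# everything else is dropped. Same port set as the masscan command above.
masscan_http_urls() {
    awk '$1 == "open" && $2 == "tcp" {
            p = $3 + 0
            if (p == 443 || p == 8443) s = "https"
            else if (p == 80 || (p >= 8000 && p <= 8100)) s = "http"
            else next
            print s "://" $4 ":" p
         }' | LC_ALL=C sort -u
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_MASSCAN" | masscan_ports_by_host
```

Usage on a real run is `masscan -oL scan.lst ... && masscan_ports_by_host < scan.lst`; if you enable `--banners`, masscan emits additional `banner` records, which these filters ignore because they only match `open`.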

### SCTP Port Discovery

```bash
# Rarely useful, but it's fast, so why not try it? -sY is an SCTP INIT scan; --open reports only open ports
nmap -T4 -sY -n --open -Pn <IP/range>
```

## Inside Discovery

If you are inside the network, one of the first things you will want to do is **discover other hosts**. Depending on **how much noise** you can afford to make, different actions are possible:

{% tabs %}
{% tab title="Active - ARP scans" %}
```bash
nmap -sn 192.168.16.0/24        # On a local segment nmap discovers hosts with ARP requests, not ICMP
netdiscover -r 192.168.16.0/24  # Active ARP sweep of the range
arp-scan 192.168.16.0/24        # ARP sweep that also prints MAC addresses and vendors
nbtscan -r 192.168.16.0/24      # NetBIOS name queries, answered by Windows hosts
alive6 eth0                     # Send an ICMPv6 echo request to the all-nodes multicast address
```
{% endtab %}

{% tab title="Passive" %}
```bash
netdiscover -p                   # Only listen for ARP traffic, send nothing
p0f -i eth0 -p -o /tmp/p0f.log   # Passive OS fingerprinting of observed traffic (-p: promiscuous mode)
```
{% endtab %}
{% endtabs %}
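Before the passive tools, the quietest option of all is to read what the kernel already knows: the neighbour cache fills up from normal traffic, and querying it sends nothing on the wire. The script below is an added example, not part of the original page, showing how to turn `ip neigh show` output on Linux into a host list while discarding entries that only prove *we* tried to reach something. The sample is constructed to mimic `ip neigh` output and is not a real capture.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): passive inside discovery by
# parsing the Linux neighbour cache instead of sending ARP/ICMPv6 probes.
set -u

# Constructed sample mimicking `ip neigh show`. FAILED entries have no lladdr.
SAMPLE_NEIGH=$(cat <<'EOF'
192.168.16.1 dev eth0 lladdr 00:50:56:c0:00:08 REACHABLE
192.168.16.37 dev eth0 lladdr 08:00:27:3b:9d:aa STALE
192.168.16.200 dev eth0  FAILED
192.168.16.5 dev eth0 lladdr 52:54:00:12:34:56 DELAY
fe80::a00:27ff:fe3b:9daa dev eth0 lladdr 08:00:27:3b:9d:aa router STALE
EOF
)

# "ip mac" for every neighbour with a resolved link-layer address.
# FAILED/INCOMPLETE entries are dropped: they show only that this box tried
# to resolve the address, not that a host exists. STALE and DELAY entries
# are still real hosts, just not recently confirmed.
neigh_hosts() {
    awk '{
            mac = ""
            for (i = 1; i <= NF; i++) if ($i == "lladdr") mac = $(i + 1)
            if (mac != "") print $1, mac
         }' | LC_ALL=C sort -u
}

# IPv4 entries only, one per line, ready for -iL in a follow-up scan.
neigh_ipv4() {
    neigh_hosts | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $1}'
}

# Distinct MACs: an IPv4 address and a link-local IPv6 address sharing one
# MAC (as in the sample) are the same machine, so this is the real host count.
neigh_unique_macs() {
    neigh_hosts | awk '{print $2}' | LC_ALL=C sort -u | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed sample.
# Live usage on a Linux host: ip neigh show | neigh_hosts
printf '%s\n' "$SAMPLE_NEIGH" | neigh_hosts
```

Run `ip -6 neigh show` as well when you care about IPv6 neighbours: many hosts that never speak IPv4 to you still announce themselves via Neighbor Discovery, and the same parser handles both tables.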

