Host Discovery
Outside Discovery
In this situation you have some scope of IPs (maybe even several ranges) and you just to find which IPs are responding
ICMP
You could try to send some ICMP packets and expect responses. The easiest way is just sending an echo request and expect from the response.
You could also use nmap to send other types of ICMP packets (this will avoid filters to common ICMP echo request-response).
ping -c 1 199.66.11.4 # 1 echo request to a host
fping -g 199.66.11.0/24 # Send echo requests to ranges
nmap -PEPM -sP -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests
nmap -sn -n <CIDR> <CIDR> <CIDR> -oG - | \ awk 'UP$/{print $2}' > outputfile.txt # Use -sS if ping is disable
nmap -T4 -sF --send-ip --reason 1.2.3.4/24 -oX new-out.xml # filter for resets responds to determine the statusTCP Port Discovery
It's very common to find that all kind of ICMP packets are being filtered. Then, all you can do to check if a host is up trying to find open ports.
#Using masscan to scan top20ports of nmap in a /24 range (less than 5min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24UDP Port Discovery
nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probableHTTP Port Discovery
This is just a TCP port discovery useful when you want to focus on discovering HTTP services:
masscan -p80,443,8000-8100,8443 199.66.11.0/24SCTP Port Discovery
#Probably useless, but it's pretty fast, why not trying?
nmap -T4 -sY -n --open -Pn <IP/range>Inside Discovery
If you are inside the network one of the first things you will want to do is to discover other hosts. Depending on how much noise you can/want to do, different actions could be performed:
nmap -sn 192.168.16.0/24
netdiscover -r 192.168.16.0/24
arp-scan 192.168.16.0/24
nbtscan -r 192.168.16.0/24
alive6 eth0 ---> Send a pingv6 to multicast.
Last updated