# Host Discovery

## Outside Discovery

In this situation you have some **scope of IPs** (maybe even several **ranges**) and you just want to find **which IPs are responding**.

### ICMP

You could try to send some **ICMP** packets and **expect responses**. The easiest way is to send an **echo request** and wait for the reply.

You could also use **nmap** to send other types of ICMP packets (this can get past filters that only block the common ICMP echo request/response).

```bash
ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to a range
nmap -PE -PP -PM -sn -n 199.66.11.0/24 # Send echo, timestamp and subnet-mask requests (-sP is the old name of -sn; the probe types must be given as separate flags)
nmap -sn -n <CIDR> <CIDR> <CIDR> -oG - | awk '/Up$/{print $2}' > outputfile.txt # Grepable output; keep only the hosts reported "Up". Use a -sS SYN scan instead if ping is filtered
nmap -T4 -sF --send-ip --reason 1.2.3.4/24 -oX new-out.xml # FIN scan; hosts answering with a RST are up (--reason shows why each host was marked up)
```

### TCP Port Discovery

It's very common to find that all kinds of ICMP packets are being filtered. Then, all you can do to check whether a host is up is **try to find open ports**.

```bash
# Using masscan to scan nmap's top 20 ports in a /24 range (less than 5 min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24
```
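The ICMP sweep and the TCP port sweep above produce two different output formats, and a host that is silent to ICMP but answers on a port is exactly the case the filtered-ICMP paragraph describes. The following added example (not from the original page or from the nmap/masscan projects) parses nmap's grepable `-oG` output (the same `Status: Up` lines the awk filter above relies on) and masscan's `Discovered open port` lines, then merges both into one inventory of responding hosts and flags the ones seen only via TCP. Both input samples are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of `nmap -sn -n -oG -` (grepable) output, not a real scan.
NMAP_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sn -n -oG - 199.66.11.0/29
Host: 199.66.11.1 ()\tStatus: Up
Host: 199.66.11.2 ()\tStatus: Down
Host: 199.66.11.4 (host4.example)\tStatus: Up
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds
"""

# Constructed sample of masscan's default stdout lines, not a real scan.
MASSCAN_LIST = """\
Discovered open port 443/tcp on 199.66.11.4
Discovered open port 3389/tcp on 199.66.11.6
Discovered open port 80/tcp on 199.66.11.6
"""

# "Host: <ip> (<hostname>)<ws>Status: Up" -- the hostname part is empty with -n.
GNMAP_UP_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+Up\s*$")
# "Discovered open port <port>/<proto> on <ip>"
MASSCAN_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)\s*$")


def hosts_from_gnmap(text):
    """IPs that nmap's grepable output marks as Up (comment and Down lines are skipped)."""
    up = set()
    for line in text.splitlines():
        m = GNMAP_UP_RE.match(line)
        if m:
            up.add(m.group(1))
    return up


def hosts_from_masscan(text):
    """Map each IP masscan reported to the set of open TCP ports it found."""
    ports = {}
    for line in text.splitlines():
        m = MASSCAN_RE.match(line)
        if m and m.group(2) == "tcp":
            ports.setdefault(m.group(3), set()).add(int(m.group(1)))
    return ports


def merge_live_hosts(gnmap_text, masscan_text):
    """A host counts as live if either sweep saw it; record which evidence backs it."""
    live = {}
    for ip in hosts_from_gnmap(gnmap_text):
        live.setdefault(ip, {"icmp": False, "tcp_ports": set()})["icmp"] = True
    for ip, ports in hosts_from_masscan(masscan_text).items():
        live.setdefault(ip, {"icmp": False, "tcp_ports": set()})["tcp_ports"] |= ports
    # Sort numerically by address, not lexically as strings.
    return dict(sorted(live.items(), key=lambda kv: ipaddress.ip_address(kv[0])))


if __name__ == "__main__":
    for ip, ev in merge_live_hosts(NMAP_GNMAP, MASSCAN_LIST).items():
        tag = "icmp+tcp" if ev["icmp"] and ev["tcp_ports"] else ("icmp" if ev["icmp"] else "tcp-only (ICMP filtered?)")
        print(f"{ip:<16} {tag:<26} ports={sorted(ev['tcp_ports'])}")
```

Hosts tagged `tcp-only` are the ones an ICMP-only sweep would have missed, which is why the two methods are worth reconciling rather than trusting either alone.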

### UDP Port Discovery

```bash
nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# -sV makes nmap send each known UDP service probe, so services that ignore empty packets still reply
# --version-intensity 0 makes nmap send only the most probable probes for each port
```

### HTTP Port Discovery

This is just a TCP port discovery useful when you want to **focus on discovering HTTP services**:

```bash
masscan -p80,443,8000-8100,8443 199.66.11.0/24
```

### SCTP Port Discovery

```bash
# Probably useless, but it's fast, so why not try?
nmap -T4 -sY -n --open -Pn <IP/range>
```

## Inside Discovery

If you are inside the network one of the first things you will want to do is to **discover other hosts**. Depending on **how much noise** you can/want to do, different actions could be performed:

{% tabs %}
{% tab title="Active - ARP scans" %}
```bash
nmap -sn 192.168.16.0/24
netdiscover -r 192.168.16.0/24
arp-scan 192.168.16.0/24
nbtscan -r 192.168.16.0/24
alive6 eth0   # Sends an ICMPv6 ping to the multicast address to find live IPv6 hosts
```
{% endtab %}

{% tab title="Passive" %}
```bash
netdiscover -p
p0f -i eth0 -p -o /tmp/p0f.log
```
{% endtab %}
{% endtabs %}

