search

Host Discovery

hashtag
Outside Discovery

In this situation you have some scope of IPs (maybe even several ranges) and you just to find which IPs are responding

hashtag
ICMP

You could try to send some ICMP packets and expect responses. The easiest way is just sending an echo request and expect from the response.

You could also use nmap to send other types of ICMP packets (this will avoid filters to common ICMP echo request-response).

ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to ranges
nmap -PEPM -sP -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests
nmap -sn -n <CIDR> <CIDR> <CIDR> -oG - | \ awk 'UP$/{print $2}' > outputfile.txt # Use -sS if ping is disable 
nmap -T4 -sF --send-ip --reason 1.2.3.4/24 -oX new-out.xml # filter for resets responds to determine the status

hashtag
TCP Port Discovery

It's very common to find that all kind of ICMP packets are being filtered. Then, all you can do to check if a host is up trying to find open ports.

#Using masscan to scan top20ports of nmap in a /24 range (less than 5min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24

hashtag
UDP Port Discovery

hashtag
HTTP Port Discovery

This is just a TCP port discovery useful when you want to focus on discovering HTTP services:

hashtag
SCTP Port Discovery

hashtag
Inside Discovery

If you are inside the network one of the first things you will want to do is to discover other hosts. Depending on how much noise you can/want to do, different actions could be performed:

nmap -sn 192.168.16.0/24

netdiscover -r 192.168.16.0/24

arp-scan 192.168.16.0/24

nbtscan -r 192.168.16.0/24

alive6 eth0 ---> Send a pingv6 to multicast.

PreviousNetwork PentestingNextScanning Hosts

Last updated