Host Discovery

Outside Discovery

In this situation you have some scope of IPs (maybe even several ranges) and you just want to find out which IPs are responding.

ICMP

You could try to send some ICMP packets and expect responses. The easiest way is to send an echo request and wait for the echo reply.

You could also use nmap to send other types of ICMP packets (this can get past filters that only block the common ICMP echo request/reply).

ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to a range
nmap -PEPM -sP -n 199.66.11.0/24 # Send echo, timestamp and netmask requests
nmap -sn -n <CIDR> <CIDR> <CIDR> -oG - | awk '/Up$/{print $2}' > outputfile.txt # Use -sS if ping is disabled
nmap -T4 -sF --send-ip --reason 1.2.3.4/24 -oX new-out.xml # Filter for RST responses to determine the host status

TCP Port Discovery

It's very common to find that all kinds of ICMP packets are being filtered. Then, all you can do to check whether a host is up is to try to find open ports.

# Use masscan to scan nmap's top 20 ports in a /24 range (takes less than 5 min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24

UDP Port Discovery

nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap send each known UDP service probe
# The "--version-intensity 0" will make nmap only send the most probable ones

HTTP Port Discovery

This is just a TCP port discovery that is useful when you want to focus on finding HTTP services:

masscan -p80,443,8000-8100,8443 199.66.11.0/24

SCTP Port Discovery

# Probably useless, but it's pretty fast, so why not try it?
nmap -T4 -sY -n --open -Pn <IP/range>
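The sweeps described above leave a very characteristic footprint on the receiving side: one source touching many distinct destination hosts in a short window, either with ICMP echo requests or with TCP SYNs to the same port. As an added example (not part of the original page), this Python script flags that pattern in constructed flow-log lines; the log format, the addresses and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample flow log (assumed format, not from any real network):
# "<epoch> <proto> <src> <dst> <dport|icmp_type> <tcp_flags|->"
SAMPLE_LOG = (
    # ICMP echo-request (type 8) sweep: 20 hosts in 20 seconds
    [f"{1700000000 + i} icmp 203.0.113.7 199.66.11.{i} 8 -" for i in range(1, 21)]
    # masscan-style SYN sweep on port 445: 12 hosts in about 3 seconds
    + [f"{1700000100 + i // 4} tcp 198.51.100.9 199.66.11.{i} 445 S" for i in range(1, 13)]
    # Benign traffic: repeated connections to one web server, plus one ping and its reply
    + [f"{1700000200 + i} tcp 192.0.2.5 199.66.11.80 443 S" for i in range(5)]
    + ["1700000210 icmp 192.0.2.5 199.66.11.80 8 -",
       "1700000211 icmp 199.66.11.80 192.0.2.5 0 -"]
)


def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, proto, src, dst, field, flags = parts
    return {"ts": int(ts), "proto": proto, "src": src, "dst": dst,
            "field": field, "flags": flags}


def detect_sweeps(lines, host_threshold=10, window=60):
    """Return {(src, kind): max_distinct_hosts} for every source that probed at
    least `host_threshold` distinct destination hosts within `window` seconds.
    Only ICMP echo requests (type 8) and TCP SYNs count as probes, so echo
    replies and established traffic never contribute."""
    events = defaultdict(list)  # (src, kind) -> [(ts, dst), ...]
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "icmp" and rec["field"] == "8":
            kind = "icmp-echo-sweep"
        elif rec["proto"] == "tcp" and rec["flags"] == "S":
            kind = "tcp-syn-sweep"
        else:
            continue
        events[(rec["src"], kind)].append((rec["ts"], rec["dst"]))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):            # sliding time window [lo, hi]
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            hosts = {dst for _, dst in evs[lo:hi + 1]}
            if len(hosts) >= host_threshold:
                alerts[key] = max(alerts.get(key, 0), len(hosts))
    return alerts
```

Lowering `host_threshold` or widening `window` catches slower sweeps at the cost of more false positives from monitoring systems that legitimately poll many hosts.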

Inside Discovery

If you are inside the network, one of the first things you will want to do is to discover other hosts. Depending on how much noise you can or want to make, different actions can be performed:

nmap -sn 192.168.16.0/24

netdiscover -r 192.168.16.0/24

arp-scan 192.168.16.0/24

nbtscan -r 192.168.16.0/24

alive6 eth0   # Sends an ICMPv6 ping to the multicast address