Host Discovery
Netdiscover
Active/passive ARP reconnaissance tool, written for wireless networks without a DHCP server; it also works on hub/switched networks. Passive mode (-p) only listens for ARP traffic and sends nothing, which is the quieter option on a customer network.
$ sudo netdiscover
Currently scanning: 172.16.129.0/16 | Screen View: Unique Hosts
13 Captured ARP Req/Rep packets, from 4 hosts. Total size: 780
------------------------------------------------------------------------------
IP At MAC Address Count Len MAC Vendor / Hostname
------------------------------------------------------------------------------
192.168.195.2 00:50:56:f0:23:20 6 360 VMware, Inc.
192.168.195.130 00:0c:29:74:7c:5d 4 240 VMware, Inc.
192.168.195.132 00:0c:29:85:40:c0 2 120 VMware, Inc.
192.168.195.254 00:50:56:ed:c0:7c 1 60 VMware, Inc.
Ping Sweep
A ping sweep may not get replies from every live host on the first attempt, especially across networks: the first ICMP echo request can be dropped while the host (or an intermediate router) is still building its ARP cache. Run the sweep at least twice and merge the results.
meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
[*] Performing ping sweep for IP range 172.16.5.0/23
bash
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
cmd
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
powershell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
Nmap
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28
SilentListener
Dismap
NetScan - From Windows Host

Active hosts
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
10.129.2.18
10.129.2.19
10.129.2.20
sudo nmap 10.129.2.18 -sn -oA host -PE --reason
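The `grep for | cut -d" " -f5` pipeline used above prints the hostname instead of the IP as soon as reverse DNS resolves a target (the line becomes `Nmap scan report for dc01.inlanefreight.local (10.129.2.18)`). The -oA prefix already gives you grepable output, where the IP is always the second field. The following is an added example, not code from the original notes; it assumes the `tnet` prefix used above, and both sample files are constructed here.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): list live hosts from nmap -sn
# results without the grep/cut pipeline, which prints the hostname instead of
# the IP as soon as reverse DNS resolves. Assumes the -oA prefix "tnet" used
# above; both sample file contents below are constructed.

# Constructed sample of tnet.gnmap (grepable output written by -oA). nmap
# separates the fields with a tab; awk treats tabs and spaces the same.
SAMPLE_GNMAP='# Nmap 7.93 scan initiated Thu Apr  4 02:41:00 2024 as: nmap -sn -oA tnet 10.129.2.0/24
Host: 10.129.2.4 ()   Status: Up
Host: 10.129.2.10 ()  Status: Up
Host: 10.129.2.18 (dc01.inlanefreight.local)  Status: Up
Host: 10.129.2.19 (ws01.inlanefreight.local)  Status: Up
Host: 10.129.2.250 () Status: Down
# Nmap done at Thu Apr  4 02:41:12 2024 -- 256 IP addresses (4 hosts up) scanned in 12.05 seconds'

# Constructed sample of tnet.nmap (normal output): one of the hosts resolved.
SAMPLE_NMAP='Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-04 02:41 EDT
Nmap scan report for 10.129.2.4
Host is up (0.012s latency).
Nmap scan report for dc01.inlanefreight.local (10.129.2.18)
Host is up (0.010s latency).
Nmap scan report for 10.129.2.250 [host down]
Nmap done: 256 IP addresses (2 hosts up) scanned in 12.05 seconds'

# Live hosts from grepable output: field 2 of every "Host:" line marked Up.
# The IP is always field 2; the (possibly empty) hostname sits in parentheses.
nmap_up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Live hosts from normal output: the IP is field 5, or the parenthesised field
# 6 when rDNS resolved. "[host down]" lines only appear with -v; skip them.
nmap_up_hosts_normal() {
    awk '/^Nmap scan report for/ && !/\[host down\]/ {
        if ($6 ~ /^\(/) print substr($6, 2, length($6) - 2); else print $5
    }' "$1"
}

# Write each sample to a temp file and print the live hosts from both formats.
main() {
    g=$(mktemp); n=$(mktemp)
    printf '%s\n' "$SAMPLE_GNMAP" > "$g"
    printf '%s\n' "$SAMPLE_NMAP" > "$n"
    echo "grepable:"; nmap_up_hosts "$g"
    echo "normal:";   nmap_up_hosts_normal "$n"
    rm -f "$g" "$n"
}

main
```

On a real engagement the call is simply `nmap_up_hosts tnet.gnmap`; the sorted IP list can be fed straight back into `-iL hosts.lst` for the follow-up scans.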
Operating systems - TTL
Default initial TTL values. The TTL seen in a reply is the default minus the number of hops, so a Linux host one router away shows ttl=63 and a Windows host ttl=127:
Linux/macOS – 64
Windows – 128
Cisco routers / network devices (also Solaris) – 255
Do not confuse this with the TTL of a DNS record: that one is the cache lifetime in seconds set by the zone (commonly anywhere from 300 to 86400) and says nothing about the operating system.

Source: https://ostechnix.com/identify-operating-system-ttl-ping/
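Putting the ping-sweep advice above (run it twice, because the first reply is lost while ARP caches are cold) together with this TTL table, here is an added example that is not from the original notes. It also fixes a defect in the bash one-liner above, which backgrounds every ping and returns before most replies arrive. It assumes Linux iputils ping (`-c` count, `-W` timeout in seconds); `PINGER` is an assumed hook, defaulting to `ping`, that lets a test swap in a fake.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): a ping sweep of a /24 that
# 1) waits for its background pings instead of exiting before they answer,
# 2) runs two passes, so hosts that were still resolving ARP during the first
#    pass are caught by the second, and
# 3) keeps the TTL from each reply and turns it into an OS-family guess.
# Assumes Linux iputils ping (-c count, -W timeout in seconds). PINGER is an
# assumed hook that lets a test swap in a fake ping; by default it is "ping".

PINGER="${PINGER:-ping}"

# One echo request; print the reply line, if any. Matches both the Linux
# ("64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=0.4 ms") and the Windows
# ("Reply from 10.0.0.1: bytes=32 time<1ms TTL=127") reply formats.
ping_one() {
    "$PINGER" -c 1 -W 1 "$1" 2>/dev/null | grep -iE 'bytes from|reply from'
}

# Pull the TTL number out of a reply line ("ttl=63" or "TTL=127").
reply_ttl() {
    printf '%s\n' "$1" | grep -oiE 'ttl=[0-9]+' | head -n 1 | cut -d= -f2
}

# Map an observed TTL to the default it must have started from (64, 128 or
# 255) and derive the hop count. Edge case: nothing distinguishes a Linux
# host from a Windows host more than 64 hops away, so the guess is the
# nearest default at or above the observed value.
ttl_guess() {
    local ttl=$1 base os
    case $ttl in '' | *[!0-9]*) echo "unknown (no TTL in reply)"; return ;; esac
    if   [ "$ttl" -le 64 ];  then base=64;  os="Linux/macOS"
    elif [ "$ttl" -le 128 ]; then base=128; os="Windows"
    else                          base=255; os="Cisco/network device or Solaris"
    fi
    printf '%s (%d hop(s) away, initial TTL %d)\n' "$os" "$((base - ttl))" "$base"
}

# Sweep PREFIX.1-254 twice and print "ip ttl guess" once per responding host.
sweep24() {
    local prefix=$1 tmp pass i
    tmp=$(mktemp)
    for pass in 1 2; do                      # pass 2 runs with warm ARP caches
        for i in $(seq 1 254); do
            (
                r=$(ping_one "$prefix.$i")
                [ -n "$r" ] && printf '%s.%s %s\n' "$prefix" "$i" "$(reply_ttl "$r")" >> "$tmp"
            ) &
        done
        wait                                 # the one-liner above never waits
    done
    # sort by last octet, keep each host once (first record wins), classify
    sort -t. -k4,4n "$tmp" | awk '!seen[$1]++' | while read -r ip ttl; do
        printf '%s %s %s\n' "$ip" "$ttl" "$(ttl_guess "$ttl")"
    done
    rm -f "$tmp"
}

# Usage: ./sweep.sh 172.16.5
if [ -n "${1:-}" ]; then sweep24 "$1"; fi
```

Treat the OS guess as a hint only: load balancers, VPN concentrators and containers all rewrite or reset TTLs, and the smb-os-discovery or banner results below are the stronger evidence.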
smb-os-discovery reports whatever the SMB negotiation claims. Samba answers as "Windows 6.1", so on a Linux box the Samba version string and the hostname are the real hints, as in the output below:
nmap --script smb-os-discovery 10.129.221.57
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-04 02:41 EDT
Nmap scan report for 10.129.221.57
Host is up (0.064s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
10001/tcp open scp-config
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: nix-nmap-easy
| NetBIOS computer name: NIX-NMAP-EASY\x00
| Domain name: \x00
| FQDN: nix-nmap-easy
|_ System time: 2024-04-04T08:41:54+02:00
Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
Port scan
See the Port Scan page.
Web Host
Information gathering
EyeWitness
Aquatone - See Information gathering
Hackerurl
Httpx
Internal pentest
Wireshark, tcpdump
$ sudo tcpdump -i ens224
Netminer
Responder - analysis mode (-A): listens for LLMNR, NBT-NS and mDNS name queries and logs them without answering, so it shows which hosts would be poisonable without touching the network.
sudo responder -I ens224 -A
Fping
-a print alive targets, -s print summary statistics, -g generate the target list from the CIDR/range, -q quiet (suppress per-target errors):
$ fping -asgq 172.16.5.0/23
172.16.5.5
172.16.5.25
172.16.5.50
172.16.5.100
172.16.5.125
172.16.5.200
172.16.5.225
172.16.5.238
172.16.5.240
510 targets
9 alive
501 unreachable
0 unknown addresses
2004 timeouts (waiting for response)
2013 ICMP Echos sent
9 ICMP Echo Replies received
2004 other ICMP received
0.029 ms (min round trip time)
0.396 ms (avg round trip time)
0.799 ms (max round trip time)
15.366 sec (elapsed real time)