# Host Discovery

## Netdiscover

Netdiscover discovers hosts with ARP requests and replies. It was written for wireless networks without a DHCP server, and it also works on hub/switched wired networks.

{% embed url="https://github.com/netdiscover-scanner/netdiscover" %}

```
$ sudo netdiscover
Currently scanning: 172.16.129.0/16 | Screen View: Unique Hosts
13 Captured ARP Req/Rep packets, from 4 hosts. Total size: 780
------------------------------------------------------------------------------
IP At MAC Address Count Len MAC Vendor / Hostname
------------------------------------------------------------------------------
192.168.195.2 00:50:56:f0:23:20 6 360 VMware, Inc.
192.168.195.130 00:0c:29:74:7c:5d 4 240 VMware, Inc.
192.168.195.132 00:0c:29:85:40:c0 2 120 VMware, Inc.
192.168.195.254 00:50:56:ed:c0:7c 1 60 VMware, Inc.
```

## Ping Sweep

{% hint style="warning" %}
*It is possible that a ping sweep may not result in successful replies on the first attempt, especially when communicating across networks. This can be caused by the time it takes for a host to build its ARP cache. In these cases, it is good to attempt the ping sweep at least twice to ensure the ARP cache gets built.*
{% endhint %}

```shell-session
meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

[*] Performing ping sweep for IP range 172.16.5.0/23
```

```shell-session
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
```

### cmd

```cmd-session
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
```

### powershell

```powershell-session
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
```

## Nmap

{% embed url="https://nmap.org/book/host-discovery-strategies.html" %}

```shell-session
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28
```

## SilentListener

{% embed url="https://gist.github.com/Dfte/9cfeb87892557fd098de78f68b1b1390?s=03" %}

## Dismap

{% embed url="https://github.com/zhzyker/dismap" %}

## NetScan - From Windows Host

{% embed url="https://www.softperfect.com/products/networkscanner/" %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FSK8VgbwoJOce8oxD6NF5%2Fmain_window.png?alt=media&#x26;token=29d1b67d-222d-405e-88b8-a2c398ca94e1" alt=""><figcaption></figcaption></figure>

## Active hosts

```shell-session
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

10.129.2.18
10.129.2.19
10.129.2.20
```

```shell-session
sudo nmap 10.129.2.18 -sn -oA host -PE --reason
```

## Operating systems - TTL

* **Linux/macOS** – 64
* **Windows** – 128
* **Cisco Routers** – 255
* **DNS** – depends on the DNS resolver (can range from 128 to 86400); note this is the DNS record TTL, a cache lifetime in seconds, not the IP header hop limit used above

{% embed url="https://www.imperva.com/learn/performance/time-to-live-ttl/" %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Ffpg5yXzWFHxmUWYy1d5R%2Fimage.png?alt=media&#x26;token=a845c6e0-f75f-46bc-861f-a681b7c55652" alt=""><figcaption></figcaption></figure>

Source: <https://ostechnix.com/identify-operating-system-ttl-ping/>
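To pair the ping-sweep output with the TTL list above, here is an added Python helper (not from the original page) that parses the reply lines that `grep "bytes from"` or `find "Reply"` leave behind and, for each live host, estimates the OS family and the number of routers in between. The sample reply lines are constructed, and the OS mapping is the heuristic from the list above, so treat the result as a hint rather than proof.

```python
import re
from typing import List, NamedTuple, Tuple

# Default initial TTLs from the list above. A reply's TTL is the sender's
# initial value minus one per router crossed, so we match the observed TTL
# to the nearest default at or above it. Admins can change the default, so
# this is only a hint.
INITIAL_TTLS = {64: "Linux/macOS", 128: "Windows", 255: "Cisco/network device"}

# Matches both the Linux "64 bytes from ..." and the cmd "Reply from ..." lines.
REPLY_RE = re.compile(
    r"(?:bytes from|Reply from) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bttl=(?P<ttl>\d+)",
    re.IGNORECASE,
)

# Constructed sample of what the sweeps above print (not real hosts).
SAMPLE_REPLIES = """\
64 bytes from 172.16.5.5: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 172.16.5.25: icmp_seq=1 ttl=127 time=1.21 ms
64 bytes from 172.16.5.50: icmp_seq=1 ttl=251 time=2.30 ms
Reply from 172.16.5.100: bytes=32 time<1ms TTL=125
"""


class Host(NamedTuple):
    ip: str
    ttl: int
    os_guess: str
    hops: int


def guess_os(ttl: int) -> Tuple[str, int]:
    """Return (OS family, estimated hop count) for an observed TTL."""
    if not 1 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return INITIAL_TTLS[initial], initial - ttl


def parse_replies(text: str) -> List[Host]:
    """Extract live hosts with TTL and OS hint from ping output; skip other lines."""
    hosts = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        ttl = int(m.group("ttl"))
        os_guess, hops = guess_os(ttl)
        hosts.append(Host(m.group("ip"), ttl, os_guess, hops))
    return hosts


if __name__ == "__main__":
    for h in parse_replies(SAMPLE_REPLIES):
        print(f"{h.ip:<16} ttl={h.ttl:<3} {h.os_guess} (~{h.hops} hops)")
```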

```shell-session
nmap --script smb-os-discovery 10.129.221.57
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-04 02:41 EDT
Nmap scan report for 10.129.221.57
Host is up (0.064s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
110/tcp   open  pop3
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
10001/tcp open  scp-config

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: nix-nmap-easy
|   NetBIOS computer name: NIX-NMAP-EASY\x00
|   Domain name: \x00
|   FQDN: nix-nmap-easy
|_  System time: 2024-04-04T08:41:54+02:00

Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
```

## Port scan

{% content-ref url="../protocols/port-scan" %}
[port-scan](https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/port-scan)
{% endcontent-ref %}

## Web Host

* Information gathering

{% content-ref url="information-gathering" %}
[information-gathering](https://0xss0rz.gitbook.io/0xss0rz/pentest/recon/information-gathering)
{% endcontent-ref %}

* EyeWitness
* Aquatone - See [Information gathering](https://0xss0rz.gitbook.io/0xss0rz/pentest/recon/information-gathering)
* hakcheckurl

{% embed url="https://github.com/hakluke/hakcheckurl" %}
hakcheckurl
{% endembed %}

* Httpx

## Internal pentest

{% content-ref url="../internal-pentest" %}
[internal-pentest](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest)
{% endcontent-ref %}

### Wireshark, tcpdump

```shell-session
$ sudo tcpdump -i ens224 
```

### Netminer

{% embed url="https://www.netminer.com/en/product/netminer.php" %}
Netminer
{% endembed %}

### Responder - analysis mode

```bash
sudo responder -I ens224 -A 
```

### Fping

```shell-session
$ fping -asgq 172.16.5.0/23

172.16.5.5
172.16.5.25
172.16.5.50
172.16.5.100
172.16.5.125
172.16.5.200
172.16.5.225
172.16.5.238
172.16.5.240

     510 targets
       9 alive
     501 unreachable
       0 unknown addresses

    2004 timeouts (waiting for response)
    2013 ICMP Echos sent
       9 ICMP Echo Replies received
    2004 other ICMP received

 0.029 ms (min round trip time)
 0.396 ms (avg round trip time)
 0.799 ms (max round trip time)
       15.366 sec (elapsed real time)
```

