Host Discovery

Ping Sweep

It is possible that a ping sweep may not result in successful replies on the first attempt, especially when communicating across networks. This can be caused by the time it takes for a host to build it's arp cache. In these cases, it is good to attempt our ping sweep at least twice to ensure the arp cache gets built

meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

[*] Performing ping sweep for IP range 172.16.5.0/23

for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

cmd

for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

powershell

1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}

Nmap

Putting It All Together: Host Discovery Strategies | Nmap Network Scanning

sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

SilentListener

Active hosts

sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

10.129.2.18
10.129.2.19
10.129.2.20

sudo nmap 10.129.2.18 -sn -oA host -PE --reason 

Operating systems - TTL

• Linux/MAC OS – 64

• Windows – 128

• Cisco Routers – 255

• DNS – depends on the DNS resolver (can range from 128 to 86400)

What is Time to Live (TTL) | TTL Best Practices | CDN Guide | ImpervaLearning Center

Source: https://ostechnix.com/identify-operating-system-ttl-ping/

nmap --script smb-os-discovery 10.129.221.57 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-04 02:41 EDT
Nmap scan report for 10.129.221.57
Host is up (0.064s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
110/tcp   open  pop3
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
10001/tcp open  scp-config

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: nix-nmap-easy
|   NetBIOS computer name: NIX-NMAP-EASY\x00
|   Domain name: \x00
|   FQDN: nix-nmap-easy
|_  System time: 2024-04-04T08:41:54+02:00

Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds

Port scan

Port Scan

Web Host

• Information gathering

Information Gathering

• EyeWitness

• Aquatone - See Information gathering

• Hackerurl

GitHub - hakluke/hakcheckurl: Takes a list of URLs and returns their HTTP response codesGitHub

hackcheckurl

• Httpx

Internal pentest

Internal Pentest

Wireshark, tcpdump

$ sudo tcpdump -i ens224 

Netminer

NetMiner - NetMiner - Product - NetMiner

Netminer

Responder - analysis mode

sudo responder -I ens224 -A 

Fping

$ fping -asgq 172.16.5.0/23

172.16.5.5
172.16.5.25
172.16.5.50
172.16.5.100
172.16.5.125
172.16.5.200
172.16.5.225
172.16.5.238
172.16.5.240

     510 targets
       9 alive
     501 unreachable
       0 unknown addresses

    2004 timeouts (waiting for response)
    2013 ICMP Echos sent
       9 ICMP Echo Replies received
    2004 other ICMP received

 0.029 ms (min round trip time)
 0.396 ms (avg round trip time)
 0.799 ms (max round trip time)
       15.366 sec (elapsed real time)