๐Ÿ› ๏ธ Hosts discovery

Theory

When targeting machines connected to a network, identifying which hosts are up and running (and their IP addresses) is the first step in getting to know the attack surface. There are multiple active and passive ways to discover hosts in a network, each relying on specific protocols that may be in use on that network.
Once the hosts are identified, attackers usually proceed to port scanning and then attempt to compromise them.
Alternatively, there are common scenarios where most of the hosts and services are managed by a central set of services like Active Directory Domain Services (AD-DS). In this case, attackers usually try to compromise those services first, as it would grant them control over many hosts without having to attack them all. A whole category of The Hacker Recipes is dedicated to Active Directory Domain Services (and other associated AD services).

Practice

//// WIP : add p0f, bettercap

ARP discovery

```bash
# (active) scan all private ranges (i.e. 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8)
netdiscover -i $INTERFACE

# (active) scan a given range (e.g. 192.168.0.0/24)
netdiscover -i $INTERFACE -r $RANGE

# passive scan (doesn't send packets)
netdiscover -i $INTERFACE -p

# (active) scan a given range
nmap -sn $RANGE
```

NBT discovery

nbtscan sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each host that responds, it lists the IP address, NetBIOS computer name, logged-in user name and MAC address (such as Ethernet).

```bash
nbtscan -r $RANGE
```
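The fields nbtscan prints (computer name, logged-in user, MAC) come from the NetBIOS Node Status response described in RFC 1002: a name table of 18-byte entries (15-byte name, suffix byte, flags) followed by a STATISTICS block whose first six bytes are the adapter's MAC. The decoder below is an added example, not code from The Hacker Recipes or from nbtscan; the sample packet, the host name WKSTN01, the domain CORP, the user ALICE and the MAC 02:00:00:aa:bb:cc are all constructed. It applies the same conventions nbtscan uses: the unique `<00>` name is the computer name and a unique `<03>` name that differs from it is the logged-in user.

```python
"""Decode a NetBIOS Node Status (NBSTAT) response, the packet nbtscan reads to
list computer name, logged-in user and MAC address.
Added example, not part of The Hacker Recipes; the sample packet is constructed."""
import struct
from dataclasses import dataclass

NBSTAT = 0x0021       # RR_TYPE of a node status record (RFC 1002 section 4.2.18)
FLAG_GROUP = 0x8000   # NAME_FLAGS bit: group name (clear means unique name)
FLAG_ACTIVE = 0x0400  # NAME_FLAGS bit: name is active on this node

# Common NetBIOS suffix bytes and the role they signal
SUFFIX_ROLES = {
    0x00: "workstation (unique) / domain (group)",
    0x03: "messenger: user name or computer name",
    0x1B: "domain master browser",
    0x1C: "domain controllers (group)",
    0x1E: "browser elections (group)",
    0x20: "file server",
}


@dataclass
class NbName:
    name: str
    suffix: int
    group: bool
    active: bool

    def role(self) -> str:
        return SUFFIX_ROLES.get(self.suffix, f"unknown <{self.suffix:02X}>")


@dataclass
class NodeStatus:
    names: list
    mac: str

    def computer_name(self):
        # the unique <00> name is reported as the computer name
        return next((n.name for n in self.names if n.suffix == 0x00 and not n.group), None)

    def logged_in_user(self):
        # a unique <03> name other than the computer name belongs to a logged-in user
        computer = self.computer_name()
        return next((n.name for n in self.names
                     if n.suffix == 0x03 and not n.group and n.name != computer), None)


def parse_node_status(pkt: bytes) -> NodeStatus:
    if len(pkt) < 12:
        raise ValueError("truncated NetBIOS header")
    _trn_id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a NetBIOS response carrying an answer record")
    # RR_NAME is a chain of length-prefixed labels terminated by a zero byte
    off = 12
    while pkt[off] != 0:
        off += 1 + pkt[off]
    off += 1
    rr_type, _rr_class, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rr_type != NBSTAT:
        raise ValueError(f"unexpected RR_TYPE 0x{rr_type:04X}")
    rdata = pkt[off:off + rdlen]
    num_names = rdata[0]
    if len(rdata) < 1 + 18 * num_names + 6:
        raise ValueError("RDATA shorter than NUM_NAMES implies")
    names = []
    for i in range(num_names):
        entry = rdata[1 + 18 * i:19 + 18 * i]   # 15-byte name, suffix byte, 2-byte flags
        nflags = struct.unpack("!H", entry[16:18])[0]
        names.append(NbName(entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
                            entry[15], bool(nflags & FLAG_GROUP), bool(nflags & FLAG_ACTIVE)))
    # STATISTICS starts with UNIT_ID, the adapter MAC address
    unit_id = rdata[1 + 18 * num_names:7 + 18 * num_names]
    return NodeStatus(names, ":".join(f"{b:02x}" for b in unit_id))


def build_sample_response() -> bytes:
    """Constructed NBSTAT response for workstation WKSTN01 in domain CORP with user ALICE."""
    entries = [(b"WKSTN01", 0x00, 0x0400), (b"CORP", 0x00, 0x8400), (b"WKSTN01", 0x20, 0x0400),
               (b"CORP", 0x1E, 0x8400), (b"WKSTN01", 0x03, 0x0400), (b"ALICE", 0x03, 0x0400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15) + bytes([suffix]) + struct.pack("!H", nflags)
    rdata += bytes.fromhex("020000aabbcc") + bytes(40)   # UNIT_ID (constructed MAC) + zeroed stats
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)   # response, authoritative, 1 answer
    rr_name = b"\x20" + b"CK" + b"A" * 30 + b"\x00"   # the wildcard "*" name, first-level encoded
    return header + rr_name + struct.pack("!HHIH", NBSTAT, 0x0001, 0, len(rdata)) + rdata


if __name__ == "__main__":
    status = parse_node_status(build_sample_response())
    print(status.computer_name(), status.logged_in_user(), status.mac)
    for n in status.names:
        print(f"  {n.name:<15} <{n.suffix:02X}> {'GROUP' if n.group else 'UNIQUE'} {n.role()}")
```

Run it to see the same three fields nbtscan prints for one host, plus the full name table with suffix roles; feeding it a real response captured on UDP/137 works the same way because the layout is fixed by the RFC.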

ICMP discovery

```bash
# Send one echo request to a host
ping -n 1 $HOST   # Windows
ping -c 1 $HOST   # UNIX

# Send echo requests to ranges
fping -g $RANGE

# Send ICMP echo, timestamp, and netmask request discovery probes to a range
# (-sP is the legacy spelling of -sn, a ping scan without port scanning)
nmap -PE -PP -PM -sP $RANGE
```
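Seen from the wire, the ARP and ICMP discovery commands above share one signature: a single source probing many distinct targets in a short time. The detector below is an added example, not code from The Hacker Recipes or from any of the tools it lists; the tcpdump-style log lines are constructed, and the line formats, the 10-target threshold and the 5-second window are assumptions to tune for your network. It serves both the ARP and the ICMP sections: one sliding window per (protocol, source) counts distinct targets and raises one alert per sweeping source, while a host that resolves one neighbour or repeatedly pings its gateway stays quiet. Passive discovery (`netdiscover -p`) sends nothing and is invisible to this kind of check, which is exactly why the page lists it separately.

```python
"""Flag ARP and ICMP host-discovery sweeps in tcpdump-style text output.
Added example, not part of The Hacker Recipes; the log lines are constructed."""
import re
from collections import defaultdict, deque

# tcpdump one-line formats for an ARP request and an ICMP echo request (assumed, simplified)
ARP_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, Request who-has (?P<dst>\S+) tell (?P<src>\S+)")
ICMP_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo request")


def parse_line(line):
    """Return (proto, seconds_since_midnight, src, dst), or None for lines not modelled here."""
    for proto, rx in (("arp", ARP_RE), ("icmp", ICMP_RE)):
        m = rx.match(line)
        if m:
            h, mi, s = m["ts"].split(":")
            return proto, int(h) * 3600 + int(mi) * 60 + float(s), m["src"], m["dst"]
    return None


def detect_sweeps(lines, threshold=10, window=5.0):
    """One alert per (proto, source) once it has probed `threshold` distinct
    targets within any `window` seconds; returns (proto, src, distinct_targets)."""
    recent = defaultdict(deque)   # (proto, src) -> deque of (ts, dst), oldest first
    alerted, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, ts, src, dst = parsed
        q = recent[(proto, src)]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop probes that fell out of the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold and (proto, src) not in alerted:
            alerted.add((proto, src))
            alerts.append((proto, src, distinct))
    return alerts


def sample_log():
    """Constructed lines: 192.168.1.77 ARP-sweeps .1-.20 then pings .1-.12 (fping-like);
    192.168.1.10 resolves one neighbour and pings its gateway, which is normal traffic."""
    lines = [f"10:00:{i * 0.1:06.3f} ARP, Request who-has 192.168.1.{i} tell 192.168.1.77"
             for i in range(1, 21)]
    lines.append("10:00:01.500 ARP, Request who-has 192.168.1.1 tell 192.168.1.10")
    lines += [f"10:00:{5 + i * 0.05:06.3f} IP 192.168.1.77 > 192.168.1.{i}: ICMP echo request, id 1, seq 1"
              for i in range(1, 13)]
    lines += [f"10:00:{6 + i:06.3f} IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 2, seq {i}"
              for i in range(5)]
    return lines


if __name__ == "__main__":
    for proto, src, n in detect_sweeps(sample_log()):
        print(f"{proto.upper()} sweep from {src}: {n} distinct targets within 5s")
```

Pipe real `tcpdump -l -n -tt`-style output through `detect_sweeps` after adjusting the regexes to the exact timestamp format you log; the alert fires at the moment the tenth distinct target is seen, so the reported count is always the threshold rather than the sweep's final size.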

ICMPv6 discovery


Resources

Pentesting Network
HackTricks