# Active information gathering

## <mark style="color:orange;">HOST DISCOVERY</mark>

> **`ip`** - show/manipulate routing, network devices, interfaces and tunnels

```
ip -br -c a
# -br = brief
# -c  = color
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-f39a3e0182bcf87fd96aa723ada34e38485ccf06%252Fimage-20230210205600329.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=b2d650efd222a45b31f09c1bff44a1bef559c38f9ebfc9ea539e1a8b59a48d8e" alt=""><figcaption></figcaption></figure>

> **`arp-scan`** - send ARP requests to target hosts and display responses

```
sudo arp-scan -I eth1 192.168.31.0/24
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-f836ab649ff9f816e29894883ec5214917e3bfd9%252Fimage-20230210205813009.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=98e3ee93dd4c7e1964c19bb2ef42cbcaa18be0c85f5530f4e40f00a1a77be382" alt=""><figcaption></figcaption></figure>

### ping <a href="#ping" id="ping"></a>

> **`ping`** - send ICMP ECHO\_REQUEST to network hosts

```
ping 192.168.31.2
# Reachable

ping 192.168.31.5
# Unreachable
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-5beff2d40240f5cd8b57203932041e2bfdd5799a%252Fimage-20230210213222404.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=0a9b1b53409c71411916a09df0ca3e98b62b8ce983c01baaad9853716be9abb0" alt=""><figcaption></figcaption></figure>

## [fping](https://fping.org/) <a href="#fping" id="fping"></a>

> **`fping`** - send ICMP ECHO\_REQUEST packets to multiple network hosts

```
fping -I eth1 -g 192.168.31.0/24 -a
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-222a9f58008f2fdba60ffdae4770529ff49c4ffb%252Fimage-20230210214736256.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=5b7bebee331eaa1248a3139e95d3c1581e307a1b227b2f1ff5c5182faeb59aef" alt=""><figcaption></figcaption></figure>

### Launch `fping` without "Host Unreachable" errors

```
fping -I eth1 -g 192.168.31.0/24 -a 2>/dev/null
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-f7037f27bcb4e6d4d699e2e9ed53a70b6f03f087%252Fimage-20230210214856675.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=ff586316cc04fd3398bf16f85252b1e4f99c67ff3396be73b0050b23d8970ea1" alt=""><figcaption></figcaption></figure>

## [nmap](https://nmap.org/) <a href="#nmap" id="nmap"></a>

> **`nmap`** - Network exploration tool and security/port scanner

```
nmap -sn 192.168.31.0/24
# Ping Scan
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-5901c738eca87ead652a0eae95d3b0aa7bb955b5%252Fimage-20230210215143505.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=a5e0c7f012e1ab0a1ef85f7e66f0eb005e0a07817e24fd23fd89c830c6386684" alt=""><figcaption></figcaption></figure>

* Discover all the devices on a target network using a **ping sweep** (ping scan) with Nmap.

* `-sn` option - Ping Scan (ping sweep): disables the port scan and reports only the responding hosts. Against a remote network, a privileged **-sn** consists of:
  * an ICMP echo request
  * a TCP SYN to port 443
  * a TCP ACK to port 80
  * an ICMP timestamp request
  * `-sn` must be run as `sudo`: without root Nmap cannot send raw packets and falls back to a plain TCP connect to ports 80 and 443 only. On a directly connected Ethernet segment (like the lab network below) a privileged scan uses ARP requests instead, which is why the output lists the MAC address and vendor of each host.

```
# Check your network IP subnet
ip -br -c a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
eth0             DOWN           
eth1             UP             192.168.31.128/24 fe80::20c:29ff:fe3a:6a12/64
# Current local subnet network is 192.168.31.0/24

sudo nmap -sn 192.168.31.0/24
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 15:46 CET
    Nmap scan report for 192.168.31.2 # Default Gateway IP
    Host is up (0.00021s latency).
    MAC Address: 00:50:56:F3:CD:3F (VMware) # MAC Address of the manufacturer
    Nmap scan report for 192.168.31.133 # Ubuntu VM IP
    Host is up (0.00013s latency).
    MAC Address: 00:0C:29:C9:89:DE (VMware)
    Nmap scan report for 192.168.31.254 # VMware DHCP server IP
    Host is up (0.00013s latency).
    MAC Address: 00:50:56:E7:B4:64 (VMware)
    Nmap scan report for 192.168.31.128 # current Kali VM IP
    Host is up.
    Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds
# Only 4 devices are up
```

* Copy the found IPs for future reference and move on to the [port scan phase](https://blog.syselement.com/ine/courses/ejpt/assessment-methodologies/1-info-gathering#port-scanning-with-nmap) on each of them.

```
192.168.31.2
192.168.31.128
192.168.31.133
192.168.31.254
```
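Rather than copying the addresses by hand, the `-sn` output can be parsed. The following script is an added example, not part of the original notes and not Nmap's own tooling: it reads the normal-format output shown above (embedded as a constructed, abridged sample), copes with the scanning host's own address, which Nmap lists without a `MAC Address:` line, cross-checks the parsed host count against the `Nmap done` summary so a truncated capture is noticed, and produces a sorted target list that can be fed back with Nmap's `-iL` option. Only the standard library is used; `targets.txt` is an arbitrary file name.

```python
# Added example (not from the original notes): turn the normal-format output of
# `sudo nmap -sn` into a clean target list for the port-scan phase.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an abridged copy of the `sudo nmap -sn 192.168.31.0/24`
# output shown above. The scanning host itself (192.168.31.128) has no
# "MAC Address:" line because Nmap never ARPs for its own address.
SAMPLE_SN_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 15:46 CET
Nmap scan report for 192.168.31.2
Host is up (0.00021s latency).
MAC Address: 00:50:56:F3:CD:3F (VMware)
Nmap scan report for 192.168.31.133
Host is up (0.00013s latency).
MAC Address: 00:0C:29:C9:89:DE (VMware)
Nmap scan report for 192.168.31.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:E7:B4:64 (VMware)
Nmap scan report for 192.168.31.128
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds
"""

# "Nmap scan report for 10.0.0.5" or, when reverse DNS resolves, "... for gw.lan (10.0.0.5)"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip_paren>[\d.]+)\)|(?P<ip>[\d.]+))$"
)
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})(?: \((?P<vendor>[^)]*)\))?$"
)
DONE_RE = re.compile(r"^Nmap done: \d+ IP addresses? \((?P<up>\d+) hosts? up\)")


@dataclass
class Host:
    ip: str
    hostname: Optional[str] = None
    mac: Optional[str] = None      # None for the scanner's own address
    vendor: Optional[str] = None
    up: bool = False


def parse_ping_sweep(text: str) -> List[Host]:
    """Return one Host per 'Nmap scan report' block, in output order."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = Host(ip=m.group("ip") or m.group("ip_paren"), hostname=m.group("name"))
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first report
        if line.startswith("Host is up"):
            current.up = True
        m = MAC_RE.match(line)
        if m:
            current.mac = m.group("mac")
            current.vendor = m.group("vendor")
    return hosts


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def live_targets(text: str) -> List[str]:
    """Live IPs in numeric order (not string order), ready for `nmap -iL targets.txt`."""
    return sorted((h.ip for h in parse_ping_sweep(text) if h.up), key=_ip_key)


def reported_up_count(text: str) -> Optional[int]:
    """The 'N hosts up' figure from Nmap's own 'Nmap done' summary line, if present."""
    for line in text.splitlines():
        m = DONE_RE.match(line)
        if m:
            return int(m.group("up"))
    return None


def consistent(text: str) -> bool:
    """Sanity check: parsed live hosts must match Nmap's summary (catches truncated output)."""
    claimed = reported_up_count(text)
    return claimed is not None and claimed == len(live_targets(text))


if __name__ == "__main__":
    for h in parse_ping_sweep(SAMPLE_SN_OUTPUT):
        print(f"{h.ip:16} {h.mac or '-':18} {h.vendor or '-'}")
    with open("targets.txt", "w") as fh:
        fh.write("\n".join(live_targets(SAMPLE_SN_OUTPUT)) + "\n")
    print("summary consistent:", consistent(SAMPLE_SN_OUTPUT))
```

Sorting by numeric octets matters: a plain string sort would place `192.168.31.128` before `192.168.31.2`, which makes the list hard to compare with Nmap's own output and with later scans.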

## [netdiscover](https://www.kali.org/tools/netdiscover/)

> **`netdiscover`** - an active/passive ARP discovery tool

* *it utilizes ARP requests*

```
netdiscover -h 
    Netdiscover 0.10 [Active/passive ARP reconnaissance tool]
    Written by: Jaime Penalba <jpenalbae@gmail.com>
    Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-F filter] [-s time] [-c count] [-n node] [-dfPLNS]
      -i device: your network device
      -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
      -l file: scan the list of ranges contained into the given file
      -p passive mode: do not send anything, only sniff
      -m file: scan a list of known MACs and host names
      -F filter: customize pcap filter expression (default: "arp")
      -s time: time to sleep between each ARP request (milliseconds)
      -c count: number of times to send each ARP request (for nets with packet loss)
      -n node: last source IP octet used for scanning (from 2 to 253)
      -d ignore home config files for autoscan and fast mode
      -f enable fastmode scan, saves a lot of time, recommended for auto
      -P print results in a format suitable for parsing by another program and stop after active scan
      -L similar to -P but continue listening after the active scan is completed
      -N Do not print header. Only valid when -P or -L is enabled.
      -S enable sleep time suppression between each request (hardcore mode)
    If -r, -l or -p are not enabled, netdiscover will scan for common LAN addresses.
```

### `netdiscover -i eth1 -r 192.168.31.0/24`

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-7d0d1d376ed2bc47759118a25dd9c5943b3300be%252Fimage-20230120155831562.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=577a8ea61f1eb1e64033b7fdb2e1cbd90964c973af5efb12e803c63a7f9acd2c" alt=""><figcaption></figcaption></figure>

### nmap cheatsheet

{% embed url="https://www.stationx.net/nmap-cheat-sheet/" %}

<mark style="color:orange;">**nmap different scanning techniques**</mark>

| **SWITCH** | **EXAMPLE**          | **DESCRIPTION**                                        |
| ---------- | -------------------- | ------------------------------------------------------ |
| -sS        | nmap 192.168.1.1 -sS | TCP SYN port scan (Default)                            |
| -sT        | nmap 192.168.1.1 -sT | TCP connect port scan (Default without root privilege) |
| -sU        | nmap 192.168.1.1 -sU | UDP port scan                                          |
| -sA        | nmap 192.168.1.1 -sA | TCP ACK port scan                                      |
| -sW        | nmap 192.168.1.1 -sW | TCP Window port scan                                   |
| -sM        | nmap 192.168.1.1 -sM | TCP Maimon port scan                                   |

<mark style="color:orange;">**NMAP HOST DISCOVERY & PORT SCAN**</mark>

```
# HOST DISCOVERY

## Ping scan
sudo nmap -sn <TARGET_IP/NETWORK>
## ARP scan
netdiscover -i eth1 -r <TARGET_IP/NETWORK>

# NMAP PORT SCAN
nmap <TARGET_IP>
## Skip ping
nmap -Pn <TARGET_IP>
## Scan all ports
nmap -p- <TARGET_IP>
## Port 80 only scan
nmap -p 80 <TARGET_IP>
## Custom list of ports scan
nmap -p 80,445,3389,8080 <TARGET_IP>
## Custom ports range scan
nmap -p1-2000 <TARGET_IP>
## Fast mode & verbose scan
nmap -F <TARGET_IP> -v
## UDP scan
nmap -sU <TARGET_IP>
## Service scan
nmap -sV <TARGET_IP>
## Service + O.S. detection scan
sudo nmap -sV -O <TARGET_IP>
## Default Scripts scan
nmap -sC <TARGET_IP>
nmap -Pn -F -sV -O -sC <TARGET_IP>
## Aggressive scan
nmap -Pn -F -A <TARGET_IP>
## Timing (T0=slow ... T5=insanely fast) scan
nmap -Pn -F -T5 -sV -O -sC <TARGET_IP> -v
## Output scan
nmap -Pn -F -oN outputfile.txt <TARGET_IP> 
nmap -Pn -F -oX outputfile.xml <TARGET_IP> 
## Output to all formats
nmap -Pn -sV -sC -O -oA outputfile <TARGET_IP>
nmap -A -oA outputfile <TARGET_IP>
```
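For the machine-readable formats (`-oX`, or the `.xml` file that `-oA` writes) it is better to parse the XML than the text. The script below is an added example, not from the original notes or the Nmap project: it loads a constructed XML sample written in Nmap's output schema (the addresses, ports and the `product`/`version` strings are made up for the lab network above), skips hosts reported down, lists the open ports and detected service versions per host, and diffs them against an assumed baseline of expected listeners so that anything unexpected is flagged. `BASELINE`, `unexpected_exposure` and `PortInfo` are names chosen for this example.

```python
# Added example (not from the original notes): inventory a `-oX` scan and diff
# the open ports per host against an expected-exposure baseline.
import xml.etree.ElementTree as ET  # fine for scan files you produced yourself; use defusedxml for untrusted XML
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in Nmap's XML schema; values are invented for the lab network above.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV -oX scan.xml 192.168.31.0/24" version="7.93">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.31.133" addrtype="ipv4"/>
<address addr="00:0C:29:C9:89:DE" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="reset"/><service name="mysql" method="table" conf="3"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy" method="table" conf="3"/></port>
</ports>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.31.2" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain" method="table" conf="3"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.31.77" addrtype="ipv4"/>
</host>
<runstats><finished elapsed="12.3"/><hosts up="2" down="1" total="3"/></runstats>
</nmaprun>
"""

PortKey = Tuple[str, int]  # (protocol, port number)


@dataclass(frozen=True)
class PortInfo:
    protocol: str
    port: int
    state: str
    service: str
    product: str
    version: str


def parse_nmap_xml(xml_text: str) -> Dict[str, List[PortInfo]]:
    """Map each host that is up to its port records (keyed by IPv4 address)."""
    root = ET.fromstring(xml_text)
    inventory: Dict[str, List[PortInfo]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no ports
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
        if ip is None:
            continue
        records: List[PortInfo] = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            records.append(PortInfo(
                protocol=port.get("protocol", ""),
                port=int(port.get("portid", "0")),
                state=state.get("state", "") if state is not None else "",
                service=service.get("name", "") if service is not None else "",
                product=service.get("product", "") if service is not None else "",
                version=service.get("version", "") if service is not None else "",
            ))
        inventory[ip] = records
    return inventory


def open_ports(inventory: Dict[str, List[PortInfo]], ip: str) -> List[PortInfo]:
    """Only ports in state 'open', ordered by protocol then number."""
    return sorted((p for p in inventory.get(ip, []) if p.state == "open"),
                  key=lambda p: (p.protocol, p.port))


def unexpected_exposure(inventory: Dict[str, List[PortInfo]],
                        baseline: Dict[str, Set[PortKey]]) -> Dict[str, Set[PortKey]]:
    """Open (protocol, port) pairs missing from the baseline; unknown hosts count entirely."""
    findings: Dict[str, Set[PortKey]] = {}
    for ip in inventory:
        allowed = baseline.get(ip, set())
        extra = {(p.protocol, p.port) for p in open_ports(inventory, ip)} - allowed
        if extra:
            findings[ip] = extra
    return findings


# Constructed baseline: what the lab owner expects to be listening.
BASELINE: Dict[str, Set[PortKey]] = {"192.168.31.133": {("tcp", 22), ("tcp", 80)}}

if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip in sorted(inv):
        for p in open_ports(inv, ip):
            print(f"{ip} {p.protocol}/{p.port} {p.service} {p.product} {p.version}".rstrip())
    for ip, extra in sorted(unexpected_exposure(inv, BASELINE).items()):
        for proto, port in sorted(extra):
            print(f"FINDING {ip}: {proto}/{port} open but not in baseline")
```

Hosts absent from the baseline are reported in full on purpose: a device that was never inventoried is exactly the kind of exposure a repeated sweep should surface, and re-running the comparison against a saved baseline turns the scan into a change detector rather than a one-off listing.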

## Metasploit port scanning

<figure><img src="https://2323754756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqOzKV4VHdQXzOvQKF5XH%2Fuploads%2Fwn2peFacRFV7tP5Rw1FX%2Fimage.png?alt=media&#x26;token=1646ce00-c34c-446f-94ae-fe27a9b496ab" alt="" width="563"><figcaption></figcaption></figure>
