Active information gathering

#HOST DISCOVERY

ip - show/manipulate routing, network devices, interfaces and tunnels

ip -br -c a
# -br = brief
# -c  = color

arp-scan - send ARP requests to target hosts and display responses

sudo arp-scan -I eth1 192.168.31.0/24

#ping

ping - send ICMP ECHO_REQUEST to network hosts

ping 192.168.31.2
# Reachable

ping 192.168.31.5
# Unreachable

fping - send ICMP ECHO_REQUEST packets to multiple network hosts

fping -I eth1 -g 192.168.31.0/24 -a

Launch fping without "Host Unreachable" errors

fping -I eth1 -g 192.168.31.0/24 -a 2>/dev/null

nmap - Network exploration tool and security/port scanner

nmap -sn 192.168.31.0/24
# Ping Scan

- Discover all the devices on a target network using a ping sweep (ping scan) with Nmap.

  • -sn option - Ping scan (ping sweep): disables the port scan and only reports the hosts that respond. By default, -sn sends:

    • an ICMP echo request

    • a TCP SYN to port 443

    • a TCP ACK to port 80

    • an ICMP timestamp request

  • -sn must be run with sudo

# Check your network IP subnet
ip -br -c a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
eth0             DOWN           
eth1             UP             192.168.31.128/24 fe80::20c:29ff:fe3a:6a12/64
# Current local subnet network is 192.168.31.0/24

sudo nmap -sn 192.168.31.0/24
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 15:46 CET
    Nmap scan report for 192.168.31.2 # Default Gateway IP
    Host is up (0.00021s latency).
    MAC Address: 00:50:56:F3:CD:3F (VMware) # MAC address, with the NIC vendor in parentheses
    Nmap scan report for 192.168.31.133 # Ubuntu VM IP
    Host is up (0.00013s latency).
    MAC Address: 00:0C:29:C9:89:DE (VMware)
    Nmap scan report for 192.168.31.254 # Vmware DHCP server IP
    Host is up (0.00013s latency).
    MAC Address: 00:50:56:E7:B4:64 (VMware)
    Nmap scan report for 192.168.31.128 # current Kali VM IP
    Host is up.
    Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds
# Only 4 devices are up
  • Copy the discovered IPs for future reference and move on to the port scan phase on each of them.

192.168.31.2
192.168.31.128
192.168.31.133
192.168.31.254
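
Added example (not part of the original notes): a shell helper that turns the `nmap -sn` report above into the sorted host list, keeping the MAC and vendor for an inventory. `sample_scan`, `live_hosts` and `target_ips` are hypothetical names, and the embedded sample is the report shown above with the inline notes removed.

```bash
#!/usr/bin/env bash
# Added example: parse `nmap -sn` normal output into a sorted host inventory.

# Sample input: the ping-scan report from this page, inline notes removed.
sample_scan() {
cat <<'EOF'
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 15:46 CET
Nmap scan report for 192.168.31.2
Host is up (0.00021s latency).
MAC Address: 00:50:56:F3:CD:3F (VMware)
Nmap scan report for 192.168.31.133
Host is up (0.00013s latency).
MAC Address: 00:0C:29:C9:89:DE (VMware)
Nmap scan report for 192.168.31.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:E7:B4:64 (VMware)
Nmap scan report for 192.168.31.128
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds
EOF
}

# live_hosts (hypothetical helper): reads nmap normal output on stdin and
# prints "IP MAC VENDOR" per host that is up, sorted numerically by octet.
# The scanning host has no MAC line, so it is printed as "IP - -".
live_hosts() {
  awk '
    function emit() { if (ip != "" && up) print ip, mac, vendor; ip = ""; up = 0 }
    { sub(/[ \t]*#.*$/, "") }              # drop trailing "# note" annotations
    /^Nmap scan report for / {
      emit()
      ip = $NF; gsub(/[()]/, "", ip)       # "name (1.2.3.4)" -> "1.2.3.4"
      mac = "-"; vendor = "-"
    }
    /^Host is up/ { up = 1 }               # -v also lists "[host down]" entries
    /^MAC Address: / {
      mac = $3
      vendor = $0; sub(/^[^(]*\(/, "", vendor); sub(/\)[^)]*$/, "", vendor)
    }
    END { emit() }
  ' | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# target_ips: just the addresses, one per line, ready to save as a target file.
target_ips() { live_hosts | cut -d" " -f1; }

sample_scan | live_hosts
```

With a real scan, pipe the report in instead of the sample, for example `sudo nmap -sn 192.168.31.0/24 | target_ips > targets.txt`.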

#netdiscover - an active/passive ARP discovering tool

  • it utilizes ARP requests

netdiscover -h 
    Netdiscover 0.10 [Active/passive ARP reconnaissance tool]
    Written by: Jaime Penalba <jpenalbae@gmail.com>
    Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-F filter] [-s time] [-c count] [-n node] [-dfPLNS]
      -i device: your network device
      -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
      -l file: scan the list of ranges contained into the given file
      -p passive mode: do not send anything, only sniff
      -m file: scan a list of known MACs and host names
      -F filter: customize pcap filter expression (default: "arp")
      -s time: time to sleep between each ARP request (milliseconds)
      -c count: number of times to send each ARP request (for nets with packet loss)
      -n node: last source IP octet used for scanning (from 2 to 253)
      -d ignore home config files for autoscan and fast mode
      -f enable fastmode scan, saves a lot of time, recommended for auto
      -P print results in a format suitable for parsing by another program and stop after active scan
      -L similar to -P but continue listening after the active scan is completed
      -N Do not print header. Only valid when -P or -L is enabled.
      -S enable sleep time suppression between each request (hardcore mode)
    If -r, -l or -p are not enabled, netdiscover will scan for common LAN addresses.

netdiscover -i eth1 -r 192.168.31.0/24

nmap cheatsheet

nmap different scanning techniques

| SWITCH | EXAMPLE | DESCRIPTION |
|--------|---------|-------------|
| -sS | nmap 192.168.1.1 -sS | TCP SYN port scan (Default) |
| -sT | nmap 192.168.1.1 -sT | TCP connect port scan (Default without root privilege) |
| -sU | nmap 192.168.1.1 -sU | UDP port scan |
| -sA | nmap 192.168.1.1 -sA | TCP ACK port scan |
| -sW | nmap 192.168.1.1 -sW | TCP Window port scan |
| -sM | nmap 192.168.1.1 -sM | TCP Maimon port scan |

#NMAP HOST DISCOVERY

# HOST DISCOVERY

## Ping scan
sudo nmap -sn <TARGET_IP/NETWORK>
## ARP scan
netdiscover -i eth1 -r <TARGET_IP/NETWORK>

# NMAP PORT SCAN
nmap <TARGET_IP>
## Skip ping
nmap -Pn <TARGET_IP>
## Scan all ports
nmap -p- <TARGET_IP>
## Port 80 only scan
nmap -p 80 <TARGET_IP>
## Custom list of ports scan
nmap -p 80,445,3389,8080 <TARGET_IP>
## Custom ports range scan
nmap -p1-2000 <TARGET_IP>
## Fast mode & verbose scan
nmap -F <TARGET_IP> -v
## UDP scan
nmap -sU <TARGET_IP>
## Service scan
nmap -sV <TARGET_IP>
## Service + O.S. detection scan
sudo nmap -sV -O <TARGET_IP>
## Default Scripts scan
nmap -sC <TARGET_IP>
nmap -Pn -F -sV -O -sC <TARGET_IP>
## Aggressive scan
nmap -Pn -F -A <TARGET_IP>
## Timing (T0=slow ... T5=insanely fast) scan
nmap -Pn -F -T5 -sV -O -sC <TARGET_IP> -v
## Output scan
nmap -Pn -F -oN outputfile.txt <TARGET_IP> 
nmap -Pn -F -oX outputfile.xml <TARGET_IP> 
## Output to all formats
nmap -Pn -sV -sC -O -oA outputfile <TARGET_IP>
nmap -A -oA outputfile <TARGET_IP>

#Metasploit port scanning
