
# Active information gathering

## <mark style="color:orange;">HOST DISCOVERY</mark>

> **`ip`** - show/manipulate routing, network devices, interfaces and tunnels

```
ip -br -c a
# -br = brief
# -c  = color
# a   = address (show the addresses assigned to each interface)
```

> **`arp-scan`** - send ARP requests to target hosts and display responses

```
sudo arp-scan -I eth1 192.168.31.0/24
# -I eth1 = interface to send the ARP requests from (raw sockets, so root is needed)
```

## ping <a href="#ping" id="ping"></a>

> **`ping`** - send ICMP ECHO_REQUEST to network hosts

```
ping 192.168.31.2
# Reachable

ping 192.168.31.5
# Unreachable
```

## [fping](https://fping.org/) <a href="#fping" id="fping"></a>

> **`fping`** - send ICMP ECHO_REQUEST packets to multiple network hosts

```
fping -I eth1 -g 192.168.31.0/24 -a
# -I eth1 = interface to use
# -g      = generate the target list from the CIDR range
# -a      = show only alive (responding) hosts
```

### Launch `fping` without "Host Unreachable" errors

```
fping -I eth1 -g 192.168.31.0/24 -a 2>/dev/null
# 2>/dev/null discards stderr, where fping prints the "ICMP Host Unreachable" messages
```

## [nmap](https://nmap.org/) <a href="#nmap" id="nmap"></a>

> **`nmap`** - Network exploration tool and security/port scanner

```
nmap -sn 192.168.31.0/24
# Ping Scan
```

Discover all the devices on a target network with an Nmap **ping sweep** (ping scan).

* `-sn` option - Ping Scan (ping sweep): host discovery only, port scanning disabled. It lists the hosts that respond. Run as root against remote targets, **-sn** consists of:
  * an ICMP echo request
  * a TCP SYN to port 443
  * a TCP ACK to port 80
  * an ICMP timestamp request
* Run `-sn` with `sudo`: an unprivileged Nmap cannot send raw packets and falls back to a plain TCP connect to ports 80 and 443, so it misses hosts that only answer ICMP or ARP. With root and targets on the local Ethernet segment, Nmap uses ARP requests instead, which is why the output below reports MAC addresses.

```
# Check your network IP subnet
ip -br -c a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
eth0             DOWN           
eth1             UP             192.168.31.128/24 fe80::20c:29ff:fe3a:6a12/64
# Current local subnet network is 192.168.31.0/24

sudo nmap -sn 192.168.31.0/24
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 15:46 CET
    Nmap scan report for 192.168.31.2 # Default Gateway IP
    Host is up (0.00021s latency).
    MAC Address: 00:50:56:F3:CD:3F (VMware) # MAC Address of the manufacturer
    Nmap scan report for 192.168.31.133 # Ubuntu VM IP
    Host is up (0.00013s latency).
    MAC Address: 00:0C:29:C9:89:DE (VMware)
    Nmap scan report for 192.168.31.254 # Vmware DHCP server IP
    Host is up (0.00013s latency).
    MAC Address: 00:50:56:E7:B4:64 (VMware)
    Nmap scan report for 192.168.31.128 # current Kali VM IP
    Host is up.
    Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds
# Only 4 devices are up
```

* Copy the found IPs for future reference and move on to the [port scan phase](https://blog.syselement.com/ine/courses/ejpt/assessment-methodologies/1-info-gathering#port-scanning-with-nmap) on each of them.

```
192.168.31.2
192.168.31.128
192.168.31.133
192.168.31.254
```
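Rather than copying the addresses out of the terminal by hand, the same list can be pulled out of the `-sn` output programmatically. The Python below is an added example, not part of the original cheatsheet or of Nmap itself. The text it parses is constructed to match Nmap's normal-output layout (the hostname `ubuntu-vm.lab.test` is invented), and the parser refuses output whose stanza count disagrees with Nmap's own "hosts up" tally, so a truncated or mangled paste is caught instead of silently producing a short list.

```python
"""Parse `nmap -sn` normal output into a list of live hosts.

Added example, not code from the original cheatsheet. The sample text below
is constructed to match the layout nmap prints for a ping sweep (one
"Nmap scan report" stanza per responding host); it is not a real capture.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of `sudo nmap -sn <network>` output.
SAMPLE_SN_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 15:46 CET
Nmap scan report for 192.168.31.2
Host is up (0.00021s latency).
MAC Address: 00:50:56:F3:CD:3F (VMware)
Nmap scan report for ubuntu-vm.lab.test (192.168.31.133)
Host is up (0.00013s latency).
MAC Address: 00:0C:29:C9:89:DE (VMware)
Nmap scan report for 192.168.31.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:E7:B4:64 (VMware)
Nmap scan report for 192.168.31.128
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds
"""

# "Nmap scan report for 10.0.0.1", "... for name (10.0.0.1)" and, with -v,
# "... for 10.0.0.9 [host down]", which must not create a host entry.
_REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?(?P<down> \[host down\])?$"
)
# "Host is up." / "Host is up (0.0002s latency)." / verbose "Host is up, received arp-response (...)."
_UP_RE = re.compile(r"^Host is up(?:, received [^ ]+)?(?: \((?P<lat>[\d.]+)s latency\))?\.$")
_MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})(?: \((?P<vendor>[^)]*)\))?$",
    re.IGNORECASE,
)
_DONE_RE = re.compile(r"^Nmap done: \d+ IP addresses? \((?P<up>\d+) hosts? up\)")


@dataclass
class LiveHost:
    ip: str
    hostname: Optional[str] = None
    latency_s: Optional[float] = None
    mac: Optional[str] = None        # only reported for hosts on the local segment
    vendor: Optional[str] = None


def parse_ping_sweep(text: str) -> List[LiveHost]:
    """Return one LiveHost per responding host, in the order nmap printed them."""
    hosts: List[LiveHost] = []
    current: Optional[LiveHost] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _REPORT_RE.match(line)
        if m:
            if m.group("down"):
                current = None               # verbose-mode "[host down]" stanza
                continue
            current = LiveHost(ip=m.group("ip"), hostname=m.group("name"))
            hosts.append(current)
            continue
        m = _DONE_RE.match(line)
        if m:
            # Sanity check: nmap's own tally must agree with what we parsed.
            if int(m.group("up")) != len(hosts):
                raise ValueError(f"parsed {len(hosts)} hosts, nmap reported {m.group('up')} up")
            continue
        if current is None:
            continue
        m = _UP_RE.match(line)
        if m:
            if m.group("lat") is not None:
                current.latency_s = float(m.group("lat"))
            continue
        m = _MAC_RE.match(line)
        if m:
            current.mac = m.group("mac").upper()
            current.vendor = m.group("vendor") or None
    return hosts


def live_ips(hosts: List[LiveHost]) -> List[str]:
    """Addresses sorted numerically, ready to feed into the port-scan phase."""
    return [str(a) for a in sorted(ipaddress.ip_address(h.ip) for h in hosts)]


if __name__ == "__main__":
    found = parse_ping_sweep(SAMPLE_SN_OUTPUT)
    for h in found:
        print(f"{h.ip:<16} {h.mac or '-':<18} {h.vendor or ''}")
    print("\n".join(live_ips(found)))
```

Pipe a saved `-sn` run into `parse_ping_sweep` and `live_ips` gives the target file for the next phase in numeric order; the scanning host itself (the stanza without a MAC address) comes through as well, so drop it deliberately if you do not want to scan yourself.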

## [netdiscover](https://www.kali.org/tools/netdiscover/)

> **`netdiscover`** - an active/passive ARP reconnaissance tool. It discovers hosts by sending ARP requests (active mode) or by only sniffing ARP traffic on the segment (passive mode, `-p`).

```
netdiscover -h 
    Netdiscover 0.10 [Active/passive ARP reconnaissance tool]
    Written by: Jaime Penalba <jpenalbae@gmail.com>
    Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-F filter] [-s time] [-c count] [-n node] [-dfPLNS]
      -i device: your network device
      -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
      -l file: scan the list of ranges contained into the given file
      -p passive mode: do not send anything, only sniff
      -m file: scan a list of known MACs and host names
      -F filter: customize pcap filter expression (default: "arp")
      -s time: time to sleep between each ARP request (milliseconds)
      -c count: number of times to send each ARP request (for nets with packet loss)
      -n node: last source IP octet used for scanning (from 2 to 253)
      -d ignore home config files for autoscan and fast mode
      -f enable fastmode scan, saves a lot of time, recommended for auto
      -P print results in a format suitable for parsing by another program and stop after active scan
      -L similar to -P but continue listening after the active scan is completed
      -N Do not print header. Only valid when -P or -L is enabled.
      -S enable sleep time suppression between each request (hardcore mode)
    If -r, -l or -p are not enabled, netdiscover will scan for common LAN addresses.
```
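From the defender's side, every tool in this section leaves the same footprint: one source touching many neighbours in a short time, either with ARP who-has requests (arp-scan, netdiscover, on-LAN `nmap -sn`) or with the ICMP/TCP probe set that `nmap -sn` and fping send off the local segment. The Python below is an added detection example, not code from the original cheatsheet or from any of those tools; the record shape and the traffic it analyses are constructed, and the `window_s`/`threshold` parameters are assumptions to tune per network. It goes one step beyond the page by also showing the failure mode: a sweep paced slower than the window never trips the fixed-window rule.

```python
"""Flag ARP and ICMP/TCP host-discovery sweeps in flow records.

Added example for the defender's side of arp-scan, fping, netdiscover and
`nmap -sn`; it is not part of the original cheatsheet. Records use a
constructed, simplified shape: (timestamp_s, src, dst, kind), where kind
names the probe seen. A real deployment would fill these from pcap, Zeek
conn/arp logs or NetFlow; that extraction is assumed, not shown here.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, replace
from typing import Deque, Dict, Iterable, List, Tuple

Record = Tuple[float, str, str, str]

# Probe kinds grouped by the discovery technique they indicate.
ARP_KINDS = {"arp_request"}                      # arp-scan, netdiscover, nmap -sn on-LAN
PING_KINDS = {"icmp_echo", "icmp_timestamp",     # fping (echo only) and the
              "tcp_syn:443", "tcp_ack:80"}       # nmap -sn probe set off-LAN


@dataclass(frozen=True)
class Alert:
    src: str
    technique: str          # "arp_sweep" or "ping_sweep"
    distinct_targets: int
    first_ts: float
    last_ts: float


def detect_sweeps(records: Iterable[Record], window_s: float = 5.0,
                  threshold: int = 10) -> List[Alert]:
    """Alert when one source probes >= threshold distinct hosts within window_s.

    A sliding window per (src, technique) stream yields one alert per stream
    and grows its target count as the sweep continues. A scan paced slower
    than threshold/window_s never trips it, so the two parameters are a
    sensitivity/noise trade-off, not a hard guarantee.
    """
    streams: Dict[Tuple[str, str], Deque[Tuple[float, str]]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Alert] = {}
    for ts, src, dst, kind in sorted(records, key=lambda r: r[0]):
        if kind in ARP_KINDS:
            technique = "arp_sweep"
        elif kind in PING_KINDS:
            technique = "ping_sweep"
        else:
            continue                                # not a discovery probe
        key = (src, technique)
        window = streams[key]
        window.append((ts, dst))
        while window and ts - window[0][0] > window_s:
            window.popleft()                        # expire probes outside the window
        targets = {d for _, d in window}
        if len(targets) < threshold:
            continue
        if key not in alerts:
            alerts[key] = Alert(src, technique, len(targets), window[0][0], ts)
        elif len(targets) > alerts[key].distinct_targets:
            alerts[key] = replace(alerts[key], distinct_targets=len(targets), last_ts=ts)
    return sorted(alerts.values(), key=lambda a: a.first_ts)


def build_sample_records() -> List[Record]:
    """Constructed traffic: two sweeps, one benign host, one slow sweep."""
    recs: List[Record] = []
    # arp-scan / netdiscover style: 30 who-has requests in about 3 seconds
    for i in range(1, 31):
        recs.append((100.0 + i * 0.1, "10.0.0.5", f"10.0.0.{i}", "arp_request"))
    # nmap -sn off-LAN style: the four-probe set against 12 hosts in under a second
    for i in range(1, 13):
        t = 200.0 + i * 0.05
        for kind in ("icmp_echo", "tcp_syn:443", "tcp_ack:80", "icmp_timestamp"):
            recs.append((t, "10.0.0.9", f"10.0.1.{i}", kind))
    # benign: a workstation resolving three neighbours over a minute
    for i, t in enumerate((300.0, 320.0, 355.0), start=1):
        recs.append((t, "10.0.0.7", f"10.0.0.{i}", "arp_request"))
    # slow sweep: one echo every 2 s, so at most 3 targets share a 5 s window
    for i in range(1, 16):
        recs.append((400.0 + i * 2.0, "10.0.0.8", f"10.0.2.{i}", "icmp_echo"))
    return recs


if __name__ == "__main__":
    for a in detect_sweeps(build_sample_records()):
        print(f"{a.technique:<11} from {a.src}: {a.distinct_targets} hosts "
              f"between t={a.first_ts:.2f} and t={a.last_ts:.2f}")
```

With the defaults the constructed traffic produces two alerts (the ARP sweep and the four-probe ping sweep) and stays quiet for both the workstation and the 2-second-paced sweep; widening `window_s` to 60 catches the slow sweep as well, at the cost of more false positives from chatty hosts. In practice the ARP rule is the higher-value one on a switched LAN, because ARP is not filtered by host firewalls and a privileged `nmap -sn` on the local segment uses it exclusively.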

### Scan a range on a given interface

```
sudo netdiscover -i eth1 -r 192.168.31.0/24
```

nmap cheatsheet: <https://www.stationx.net/nmap-cheat-sheet/>

<mark style="color:orange;">**nmap different scanning techniques**</mark>

| **SWITCH** | **EXAMPLE**          | **DESCRIPTION**                                        |
| ---------- | -------------------- | ------------------------------------------------------ |
| -sS        | nmap 192.168.1.1 -sS | TCP SYN port scan (Default)                            |
| -sT        | nmap 192.168.1.1 -sT | TCP connect port scan (Default without root privilege) |
| -sU        | nmap 192.168.1.1 -sU | UDP port scan                                          |
| -sA        | nmap 192.168.1.1 -sA | TCP ACK port scan                                      |
| -sW        | nmap 192.168.1.1 -sW | TCP Window port scan                                   |
| -sM        | nmap 192.168.1.1 -sM | TCP Maimon port scan                                   |

<mark style="color:orange;">**NMAP HOST DISCOVERY & PORT SCAN**</mark>

```
# HOST DISCOVERY

## Ping scan (ARP on the local segment, ICMP/TCP probes otherwise)
sudo nmap -sn <TARGET_IP/NETWORK>
## ARP scan
sudo netdiscover -i eth1 -r <TARGET_IP/NETWORK>

# NMAP PORT SCAN
## Default: top 1000 TCP ports (SYN scan as root, connect scan otherwise)
nmap <TARGET_IP>
## Skip host discovery (treat the target as up)
nmap -Pn <TARGET_IP>
## Scan all 65535 TCP ports
nmap -p- <TARGET_IP>
## Port 80 only scan
nmap -p 80 <TARGET_IP>
## Custom list of ports scan
nmap -p 80,445,3389,8080 <TARGET_IP>
## Custom ports range scan
nmap -p1-2000 <TARGET_IP>
## Fast mode (top 100 ports) & verbose scan
nmap -F <TARGET_IP> -v
## UDP scan (raw sockets, needs root)
sudo nmap -sU <TARGET_IP>
## Service/version detection scan
nmap -sV <TARGET_IP>
## Service + O.S. detection scan (-O needs root)
sudo nmap -sV -O <TARGET_IP>
## Default scripts scan
nmap -sC <TARGET_IP>
sudo nmap -Pn -F -sV -O -sC <TARGET_IP>
## Aggressive scan (-A = -sV -O -sC --traceroute, needs root)
sudo nmap -Pn -F -A <TARGET_IP>
## Timing template (T0=slow ... T5=insanely fast) scan
sudo nmap -Pn -F -T5 -sV -O -sC <TARGET_IP> -v
## Output scan: normal text (-oN) and XML (-oX)
nmap -Pn -F -oN outputfile.txt <TARGET_IP>
nmap -Pn -F -oX outputfile.xml <TARGET_IP>
## Output to all formats (-oA writes .nmap, .xml and .gnmap)
sudo nmap -Pn -sV -sC -O -oA outputfile <TARGET_IP>
sudo nmap -A -oA outputfile <TARGET_IP>
```
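Of the output options above, `-oX` and `-oA` are the ones worth keeping, because the XML is the form other tooling can read back reliably (the normal-output text changes layout between options and versions). The Python below is an added example, not code from the original cheatsheet or from Nmap; it walks Nmap's XML schema (`nmaprun`/`host`/`address`/`ports`/`port`/`service`, `os`/`osmatch`) and turns it into per-host records. The document it parses is constructed, with invented hostname, product and version strings.

```python
"""Turn `nmap -oX` output (or the .xml file written by -oA) into an inventory.

Added example, not code from the original cheatsheet or from Nmap. The XML
below is a constructed document following Nmap's output schema; hostname,
product and version strings are invented sample values.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: one host up with three reported ports, one host down.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -F -sV -O -oX scan.xml 192.168.31.133 192.168.31.5" version="7.93" xmloutputversion="1.05">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.31.133" addrtype="ipv4"/>
    <address addr="00:0C:29:C9:89:DE" addrtype="mac" vendor="VMware"/>
    <hostnames><hostname name="ubuntu-vm.lab.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="97"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 5.0 - 5.4" accuracy="95"/><osmatch name="Linux 4.15 - 5.6" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.31.5" addrtype="ipv4"/>
  </host>
  <runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


@dataclass
class Port:
    number: int
    protocol: str
    state: str                      # open / closed / filtered / ...
    service: Optional[str]
    product: Optional[str]
    version: Optional[str]


@dataclass
class HostReport:
    ip: str
    mac: Optional[str] = None
    vendor: Optional[str] = None
    hostname: Optional[str] = None
    os_guess: Optional[str] = None
    ports: List[Port] = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> List[HostReport]:
    """One HostReport per host nmap marked up; down hosts are skipped."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "nmaprun":
        raise ValueError(f"not an nmap XML document (root <{root.tag}>)")
    reports: List[HostReport] = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        report = HostReport(ip="")
        for addr in host.findall("address"):       # one ipv4/ipv6 and maybe one mac
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                report.ip = addr.get("addr", "")
            elif addr.get("addrtype") == "mac":
                report.mac = addr.get("addr")
                report.vendor = addr.get("vendor")
        name = host.find("hostnames/hostname")
        if name is not None:
            report.hostname = name.get("name")
        matches = host.findall("os/osmatch")       # present only when -O ran
        if matches:
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            report.os_guess = best.get("name")
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            report.ports.append(Port(
                number=int(port.get("portid")),
                protocol=port.get("protocol", "tcp"),
                state=state.get("state") if state is not None else "unknown",
                service=service.get("name") if service is not None else None,
                product=service.get("product") if service is not None else None,
                version=service.get("version") if service is not None else None,
            ))
        reports.append(report)
    return reports


def open_service_lines(report: HostReport) -> List[str]:
    """'22/tcp ssh OpenSSH 8.9p1 ...' for each open port, sorted by protocol and number."""
    lines: List[str] = []
    for p in sorted(report.ports, key=lambda p: (p.protocol, p.number)):
        if p.state != "open":
            continue
        parts = [f"{p.number}/{p.protocol}", p.service, p.product, p.version]
        lines.append(" ".join(x for x in parts if x))
    return lines
```

`parse_nmap_xml(open("outputfile.xml").read())` gives the same structure for any scan in the block above; `open_service_lines` is the first view a reviewer wants, and the `state == "filtered"` ports that it skips are still in `HostReport.ports` for anyone checking firewall coverage. ElementTree is appropriate for scan files you produced yourself; for XML received from elsewhere, parse it with `defusedxml` so that entity-expansion tricks in the file cannot exhaust the parser.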

## Metasploit port scanning
