# Host discovery ## Network Monitoring **This is a very basic script that runs nmap every day using default ports and then uses ndiff to compare the results.** **We can then take the output of this script and use it to notify our team of new ports discovered daily.** ```bash #!/bin/bash mkdir /opt/nmap_diff d=$(date +%Y-%m-%d) y=$(date -d yesterday +%Y-%m-%d) /usr/bin/nmap -T4 -oX /opt/nmap_diff/scan_$d.xml 10.100.100.0/24 > /dev/null 2>&1 if [ -e /opt/nmap_diff/scan_$y.xml ]; then /usr/bin/ndiff /opt/nmap_diff/scan_$y.xml /opt/nmap_diff/scan_$d.xml > /opt/nmap_diff/diff.txt fi ``` {% hint style="success" %} The same approach can be taken with vulnerability scanners and other tools. {% endhint %} ## Remote Discovery #### **You can use nmap, masscan or unicorn scan for this:** ```tsconfig nmap -sn -T4 -oG 192.168.1.1/24 | grep “Status: Up” | cut -f 2 -d ‘ ‘ > LiveHosts.txt nmap –PE –sn -n 10.50.96.0/23 –oX /root/Desktop/scan.xml ``` The `-PE` enables ICMP Echo request host discovery (Ping scan) The `-sn` option means only do a host discovery and not a port scan ```bash unicornscan 192.168.100.35/24:31 masscan 192.168.2.1/24 -p80,53,443,22 ``` **Masscan is the fastest host discovery tool available, even faster than nmap.** ### Extracting Live IPs from Nmap Scan ```bash nmap 10.1.1.1 --open -oG scan-results; cat scan-results | grep "/open" | cut -d " " -f 2 > exposed-services-ips ``` ### Simple Port Knocking ```bash for x in 7000 8000 9000; do nmap -Pn –host_timeout 201 –max-retries 0 -p $x 1.1.1.1; done ``` ### DNS lookups, Zone Transfers & Brute-Force ```tsconfig whois domain.com dig {a|txt|ns|mx} domain.com dig {a|txt|ns|mx} domain.com @ns1.domain.com host -t {a|txt|ns|mx} megacorpone.com host -a megacorpone.com host -l megacorpone.com ns1.megacorpone.com dnsrecon -d megacorpone.com -t axfr @ns2.megacorpone.com dnsenum domain.com nslookup -> set type=any -> ls -d domain.com for sub in $(cat subdomains.txt);do host $sub.domain.com|grep "has.address";done ``` ## Local Discovery ### Netdiscover **Discover live hosts in LAN and get the internal IP address and MAC address of live hosts in the network.** **It can be used in both active and passive mode.** ```bash netdiscover -i [interface] ``` #### Options: ```tsconfig -i device: your network device -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8 -l file: scan the list of ranges contained into the given file -p passive mode: do not send anything, only sniff -m file: scan the list of known MACs and host names -F filter: Customize pcap filter expression (default: "arp") -s time: time to sleep between each arp request (miliseconds) -n node: last ip octet used for scanning (from 2 to 253) -c count: number of times to send each arp reques (for nets with packet loss) -f enable fastmode scan, saves a lot of time, recommended for auto -d ignore home config files for autoscan and fast mode -S enable sleep time supression betwen each request (hardcore mode) -P print results in a format suitable for parsing by another program -N Do not print header. Only valid when -P is enabled. -L in parsable output mode (-P), continue listening after the active scan is completed ``` #### Active Mode (Run as an ARP scanner) ```atom netdiscover -i eth0 -r 192.168.1.0/24 ``` **Multiple Ranges from a File** ``` netdiscover -l ``` #### **Passive Mode (Run as an ARP sniffer)** ``` netdiscover -p -r ``` #### Parsable Outputs ```tsconfig Syntax: netdiscover -P -N Command: netdiscover-r 192.168.1.1/24 -PN ``` ### Responder **A great discovery tool for Active Directory Environments** ```tsconfig responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding. responder.py -I eth0 -wrf ``` ### Bettercap **Advanced MitM and sniffer tool.** ```tsconfig bettercap -X --proxy --proxy-https -T # better cap in spoofing, discovery, sniffer # intercepting http and https requests, # targetting specific IP only ``` ## Traceroute **Discovers the route that packets take between two system in the network.** **It helps us to construct network architecture diagrams and it is included in most if not all OSs.** **Windows:** ``` tracert [target] ``` **Linux:** ``` traceroute [target] ``` ### Linux traceroute #### Linux traceroute sends packets to target with varying TTLs in the IP header. by default sends UDP packets with incrementing destination ports starting from port 33434 going up by one port for each probe packet sent ( each hope measured three times ). {% embed url="" %} #### Here are some of the most used options: ```tsconfig -f [number]: set the initial TTL for the first packet -g [host list] : specify a loose source route (8 maximum hops) -I : use ICMP echo request instead of UDP -T : use TCP SYN instead of UDP with deafult dest port 80 -m [number] : set the maximum number of hops -n : print numbers instead of names -p [port] : set port ( for UDP sets the base port and increment, for TCP its fixed port -w [number] : wait for N seconds before giving up and writing * (default 5) -4 : force use of IPv4 -6 : force use of IPv6 ``` ### Windows traceroute #### Sends ICMP echo request messages to target, starting with small TTLs. **Some useful options:** ```tsconfig -h [number] : max number of hops (default 30) -d : dont resolve names -j [hostlist] : use loose source routing with a space-separated list of router IPs (up to 9 max) -w [number] : wait for N milliseconds before givving up and writing a * (default is 4000) -4 : force use of IPv4 -6 : force use of IPv6 ``` ### Web based traceroute services #### Instead of tracing from your address to target various websites allow you to trace from them to the target. #### So you can traceroute from around the world. by domain name or IP address. this is very useful in seeing if you are being shunned during a test. {% embed url="" %} {% embed url="" %} {% embed url="" %} ## Network Mapping ### Traceroute **For best performance and mapping the network hops use traceroute with these three options and compare the results:** ```tsconfig traceroute target traceroute -T target traceroute -T -p [test multiple ports] target traceroute -I target ``` **For an all in one command you can use this chain of commands:** ```tsconfig traceroute target.com > 1 && traceroute -T target.com > 2 && traceroute -I target.com > 3 && traceroute target.com -T 80 > 4 && cat 1 2 3 4 | grep -v '*' | sort -n -k 1 -u | sort -g ``` **This will run a traceroute with multiple methods and combine the results for better view.**

**Using this method we can minimize the chance of lost hopes in the route ( the \* signs).** **Here is the bash script you can use with the target domain or IP as an argument to perform the same task:** ```bash #!/bin/bash if [ $# -ne 1 ] then echo "usage: $0 " exit 1 fi echo "[*] Using UDP with incremental from 33434 " traceroute $1 | tee -a tmp1 echo "[*] Using TCP SYN port 80" traceroute -T $1 | tee -a tmp2 echo "[*] Using ICMP echo request" traceroute -I $1 | tee -a tmp3 echo "[*] Using TCP SYN port 443" traceroute $1 -T 443 | tee tmp4 echo echo "[+] Multi-route finished [+]" echo "[+] Results saved to $1.txt file [+]" cat tmp1 tmp2 tmp3 tmp4 | grep -v '*' | sort -n -k 1 -u | sort -g | tee -a $1.txt rm -rf tmp1 tmp2 tmp3 tmp4 ``` ### Zenmap you can also use Zen map for network mapping which is a GUI for Nmap tool and can be downloaded from [here](https://nmap.org/zenmap/). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://smadi0x86-blog.gitbook.io/smadi0x86-playground/offensive-security/recon/active/host-discovery.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.