Hacking Notes
  • Hacking Notes
  • Penetration Testing Methodology
    • Host Discovery
    • Information Gathering
    • Exploit Research
    • Exploit Development
    • Exploit Testing
    • Exploiting
    • Information Gathering
    • Privilege Escalation
  • Shells
    • Reverse Shell Cheat Sheet
    • Bind Shell Cheat Sheet
    • Webshells
    • C Shell
  • Stuck?
  • LICENSE
  • Windows
    • Windows Information Gathering
    • Windows PrivEsc
      • Method
      • PE Scripts
      • Potatos
      • Windows Privs
    • Transferring Files
    • Active Directory
      • ad-attacks
      • auth-enumeration
      • unauth-enumeration
      • authentication-delegation
      • reference
      • Kerberos
        • Authentication Delegation
      • mind-map
    • LNK Files
    • SCF Files
    • Compile Code
    • Tips & Tricks
  • Linux
    • Linux OS Information Gathering
    • Linux PrivEsc
      • methodology
      • Privilege Escalation Scripts
        • LinEnum
    • Hosting Files
    • Linux File System
    • Scheduling Jobs
    • POSIX
      • Scripting
      • Notes
  • Web Application Testing
    • Methodology
    • Enumeration
    • Attacks
      • SQLi
      • File Inclusion
      • Directory Traversal
      • Cross-Site Scripting
      • Login Forms
      • Content Injection
      • XSS
    • Assessment Tools
      • ZAP
      • ffuf
      • Nikto
      • wpscan
      • zap
    • Wordpress
      • wpscan
    • Apache
    • Nostromo
  • Services
    • Services
      • Active Directory Administration
      • Cups
      • DFSR
      • DHCP Client
      • DHCP Server
      • DNS
      • FTP
      • HTTP
      • HTTP(S)
      • IIS
      • Imap Encrypted
      • IMAP
      • IPsec
        • Kerberos
        • LDAP
        • ldaps
        • MSRPC
        • MSSQL
        • MySQL
        • Netbios Datagram Service
        • Netbios Name Service
        • Netbios Session Service
        • NFS
        • NNTP
        • NTP
        • Oracle
        • POP3
        • POP3 Encrypted
        • RDP
      • Redis
        • RFSP
        • RPCbind / Portmapper
        • RSIP
        • RTSP
      • RSYNC
        • SMB
        • SMTP
        • SNMP
        • SSH
        • Telnet
        • TFTP
        • VNC
      • VNC Remote Desktop
      • VNC Web Interface
        • WinRM
      • Wins
  • Containers
    • Docker
  • Buffer Overflow
    • Buffer Overflow
    • win32
  • Tools
    • Windows
      • chisel
      • mimikatz
      • mssqlclient.py
      • plink
      • psexec.py
      • smbeagle
      • winexe
    • Linux
      • chisel
      • evil-winrm
      • exiftool
      • Impacket
        • GetADUsers
        • GetNPUsers
        • getST
        • getTGT
        • GetUserSPNS
        • secretsdump
        • smbclient
        • wmiexec
      • jd-gui
      • ldapsearch
      • strings
      • smbeagle
      • Helpful Sites
  • Misc
    • Tunneling
    • Cryptography
    • Regex
    • Tools to Checkout
  • Password Cracking
    • Hashcat
    • John The Ripper
  • Tunneling
    • Tunnels
  • Web3
    • Introduction
    • Audit Process
    • Report Writing
    • List of Tools
    • Web3 References
Powered by GitBook
On this page
  • Host Discovery
  • Basic Host Discovery Techniques
  • My Process
  • Steps

Was this helpful?

  1. Penetration Testing Methodology

Host Discovery

Host Discovery

This is the initial phase of the engagement. The way you will discover the hosts you will be attacking depends on the type of engagement, scope of the engagement. Sometimes the target will provide a list of IP addresses and or domain names they want you to target. This will be the scope of your engagement and you may not be able to go outside of that scope. Other times you may have to find all the assets associated with the target without having any information other that what is publicly available.

Even if you are given a list of hosts for your engagement, you should attempt to use basic host discovery techniques to determine the visibility of the targets.

Basic Host Discovery Techniques

Ping Sweep

There are a few ways to conduct a ping sweep of a given IP space.

NMAP

sudo nmap -sN <FIRST 3 OCTETS>.0/24

Bash

for ip in {1..255}; do ping -w 2 -c 1 <FIRST 3 OCTETS>.$ip >/dev/null && echo host <FIRST 3 OCTETS>.$ip is up; done

CMD (TODO)

for /L %i in (1,1,255) do @ping -n 1 -w 200 <FIRST 3 OCTETS>.%i > nul && echo 192.168.0.%i is up

PowerShell (TODO)

1..255 | ForEach-Object {"<FIRST 3 OCTETS>.$_: $(Test-Connection -count 1 -comp <FIRST 3 OCTETS>.$_ -quiet)"}

DNS

Not all systems will respond to ICMP; however, they may have a DNS record. This is a two step process: 1.) Find DNS server(s) 2.) Query reverse DNS lookup.

1.) Find DNS Server

sudo nmap -p 53 -oG tcp53.gnmap <IP/CDR>
cat tcp53.gnmap | grep Host | grep open | cut -d ' ' -f 2 >> possible-dns-servers.txt

sudo nmap -p 53 -sU -oG udp53.gnmap <IP/CDR>
cat udp53.gnmap | grep Host | grep open | cut -d ' ' -f 2 >> possible-dns-servers.txt

sort -t . -k 3,3n -k 4,4n possible-dns-servers.txt | uniq > sorted-possible-dns-servers.txt
for $ip in $(cat sorted-possible-dns-servers.txt); do echo "\n\n------Trying: $ip------" host <KNOWN IP> $ip; done

With this you should be able to tell what ip addresses are responding to requests.

2.) Query the DNS server

for ip in {1..255}; do host <FIRST 3 OCTETS>.$ip <DNS SERVER IP> >> resolved-ips.txt; done

cat hostnames.txt | grep 'domain name pointer' | awk '{print $1 "," $5}' | column -t -s ',' > filtered-hostnames.txt

Keep in mind that the IP address is reversed. The IP 192.168.0.1 will show up as 1.0.168.192.

My Process

Steps

  1. Find live hosts (10.11.1.1-10.11.1.254) 1. nmap sn scan for hosts that respond to ICMP

     sudo nmap -sn -oG nmap-ping-sweep.gnmap 10.11.1.1-254

    1. Create a list of IP addresses from the ping sweep

      grep Up nmap-ping-sweep.gnmap | cut -d ' ' -f 2 >> ip-addresses.txt

    2. nmap scan specifically to find the potential Name Server(s).

      sudo nmap -iL ip-addresses.txt -p 53 -oG possible-NS-TCP.gnmap
sudo nmap -iL ip-addresses.txt -sU -p 53 -oG possible-NS-UDP.gnmap

cat possible-NS-UDP.gnmap possible-NS-TCP.gnmap | grep -i open | cut -d ' ' -f 2 | sort -t . -k 3,3n -k 4,4n -u

    3. Identify the Name Server(s)

      for ip in '10.11.1.71'; do for ns in $(cat possible-NS-ips.txt); do echo 'trying '$ns; host $ip $ns 2>/dev/null 1>/dev/null && echo $ns | tee -a ns-servers-ip.txt || echo $ns 'does not respond' ; done; done

    4. Resolve hosts in the IP range.

      1. For this keep in mind that not all of the live hosts may have responded to ICMP; however they may have a PTR record in DNS. For that reason, we will scan the entire range again.

        for ip in {1..254}; do for ns in $(cat ns-servers-ips.txt); do host 10.11.1.$ip $ns | tee -a resolve-attempt.txt; done; done

        Address needs to be one that you feel will resolve. Otherwise, you can use a list or use the ip-address.txt list.

    5. Combine the lists

      for line in $(cat resolve-attempt.txt | grep pointer | awk '{print $1 "," $5}' | sed s/.$//); do ip=$(echo $line | cut -d ',' -f 1 | awk -F '.' '{print $4 "." $3 "." $2 "." $1}'); hostname=$(echo $line | cut -d ',' -f 2) ; echo "$ip,$hostname" ; done

      This crazy loop is going to take the DNS lookup and turn it into a comma separated value of IP,hostname.

      for ip in $(cat ip-addresses.txt); do match='false'; for host in $(cat resolved.csv); do [[ $host = ${ip},* ]] && match='true' && echo $host >> ips.txt && break; done; [[ $match = 'false' ]] && echo $ip >> ips.txt; done
      for host in $(cat resolved.csv); do grep $host ips.txt 2>/dev/null 1>/dev/null || echo $host >> ips.txt; done

cat ips.txt | sort -t '.' -k 3,3n -k 4,4n > sorted-ips.txt

      These two loops will combine the two lists created earlier from the ping sweep and the resolving scan.

      cat sorted-ips.txt | awk -F ',' '{ print "|" $1 "|" $2 "|||||||" }'

      Format this in a markdown table format.

  2. Create the folder structure for analyzing the systems

    for ip in $(cat sorted-ips.txt | cut -d ',' -f 1); do mkdir -p hosts/$ip/{exploit,www,nmap}; done

  3. Scan all the hosts

    Although this is technically getting into information-gathering (ports and services), I will include the initial scanning here.

    1. There are a couple of approaches you can take with this:

      1. Scan for only a specific ports of interest

        21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080

        The good thing about this method is that you get to start poking at services fast.

        The bad thing about this method is that you may forget to go back and scan for all the other open ports which may lead to being stuck in rabbit holes.

        The next question for this method is if we should scan for versions and run default scripts or not. I would suggest, scanning for versions and default scripts. Although it will be slower, it will still get you a lot of information in a shortish period of time. 

        for ip in $(cat sorted-ips.txt | cut -d ',' -f 1); do sudo nmap -sC -sV -oG hosts/$ip/nmap/interesting.gnmap -oN hosts/$ip/nmap/interesting.nmap -p 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 --open $ip; done

      2. Scan for all ports on all found IP addresses

        1. This will take a long time so fire and go do something else.

        2. The pro for doing this is that you will have all the opened ports already.

        3. The negative for this is that you have to wait for a long time.

PreviousPenetration Testing MethodologyNextInformation Gathering

Last updated 4 years ago

Was this helpful?