# Host Discovery

## Host Discovery

This is the initial phase of the engagement. The way you will discover the hosts you will be attacking depends on the type of engagement, scope of the engagement. Sometimes the target will provide a list of IP addresses and or domain names they want you to target. This will be the scope of your engagement and you may not be able to go outside of that scope. Other times you may have to find all the assets associated with the target without having any information other that what is publicly available.

Even if you are given a list of hosts for your engagement, you should attempt to use basic host discovery techniques to determine the visibility of the targets.

### Basic Host Discovery Techniques

#### Ping Sweep

There are a few ways to conduct a ping sweep of a given IP space.

**NMAP**

```bash
sudo nmap -sN <FIRST 3 OCTETS>.0/24
```

**Bash**

```bash
for ip in {1..255}; do ping -w 2 -c 1 <FIRST 3 OCTETS>.$ip >/dev/null && echo host <FIRST 3 OCTETS>.$ip is up; done
```

**CMD (TODO)**

```bash
for /L %i in (1,1,255) do @ping -n 1 -w 200 <FIRST 3 OCTETS>.%i > nul && echo 192.168.0.%i is up
```

**PowerShell (TODO)**

```bash
1..255 | ForEach-Object {"<FIRST 3 OCTETS>.$_: $(Test-Connection -count 1 -comp <FIRST 3 OCTETS>.$_ -quiet)"}
```

#### DNS

Not all systems will respond to ICMP; however, they may have a DNS record. This is a two step process: 1.) Find DNS server(s) 2.) Query reverse DNS lookup.

1.) Find DNS Server

```bash
sudo nmap -p 53 -oG tcp53.gnmap <IP/CDR>
cat tcp53.gnmap | grep Host | grep open | cut -d ' ' -f 2 >> possible-dns-servers.txt

sudo nmap -p 53 -sU -oG udp53.gnmap <IP/CDR>
cat udp53.gnmap | grep Host | grep open | cut -d ' ' -f 2 >> possible-dns-servers.txt

sort -t . -k 3,3n -k 4,4n possible-dns-servers.txt | uniq > sorted-possible-dns-servers.txt
```

```bash
for $ip in $(cat sorted-possible-dns-servers.txt); do echo "\n\n------Trying: $ip------" host <KNOWN IP> $ip; done
```

With this you should be able to tell what ip addresses are responding to requests.

2.) Query the DNS server

```bash
for ip in {1..255}; do host <FIRST 3 OCTETS>.$ip <DNS SERVER IP> >> resolved-ips.txt; done

cat hostnames.txt | grep 'domain name pointer' | awk '{print $1 "," $5}' | column -t -s ',' > filtered-hostnames.txt
```

Keep in mind that the IP address is reversed. The IP 192.168.0.1 will show up as 1.0.168.192.

### My Process

## Steps

1. Find live hosts (10.11.1.1-10.11.1.254) 1. nmap sn scan for hosts that respond to ICMP

   ```bash
    sudo nmap -sn -oG nmap-ping-sweep.gnmap 10.11.1.1-254
   ```

   1. Create a list of IP addresses from the ping sweep

      ```bash
      grep Up nmap-ping-sweep.gnmap | cut -d ' ' -f 2 >> ip-addresses.txt
      ```
   2. nmap scan specifically to find the potential Name Server(s).

      ```bash
      sudo nmap -iL ip-addresses.txt -p 53 -oG possible-NS-TCP.gnmap
      sudo nmap -iL ip-addresses.txt -sU -p 53 -oG possible-NS-UDP.gnmap

      cat possible-NS-UDP.gnmap possible-NS-TCP.gnmap | grep -i open | cut -d ' ' -f 2 | sort -t . -k 3,3n -k 4,4n -u
      ```
   3. Identify the Name Server(s)

      ```bash
      for ip in '10.11.1.71'; do for ns in $(cat possible-NS-ips.txt); do echo 'trying '$ns; host $ip $ns 2>/dev/null 1>/dev/null && echo $ns | tee -a ns-servers-ip.txt || echo $ns 'does not respond' ; done; done
      ```
   4. Resolve hosts in the IP range.
      1. For this keep in mind that not all of the live hosts may have responded to ICMP; however they may have a PTR record in DNS. For that reason, we will scan the entire range again.

         ```bash
         for ip in {1..254}; do for ns in $(cat ns-servers-ips.txt); do host 10.11.1.$ip $ns | tee -a resolve-attempt.txt; done; done
         ```

         Address needs to be one that you feel will resolve. Otherwise, you can use a list or use the ip-address.txt list.&#x20;
   5. Combine the lists

      ```bash
      for line in $(cat resolve-attempt.txt | grep pointer | awk '{print $1 "," $5}' | sed s/.$//); do ip=$(echo $line | cut -d ',' -f 1 | awk -F '.' '{print $4 "." $3 "." $2 "." $1}'); hostname=$(echo $line | cut -d ',' -f 2) ; echo "$ip,$hostname" ; done
      ```

      This crazy loop is going to take the DNS lookup and turn it into a comma separated value of IP,hostname.

      ```bash
      for ip in $(cat ip-addresses.txt); do match='false'; for host in $(cat resolved.csv); do [[ $host = ${ip},* ]] && match='true' && echo $host >> ips.txt && break; done; [[ $match = 'false' ]] && echo $ip >> ips.txt; done
      ```

      ```bash
      for host in $(cat resolved.csv); do grep $host ips.txt 2>/dev/null 1>/dev/null || echo $host >> ips.txt; done

      cat ips.txt | sort -t '.' -k 3,3n -k 4,4n > sorted-ips.txt
      ```

      These two loops will combine the two lists created earlier from the ping sweep and the resolving scan.

      ```bash
      cat sorted-ips.txt | awk -F ',' '{ print "|" $1 "|" $2 "|||||||" }'
      ```

      Format this in a markdown table format.
2. Create the folder structure for analyzing the systems

   ```bash
   for ip in $(cat sorted-ips.txt | cut -d ',' -f 1); do mkdir -p hosts/$ip/{exploit,www,nmap}; done
   ```
3. Scan all the hosts&#x20;

   &#x20;Although this is technically getting into information-gathering (ports and services), I will include the initial scanning here.&#x20;

   1. There are a couple of approaches you can take with this:&#x20;
      1. Scan for only a specific ports of interest

         &#x20;`21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080`

         &#x20;The good thing about this method is that you get to start poking at services fast.

         &#x20;The bad thing about this method is that you may forget to go back and scan for all the other open ports which may lead to being stuck in rabbit holes.&#x20;

         &#x20;The next question for this method is if we should scan for versions and run default scripts or not. I would suggest, scanning for versions and default scripts. Although it will be slower, it will still get you a lot of information in a shortish period of time.&#x20;

         ```bash
         for ip in $(cat sorted-ips.txt | cut -d ',' -f 1); do sudo nmap -sC -sV -oG hosts/$ip/nmap/interesting.gnmap -oN hosts/$ip/nmap/interesting.nmap -p 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 --open $ip; done
         ```
      2. Scan for all ports on all found IP addresses
         1. This will take a long time so fire and go do something else.
         2. The pro for doing this is that you will have all the opened ports already.
         3. The negative for this is that you have to wait for a long time.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.dragonsploit.com/pentest-methodology/host-discovery.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.