search

Host Discovery

hashtag
Host Discovery

This is the initial phase of the engagement. The way you will discover the hosts you will be attacking depends on the type of engagement, scope of the engagement. Sometimes the target will provide a list of IP addresses and or domain names they want you to target. This will be the scope of your engagement and you may not be able to go outside of that scope. Other times you may have to find all the assets associated with the target without having any information other that what is publicly available.

Even if you are given a list of hosts for your engagement, you should attempt to use basic host discovery techniques to determine the visibility of the targets.

hashtag
Basic Host Discovery Techniques

hashtag
Ping Sweep

There are a few ways to conduct a ping sweep of a given IP space.

NMAP

sudo nmap -sN <FIRST 3 OCTETS>.0/24

Bash

for ip in {1..255}; do ping -w 2 -c 1 <FIRST 3 OCTETS>.$ip >/dev/null && echo host <FIRST 3 OCTETS>.$ip is up; done

CMD (TODO)

for /L %i in (1,1,255) do @ping -n 1 -w 200 <FIRST 3 OCTETS>.%i > nul && echo 192.168.0.%i is up

PowerShell (TODO)

1..255 | ForEach-Object {"<FIRST 3 OCTETS>.$_: $(Test-Connection -count 1 -comp <FIRST 3 OCTETS>.$_ -quiet)"}

hashtag
DNS

Not all systems will respond to ICMP; however, they may have a DNS record. This is a two step process: 1.) Find DNS server(s) 2.) Query reverse DNS lookup.

1.) Find DNS Server

With this you should be able to tell what ip addresses are responding to requests.

2.) Query the DNS server

Keep in mind that the IP address is reversed. The IP 192.168.0.1 will show up as 1.0.168.192.

hashtag
My Process

hashtag
Steps

  1. Find live hosts (10.11.1.1-10.11.1.254) 1. nmap sn scan for hosts that respond to ICMP

    1. Create a list of IP addresses from the ping sweep

    2. nmap scan specifically to find the potential Name Server(s).

    3. Identify the Name Server(s)

    4. Resolve hosts in the IP range.

      1. For this keep in mind that not all of the live hosts may have responded to ICMP; however they may have a PTR record in DNS. For that reason, we will scan the entire range again.

        Address needs to be one that you feel will resolve. Otherwise, you can use a list or use the ip-address.txt list.

    5. Combine the lists

      This crazy loop is going to take the DNS lookup and turn it into a comma separated value of IP,hostname.

      These two loops will combine the two lists created earlier from the ping sweep and the resolving scan.

      Format this in a markdown table format.

  2. Create the folder structure for analyzing the systems

  3. Scan all the hosts

    Although this is technically getting into information-gathering (ports and services), I will include the initial scanning here.

    1. There are a couple of approaches you can take with this:

      1. Scan for only a specific ports of interest

        21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080

        The good thing about this method is that you get to start poking at services fast.

        The bad thing about this method is that you may forget to go back and scan for all the other open ports which may lead to being stuck in rabbit holes.

        The next question for this method is if we should scan for versions and run default scripts or not. I would suggest, scanning for versions and default scripts. Although it will be slower, it will still get you a lot of information in a shortish period of time.

      2. Scan for all ports on all found IP addresses

        1. This will take a long time so fire and go do something else.

        2. The pro for doing this is that you will have all the opened ports already.

        3. The negative for this is that you have to wait for a long time.

PreviousPenetration Testing MethodologyNextInformation Gathering

Last updated