Hacking Notes

Host Discovery 🛎

When we have our pool of IP addresses, we have to identify the devices and the roles played by each IP in the target organization.

Live Hosts

There are different methods that one can use to identify live hosts.

ICMP Ping Sweep

The most common is the ICMP ping sweep. It consists of ICMP ECHO requests sent to multiple hosts. If a given host is alive, it will return an ICMP ECHO reply.

fping -a -g [IP-Range]/[Mask]                   # -a: print only alive hosts, -g: generate targets from the range

nmap -sn [IP-Range]/[Mask] -oG ping-sweep.nmap  # -sn: ping scan without port scan, -oG: grepable output file
grep "Up" ping-sweep.nmap | cut -d " " -f 2     # pull the IP out of each "Host: <ip> ... Status: Up" line

Note: during internal audits, a host that answers the fping ping but does not show up in the nmap sweep may be a router or switch.

Another way to run an ICMP ping sweep is with this script:

#!/bin/bash

# Ping every host in 10.10.10.0/24 once, in parallel, and report the ones that answer.
# timeout 1 caps each probe at one second, the trailing & backgrounds each probe,
# and wait collects all of them before the script exits.
for i in $(seq 1 255); do
    timeout 1 bash -c "ping -c 1 10.10.10.$i" > /dev/null && echo "10.10.10.$i - Active" &
done; wait
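As an added example (not part of the original notes), a small bash script that parses the -oG file written by the nmap sweep and lists the hosts that answered fping but are not marked Up by nmap, the case the note above flags as a possible router or switch. All tool output below is constructed sample data, not a real scan.

```shell
#!/usr/bin/env bash
# Added example: reconcile an fping -a host list with an nmap -oG sweep file.
# All sample data is constructed; nothing here touches the network.
export LC_ALL=C   # stable byte-order sorting for sort -u

# IPs whose "Host:" line carries "Status: Up" in an nmap grepable (-oG) file.
# Anchoring on the Status field avoids matching "Up" inside a hostname,
# which the bare grep "Up" one-liner above would also pick up.
gnmap_up_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }' "$1" | sort -u
}

# Hosts in the fping -a output (one IP per line) that nmap did not mark Up:
# per the note above, candidates for a router or switch worth a closer look.
fping_only_hosts() {
    up=$(mktemp)
    gnmap_up_hosts "$2" > "$up"
    sort -u "$1" | grep -v -x -F -f "$up"   # -x: whole-line match, so 10.10.10.2 != 10.10.10.20
    rm -f "$up"
}

# Constructed sample output of both tools, written into a scratch directory.
write_sample_data() {
    printf '%s\n' 10.10.10.20 10.10.10.1 10.10.10.5 > "$1/fping.txt"
    cat > "$1/ping-sweep.nmap" <<'EOF'
# Nmap 7.93 scan initiated (constructed sample)
Host: 10.10.10.5 ()	Status: Up
Host: 10.10.10.20 (files.corp.local)	Status: Up
Host: 10.10.10.21 (backUp.corp.local)	Status: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned
EOF
}

dir=$(mktemp -d)
write_sample_data "$dir"
echo "Up per nmap:";      gnmap_up_hosts "$dir/ping-sweep.nmap"
echo "fping-only hosts:"; fping_only_hosts "$dir/fping.txt" "$dir/ping-sweep.nmap"
rm -rf "$dir"
```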

Most common ports

The second technique is a scan of the most common ports, which catches hosts that filter ICMP but still run a service:

  • 22 - SSH
  • 80 - HTTP
  • 443 - HTTPS
  • 445 - SMB

nmap -p 22,445,80,443 [IP-Range]/[Mask]

Last updated 3 years ago
