Host Discovery 🛎

When we have our pool of IP addresses, we have to identify the devices and the roles played by each IP in the target organization.

Live Hosts

There are different methods that one can use to identify live hosts.

ICMP Ping Sweep

The most common is the ICMP ping sweep. It consists of ICMP ECHO requests sent to multiple hosts. If a given host is alive, it will return an ICMP ECHO reply.

fping -a -g [IP-Range]/[Mask]

nmap -sn [IP-Range]/[Mask] -oG ping-sweep.nmap
grep "Up" ping-sweep.nmap | cut -d " " -f 2

Note: For internal Audits, when a host reply a ping shown by fping and doesn't reply for nmap command this could be a router or switch.

Other technic to detect live hosts with ICMP Ping sweep is with this script:

#!/bin/bash

for i in $(seq 1 255); do
    timeout 1 bash -c "ping -c 1 10.10.10.$i" > /dev/null && echo "10.10.10.$i - Active" &
done; wait

Most common ports

The second technique is doing a most common port scanner with the following ports:

22 - SSH
80 - HTTP
443 - HTTPS
445 - SMB

nmap -p 22,445,80,443 [IP-Range]/[Mask]

PreviousInformation Gathering 🗣NextDNS Enumeration

Last updated 3 years ago

Was this helpful?