# Host Discovery

## IP

Local IP address (here on the VPN interface tun0):

```
ip addr show dev tun0
```

IPv6 address:

```
ip -6 addr show dev tun0
```

Find local hosts:

`ip neigh`

IPv6 hosts:

`ip -6 neigh`

#### How do I change the state of the device to UP or DOWN?

The syntax is as follows:\
`ip link set dev {DEVICE} {up|down}`

## Nmap

Useful parameters:

| Parameter              | Info                                                                   |
| ---------------------- | ---------------------------------------------------------------------- |
| -sS                    | SYN scan                                                               |
| -v                     | Verbose output                                                         |
| -A                     | OS detection, script scan and service scan                             |
| -p-                    | Full port scan (all ports)                                             |
| -sU                    | UDP scan                                                               |
| --script=smb-vuln-scan | Run the named NSE script                                               |
| --script-args=unsafe=1 | Pass arguments to the script                                           |
| -iL                    | Read targets from a file                                               |
| --exclude              | Exclude the listed hosts                                               |
| --excludefile          | Exclude the hosts listed in a file                                     |
| -sL                    | List scan: list targets only, no scan                                  |
| -sn                    | Host discovery only, port scanning disabled                            |
| -sV                    | Attempt to determine the service version                               |
| -T0 to -T5             | Timing template: 0 is the slowest and best at evasion, 5 is insane speed |
| --max-retries          | Maximum number of port scan probe retransmissions                      |

## netdiscover

Discovers IP addresses, MAC addresses and MAC vendors on the subnet via ARP; helpful for confirming you're on the right VLAN at a client site.

`netdiscover -r 192.168.1.0/24`

**Results:**

```
 Currently scanning: Finished!   |   Screen View: Unique Hosts                  
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                
 _____________________________________________________________________________ 
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname       
 ----------------------------------------------------------------------------- 
 192.168.17.1    00:50:56:c0:00:08      1      60  VMware, Inc.                 
 192.168.17.2    00:50:56:e5:1f:80      1      60  VMware, Inc.                 
 192.168.17.131  00:0c:29:31:8a:2b      1      60  VMware, Inc.                 
 192.168.17.254  00:50:56:f1:23:55      1      60  VMware, Inc.     
```

## ARP

```
root@kali:~/Documents/Training# arp-scan -l -v -I wlan0
Interface: wlan0, datalink type: EN10MB (Ethernet)
Using 192.168.1.0:255.255.255.0 for localnet
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 00:1d:aa:15:e5:28 DrayTek Corp.
192.168.1.2 7c:4c:a5:76:14:54 BSkyB Ltd Padding=0f3d00100000000100000000000000000000
192.168.1.3 c4:71:54:30:5f:cc (Unknown)
192.168.1.11 94:c6:91:a1:1e:c6 (Unknown)
192.168.1.17 f0:03:8c:67:a0:49 AzureWave Technology Inc. Padding=ea92d2071ad532a1a4afe6ff000000000000
192.168.1.17 f0:03:8c:67:a0:49 AzureWave Technology Inc. Padding=882079afbeb6ee4c29bcf66f000000000000 (DUP: 2)
192.168.1.18 98:01:a7:89:5b:e7 Apple, Inc. Padding=6fb47320fa70a613398d8560020405b40402
192.168.1.25 d4:6e:0e:18:40:3b TP-LINK TECHNOLOGIES CO.,LTD. Padding=8aa9f02e679cb9dfd238cef2000000000000
192.168.1.33 98:01:a7:89:5b:e7 Apple, Inc.
192.168.1.12 18:1d:ea:9d:b9:17 (Unknown)
--- Pass 1 complete
192.168.1.34 18:1d:ea:9d:b9:17 (Unknown)
192.168.1.21 d4:25:8b:e6:b2:c5 (Unknown)
--- Pass 2 complete

12 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.412 seconds (106.14 hosts/sec). 12 responded
```
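Both the netdiscover and the arp-scan output above are meant to be read by eye, but on a larger segment it pays to parse them into a host table and let a script point at what needs a second look. The arp-scan run above, for instance, shows two MACs each answering for two different IPs (the Apple device at .18 and .33, and 18:1d:ea:9d:b9:17 at .12 and .34), which can be a DHCP re-lease between passes, a multi-homed host, or something answering ARP on another host's behalf. The following parser is an added example, not part of the original page or of either tool; the two sample outputs are constructed from the page's own lines (arp-scan's wrapped `Padding=` fields rejoined onto their host line), and it handles both formats with a single regex.

```python
import re
from collections import defaultdict

# Constructed samples, modelled on the arp-scan and netdiscover output above
# (arp-scan's wrapped "Padding=" fields rejoined onto their host line).
ARP_SCAN_SAMPLE = """\
Interface: wlan0, datalink type: EN10MB (Ethernet)
Using 192.168.1.0:255.255.255.0 for localnet
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 00:1d:aa:15:e5:28 DrayTek Corp.
192.168.1.3 c4:71:54:30:5f:cc (Unknown)
192.168.1.17 f0:03:8c:67:a0:49 AzureWave Technology Inc. Padding=ea92d2071ad532a1a4afe6ff000000000000
192.168.1.17 f0:03:8c:67:a0:49 AzureWave Technology Inc. Padding=882079afbeb6ee4c29bcf66f000000000000 (DUP: 2)
192.168.1.18 98:01:a7:89:5b:e7 Apple, Inc. Padding=6fb47320fa70a613398d8560020405b40402
192.168.1.33 98:01:a7:89:5b:e7 Apple, Inc.
192.168.1.12 18:1d:ea:9d:b9:17 (Unknown)
--- Pass 1 complete
192.168.1.34 18:1d:ea:9d:b9:17 (Unknown)
--- Pass 2 complete

12 packets received by filter, 0 packets dropped by kernel
"""

NETDISCOVER_SAMPLE = """\
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.17.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.17.131  00:0c:29:31:8a:2b      1      60  VMware, Inc.
"""

# One host line in either format: IPv4, MAC, optional netdiscover Count/Len columns, vendor text.
HOST_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?:\d+\s+\d+\s+)?"
    r"(?P<vendor>.*?)\s*$",
    re.IGNORECASE,
)
DUP_RE = re.compile(r"\(DUP:\s*\d+\)")           # arp-scan marks repeated replies from one host
PAD_RE = re.compile(r"Padding=[0-9a-f]+", re.I)  # trailing frame padding bytes, not vendor text


def parse_hosts(text):
    """Return one dict per reply line: ip, mac (lower-cased), vendor, dup flag. Other lines are ignored."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # banner, column header, separator, pass marker or summary line
        raw_vendor = m.group("vendor")
        vendor = PAD_RE.sub("", DUP_RE.sub("", raw_vendor)).strip()
        hosts.append({
            "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
            "vendor": vendor,
            "dup": DUP_RE.search(raw_vendor) is not None,
        })
    return hosts


def dedupe(hosts):
    """Collapse repeated replies to one entry per (ip, mac) pair, keeping first-seen order."""
    seen, unique = set(), []
    for h in hosts:
        key = (h["ip"], h["mac"])
        if key not in seen:
            seen.add(key)
            unique.append(h)
    return unique


def find_shared_macs(hosts):
    """MACs that answered for more than one IP: a multi-homed box, a DHCP re-lease between
    passes, or something answering ARP on another host's behalf. Worth a second look either way."""
    ips_by_mac = defaultdict(set)
    for h in hosts:
        ips_by_mac[h["mac"]].add(h["ip"])
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for name, sample in (("arp-scan", ARP_SCAN_SAMPLE), ("netdiscover", NETDISCOVER_SAMPLE)):
        hosts = parse_hosts(sample)
        print(f"{name}: {len(hosts)} replies, {len(dedupe(hosts))} unique ip/mac pairs")
        for mac, ips in find_shared_macs(hosts).items():
            print(f"  {mac} seen at {', '.join(ips)}")
```

To use it on a real run, pipe the tool's output into a file and pass the file contents to `parse_hosts`; `dedupe` gives you the inventory to keep, and anything `find_shared_macs` returns is what you reconcile against the client's asset list before trusting the address-to-host mapping.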

## One-liners - Ping sweep

### Windows

`for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 172.21.10.%i is up.`

### Linux

`for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done`
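Both one-liners repeat the subnet by hand (the Windows version on this page originally pinged one network and echoed another) and both treat any reply as "up"; on Windows a "Destination host unreachable" reply from the local gateway still counts as a received reply, so the `&&` branch fires for dead addresses. The script below is an added example, not code from the original page: it derives the host list from one CIDR with the standard-library `ipaddress` module, picks the right ping flags for the platform, only counts a real echo reply (`bytes from` on Linux, `bytes=` on Windows) as alive, and runs the probes concurrently so a /24 finishes in a few seconds. The 172.21.10.0/24 default is the subnet from the one-liners above; the timeout and worker counts are assumptions.

```python
import ipaddress
import platform
import subprocess
from concurrent.futures import ThreadPoolExecutor


def hosts_in(cidr):
    """Usable host addresses of a network, as strings (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def ping_command(ip, timeout_ms=200):
    """Single-echo ping with a short timeout; the flag names differ between Windows and Linux."""
    if platform.system() == "Windows":
        return ["ping", "-n", "1", "-w", str(timeout_ms), ip]
    # Linux ping takes -W in whole seconds, so round the millisecond budget up to at least 1s
    secs = max(1, -(-timeout_ms // 1000))
    return ["ping", "-c", "1", "-W", str(secs), ip]


def is_alive(ping_output):
    """True only for a genuine echo reply. 'Reply from x: Destination host unreachable.' (Windows)
    and the 'bytes of data.' header line (Linux) contain neither marker, so they count as down."""
    return "bytes from" in ping_output or "bytes=" in ping_output


def probe(ip, timeout_ms=200):
    """Ping one address; returns (ip, up). A missing ping binary or a hung probe counts as down."""
    try:
        out = subprocess.run(ping_command(ip, timeout_ms),
                             capture_output=True, text=True, timeout=5).stdout
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return ip, False
    return ip, is_alive(out)


def sweep(cidr, workers=64):
    """Ping every usable host in cidr concurrently; return the responding IPs in address order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, hosts_in(cidr)))
    return sorted((ip for ip, up in results if up), key=ipaddress.ip_address)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "172.21.10.0/24"  # subnet from the one-liners above
    for ip in sweep(target):
        print(f"{ip} is up.")
```

Run it as `python3 sweep.py 172.21.10.0/24`; the output format matches the one-liners so existing note-taking habits still apply. Hosts that drop ICMP will of course not show up here any more than in the one-liners, which is why the ARP-based tools above are the better check when you are on the same segment.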
