Host Discovery

IP

Local IP

ip addr show dev tun0

IPv6

ip -6 addr show dev tun0

Find local hosts:

ip neigh

IPv6 hosts:

ip -6 neigh

How do I change the state of the device to UP or DOWN?

The syntax is as follows: ip link set dev {DEVICE} {up|down}

Nmap

Useful parameters:

Parameter               Info
----------------------  ----------------------------------------------------------------------
-sS                     SYN scan
-v                      Verbose
-A                      OS detection, script and service scan
-p-                     Full port scan
-sU                     UDP scan
--script=smb-vuln-scan  Run SMB script
--script-args=unsafe=1  Run the script with arguments
-iL                     Scan targets from a file
--exclude               Exclude listed hosts
--excludefile           Exclude hosts listed in a file
-sL                     No scan, list targets only
-sn                     Disable port scanning, host discovery only
-sV                     Attempt to determine the service version
-T0 to -T5              Scan speed: 0 is the slowest and best at evasion, 5 is insane speed
--max-retries           Maximum number of port scan retransmissions

netdiscover

Discovers IP address, MAC address and MAC vendor on the subnet from ARP traffic; helpful for confirming you're on the right VLAN at a client site.

netdiscover -r 192.168.1.0/24

Results:

 Currently scanning: Finished!   |   Screen View: Unique Hosts                  
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                
 _____________________________________________________________________________ 
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname       
 ----------------------------------------------------------------------------- 
 192.168.17.1    00:50:56:c0:00:08      1      60  VMware, Inc.                 
 192.168.17.2    00:50:56:e5:1f:80      1      60  VMware, Inc.                 
 192.168.17.131  00:0c:29:31:8a:2b      1      60  VMware, Inc.                 
 192.168.17.254  00:50:56:f1:23:55      1      60  VMware, Inc.     

ARP

root@kali:~/Documents/Training# arp-scan -l -v -I wlan0  
Interface: wlan0, datalink type: EN10MB (Ethernet) 
Using 192.168.1.0:255.255.255.0 for localnet 
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan) 
192.168.1.1 00:1d:aa:15:e5:28 DrayTek Corp. 
192.168.1.2 7c:4c:a5:76:14:54 BSkyB Ltd Padding=0f3d00100000000100000000000000000000 
192.168.1.3 c4:71:54:30:5f:cc (Unknown) 
192.168.1.11 94:c6:91:a1:1e:c6 (Unknown) 
192.168.1.17 f0:03:8c:67:a0:49 AzureWave Technology Inc. Padding=ea92d2071ad532a1a4afe6ff000000000000 
192.168.1.17 f0:03:8c:67:a0:49 AzureWave Technology Inc. Padding=882079afbeb6ee4c29bcf66f000000000000 (DUP: 2) 
192.168.1.18 98:01:a7:89:5b:e7 Apple, Inc. Padding=6fb47320fa70a613398d8560020405b40402 
192.168.1.25 d4:6e:0e:18:40:3b TP-LINK TECHNOLOGIES CO.,LTD. Padding=8aa9f02e679cb9dfd238cef2000000000000 
192.168.1.33 98:01:a7:89:5b:e7 Apple, Inc. 
192.168.1.12 18:1d:ea:9d:b9:17 (Unknown) 
--- Pass 1 complete 
192.168.1.34 18:1d:ea:9d:b9:17 (Unknown) 
192.168.1.21 d4:25:8b:e6:b2:c5 (Unknown) 
--- Pass 2 complete 

12 packets received by filter, 0 packets dropped by kernel 
Ending arp-scan 1.9.5: 256 hosts scanned in 2.412 seconds (106.14 hosts/sec). 12 responded 
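The arp-scan output above is easier to act on once it is parsed. The shell functions below are an added example, not part of the original notes and not part of arp-scan: they read arp-scan output on stdin, collapse the "(DUP: n)" repeats into one inventory entry per IP/MAC pair, and list MAC addresses that answered for more than one IP. The same MAC behind several IPs is what a multi-homed host or a hypervisor bridge looks like in this output, and also what ARP spoofing looks like, so those rows are the ones to reconcile against the asset inventory. The embedded sample is constructed from a trimmed subset of the session above; real arp-scan separates fields with tabs, and awk's default whitespace splitting handles either form.

```shell
#!/bin/sh
# Added example (not from the original notes): turn arp-scan output into a
# host inventory and flag MAC addresses that claim more than one IP.
set -eu
export LC_ALL=C   # byte-order sorting, independent of the user's locale

# Constructed sample, trimmed from the arp-scan session in the notes. Real
# arp-scan output is tab-separated; awk's default splitting handles either.
ARP_SAMPLE='Interface: wlan0, datalink type: EN10MB (Ethernet)
Using 192.168.1.0:255.255.255.0 for localnet
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 00:1d:aa:15:e5:28 DrayTek Corp.
192.168.1.17 f0:03:8c:67:a0:49 AzureWave Technology Inc. Padding=ea92d2071ad532a1a4afe6ff000000000000
192.168.1.17 f0:03:8c:67:a0:49 AzureWave Technology Inc. Padding=882079afbeb6ee4c29bcf66f000000000000 (DUP: 2)
192.168.1.18 98:01:a7:89:5b:e7 Apple, Inc. Padding=6fb47320fa70a613398d8560020405b40402
192.168.1.33 98:01:a7:89:5b:e7 Apple, Inc.
192.168.1.12 18:1d:ea:9d:b9:17 (Unknown)
--- Pass 1 complete
192.168.1.34 18:1d:ea:9d:b9:17 (Unknown)
--- Pass 2 complete

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.412 seconds (106.14 hosts/sec). 7 responded'

# arp_hosts: stdin = arp-scan output; stdout = unique "IP MAC" pairs, sorted.
# Only data lines survive (dotted quad in column 1, 17-character colon MAC in
# column 2), so the banner, "--- Pass N complete" and the packet summary are
# dropped, and "(DUP: n)" repeats collapse into a single inventory entry.
arp_hosts() {
    awk '$1 ~ /^[0-9.]+$/ && $2 ~ /^[0-9a-f:]+$/ && length($2) == 17 { print $1, $2 }' \
        | sort -u
}

# arp_multi_ip_macs: MAC addresses that answered for more than one IP, printed
# as "MAC count: ip ip ...". Multi-homed hosts and hypervisor bridges look like
# this legitimately; an unexpected entry here is worth checking for spoofing.
arp_multi_ip_macs() {
    arp_hosts | awk '{ ips[$2] = ips[$2] " " $1; n[$2]++ }
                     END { for (m in n) if (n[m] > 1) print m, n[m] ":" ips[m] }' \
        | sort
}

# Stand-alone run over the embedded sample.
printf '%s\n' "$ARP_SAMPLE" | arp_hosts
echo "--- MACs answering for more than one IP ---"
printf '%s\n' "$ARP_SAMPLE" | arp_multi_ip_macs
```

On a live engagement pipe the tool straight in: `arp-scan -l -I wlan0 | arp_multi_ip_macs`. The inventory produced by `arp_hosts` is also the baseline to diff against on a later visit, since a MAC that has moved to a new IP shows up as a changed pair rather than as a new host.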

OneLiners - Ping sweep

Windows

for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 172.21.10.%i is up.

Linux

for i in {1..254}; do (ping -c 1 172.21.10.$i | grep "bytes from" &); done
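The Linux one-liner above, rewritten as a reusable function. This is an added example and not part of the original notes: it probes a /24 concurrently, collects the answers in a temp file because they arrive out of order, and prints responders sorted by last octet. The probe command is a parameter, so the hypothetical wrapper `ping_host` (one `ping -c 1 -W 1`, iputils syntax) is used for a real sweep, while the constructed `demo_probe`, which pretends that .5 and .20 answer, lets the loop run with no network at all.

```shell
#!/bin/sh
# Added example (not from the original notes): the Linux ping sweep one-liner
# as a concurrent, reusable function with a pluggable probe command.
set -eu

# ping_host HOST: one echo request with a one-second reply timeout. This is
# iputils (Linux) syntax; BSD and macOS ping spell the timeout differently.
ping_host() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# ping_sweep PREFIX [LAST] [PROBE]: probe PREFIX.1 .. PREFIX.LAST in parallel
# and print the hosts that answered, ordered by last octet. Each probe runs in
# a background subshell and appends its host to a temp file when it succeeds.
ping_sweep() {
    prefix=$1
    last=${2:-254}
    probe=${3:-ping_host}
    out=$(mktemp)
    i=1
    while [ "$i" -le "$last" ]; do
        host="$prefix.$i"
        ( "$probe" "$host" && echo "$host" >> "$out" ) &
        i=$((i + 1))
    done
    wait                       # every probe has finished before the file is read
    sort -t . -k 4,4n "$out"   # numeric sort on the fourth octet
    rm -f "$out"
}

# demo_probe HOST: constructed stand-in for ping that reports .5 and .20 as up,
# so the sweep logic can be exercised offline.
demo_probe() {
    case $1 in
        10.0.0.5|10.0.0.20) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: "./sweep.sh 172.21.10" sweeps a real /24 with ping_host;
# with no argument the offline demo runs instead.
if [ $# -gt 0 ]; then
    ping_sweep "$1"
else
    ping_sweep 10.0.0 30 demo_probe
fi
```

The same swap works the other way round when writing detections: feeding a list of hosts that answered into the function body of a script is how you replay a sweep against a lab segment without generating traffic.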
