IP & Network Enumeration
fping Scan
fping Host Discovery Scan
fping -a -g <network> 2>/dev/null
network ==> Network range for host discovery
E.g.: 192.168.99.0/24
192.168.99.0-24
-a ==> Show only live hosts
-g ==> Perform a ping sweep of the whole network range rather than a standard single-host ping
Offline OS Fingerprinting tools
[1] p0f [<http://lcamtuf.coredump.cx/p0f3/>]
Nmap Scanning
Basic Nmap Syntax
nmap <ip-address>
Notations
Basic Nmap Commands used during INE Labs
Host Discovery Scan
sudo nmap -sn -T5 10.100.13.0/24 -v -oN ./nmap/host_discovery.txt
sudo nmap -sn -T5 -iL network_list.txt -v -oN ./nmap/host_discovery.txt
Live Hosts Detailed Scan
sudo nmap -sC -sV -O -Pn -T5 -v -iL active_hosts.txt -oN ./nmap/live_host_detail-nmap.txt
All Port Scan
sudo nmap -sC -sV -T5 -Pn -p- -v -iL active_hosts.txt -oN ./nmap/live_hosts_detail_scan-nmap.txt
Dump Active Hosts from Nmap Host Discovery Output File
grep "Nmap scan report for" ./nmap/host_discovery.txt | grep -v "host down" | awk '{print $NF}' | tr -d '()' > active_hosts.txt
Here, active_hosts.txt contains the IP addresses of the live hosts found by the discovery scan. The address is taken from the last field because nmap prints "Nmap scan report for <hostname> (<ip>)" when it can resolve a name; in that case the fifth field would be the hostname rather than the IP.
Sample Table of Nmap data
| Port      | Service                                              |
|-----------|------------------------------------------------------|
| 22        | SSH                                                  |
| 53        | DNS                                                  |
| 80, 443   | HTTP/HTTPS web server                                |
| 445       | Windows shares (SMB), also the Linux equivalent, Samba |
| 25        | SMTP (Simple Mail Transfer Protocol)                 |
| 21        | FTP (File Transfer Protocol)                         |
| 137-139   | Windows NetBIOS services                             |
| 1433-1434 | MSSQL Database                                       |
| 3306      | MySQL Database                                       |
| 8080, 843 | HTTP(s) web server, HTTP Proxy                       |
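The two parsing steps above (pulling live hosts out of the discovery output, and reading port/service pairs like those in the table out of the detailed scan) as reusable shell functions. This is an added example and not part of the original notes; the nmap output it runs on is a constructed sample embedded in the script, not a real scan, and the host names and addresses in it are made up.

```shell
#!/bin/sh
# Added example (not from the original notes). Two helpers that parse
# nmap normal output (-oN): one lists live-host IPs from a host-discovery
# scan, the other lists open ports per host from a detailed scan.
# Both are exercised against constructed sample output embedded below.

# Print one IP per live host. nmap writes either
#   "Nmap scan report for 10.0.0.5"             or
#   "Nmap scan report for name.example (10.0.0.5)"
# so the IP is always the last field, possibly wrapped in parentheses.
# With -v, down hosts appear as "... [host down]" and are skipped.
extract_active_hosts() {
    grep "Nmap scan report for" "$1" | grep -v "host down" | awk '{
        ip = $NF
        gsub(/[()]/, "", ip)
        print ip
    }'
}

# Print "ip port/proto service" for every port nmap reports as open.
# Ports in other states ("filtered", "open|filtered", "closed") are not listed.
summarize_open_ports() {
    awk '
        /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
        /^[0-9]+\/(tcp|udp) +open +/ { print ip, $1, $3 }
    ' "$1"
}

# --- constructed sample: nmap -sn -v host discovery output (not real) ---
DISCOVERY_SAMPLE=$(mktemp)
cat > "$DISCOVERY_SAMPLE" <<'EOF'
Nmap scan report for 10.100.13.1
Host is up (0.0010s latency).
Nmap scan report for gateway.lab.local (10.100.13.2)
Host is up (0.0020s latency).
Nmap scan report for 10.100.13.7 [host down]
Nmap scan report for 10.100.13.9
Host is up (0.0040s latency).
EOF

# --- constructed sample: nmap -sC -sV detailed scan output (not real) ---
DETAIL_SAMPLE=$(mktemp)
cat > "$DETAIL_SAMPLE" <<'EOF'
Nmap scan report for 10.100.13.1
Host is up (0.0010s latency).
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH (banner elided)
80/tcp   open     http          nginx
Nmap scan report for fileserver.lab.local (10.100.13.2)
Host is up (0.0020s latency).
PORT     STATE    SERVICE       VERSION
445/tcp  open     microsoft-ds  Samba smbd
3306/tcp filtered mysql
EOF

echo "Live hosts:"
extract_active_hosts "$DISCOVERY_SAMPLE"
echo "Open ports:"
summarize_open_ports "$DETAIL_SAMPLE"
```

Pointing `extract_active_hosts` at a real `./nmap/host_discovery.txt` gives the same list the one-liner on the page produces, except that hosts with a resolved name yield their IP rather than the hostname; `summarize_open_ports` on the detailed scan file gives a flat "ip port service" list that is easy to diff between scans or to compare against an expected-services table like the one above.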