eJPT Exam Tips and Solution
IP & Network Enumeration

Last updated 1 year ago

fping Scan

fping Host Discovery Scan

fping -a -g <network> 2>/dev/null

network ==> Network for host discovery
            Eg : 192.168.99.0/24
                 192.168.99.0-24

-a ==> Show only live hosts
-g ==> Generate the target list from the network and perform a ping sweep rather than a standard ping

Offline OS Fingerprinting tools

[1] p0f: http://lcamtuf.coredump.cx/p0f3/

Nmap Scanning

Basic Nmap Syntax

nmap <ip-address>

Notations

-sV ==> Service version detection scan
-sC ==> Default script scan (runs Nmap's default NSE scripts; the SYN scan is -sS)
-sT ==> TCP connect scan
-O ==> OS fingerprinting
-oN <File-Name> ==> Save the scan output to a file in normal (human-readable) format
-sn ==> Ping scan for host discovery, no port scan
-Pn ==> Skip ping-based host discovery and treat every target as up
-v ==> Verbosity level 1
-vv ==> Verbosity level 2
-p ==> Port selection
-p 80 ==> Scan port 80 of the provided IP address
-p1-100 ==> Scan ports 1 to 100
-p- ==> Scan every port (1-65535)
-iL <IP-List-File> ==> Read the targets from the given file
--reason ==> Show the reason each port or host is reported in its state

Basic Nmap Commands used during INE Labs

Host Discovery Scan

sudo nmap -sn -T5 10.100.13.0/24 -v -oN ./nmap/host_discovery.txt

sudo nmap -sn -T5 -iL network_list.txt -v -oN ./nmap/host_discovery.txt

Live Hosts Detailed Scan

sudo nmap -sC -sV -O -Pn -T5 -v -iL active_hosts.txt -oN ./nmap/live_host_detail-nmap.txt

All Port Scan

sudo nmap -sC -sV -T5 -Pn -p- -v -iL active_hosts.txt -oN ./nmap/live_hosts_detail_scan-nmap.txt

Dump Active Hosts from Nmap Host Discovery Output File

grep "Nmap scan report for" ./nmap/host_discovery.txt | grep -v "host down" | cut -d " " -f 5 > active_hosts.txt

Here, active_hosts.txt contains the IP addresses of the live hosts found by the discovery scan. Note that for hosts Nmap could reverse-resolve, the report line reads "Nmap scan report for <name> (<ip>)", so field 5 is the hostname rather than the IP; check the file before feeding it to -iL.
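A more robust version of the extraction step above, added here as an example (not from the original page): a POSIX sh function that reads Nmap normal output, skips "[host down]" entries and returns the IP even when Nmap printed a resolved hostname first. The sample output is constructed for the example.

```sh
#!/bin/sh
# Constructed sample of "nmap -sn -v -oN" normal output; not a real scan.
SAMPLE_NMAP_OUTPUT='# Nmap scan initiated (constructed sample)
Nmap scan report for 10.100.13.1
Host is up (0.0010s latency).
Nmap scan report for router.lab.local (10.100.13.2)
Host is up (0.0020s latency).
Nmap scan report for 10.100.13.3 [host down]
Nmap scan report for 10.100.13.4
Host is up.
# Nmap done (constructed sample)'

# extract_live_hosts: read Nmap normal output on stdin, print one IP per line.
# Handles both report forms:
#   "Nmap scan report for 10.100.13.1"
#   "Nmap scan report for router.lab.local (10.100.13.2)"
# and drops lines marked "[host down" (with or without a --reason suffix).
extract_live_hosts() {
  while IFS= read -r line; do
    case "$line" in
      "Nmap scan report for "*"[host down"*) continue ;;
      "Nmap scan report for "*)
        rest=${line#Nmap scan report for }
        case "$rest" in
          *" ("*")")
            # hostname (ip): keep what is inside the parentheses
            ip=${rest##*\(}
            ip=${ip%\)} ;;
          *)
            ip=$rest ;;
        esac
        printf '%s\n' "$ip" ;;
    esac
  done
}

# Usage on the page's own files: extract_live_hosts < ./nmap/host_discovery.txt > active_hosts.txt
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | extract_live_hosts
```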

Sample Table of Nmap data (common ports and the services usually behind them)

║ Port      ║ Service                                                      ║
║ 22        ║ SSH                                                          ║
║ 53        ║ DNS                                                          ║
║ 80, 443   ║ HTTP/HTTPS web server                                        ║
║ 445       ║ Windows shares (SMB), also the Linux equivalent Samba service ║
║ 25        ║ SMTP (Simple Mail Transfer Protocol)                         ║
║ 21        ║ FTP (File Transfer Protocol)                                 ║
║ 137-139   ║ Windows NetBIOS services                                     ║
║ 1433-1434 ║ MSSQL Database                                               ║
║ 3306      ║ MySQL Database                                               ║
║ 8080, 843 ║ HTTP(s) web server, HTTP Proxy                               ║
