HOST DISCOVERY
The first step of a network pentest is usually to find out which targets are alive. Since it is not possible to penetrate a target that is not alive without physical access, we always look for alive targets first. A variety of methods and tools exist for discovering alive targets. One of the most common methods is to use ICMP echo requests, that is, ping requests, to check whether a system is alive or not.

As we have got a reply, it means that our target is alive. We can also use the -sP flag in nmap in order to check if the target is alive or not. Besides, we can specify network ranges to scan, which makes our work simpler.
Command:
nmap -sP <target Host>

We can also scan network ranges with nmap on the given network. Here is the command to scan a host range with nmap:
nmap -sP 192.168.15.1/24
/24 is a CIDR notation; it will scan all the hosts in the range 192.168.15.1 to 192.168.15.255 and return those that are up.

As you can see from the screenshot, the whole range was scanned for alive systems, and three live systems were found on the network.
Nowadays, due to the deployment of IDS, IPS, firewalls, and other modern defenses on the network, identifying alive hosts can be a bit tricky. Network administrators commonly block ICMP requests, which means that even if the target were alive, we would not be able to tell from a ping.

Thus, we can use other protocols such as TCP and UDP in order to figure out whether the target is alive or not, since a normal TCP or UDP connection may not look suspicious to firewalls and other intrusion detection/prevention devices.

In your penetration testing engagements you will find a lot of scenarios where you run into these modern security defenses. For demonstration purposes, we will use a website named didx.net. The administrator has blocked ICMP requests to its webserver by using iptables. A normal ping request leads us to the above output.
I sent some ICMP requests with nping; you can clearly see that the target appears not to be alive. However, let's try sending some TCP packets. By looking at the documentation and usage guide of nping, we can see that it also allows host discovery via TCP and UDP.
So, I entered the following command in order to perform a simple TCP-based host discovery:
nping --tcp didx.net

The output shows 0% packet loss with three packets sent and received, indicating that the target is indeed alive. We can also use UDP to perform host discovery; which option you use is up to you.
Alternatively, we can also use the -sP flag to accomplish this task, because when you specify -sP with nmap, it sends not only ICMP echo requests but also TCP SYN packets to ports 80 and 443. Therefore, it will also show the host as up, in other words alive.
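To make the probe set described above explicit and to consume the sweep result programmatically, here is an added example (not from the original post) that builds an nmap host-discovery command with the ICMP echo (-PE) and TCP SYN to 80/443 (-PS80,443) probes spelled out, then parses nmap's greppable (-oG) output into the list of hosts that are up. The sample output is constructed; -sn is the current spelling of -sP, and running the sweep itself requires nmap (and root for raw-socket probes), while the parser works offline.

```python
"""Build an nmap ping-sweep command and parse its greppable (-oG) output."""
import re
import shlex
import subprocess
from typing import List

# Matches the "Host: <ip> (<name>)\tStatus: Up" lines that -oG emits.
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def build_command(target_range: str, ports=(80, 443)) -> List[str]:
    """Return the nmap argv for a host-discovery sweep.

    -sn   : host discovery only (newer spelling of the -sP flag)
    -PE   : ICMP echo request
    -PS   : TCP SYN to the listed ports, so a host that drops ICMP but
            serves HTTP/HTTPS still shows as up
    -n    : skip reverse DNS so the sweep is faster and quieter
    -oG - : greppable output on stdout, which parse_greppable() reads
    """
    port_list = ",".join(str(p) for p in ports)
    return ["nmap", "-sn", "-PE", f"-PS{port_list}", "-n", "-oG", "-", target_range]


def parse_greppable(output: str) -> List[str]:
    """Return the IPs reported with Status: Up in nmap -oG output."""
    return [m.group(1) for m in map(_HOST_RE.match, output.splitlines())
            if m and m.group(3) == "Up"]


def run_sweep(target_range: str) -> List[str]:
    """Run the sweep (needs nmap installed; root for -PE/-PS raw sockets)."""
    proc = subprocess.run(build_command(target_range),
                          capture_output=True, text=True, check=True)
    return parse_greppable(proc.stdout)


# Constructed sample of -oG output for a /24 sweep with three hosts up.
SAMPLE_OUTPUT = """\
# Nmap scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -PE -PS80,443 -n -oG - 192.168.15.0/24
Host: 192.168.15.1 ()\tStatus: Up
Host: 192.168.15.24 ()\tStatus: Up
Host: 192.168.15.130 ()\tStatus: Up
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 4.87 seconds
"""

if __name__ == "__main__":
    print(shlex.join(build_command("192.168.15.0/24")))
    print(parse_greppable(SAMPLE_OUTPUT))  # ['192.168.15.1', '192.168.15.24', '192.168.15.130']
```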
