Host discovery

Passive scanning

If you have internal access to the network, and only passive scanning is in scope, the following tools can be used to achieve passive scanning.

netdiscover -i [nic] -r [range] -p
ettercap -T -i [nic] -q -p

One of my favorite approaches during the host discovery, is to consult the arp cache in order to discover the hosts that my host on the network has connected to. I always discover some new host.

arp -a

Active scanning

Nmap

nmap -sn 192.168.0.0/24 
nmap –sP 192.168.0.0/24

The following nmap switch performs a full TCP scan. This scan is slower then the previous ones but can discover more hosts on the network and bypass the Firewall.

nmap -sT 192.168.0.0/24

The following nmap switches are very useful in case you have a limited scope in your engagement and need to exclude some hosts that are not included in the scope. the "target.txt" is the file containing the ip's that you wan to scan and the "exclude.txt" is the file containing the ip's that you want to exclude.

nmap -sP -iL target.txt -excludefile exclude.txt

PreviousNmap favorites NextPort scanning