Hosts discovery
Theory
When targeting machines connected to a network, identifying which hosts are up and running (and their IP address) is the first step in getting to know the attack surface. There are multiple active and passive ways to discover hosts in a network, each relying on specific protocols that may be used in the network.
Once the hosts are identified, attackers usually proceed to port scanning to attempt to compromise them.
Alternatively, there are common scenarios where most of the hosts and services are managed by a central set of services like Active Directory Domain Services (AD-DS). In this case, attackers usually try to compromise those services first as it would grant them control over many hosts without having to attack them all. A whole category of The Hacker Recipes is dedicated to Active Directory Domain Services (and other associated AD services).
Practice
//// WIP : add p0f, bettercap
ARP discovery
NBT discovery
It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each host that responds, it lists the IP address, NetBIOS computer name, logged-in user name and MAC address (such as Ethernet).
DNS queries
In Active Directory environments, machines have a DNS record on the Domain Controller (which usually hosts the DNS service). Through PTR (reverse) resolution requests, it is then possible to find additional ranges and machines.
ICMP discovery
Ping sweep in PowerShell:
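From the defender's side, an added example that is not part of the original page: a small Python detector that flags a source contacting many distinct hosts within a short window over ICMP (ping sweep) or NetBIOS name service on UDP/137 (NBT sweep), which is the footprint these discovery techniques leave in flow or firewall logs. The flow record format, the thresholds and the sample log lines are all constructed for this example and should be adapted to the logs actually collected.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # sliding window over which distinct targets are counted
MIN_TARGETS = 20      # distinct destinations from one source that trigger an alert

# Discovery technique -> predicate over (proto, dport) matching its flow footprint
SIGNATURES = {
    "icmp_sweep": lambda proto, dport: proto == "icmp",
    "nbt_sweep": lambda proto, dport: proto == "udp" and dport == "137",
}


def parse_flow(line):
    """Parse one constructed flow record: '<epoch> <src> <dst> <proto> <dport|->'."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto, dport


def detect_sweeps(lines, window=WINDOW_SECONDS, min_targets=MIN_TARGETS):
    """Return a sorted list of (technique, src, distinct_targets) alerts."""
    recent = defaultdict(deque)   # (technique, src) -> deque of (ts, dst)
    alerted = {}                  # (technique, src) -> peak distinct targets seen
    for ts, src, dst, proto, dport in sorted(map(parse_flow, lines)):
        for name, matches in SIGNATURES.items():
            if not matches(proto, dport):
                continue
            key = (name, src)
            q = recent[key]
            q.append((ts, dst))
            while q and ts - q[0][0] > window:   # expire events outside the window
                q.popleft()
            targets = {d for _, d in q}
            if len(targets) >= min_targets:
                alerted[key] = max(alerted.get(key, 0), len(targets))
    return sorted((name, src, n) for (name, src), n in alerted.items())


# Constructed sample: 10.0.0.5 pings 40 hosts in 40 s, 10.0.0.9 probes NetBIOS on
# 25 hosts in 25 s, and 10.0.0.7 pings only 3 hosts (benign monitoring noise).
SAMPLE_LOG = (
    [f"{1000 + i} 10.0.0.5 10.0.0.{i + 1} icmp -" for i in range(40)]
    + [f"{2000 + i} 10.0.0.9 10.0.0.{i + 1} udp 137" for i in range(25)]
    + [f"{3000 + i} 10.0.0.7 10.0.0.{i + 1} icmp -" for i in range(3)]
)

if __name__ == "__main__":
    for technique, src, n in detect_sweeps(SAMPLE_LOG):
        print(f"ALERT {technique}: {src} reached {n} distinct hosts within {WINDOW_SECONDS}s")
```

ARP discovery does not appear in IP flow logs at all; it has to be watched on the segment itself (switch port mirroring or an ARP-aware sensor), which is why the detector above only covers the ICMP and NBT cases.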
ICMPv6 discovery
Resources