Hosts discovery
When targeting machines connected to a network, identifying which hosts are up and running (and their IP address) is the first step in getting to know the attack surface. There are multiple active and passive ways to discover hosts in a network, each relying on specific protocols that may be used in the network.
Once hosts are identified, attackers usually proceed to attempt to compromise them.
Alternatively, in many environments most hosts and services are managed by a central set of services such as Active Directory Domain Services. In that case, attackers usually try to compromise those central services first, since doing so grants control over many hosts without having to attack each one. A whole category of The Hacker Recipes is dedicated to Active Directory Domain Services (and other associated AD services).
//// WIP : add p0f, bettercap
NetBIOS name scanning (for example with nbtscan) sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each host that responds, it lists the IP address, NetBIOS computer name, logged-in user name and MAC address (of the Ethernet adapter, for instance).
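What that status query and its reply look like on the wire, as an added example that is not part of the original page and not nbtscan's code: the script below builds the NBSTAT query (RFC 1002, QTYPE 0x21 against the wildcard name), parses the node-status reply into the name table and the adapter MAC, and reduces it to the same four fields a scanner prints. The hostnames, domain, user and MAC in the embedded sample reply are constructed; `query_host` sends the real packet to UDP/137 when given targets.

```python
"""NetBIOS node-status (NBSTAT) query: build the packet, parse the reply."""
import socket
import struct
import sys
from dataclasses import dataclass

NBNS_PORT = 137
NBSTAT_QTYPE = 0x0021               # node status RR type (RFC 1002)
NB_WILDCARD = b"*" + b"\x00" * 15   # the "*" name asks a node for every name it holds


def encode_nb_name(raw16: bytes) -> bytes:
    """First-level encode a 16-byte NetBIOS name (RFC 1001 s14.1): each nibble + 'A'."""
    enc = bytearray()
    for b in raw16:
        enc += bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41])
    return bytes([32]) + bytes(enc) + b"\x00"   # one 32-char label, then the root


def build_status_query(txid: int = 0x1337) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # standard unicast query
    return header + encode_nb_name(NB_WILDCARD) + struct.pack(">HH", NBSTAT_QTYPE, 0x0001)


def _skip_name(data: bytes, off: int) -> int:
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, nothing follows
            return off + 2
        off += 1 + length


@dataclass
class NodeStatus:
    names: list   # (name, suffix, is_group)
    mac: str


def parse_status_response(data: bytes) -> NodeStatus:
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a NBSTAT response")
    off = 12
    for _ in range(qd):                 # question echo, if any (QTYPE + QCLASS = 4 bytes)
        off = _skip_name(data, off) + 4
    off = _skip_name(data, off)         # answer RR name
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT_QTYPE:
        raise ValueError(f"unexpected RR type {rtype:#x}")
    rdata = data[off:off + rdlen]
    names, pos = [], 1
    for _ in range(rdata[0]):           # NUM_NAMES entries of 18 bytes each
        name = rdata[pos:pos + 15].rstrip(b" ").decode("ascii", "replace")
        suffix = rdata[pos + 15]
        nflags = struct.unpack_from(">H", rdata, pos + 16)[0]
        names.append((name, suffix, bool(nflags & 0x8000)))   # G bit set = group name
        pos += 18
    mac = ":".join(f"{b:02x}" for b in rdata[pos:pos + 6])    # UNIT_ID opens the STATISTICS block
    return NodeStatus(names, mac)


def summarize(status: NodeStatus) -> dict:
    """The fields a NetBIOS scanner prints: computer, domain/workgroup, logged-in user, MAC."""
    computer = domain = user = None
    for name, suffix, is_group in status.names:
        if suffix == 0x00 and not is_group and computer is None:
            computer = name     # <00> unique: workstation service, i.e. the computer name
        elif suffix == 0x00 and is_group and domain is None:
            domain = name       # <00> group: domain or workgroup
    for name, suffix, is_group in status.names:
        if suffix == 0x03 and not is_group and name != computer:
            user = name         # <03> unique that is not the host: messenger name of the user
    return {"computer": computer, "domain": domain, "user": user, "mac": status.mac}


def query_host(ip: str, timeout: float = 1.0) -> dict:
    """Send the status query over UDP/137 and summarize the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_status_query(), (ip, NBNS_PORT))
        data, _ = sock.recvfrom(4096)
    return summarize(parse_status_response(data))


def _build_sample_response(txid: int = 0x1337) -> bytes:
    """Constructed reply from a hypothetical host WS01 in domain CORP with user JDOE logged in."""
    entries = [(b"WS01", 0x00, 0x0400), (b"CORP", 0x00, 0x8400), (b"WS01", 0x20, 0x0400),
               (b"WS01", 0x03, 0x0400), (b"JDOE", 0x03, 0x0400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("00155d0a1b2c") + b"\x00" * 40     # UNIT_ID (MAC) + rest of statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # QR=1, AA=1, one answer
    rr = encode_nb_name(NB_WILDCARD) + struct.pack(">HHIH", NBSTAT_QTYPE, 1, 0, len(rdata))
    return header + rr + rdata


SAMPLE_RESPONSE = _build_sample_response()

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(summarize(parse_status_response(SAMPLE_RESPONSE)))   # offline demo on the sample
    for ip in sys.argv[1:]:
        try:
            print(ip, query_host(ip))
        except (socket.timeout, ValueError) as exc:
            print(ip, "no NetBIOS answer:", exc)
```

Two caveats when reading the output: the "logged-in user" is only visible when the host still registers the user's <03> messenger name, which current Windows versions rarely do, and a host with NetBIOS over TCP/IP disabled never answers at all, so silence on UDP/137 does not mean the address is free.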
In Active Directory environments, domain-joined machines have DNS records on the Domain Controller (which usually hosts the DNS service). Reverse (PTR) lookups against that server can then reveal additional ranges and machines.
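The PTR sweep spelled out, as an added example that is not part of the original page: the script builds a raw PTR query for each address in a range (`in-addr.arpa` name, QTYPE 12), parses the reply including compression pointers, and keeps the addresses that have a record. The DNS server address, the range, and the `ws01.corp.local` / `10.0.0.5` pair in the embedded sample replies are constructed; `ptr_sweep` does real lookups when run with arguments.

```python
"""Reverse (PTR) lookups against the domain's DNS: build the query, parse the reply, sweep a range."""
import ipaddress
import socket
import struct
import sys

QTYPE_PTR = 12
RCODE_NXDOMAIN = 3


def reverse_name(ip: str) -> str:
    """10.0.0.5 -> 5.0.0.10.in-addr.arpa (an IPv6 address yields the ip6.arpa nibble form)."""
    return ipaddress.ip_address(ip).reverse_pointer


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_ptr_query(ip: str, txid: int = 0x2A2A) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + _encode_name(reverse_name(ip)) + struct.pack(">HH", QTYPE_PTR, 1)


def _read_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:          # pointer to an earlier occurrence of the name
            if not jumped:
                end = off + 2
            off = struct.unpack_from(">H", data, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_ptr_response(data: bytes) -> list:
    """PTR targets from the answer section; [] on NXDOMAIN or when nothing is returned."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F == RCODE_NXDOMAIN:
        return []
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4                                    # QTYPE + QCLASS
    targets = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
        off += 10
        if rtype == QTYPE_PTR:
            target, _ = _read_name(data, off)
            targets.append(target)
        off += rdlen
    return targets


def ptr_lookup(ip: str, dns_server: str, timeout: float = 1.0) -> list:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ptr_query(ip), (dns_server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_ptr_response(data)


def ptr_sweep(cidr: str, dns_server: str, timeout: float = 0.5) -> dict:
    """Map each address in the range that has a PTR record to its name(s)."""
    found = {}
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        try:
            names = ptr_lookup(str(host), dns_server, timeout)
        except (socket.timeout, ValueError):
            continue
        if names:
            found[str(host)] = names
    return found


def _sample_response(ip: str, target, txid: int = 0x2A2A) -> bytes:
    """Constructed reply as a DC's DNS would send it (answer name is pointer 0xC00C to the question)."""
    question = _encode_name(reverse_name(ip)) + struct.pack(">HH", QTYPE_PTR, 1)
    if target is None:                              # NXDOMAIN: RCODE 3, no answer
        return struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    rdata = _encode_name(target)
    answer = b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_PTR, 1, 3600, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


SAMPLE_HIT = _sample_response("10.0.0.5", "ws01.corp.local")
SAMPLE_MISS = _sample_response("10.0.0.6", None)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: ptr_sweep.py <cidr> <dns_server>")
        print(parse_ptr_response(SAMPLE_HIT), parse_ptr_response(SAMPLE_MISS))   # offline demo
    else:
        for ip, names in ptr_sweep(sys.argv[1], sys.argv[2]).items():
            print(ip, " ".join(names))
```

A PTR record only proves that something registered the name (AD clients do so dynamically when a reverse zone exists), not that the host is up right now, and a missing reverse zone hides every host in that range; resolve each returned name forward to an A record before trusting it. The sweep is serial because NXDOMAIN answers come back immediately; only unanswered queries cost the full timeout. Every query lands in the DNS server's logs if query logging is enabled.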
Ping sweep in PowerShell:
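A ping sweep as an added Python example (not the page's own PowerShell snippet), which also goes one step beyond plain ICMP: because many hosts and firewalls drop echo requests, the sweep falls back to a TCP connect on a few common ports, treating both an accepted connection and a refused one (RST) as proof that a host is there. The probe is injectable so the sweep logic runs offline against the constructed `_FAKE_UP` set; the port list and the Linux/Windows ping flags are assumptions (the flags differ on macOS and the BSDs).

```python
"""Ping sweep with a thread pool, plus a TCP-connect fallback for hosts that drop ICMP."""
import ipaddress
import platform
import socket
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor


def expand_targets(cidr: str) -> list:
    """All usable host addresses in the range (network and broadcast addresses excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def icmp_probe(ip: str, timeout: float = 1.0) -> bool:
    """One ICMP echo via the system ping binary, so no raw-socket privileges are needed."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(int(timeout * 1000)), ip]   # -w takes milliseconds
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, round(timeout))), ip]  # Linux ping: -W in seconds
    try:
        rc = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                            timeout=timeout + 2).returncode
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    # Caveat: Windows ping may exit 0 on "Destination host unreachable" replies from a router.
    return rc == 0


def tcp_probe(ip: str, ports=(445, 135, 3389, 22, 80, 443), timeout: float = 0.5) -> bool:
    """A host is up if any port answers at all: SYN/ACK (connect succeeds) or RST (refused)."""
    for port in ports:
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                return True
        except ConnectionRefusedError:
            return True               # an RST came back, so something is listening on that IP
        except OSError:
            continue                  # timeout or unreachable: filtered, or nothing there
    return False


def combined_probe(ip: str) -> bool:
    return icmp_probe(ip) or tcp_probe(ip)


def sweep(cidr: str, probe=combined_probe, workers: int = 64) -> list:
    """Probe every host in parallel; `probe` is injectable so the logic can be tested offline."""
    targets = expand_targets(cidr)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, targets))
    return [ip for ip, up in zip(targets, results) if up]


# Constructed stand-in for a network where only two addresses answer (offline demo / test).
_FAKE_UP = {"10.0.0.3", "10.0.0.5"}


def fake_probe(ip: str) -> bool:
    return ip in _FAKE_UP


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for ip in sweep(sys.argv[1]):
            print(ip, "is up")
    else:
        print("usage: sweep.py <cidr>   (offline demo follows)")
        print(sweep("10.0.0.0/29", probe=fake_probe))
```

Treat the result as a lower bound: a host that drops ICMP and filters every probed port still does not show up, and a TCP probe is visible to host firewalls and EDR where a single ICMP echo usually is not.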