About
Platforms like THM and HTB explicitly tell you the IP of the machine. If a target IP address is not provided, discovering the hosts on the network yourself is the first job. Typically, in an exam you will either be given an attack box that is already on the network or a VPN file with which you connect to the remote network. Your Rules of Engagement will outline the networks you are allowed to attack.
ip addr
will reveal our attack box's IP address and prefix length on each interface (look at the inet line of the LAN interface, or of tun0 if you are on a VPN). With this, we can then run our host discovery scan with nmap (or rustscan, which I will detail later).
Nmap
Basic Ping Sweep
nmap -sn <IP/CIDR>
<IP/CIDR>
will look something like 192.168.0.0/24 if you have an IP address of 192.168.0.x and a subnet mask of 255.255.255.0 (24 network bits).
-sn
disables port scanning, so nmap only reports which hosts are up.
- On a local Ethernet segment, a privileged nmap discovers hosts with ARP requests, which a host firewall cannot block. Against a routed or VPN network it sends its default probes instead: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.
- Sometimes ICMP will be blocked by the firewall of a host, so a host can be up yet missing from a plain ping sweep. The TCP-based sweeps below exist for exactly that case.
SYN Sweep
nmap -sn -PS <IP/CIDR>
- Uses TCP SYN packets as the probe. A SYN/ACK means the port is open and a RST means it is closed, but either reply proves the host is up.
- Probes port 80 by default, but can be customised with a port list, for example -PS22,80,443. Raw SYN probes need root; an unprivileged nmap falls back to a full connect().
ACK Sweep
nmap -sn -PA <IP/CIDR>
-PA
sends a bare TCP ACK, to port 80 by default (customisable the same way as -PS).
- A host that is up should answer an unsolicited ACK with a RST, whether or not the port is open, so this gets past stateless filters that only block SYNs.
- May get blocked by Windows Firewall and other stateful firewalls, which drop an ACK that belongs to no known connection. Combining -PS and -PA in one sweep covers both cases.
Common Port Check
nmap -sn -T4 -PS21,22,25,80,445,3389,8080 -PU137,138 <IP/CIDR>
- -T4 uses aggressive timing, which is fine on a lab or exam network.
- Checks 2 common UDP ports (NetBIOS 137 and 138). A UDP probe counts on an ICMP port unreachable reply from a closed port; an open UDP port usually stays silent, so no reply does not prove the host is down.
- Checks 7 common TCP ports with SYN probes.
- By no means exhaustive, but likely the most common ports to be found. Works as a fast scan for the usual culprits; if a host you expect is missing, widen the port list, or skip discovery with -Pn when you scan that host directly.
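The whole procedure on this page, from reading ip addr to a list of live hosts, as an added example (not code from the original post). It derives the <IP/CIDR> from a constructed ip addr sample with Python's ipaddress module, assembles the common-port sweep above as an argv list, and parses nmap's grepable output (-oG -), also constructed here. The interface names, addresses and hostnames in both samples are made up, and run_sweep is only there to show how the pieces fit when nmap is actually available.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `ip addr` output (assumed interface names and addresses,
# not captured from a real attack box).
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.0.37/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.10.14.5/23 scope global tun0
       valid_lft forever preferred_lft forever
"""

# Constructed sample of `nmap -sn ... -oG -` output for the eth0 subnet above.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn -T4 -PS21,22,25,80,445,3389,8080 -PU137,138 -oG - 192.168.0.0/24
Host: 192.168.0.1 (gateway.lan)\tStatus: Up
Host: 192.168.0.37 ()\tStatus: Up
Host: 192.168.0.52 ()\tStatus: Down
Host: 192.168.0.110 (files.lan)\tStatus: Up
# Nmap done at Mon Jan  1 00:00:09 2024 -- 256 IP addresses (3 hosts up) scanned in 9.12 seconds
"""

COMMON_TCP = (21, 22, 25, 80, 445, 3389, 8080)
COMMON_UDP = (137, 138)

# "inet <addr>/<prefix> ... <iface>" lines; the interface label is the last token.
# "inet6" lines do not match because a space must follow "inet".
INET_LINE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+/\d+)\b.*\s(\S+)\s*$", re.M)
# Grepable host lines: "Host: <ip> (<hostname>)<TAB>Status: Up|Down".
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)", re.M)


def local_networks(ip_addr_output):
    """Map each non-loopback interface to the network it sits on.

    ip_interface() keeps the prefix length and .network clears the host bits,
    so 192.168.0.37/24 becomes 192.168.0.0/24, the <IP/CIDR> nmap wants.
    """
    nets = {}
    for cidr, iface in INET_LINE.findall(ip_addr_output):
        net = ipaddress.ip_interface(cidr).network
        if not net.is_loopback:
            nets[iface] = net
    return nets


def sweep_command(network, tcp_ports=COMMON_TCP, udp_ports=COMMON_UDP):
    """Build the common-port host discovery command from the page as an argv list."""
    return [
        "nmap", "-sn", "-T4",
        "-PS" + ",".join(map(str, tcp_ports)),
        "-PU" + ",".join(map(str, udp_ports)),
        "-oG", "-",  # grepable output on stdout, easy to parse
        str(network),
    ]


def live_hosts(grepable, exclude=()):
    """Return [(ip, hostname_or_None), ...] for hosts nmap reported as Up.

    Pass your own address in `exclude` so the attack box does not end up in
    the target list.
    """
    hosts = []
    for ip, name, status in HOST_LINE.findall(grepable):
        if status == "Up" and ip not in exclude:
            hosts.append((ip, name or None))
    return hosts


def run_sweep(network, own_ip):
    """Run the sweep for real and parse it (needs nmap installed, root for -PS/-PU)."""
    out = subprocess.run(sweep_command(network), capture_output=True, text=True, check=True).stdout
    return live_hosts(out, exclude={own_ip})


if __name__ == "__main__":
    for iface, net in local_networks(SAMPLE_IP_ADDR).items():
        print(iface, net, "->", " ".join(sweep_command(net)))
    for ip, name in live_hosts(SAMPLE_GREPABLE, exclude={"192.168.0.37"}):
        print("up:", ip, name or "")
```

Dropping your own address from the result matters more than it looks: the attack box always answers the sweep, and it is easy to waste time port scanning yourself from a long target list.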
What Next
After the hosts on a network are discovered, I personally use Obsidian and give each host IP its own folder. Within that folder I will create notes labeled 'Port Scan', 'Accounts Found', 'Enumeration', 'Exploits Found', and 'Method'. I cannot recommend enough that you take comprehensible notes.