TryHackMe: Jr. Penetration Tester

author: Nathan Acks
date: 2022-03-31

Nmap Live Host Discovery

Subnetworks

NETWORK SEGMENT: A group of devices connected using a shared medium, such as a switch or a wireless access point. A router connects one or more network segments and forwards IP traffic between them.

ARP requests are broadcast on the local segment and are never forwarded by a router, so ARP-based discovery only works for targets on the same subnet as the scanning host.

Enumerating Targets

Handy nmap flags:

Note that you can put ranges in any octet of an IP address; for example, 10.10.0-255.1-255 will scan 10.10.0.1 - 10.10.255.255.
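The octet-range syntax is easy to mis-size, and a slip turns a quick sweep into a scan of tens of thousands of addresses. The Python below re-implements the target expansion as an added example (it is not code from the room or from Nmap itself) so you can count and list what a spec covers before handing it to nmap. Beyond the hyphen ranges above, it also accepts the comma-separated octet lists (192.168.3-5,7.1) and CIDR notation that Nmap understands; the function names are my own.

```python
"""Expand nmap-style IPv4 target specs (hyphen ranges, comma lists, CIDR) offline.
Added example; the function names and structure are not Nmap's."""
import ipaddress
import itertools


def expand_octet(spec: str) -> list[int]:
    """'0-255' -> 0..255, '1,3,5-7' -> [1, 3, 5, 6, 7], '4' -> [4]."""
    values = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"octet spec {part!r} is outside 0-255 or reversed")
        values.update(range(lo_i, hi_i + 1))
    return sorted(values)


def _octet_lists(spec: str) -> list[list[int]]:
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"{spec!r} does not have four octets")
    return [expand_octet(o) for o in octets]


def count_targets(spec: str) -> int:
    """Number of addresses a spec covers, computed without materialising them."""
    if "/" in spec:
        # nmap scans the whole CIDR block, including the .0 and .255 addresses
        return ipaddress.IPv4Network(spec, strict=False).num_addresses
    count = 1
    for values in _octet_lists(spec):
        count *= len(values)
    return count


def expand_targets(spec: str) -> list[str]:
    """Every address the spec covers, in ascending order."""
    if "/" in spec:
        return [str(a) for a in ipaddress.IPv4Network(spec, strict=False)]
    return [".".join(map(str, combo)) for combo in itertools.product(*_octet_lists(spec))]


if __name__ == "__main__":
    for spec in ("10.10.0-255.1-255", "192.168.3-5,7.1", "10.10.1.0/24"):
        addrs = expand_targets(spec)
        print(f"{spec}: {count_targets(spec)} addresses, {addrs[0]} .. {addrs[-1]}")
```

Run count_targets on a spec first; the example from the room, 10.10.0-255.1-255, is 256 × 255 = 65,280 addresses, which is a very different scan from the 256-address /24 that a typo can stand in for.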

Nmap Host Discovery Using ARP

When called as the superuser, Nmap uses ARP for local host discovery and a combination of ICMP Echo, TCP SYN to 443, TCP ACK to 80, and ICMP Timestamp requests for remote host discovery.

When called as a normal user, Nmap cannot craft raw packets, so it can use neither ARP nor ICMP; it falls back to completing a full TCP connect() handshake with ports 80 and 443 for both local and remote host discovery.

Note that even though Nmap calls host discovery a “ping scan” (-sn), ICMP echo requests are only one of its probes, and only when it runs with privileges. Host discovery still runs on targets read from a file with -iL; it is skipped only with -Pn, which treats every target as up, and -sL merely lists the targets without sending any probes.

A specialized tool for doing ARP scans is (appropriately enough) arp-scan. Use arp-scan -l to scan the entire local network, and arp-scan -I $IFACE -l to scan only the network available on interface $IFACE.
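What an ARP ping actually puts on the wire, as an added example in Python (not code from the room, from Nmap or from arp-scan): it builds the 42-byte who-has frame, decodes replies, and discards any reply that claims an address outside the local subnet, which is the point made under Subnetworks above. The MACs, addresses and captured frames are constructed for the example; the function names are my own.

```python
"""Build, parse and filter ARP frames for a local host-discovery sweep.
Added example; constants and helpers are mine, not Nmap's or arp-scan's."""
import ipaddress
import struct

ETH_TYPE_ARP = 0x0806
ETH_TYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """Complete Ethernet+ARP frame (42 bytes, no FCS). A request is broadcast with an
    all-zero target MAC; a reply is unicast back to the asker."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else dst_mac
    tha = ZERO_MAC if op == ARP_REQUEST else dst_mac
    eth = ETH_HDR.pack(mac_to_bytes(eth_dst), mac_to_bytes(src_mac), ETH_TYPE_ARP)
    arp = ARP_HDR.pack(1, ETH_TYPE_IPV4, 6, 4, op,
                       mac_to_bytes(src_mac), ipaddress.IPv4Address(src_ip).packed,
                       mac_to_bytes(tha), ipaddress.IPv4Address(dst_ip).packed)
    return eth + arp


def parse_arp(frame: bytes):
    """Decode an Ethernet frame; None unless it carries IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETH_TYPE_IPV4, 6, 4):
        return None
    return {"op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": bytes_to_mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def arp_reachable(local_network: str, target_ip: str) -> bool:
    """ARP never crosses a router: only addresses inside our own subnet can be ARP-pinged."""
    return ipaddress.IPv4Address(target_ip) in ipaddress.IPv4Network(local_network, strict=False)


def arp_sweep_requests(our_mac: str, our_ip: str, local_network: str) -> dict:
    """The who-has frames a sweep broadcasts, one per host address in the subnet except our own."""
    net = ipaddress.IPv4Network(local_network, strict=False)
    return {str(h): build_arp(ARP_REQUEST, our_mac, our_ip, ZERO_MAC, str(h))
            for h in net.hosts() if str(h) != our_ip}


def live_hosts_from_replies(frames, our_ip: str, local_network: str) -> dict:
    """IP -> MAC for every ARP reply addressed to us from inside our subnet."""
    found = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY or arp["target_ip"] != our_ip:
            continue
        if not arp_reachable(local_network, arp["sender_ip"]):
            continue  # an off-subnet sender cannot legitimately answer our ARP; treat as bogus
        found[arp["sender_ip"]] = arp["sender_mac"]
    return found


# Constructed sample traffic: what a sniffer might capture after the sweep is sent.
OUR_MAC, OUR_IP, LOCAL_NET = "02:00:00:00:00:01", "10.10.1.2", "10.10.1.0/24"
SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, "02:00:00:00:00:05", "10.10.1.5", OUR_MAC, OUR_IP),
    build_arp(ARP_REPLY, "02:00:00:00:00:09", "10.10.1.9", OUR_MAC, OUR_IP),
    build_arp(ARP_REQUEST, "02:00:00:00:00:07", "10.10.1.7", ZERO_MAC, "10.10.1.1"),  # someone else's request
    build_arp(ARP_REPLY, "02:00:00:00:00:99", "10.10.2.99", OUR_MAC, OUR_IP),          # off-subnet sender
    ETH_HDR.pack(mac_to_bytes(OUR_MAC), mac_to_bytes("02:00:00:00:00:05"), ETH_TYPE_IPV4) + b"\x45" + b"\x00" * 27,  # IPv4, not ARP
]

if __name__ == "__main__":
    print(f"{len(arp_sweep_requests(OUR_MAC, OUR_IP, LOCAL_NET))} requests to send on {LOCAL_NET}")
    for ip, mac in live_hosts_from_replies(SAMPLE_FRAMES, OUR_IP, LOCAL_NET).items():
        print(f"{ip} is up ({mac})")
```

Actually transmitting these frames needs a raw AF_PACKET socket bound to the interface, which on Linux requires root or CAP_NET_RAW; that is why Nmap only ARP-pings when run with privileges and why arp-scan is normally run with sudo.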

Nmap Host Discovery Using ICMP

Nmap Host Discovery Using TCP and UDP

The masscan utility is an asynchronous TCP/UDP scanner built for very high packet rates, so it can sweep large address ranges quickly. That volume of traffic makes it extremely noisy; probably too noisy to use in practice wherever stealth matters.

Using Reverse-DNS Lookup