2 Discovering network hosts

This chapter covers

  • Internet Control Message Protocol (ICMP)
  • Using Nmap to sweep IP ranges for live hosts
  • Performance tuning Nmap scans
  • Discovering hosts using commonly known ports
  • Additional host discovery methods

As you’ll recall, the first phase in the four-phase network penetration testing (pentesting) methodology is the information-gathering phase. The goal of this phase is to gather as much information as possible about your target network environment. The phase is further broken into three main components, or sub-phases, each of which focuses on discovering information (intelligence) about network targets in one of the following categories:

  • Hosts (sub-phase A: host discovery)
  • Services (sub-phase B: service discovery)
  • Vulnerabilities (sub-phase C: vulnerability discovery)

Figure 2.1 The information-gathering phase workflow

Figure 2.1 illustrates the workflow through the sub-phases, beginning with host discovery, continuing with service discovery, and ending with vulnerability discovery. In this chapter, you’ll focus on the first sub-phase: host discovery. Its purpose is to discover as many network hosts (or targets) as possible within a given range of IP addresses (your scope). You want to produce two primary outputs during this sub-phase:

  • A targets.txt file containing IP addresses that you will test throughout the engagement
  • An ignore.txt file containing IP addresses that you will avoid touching in any way

2.1 Understanding your engagement scope

2.1.1 Black-box, white-box, and grey-box scoping

2.1.2 Capsulecorp

2.1.3 Setting up the Capsulecorp Pentest environment

2.2 Internet Control Message Protocol

2.2.1 Using the ping command

2.2.2 Using bash to pingsweep a network range

2.2.3 Limitations of using the ping command

2.3 Discovering hosts with Nmap

2.3.1 Primary output formats

2.3.2 Using remote management interface ports
