2 Discovering network hosts
This chapter covers
- Internet Control Message Protocol (ICMP)
- Using nmap to sweep IP ranges for live hosts
- Performance tuning nmap scans
- Discovering hosts using commonly known ports
- Additional host discovery methods
As you’ll recall, the first phase in the four-phase network penetration testing methodology is the information-gathering phase. The goals and objectives for this phase are to gather as much information as possible about your target network environment. This phase is further broken up into three main components or sub-phases. Each sub-phase focuses on discovering information or intelligence about network targets within the following separate categories:
- Hosts: sub-phase A. Host Discovery
- Services: sub-phase B. Service Discovery
- Vulnerabilities: sub-phase C. Vulnerability Discovery
Figure 2.1 The Information-gathering phase workflow
In this chapter, you’ll focus on the first sub-phase: Host discovery. The purpose of this sub-phase is to discover as many possible network hosts (or targets) within your given range of IP addresses (your scope). There are two primary outputs that you’ll want to produce during this component:
- A targets.txt file containing IP addresses that you will test throughout the engagement
- An ignore.txt file containing IP addresses that you will avoid touching in any way