Discovery tools are used to gather information about a target network or system. The tools enable you to easily perform many otherwise manual processes, such as whois queries, DNS zone transfers, SNMP queries, and other information-gathering processes.
The tools help you gather DNS records, contact information, network configuration information, host information, and identify systems that are active on a network. The information you gather will help you determine where a target is located and who is controlling it.
All of this information helps you build a picture of the environment you are testing.
Here are the 14 most useful host scanning commands for Kali Linux, each covered by one of the examples that follow:
- 1. nmap -sn -PE <target>
- 2. netdiscover -r <target>
- 3. crackmapexec <target>
- 4. nmap <target> --top-ports 10 --open
- 5. nmap <target> -p- -sV --reason --dns-servers <server>
- 6. us -mT -Iv <target>:a -r 3000 -R 3 && us -mU -Iv <target>:a -r 3000 -R 3
- 7. nmap -sS -sV -T4 <target>
- 8. hping3 --scan known -S <target>
- 9. nc -nvz <target> 1-1024
- 10. nc -nv <target> 22
- 11. nmap -sV <target>
- 12. db_import <file.xml> (inside the Metasploit Framework console)
- 13. nmap -f <target> (or nmap --mtu 512 <target>)
- 14. masscan <network> -p80 --banners --source-ip <unused local IP>
Example 1 – Active Reconnaissance with Nmap
Attackers footprint a network in many different ways, and the first step is usually finding out which addresses actually have a host behind them. The command below asks Nmap for host discovery only: -sn disables port scanning and -PE makes the probe an ICMP echo request, so every address in the range gets one ping and only the responders are listed. Run it as root so Nmap can send raw ICMP. Hosts that drop ICMP will be missed, so add TCP probes (for example -PS22,80,443) when the result looks suspiciously empty.
Syntax: nmap -sn -PE <target>
Example 2 – Find Alive Hosts with Netdiscover
Netdiscover is a neat tool for finding hosts on wired or wireless networks by ARP. With -r it actively sends an ARP request for every address in the given range; with -p it only listens for ARP traffic, which is quieter but much slower. Because ARP does not cross routers, the range must lie on a segment your interface is directly attached to, but for that segment it also finds hosts that block ICMP and TCP pings.
Syntax – netdiscover -r <target>
Example 3 – Host Discovery with CrackMapExec
CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Its documentation describes it as built with stealth in mind, following the concept of “living off the land”: it abuses built-in Active Directory features/protocols to achieve its functionality, so its traffic blends in with normal domain activity and evades many endpoint protection/IDS/IPS solutions.
To install crackmapexec, run “apt-get install crackmapexec” in your Linux terminal.
If it doesn’t install using the above command, we recommend running “apt-get update && apt-get upgrade” first to make sure you have the latest packages from Offensive Security and the Kali team.
Used for discovery, CME simply tries SMB (TCP 445) against every address in the range and prints the hostname, domain, OS and SMB signing status of each responder, so it finds Windows and Samba hosts only. The bare form below is the CrackMapExec v3 syntax; from v4 onward the protocol must be named first, i.e. crackmapexec smb <target>.
Syntax: crackmapexec <target>
Example 4 – Find Top 10 Open Ports with Nmap (Fast Scan)
There is a lot more you can do with nmap.
With the --top-ports option, you can quickly check the ten most commonly open ports on every host in a network:
Syntax: nmap <target> --top-ports 10 --open
--top-ports 10 picks the ten ports with the highest open-frequency ratio in Nmap's nmap-services file (TCP ports, and UDP ports as well if -sU is given), and --open keeps closed and filtered ports out of the output so that only listening services are shown.
A port that does not appear in nmap-services has no frequency data and will never be chosen by --top-ports; if you need such a port scanned, list it explicitly with -p, which scans exactly the ports you name.
Example 5 – DNS Reconnaissance with Nmap (Slow Scan)
By default, Nmap's output says whether a host is up and which ports are open, closed or filtered, but not which probe produced that verdict. The --reason flag adds that: each port and host line gets the packet or error that decided it (syn-ack, reset, no-response, host-unreach and so on), which is what you need when deciding whether a “filtered” port is a firewall or just packet loss. Here is an example:
Syntax: nmap <target> -p- -sV --reason --dns-servers <server>
--dns-servers tells Nmap which resolver to use for the reverse lookups it performs on scanned addresses (the option is plural and takes a comma-separated list); by default it uses the system resolver. DNS records are public information, and reverse lookups sent to a public resolver do not touch the target, but the rest of this command does, loudly: -p- probes all 65535 TCP ports and -sV then connects to every open one, so this is the slow, noisy scan of the set rather than a quiet DNS-only enumeration. Use dig or dnsrecon when DNS records are all you want.
Example 6 – Scanning with Unicornscan
Unicornscan is an information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is scalable, accurate, flexible and efficient, and its asynchronous design sends probes at a fixed packet rate regardless of how quickly responses come back.
Its default is a TCP SYN scan, selected explicitly here with -mT, while -mU selects UDP; -I prints results immediately as they arrive, -v is verbose, :a after the target means all 65535 ports, -r 3000 sends 3000 packets per second, and -R 3 repeats each probe three times to compensate for loss at that rate. To scan our own lab host (192.168.169.138 in this case) on every TCP port and then every UDP port, we would write:
Syntax: us -mT -Iv <target>:a -r 3000 -R 3 && us -mU -Iv <target>:a -r 3000 -R 3
Example 7 – TCP Syn Scan with Nmap
The command below determines whether a port is listening using a technique called half-open (SYN) scanning.
It is called half-open scanning because the TCP three-way handshake is never completed. Nmap sends a SYN and waits: a SYN/ACK means the port is open (Nmap answers with a RST instead of an ACK, so no connection is established and most services never log anything), a RST means closed, and no answer or an ICMP unreachable error means filtered. Because it crafts raw packets, -sS needs root; a non-root user must use the full-connect scan -sT instead, which is noisier.
With -sV added, Nmap goes on to probe each open port and reports the service name and version from its database of well-known services; -T4 speeds the timing up, which is fine on a LAN or a fast, reliable WAN link.
Syntax: nmap -sS -sV -T4 <target>
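The sweep from Example 1 and the SYN/version scan above are usually chained: discover first, then spend the slow -sS -sV scan only on hosts that answered. The script below is an added example written for this article, not code from the Nmap project; it assumes nmap is installed and the script runs as root, and the 192.0.2.0/24 range and the greppable-output sample are placeholders constructed for illustration.

```shell
#!/bin/sh
# Added example: ping sweep -> extract live hosts -> SYN/version scan of those only.
# Assumes nmap is installed and this runs as root (needed for -PE and -sS).
set -eu

# Print the address of every host marked "Up" in nmap greppable (-oG) output.
# Greppable lines look like: "Host: 192.0.2.10 (name)<TAB>Status: Up"
# and $2 is the address whether or not a hostname is present.
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' | sort -u
}

# Constructed sample of nmap -sn -oG output (not from a real scan) used to
# exercise the parser offline; a "Down" line only appears with -v in real
# output, which is why the filter checks the status explicitly.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 ()	Status: Up
Host: 192.0.2.11 ()	Status: Down
Host: 192.0.2.12 (gw.example)	Status: Up
# Nmap done -- 3 IP addresses (2 hosts up) scanned'

# Full pipeline. "-oG -" sends greppable output to stdout; -iL reads the
# host list; -oA keeps normal, greppable and XML results for later import.
run_sweep() {
    target="$1"
    nmap -sn -PE -oG - "$target" | live_hosts_from_gnmap > live_hosts.txt
    printf 'live hosts: %s\n' "$(wc -l < live_hosts.txt)"
    nmap -sS -sV -T4 -iL live_hosts.txt -oA service_scan
}

case "${1:-demo}" in
    demo) printf '%s\n' "$SAMPLE_GNMAP" | live_hosts_from_gnmap ;;  # prints the two Up hosts
    run)  run_sweep "${2:-192.0.2.0/24}" ;;                         # placeholder range
esac
```

Run it with no arguments to see the parser work on the constructed sample, or `run <range>` as root to perform the real sweep; the intermediate live_hosts.txt is worth keeping, since it is also the input for any other per-host tool.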
Example 8 – Scanning with HPING3
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the Unix ping command, but hping isn’t only able to send ICMP echo requests. It also supports TCP, UDP, ICMP and raw-IP protocols, has a traceroute mode, can transfer files over a covert channel, and has many other features. In scan mode, --scan takes a port specification: a list or range such as 1-1000, all, or known, which means every port listed in /etc/services. Pair it with -S so the probes are SYN packets (by default hping3 sends TCP packets with no flags set, which most stacks silently drop); ports that answer with SYN/ACK are reported as open.
Syntax: hping3 --scan known -S <target>
Example 9 – Port Scanning with Netcat
Netcat is a full-featured networking utility which reads and writes data across network connections using TCP or UDP. Although it is not the most sophisticated tool for the job (nmap is a better choice in most cases), it can perform a simple port scan to identify open ports:
Syntax: nc -nvz <target> 1-1024
Here -n tells netcat not to resolve names with DNS, -v makes it report every connection attempt, and -z puts it in zero-I/O mode so it only checks whether each port accepts a connection instead of sending data. Unlike a SYN scan this completes the handshake, so the target's services see (and may log) a real connection.
Example 10 – Banner Grabbing with Netcat
Netcat is not restricted to scanning. It can also act as a plain TCP client (or, with -l, as a listener, which is how two netcats are joined in a client-server relationship), and many services such as SSH, SMTP, FTP and POP3 announce themselves with a banner as soon as a client connects, so connecting with netcat and doing nothing is often enough to learn the product and version behind a port.
With netcat you can connect to any single port on a target:
Syntax: nc -nv <target> <port number>
Connecting to port 22 on a remote machine, for example, prints the SSH identification string (SSH-2.0-<software version>), which reveals the server software and version without the client sending a single byte. Services that expect the client to speak first, HTTP for instance, show nothing until you type a request such as HEAD / HTTP/1.0 followed by an empty line.
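To make the banner grab above repeatable, the added example below (written for this article, not part of netcat or any other project) wraps the netcat call in a function and reduces the returned line to the product and version. It assumes an OpenBSD- or GNU-style nc that accepts -n, -v and -w; the host and port are placeholders, and the sample banners are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example: grab a banner with netcat and reduce it to a product/version.
# Assumes an OpenBSD- or GNU-style nc that accepts -n -v -w; host and port
# are placeholders, and the sample banners below are constructed.
set -eu

# Connect, send nothing, and print the first line the server volunteers.
# -w 5 aborts if the connect or the wait for data takes longer than 5 s;
# stderr (nc's own "Connection ... succeeded" chatter) is discarded.
grab_banner() {
    nc -nv -w 5 "$1" "$2" </dev/null 2>/dev/null | head -n 1 | tr -d '\r'
}

# Extract the software version from an SSH identification string.
# RFC 4253 s.4.2 defines it as "SSH-protoversion-softwareversion SP comments",
# so everything between the second '-' and the first space is the software.
ssh_software_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-\([^ ]*\).*/\1/p'
}

# Label a banner by protocol. "220" greets both SMTP and FTP clients, so the
# greeting text is kept and the two are left for the reader to tell apart.
classify_banner() {
    case "$1" in
        SSH-*)  printf 'ssh %s\n' "$(ssh_software_version "$1")" ;;
        220\ *) printf 'smtp-or-ftp %s\n' "${1#220 }" ;;
        "")     printf 'silent (client must speak first)\n' ;;
        *)      printf 'unknown %s\n' "$1" ;;
    esac
}

# Constructed sample banners (not captured from any real host).
SAMPLE_SSH_BANNER='SSH-2.0-OpenSSH_9.2p1 Debian-2'
SAMPLE_SMTP_BANNER='220 mail.example.test ESMTP Postfix'

if [ "${1:-}" = "live" ]; then
    classify_banner "$(grab_banner "$2" "$3")"     # e.g. ./banner.sh live 192.0.2.10 22
else
    classify_banner "$SAMPLE_SSH_BANNER"            # ssh OpenSSH_9.2p1
    classify_banner "$SAMPLE_SMTP_BANNER"           # smtp-or-ftp mail.example.test ESMTP Postfix
fi
```

An empty result is classified as "silent" on purpose: it is the normal outcome for HTTP and other client-speaks-first protocols, not evidence that the port is closed, since grab_banner only runs after the connection succeeded.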
Example 11 – Version Scanning with Nmap
While Nmap does many things, its most fundamental feature is port scanning. Point Nmap at a remote machine, and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open.
Using its nmap-services database of more than 2,200 well-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively.
The Nmap version scanning subsystem obtains all of this data by connecting to open ports and interrogating them for further information using probes that the specific services understand. This allows Nmap to give a detailed assessment of what is really running, rather than just what port numbers are open.
Syntax: nmap -sV <target>
Example 12 – Scanning with Metasploit Framework
Upon completion of a scan with nmap, you can import all the host and service information into the Metasploit Framework for further exploitation, provided you saved the results as XML with -oX <filename.xml> (or with -oA, which writes XML alongside the normal and greppable formats). Inside msfconsole, with the database running (check with db_status; on Kali, msfdb init sets it up), import the file with:
Syntax: db_import <filename.xml>
After importing the file, run the hosts command to list the hosts from the XML file and services to list their open ports. As a shortcut, db_nmap runs nmap from within msfconsole and imports the results in one step.
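The same import can be driven from a shell without an interactive session, which is useful when the scan runs from a script. The example below is added for this article and is not Metasploit's or Nmap's own code; it assumes nmap and msfconsole are installed, the Metasploit database has been initialised, and root privileges for -sS. The scan range and the two-host XML sample are placeholders constructed for illustration.

```shell
#!/bin/sh
# Added example: scan to XML, sanity-check the file, import it into Metasploit
# without an interactive session. Assumes nmap and msfconsole are installed,
# the Metasploit database is initialised (msfdb init), and root for -sS.
set -eu

# Write all three nmap output formats; <base>.xml is what Metasploit reads.
scan_to_xml() {
    nmap -sS -sV -T4 "$1" -oA "$2"
}

# Count <host> elements in nmap XML read from stdin. A scan that hit a
# firewall or was interrupted produces a file with none, and db_import
# accepts such a file silently, so check before importing.
xml_host_count() {
    grep -o '<host ' | wc -l | tr -d ' '
}

# Run msfconsole just long enough to import and list, then exit:
# -q suppresses the banner, -x runs the given console commands.
import_to_msf() {
    msfconsole -q -x "workspace -a assessment; db_import $1; hosts; services; exit"
}

# Constructed minimal nmap XML (two hosts, not from a real scan) used to
# exercise the check offline.
SAMPLE_NMAP_XML='<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX - 192.0.2.0/29" version="7.94">
<host starttime="0" endtime="0"><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port></ports></host>
<host starttime="0" endtime="0"><status state="up" reason="syn-ack"/>
<address addr="192.0.2.12" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port></ports></host>
<runstats><finished time="0"/><hosts up="2" down="6" total="8"/></runstats>
</nmaprun>'

if [ "${1:-}" = "run" ]; then
    scan_to_xml "${2:-192.0.2.0/24}" service_scan          # placeholder range
    n=$(xml_host_count < service_scan.xml)
    [ "$n" -gt 0 ] || { echo "no hosts in service_scan.xml, not importing" >&2; exit 1; }
    import_to_msf "$(pwd)/service_scan.xml"
else
    printf '%s\n' "$SAMPLE_NMAP_XML" | xml_host_count         # 2
fi
```

db_import is given an absolute path because msfconsole's working directory is not necessarily the one the script runs in; the workspace keeps this scan's hosts separate from earlier engagements in the same database.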
Example 13 – Firewall Bypass
With the -f or --mtu option, Nmap fragments its probes, which can slip past simple stateless packet filters that only inspect the first fragment. Do not expect it to defeat a modern firewall or IDS: most reassemble fragments before inspecting them, and some drop fragmented packets outright.
Syntax: nmap -f <target> (or, to choose the fragment size yourself, nmap --mtu 512 <target>)
The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets, splitting the TCP header over several 8-byte fragments (16 bytes with -ff). --mtu sets your own fragment size instead; it must be a multiple of 8, and the Nmap manual says not to combine it with -f. The idea is to make it harder for packet filters, intrusion detection systems and other annoyances to detect what you are doing.
Example 14 – Scanning with Masscan
This is the fastest Internet port scanner; its author claims it can scan the entire IPv4 Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.
Another feature of Masscan is that, apart from reporting open/closed ports, it can also grab simple “banner” information with --banners. The complication is that Masscan uses its own userland TCP/IP stack rather than the kernel's.
When the kernel sees the SYN/ACK from the probed target for a connection it never opened, it answers with a RST that kills the connection before Masscan can read the banner. The easiest way to prevent this is to give Masscan a spare IP address on the local network that the kernel does not own, so the kernel never sees the replies. Alternatively, keep the normal address but use a fixed source port (--source-port 61000) and add a firewall rule that stops the kernel from answering on it (iptables -A INPUT -p tcp --dport 61000 -j DROP).
Syntax: masscan <network> -p80 --banners --source-ip <unused local IP>