Discovering hosts from the inside
If you are inside the network, one of the first things you will want to do is discover the other hosts. Depending on how much noise you can afford (or want) to make, different actions can be performed:
Passive
You can use these tools to passively discover hosts inside a connected network:
Active
Note that the techniques described in Discovering hosts from the outside (TCP/HTTP/UDP/SCTP Port Discovery) can also be applied here. But, since you are on the same network as the other hosts, you can do more:
Active ICMP
Note that the techniques described in Discovering hosts from the outside (ICMP) can also be applied here. But, since you are on the same link as the other hosts, you can do more:
If you ping the subnet's directed broadcast address, the echo request reaches every host on that subnet and any host that answers broadcast pings will reply to you (ping -b is the Linux iputils flag that allows a broadcast destination):
ping -b 10.10.5.255
Pinging the limited broadcast address 255.255.255.255 reaches every host on the same layer-2 segment regardless of the subnet it is configured in, so it can reveal hosts that sit on the same wire but in a different IP range:
ping -b 255.255.255.255
Caveat: most modern systems ignore echo requests sent to a broadcast address by default (Linux sets net.ipv4.icmp_echo_ignore_broadcasts=1, and Windows does not answer them), so a silent broadcast ping does not mean the segment is empty; hosts that do answer tend to be printers, embedded devices and older or loosely configured machines.
Use the -PE, -PP and -PM flags of nmap to perform host discovery by sending ICMPv4 echo, timestamp and address mask requests (-sn disables the port scan, which is what the deprecated -sP did, and -n skips reverse DNS):
nmap -PE -PP -PM -sn -vvv -n 10.12.5.0/24
Timestamp and address mask requests are useful because some hosts and firewalls that drop echo requests still answer them.
Wake On Lan
Wake On Lan is used to turn on computers through a network message. The magic packet that wakes a machine is just 6 bytes of 0xFF followed by the target's MAC address repeated 16 times (102 bytes in total). It is usually sent either as an Ethernet frame with EtherType 0x0842 or inside a UDP datagram to port 9 (some tools use port 7). If no target MAC is given to the sending tool, the packet goes to the Ethernet broadcast address, and the broadcast MAC ff:ff:ff:ff:ff:ff is what gets repeated. The packet carries no authentication (unless the NIC is configured with a SecureOn password appended to it), so anyone able to reach the segment can wake machines on it.