Questions tagged [host-discovery]

Host discovery is the phase of a penetration test in which a network scanning tool is used to identify the live hosts on a network.

Host discovery is one of the first steps carried out when performing a pen-test. The goal is to work out the IP address range the network uses and to find the live systems within it.

The results of a single scan are not always accurate, because host-based firewall configurations can drop or silently ignore the probes. A reasonable approach is to start with a basic ping sweep or SYN scan; if that yields nothing, guess which applications may be running on the hosts and probe the corresponding ports. Using more than one tool for host discovery often gives more accurate results.

23 questions
302
votes
8 answers

How to find live hosts on my network?

I am trying to find the live hosts on my network using nmap. I am scanning the network in Ubuntu using the command sudo nmap -sP 192.168.2.1/24. However, I am unable to find the live hosts. I just get the network address of my own PC as live. When I…
TheRookierLearner
  • 4,222
  • 8
  • 24
  • 28
8
votes
1 answer

Strange responses from an unfamiliar HTTP server

I noticed an unfamiliar device when scanning my local wireless network. It had two open (listening?) TCP ports; TCP/80 (http?) & TCP/443 (https?). In an effort to identify the unfamiliar device; I exercised some basic banner-grabbing techniques,…
voices
  • 1,649
  • 7
  • 22
  • 36
7
votes
2 answers

NMAP host discovery reporting discrepant results between NAT and Bridged mode

I figured this would be the most relevant place to ask this question. I'm using a Kali VM to run some network scans. The results are different depending on whether my network interface is bridged or NATed. Running this scan nmap -sn 192.168.1.0/24…
Juicy
  • 1,407
  • 4
  • 16
  • 31
7
votes
1 answer

Exploring unknown service

I'm fairly new to network stuff and currently exploring a Wi-Fi radio device in my home network. In this process I noticed an open port. 58028/tcp open unknown 1 service unrecognized despite returning data. If you know the service/version,…
try_some_ubik
  • 71
  • 1
  • 3
5
votes
2 answers

How to scan 20k hosts to check if they're up?

I have a list of about 20000 hostnames and I need to check which ones are up. I would say 98% of them are down. I have already tried powershell and python scripts without much success (couldn't set a decent timeout in each). I'm trying to use NMap…
Lucas Cioffi
  • 177
  • 1
  • 6
5
votes
3 answers

nmap to scan all resolved ip addresses for a given domain name?

I'm using nmap to scan a given domain name example.com, which resolves to 2 ip addresses, then nmap chooses only one ip address to scan for example: #nmap -vv -sV scanme.nmap.org Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-01 15:52 CET NSE:…
ksr
  • 51
  • 1
  • 1
  • 3
4
votes
5 answers

Determining false positives when scanning for live hosts with Nmap

When doing a vulnerability assessment on a large network, it seems general practice to determine which hosts on the network are live. This can be done in various ways. From what I have read it is good to do some ICMP scans, perhaps use a…
Sonny Ordell
  • 3,476
  • 9
  • 33
  • 56
4
votes
1 answer

Get Device names of surrounding WIFI devices without authentication

I am looking to get a list of devices which are in range of my Wifi antenna (monitor mode). For example: "Tom's iPhone" I can get the MACs of these devices, but is it possible to get the name of these devices without them actually connecting to my…
VC_work
  • 481
  • 4
  • 7
3
votes
2 answers

Best practice to discover network hosts?

I'm creating a python networking program and need to discover all the usable hosts on the network such as phones and desktops on Linux. What works better, NMAP, Arp-Scan, arp, or something else? I've tried this to discover hosts with NMAP: nmap -n…
Seth Painter
  • 143
  • 1
  • 5
3
votes
1 answer

NMAP discovery scan reporting host offline, pinging the same host gets ICMP responses

I ran an nmap -sn scan on a host, and nmap reported the host as down. I then pinged the same host with ping and got ICMP responses. I'm confused, because I was sure that -sn, among other things, did an ICMP echo request. Output from my two…
Juicy
  • 1,407
  • 4
  • 16
  • 31
3
votes
1 answer

How to discover technologies?

When I audit a service I come across the problem I have to figure out what is the product a website is using, to search for possible vulnerabilities afterwards. What I do is to look for server responses using a proxy like Burp, or taking a look to…
aDoN
  • 283
  • 1
  • 3
  • 10
2
votes
2 answers

Is an ARP scan stealthy?

If you want to discover the live hosts on your subnetwork how can you exploit the ARP protocol in order to scan stealthily? Would an arp scan be picked up as suspicious activity? Could you spoof the source address of ARP requests to remain…
ellefc
  • 499
  • 2
  • 6
  • 14
1
vote
1 answer

Bypass Text Plain Rule

I want to know if I can allow uploading all types of scripts and add these rules to a virtual host configuration; so please advise and tell me if there will be some exploits that can be used to bypass these security rules (if yes please how to…
WMax
  • 31
  • 4
1
vote
2 answers

Web application discovery: Can there be virtual hosts configured even when there is a response without host header?

I'm currently learning how to discover web applications running on a machine using port scanning, vhost bruteforcing and directory fuzzing. When it comes to port scanning, there is one thing I can't wrap my head around. Let's say I have scanned all…
Sven
  • 115
  • 3
1
vote
0 answers

Why ever "trust" Nmap's reverse lookup for system hostname when doing host discovery?

Quick question. I was scanning a lab network with Nmap just doing host discovery to see what hosts were out there. I got a list of hosts, ips, hostnames, ports open, services, etc. Upon further investigation, though, I discovered discrepancies…
5lb Bass
  • 111
  • 2