First up, we've got this nifty little tool called "fping".
Let me give ya the rundown on this fping tool we're gonna use. It's like sending out these little ICMP echo messages to the other blokes on the network, and then checkin' if they send a response back. Any of those other fellas that respond to the ICMP probe, the fping tool reckons they're active and alive - which means they could be a potential target for ya.
Now, some of these machines might be set up to not respond to the ICMP probes, like if they've got a firewall or some other settings that block it.
Open up a new terminal window in Kali and run the following, swapping in your own IP address (with the last octet set to 0) as the subnet:
fping -sagq YOUR-IP-ENDING0/24
Let's break down the fping options we're using here:
s = Print stats after completion - This one gives us the lowdown on how the whole shebang went down once it's all said and done.
a = Show active/alive targets - This one highlights the fellas that responded to our ICMP probes, so we know who's fair game.
g = Generate a target list - This one tells fping to build the list of targets itself from the subnet we hand it, so we don't have to type out every address.
q = Quiet, don't show per-target results (we don't care about unreachable targets) - This one means we can skip over the blokes that didn't respond, and just focus on the ones that did.
If you want to save the results of your fping shenanigans for later, you can always pipe the output into a file:
fping -sagq 192.168.0.0/24 > FILE
cat FILE
Alright, the next tool we're gonna be using is called arp-scan. Now, every device on the network should be able to respond to an ARP request, but as we talked about before, it's a good idea to run fping alongside this one to make sure we're covering all our bases.
One thing to keep in mind with arp-scan is that the responses you see might not always be in a particular order. That's because some of those hosts might be quicker to respond than others. No need to stress about it, though - we'll just take it as it comes.
Alright, let's get stuck into it. Open up a new terminal window in Kali:
sudo arp-scan -l
l = Scan the local subnet.
Alright, let's have a look at the results from the arp-scan tool. See if you can match up each of the hosts it found with a device on your network. How many did it pick up?
Any of those hosts that showed up, we can consider them as active targets and live hosts on the network we're working with. That's good intel to have. Gives us a better idea of what we're dealing with.
The arp-scan tool was able to find a whole lot more hosts than fping did, and it even picked up some on the 192.168.128.0/24 and 192.168.129.0/24 subnets. That's thanks to something called CIDR.
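Since the post says to run fping alongside arp-scan to cover all the bases, here's an added example (not from the original post) that reconciles the two lists: which hosts either tool saw, and which ones answered ARP but kept quiet on ICMP, which is exactly the firewalled-host case mentioned earlier. The fping and arp-scan outputs below are constructed samples with made-up MACs and vendor names, not real captures.

```shell
#!/bin/sh
# Added example, not part of the original post: reconcile the alive-host list
# from fping with the one from arp-scan, so hosts that answer ARP but stay
# quiet on ICMP (host firewall, or just configured not to reply) stand out.
# Both inputs below are constructed sample outputs, not real scan results.

# What "fping -sagq 192.168.0.0/24 > FILE" leaves in FILE: one alive IP per line
# (the -s stats go to stderr, so they never land in the file).
FPING_SAMPLE='192.168.0.1
192.168.0.10
192.168.0.42'

# What "sudo arp-scan -l" prints: a header, one "IP  MAC  vendor" row per
# responder, then a footer. MACs and vendor strings here are made up.
ARPSCAN_SAMPLE='Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.168.0.5
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1	00:aa:bb:cc:dd:01	Example Router Vendor
192.168.0.10	00:aa:bb:cc:dd:0a	Example NIC Vendor
192.168.0.42	00:aa:bb:cc:dd:2a	Example NIC Vendor
192.168.0.77	00:aa:bb:cc:dd:4d	Example Printer Vendor

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.967 seconds (130.15 hosts/sec). 4 responded'

# Pull the IPv4 address off every line that starts with one (this skips the
# arp-scan header and footer) and sort numerically by octet; -u dedupes.
extract_ips() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' \
        | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# all_hosts FPING_TEXT ARPSCAN_TEXT -> every host seen by either tool.
all_hosts() {
    { printf '%s\n' "$1"; printf '%s\n' "$2"; } | extract_ips
}

# ips_not_in LIST_A LIST_B -> IPs of LIST_A that are absent from LIST_B
# (both newline-separated). awk loads B into a lookup table, filters A.
ips_not_in() {
    printf '%s\n' "$1" | awk -v other="$(printf '%s' "$2" | tr '\n' ' ')" '
        BEGIN { n = split(other, b); for (i = 1; i <= n; i++) seen[b[i]] = 1 }
        NF && !($1 in seen) { print $1 }'
}

# arp_only_hosts FPING_TEXT ARPSCAN_TEXT -> answered ARP but not ICMP.
arp_only_hosts() {
    ips_not_in "$(printf '%s\n' "$2" | extract_ips)" "$(printf '%s\n' "$1" | extract_ips)"
}

# icmp_only_hosts FPING_TEXT ARPSCAN_TEXT -> answered ICMP but not ARP.
# Normally empty on one broadcast domain; non-empty means fping was pointed
# at a range that arp-scan -l never covered.
icmp_only_hosts() {
    ips_not_in "$(printf '%s\n' "$1" | extract_ips)" "$(printf '%s\n' "$2" | extract_ips)"
}

echo "== hosts seen by either tool =="
all_hosts "$FPING_SAMPLE" "$ARPSCAN_SAMPLE"
echo "== answered ARP but not ICMP (likely blocking echo requests) =="
arp_only_hosts "$FPING_SAMPLE" "$ARPSCAN_SAMPLE"
echo "== answered ICMP but not ARP =="
icmp_only_hosts "$FPING_SAMPLE" "$ARPSCAN_SAMPLE"
```

To use it on your own results, replace the two sample strings with `$(cat FILE)` for the fping file and `$(sudo arp-scan -l)` for the ARP sweep; the "ARP but not ICMP" list is the one worth a second look, since those are the boxes a ping-only sweep would have missed entirely.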
Alright, now that we've used fping and arp-scan to get a good handle on the hosts on the network, let's take it to the next level with nmap. This tool is gonna help us dig a bit deeper and discover even more about those potential targets we've identified.
With nmap, we can scan the network and see what ports are open on each host. That's gonna give us a better idea of the attack surface we're dealing with, in case we decide to take things further down the track.
Righto, let's get stuck into it. Open up a new terminal window in Kali:
nmap -T 5 -Pn -PRV YOUR-IP-ENDING0/24
Let's talk about that nmap command you've got there. Running it is gonna use ICMP and ARP requests to scan the whole subnet, as well as check the most common ports on each host. Now, this method is gonna make a fair bit of noise, and depending on how many hosts are on the network, it might take a while to complete.
The "-T 5" option basically tells nmap to scan as fast as a bloody machine gun. That's great for getting the job done quick, but it's also super detectable, especially on a corporate network. Reckon you'd best steer clear of that "-T 5" business if you're on a company network, mate. Wouldn't want to raise any eyebrows, you know?
Now, if you're on a home network, a coffee shop, or the store, then the "-T 5" option might be alright to include. Just keep in mind that it's gonna be a bit more noticeable than a slower scan. Gotta weigh up the pros and cons, eh?
When you run the command, it's gonna scan the entire subnet and probe the most common ports. But here's the kicker - we're gonna use the "-Pn" option to treat all the hosts as if they're online.
See, the thing is, some of these machines might not be replying to ping requests, so they could appear "offline" even though they're actually up and running. We don't want to miss out on any juicy targets just because they're not responding to ICMP echo requests, you know?
By adding the "-Pn" option, nmap will assume the host is alive and scan it regardless of whether it's replying to pings or not. That way, we can make sure we're not overlooking anything - could be a forgotten web server displaying its home directory contents, or some other silly, insecure thing that's been left wide open.
Let's get a bit more targeted with our nmap scans and focus specifically on finding web servers. We can do that by telling nmap to scan for certain open ports.
In the terminal, go ahead and type:
nmap -PRV -p80,8080,8000,443 192.168.129.0/24
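Once that web-port scan has run, you'll want the answer to "which hosts actually have one of those ports open?" without eyeballing the whole output. This added example (mine, not from the original post) assumes you tack `-oG web.gnmap` onto the nmap command above so nmap also writes its grepable format, then parses that file. The grepable text below is a constructed sample for three made-up hosts on 192.168.129.0/24, not a real scan.

```shell
#!/bin/sh
# Added example, not part of the original post: parse nmap's grepable (-oG)
# output for the web-port scan and list which hosts have which web ports
# open, plus which ports came back "filtered" (probe dropped, typically by a
# firewall, rather than refused by the host). GNMAP_SAMPLE is constructed.
GNMAP_SAMPLE='# Nmap 7.94 scan initiated as: nmap -PRV -p80,8080,8000,443 -oG web.gnmap 192.168.129.0/24
Host: 192.168.129.1 ()	Status: Up
Host: 192.168.129.1 ()	Ports: 80/open/tcp//http///, 443/open/tcp//https///, 8000/closed/tcp//http-alt///, 8080/filtered/tcp//http-proxy///
Host: 192.168.129.20 ()	Status: Up
Host: 192.168.129.20 ()	Ports: 8000/open/tcp//http-alt///	Ignored State: closed (3)
Host: 192.168.129.30 ()	Status: Up
Host: 192.168.129.30 ()	Ports: 80/closed/tcp//http///, 443/closed/tcp//https///, 8000/closed/tcp//http-alt///, 8080/closed/tcp//http-proxy///
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 12.34 seconds'

# ports_in_state GNMAP_TEXT STATE -> one "IP port service" line per port in
# that state. Each grepable "Ports:" entry is port/state/proto//service///,
# so splitting on "/" puts the port in field 1, state in 2, service in 5.
ports_in_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Host:/ && /Ports:/ {
            ip = $2
            s = $0
            sub(/^.*Ports: /, "", s)                # drop "Host: ip ()  Ports: "
            sub(/[ \t]*Ignored State:.*$/, "", s)   # drop the trailing summary field
            n = split(s, entry, ", *")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == want) print ip, f[1], f[5]
            }
        }'
}

# open_web_ports GNMAP_TEXT -> ports nmap saw as open.
open_web_ports() { ports_in_state "$1" open; }

# filtered_web_ports GNMAP_TEXT -> ports that never answered at all.
filtered_web_ports() { ports_in_state "$1" filtered; }

# web_hosts GNMAP_TEXT -> unique IPs with at least one open web port,
# in the order nmap reported them.
web_hosts() { open_web_ports "$1" | awk '!seen[$1]++ { print $1 }'; }

echo "== open web ports =="
open_web_ports "$GNMAP_SAMPLE"
echo "== hosts worth a browser visit =="
web_hosts "$GNMAP_SAMPLE"
echo "== filtered web ports (something is dropping the probe) =="
filtered_web_ports "$GNMAP_SAMPLE"
```

For a real run, swap the sample for `$(cat web.gnmap)`. The open list is your candidate web servers; the filtered list is just as informative from the other side of the fence, since it shows where a firewall is already doing its job.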