Intranet security – information collection – intranet resource detection – scanning for live hosts on the intranet

Introduction
 During a penetration test, testers can upload host-discovery tools to the target host, or use an intranet proxy or route forwarding to probe the LAN in which the target host sits, depending on the situation on that host.

   Testers can choose among ICMP, NetBIOS, UDP, ARP, SNMP, SMB and other network protocols according to the current environment. The following sections describe, protocol by protocol, how common tools are used to discover live hosts on the intranet.
Discover live hosts based on ICMP
 ICMP (Internet Control Message Protocol) is a sub-protocol of the TCP/IP suite. It works at the network layer, carrying control messages between IP hosts and routers and providing feedback about problems in the communication environment. With this information, administrators can diagnose a problem and take appropriate measures to resolve it.

   In practice, the ping command is run against every IP address in a network segment in a loop. Every address that answers the ICMP echo request is a live host on the intranet.

   Execute the following command on the target host:

for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.199.%I| findstr "TTL="

Command parameter analysis:
for /L %I in (sequence) do command: a counted loop over the sequence

192.168.199.%I: the network segment to ping, here 192.168.199.0/24

(1,1,254): start at 1, step by 1, end at 254, so every address from 1 to 254 is pinged once

-n 1: the number of echo requests sent to each address

-w 60 (the command above uses -w 1): the timeout in milliseconds to wait for each reply
 This loops through the whole class C segment and lists the live hosts; the findstr "TTL=" filter keeps only the lines that are actual replies.

Or you can use nmap (-sP is the older name of the -sn ping scan):

nmap -sP 192.168.204.1/24

Discover live hosts based on the NetBIOS (Network Basic Input/Output System) protocol
 **Computers on a network must know each other's IP addresses before they can communicate. IP addresses are hard for people to remember, while NetBIOS computer names are easy. When a computer uses a NetBIOS name to reach another computer, it must first find the IP address that belongs to that name and then communicate using the IP address. Finding an IP address from a NetBIOS name is called NetBIOS name resolution.**

   NetBIOS (ports 137-139) provides OSI session-layer services (part of the application layer in the TCP/IP model), allowing programs on different computers to connect to each other and share data on the LAN. Strictly speaking, NetBIOS is not a protocol but an Application Program Interface (API). Almost all LANs work on the basis of NetBIOS. The operating system can resolve NetBIOS names to IP addresses through WINS servers, broadcasts, the LMHOSTS file and other methods. **The NetBIOS workflow is the normal process of machine name resolution: query and response. On Windows, NetBIOS is installed automatically by default together with TCP/IP.** You can use `nbtstat -n` to view local NetBIOS name information.

   In practice, a NetBIOS status query is sent to each IP address on the LAN to obtain the host name, MAC address and other information.
   NBTScan is a program that scans for NetBIOS names on Windows networks and so discovers live Windows hosts on the intranet. **NBTScan sends a NetBIOS status query to every IP address in a given range and lists the responses in an easy-to-read table. For each responding host it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.** In short, NBTScan can obtain the real IP address and MAC address of a PC.
   Upload nbtscan.exe to the target host (it can be downloaded from the web) and execute the following command:

nbtscan-1.0.35.exe 192.168.199.1/24
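What the status query actually returns, as an added example that is not part of the original text and not NBTScan's own code: a decoder for a NetBIOS Node Status Response (RFC 1002) that pulls out the same fields NBTScan tabulates, that is computer name, workgroup or domain, logged-in user and MAC address. The response bytes are constructed inline by a small builder; the names WKS-01, WORKGROUP and ALICE and the MAC are made up. The record type 0x0021, the name suffixes <00> and <03> and the group flag bit are from the RFC.

```python
import struct

NBSTAT_TYPE = 0x0021          # RR_TYPE of a Node Status record (RFC 1002)
GROUP_FLAG = 0x8000           # NAME_FLAGS bit: group name rather than unique name
SUFFIX_WORKSTATION = 0x00     # <00>: computer name (unique) or workgroup/domain (group)
SUFFIX_MESSENGER = 0x03       # <03>: messenger service, registered for computer and user


def encode_nb_name(name: str) -> bytes:
    """First-level encoding of a NetBIOS name: each nibble becomes a letter A-P."""
    padded = name.encode("ascii").ljust(16, b"\x00" if name == "*" else b" ")
    return bytes(0x41 + ((b >> shift) & 0xF) for b in padded for shift in (4, 0))


def build_nbstat_response(trn_id: int, names, mac: bytes) -> bytes:
    """Construct a Node Status Response to the '*' query. Used only to build sample input."""
    header = struct.pack("!HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)   # response bit set, one answer
    rr_name = b"\x20" + encode_nb_name("*") + b"\x00"
    node_names = b"".join(
        struct.pack("!15sBH", n.encode("ascii").ljust(15), suffix, flags)
        for n, suffix, flags in names
    )
    statistics = mac + b"\x00" * 40                                # UNIT_ID (MAC), counters zeroed
    rdata = bytes([len(names)]) + node_names + statistics
    return header + rr_name + struct.pack("!HHIH", NBSTAT_TYPE, 0x0001, 0, len(rdata)) + rdata


def parse_nbstat_response(data: bytes):
    """Decode a Node Status Response into its name table and MAC; None if it is not one."""
    if len(data) < 12:
        return None
    _trn_id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or ancount != 1:
        return None                                               # a query, not a response
    pos = 12
    while data[pos] != 0:                                         # skip the RR_NAME labels
        pos += 1 + data[pos]
    pos += 1
    rr_type, _rr_class, _ttl, rdlength = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rr_type != NBSTAT_TYPE or len(data) < pos + rdlength:
        return None
    num_names = data[pos]
    pos += 1
    names = []
    for _ in range(num_names):                                    # 18-byte NODE_NAME entries
        raw, suffix, name_flags = struct.unpack("!15sBH", data[pos:pos + 18])
        pos += 18
        names.append({
            "name": raw.rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": suffix,
            "group": bool(name_flags & GROUP_FLAG),
        })
    mac = ":".join(f"{b:02x}" for b in data[pos:pos + 6])        # UNIT_ID opens STATISTICS
    return {"names": names, "mac": mac}


def summarize_nbstat(resp):
    """Reduce the name table to what a scanner prints: host, workgroup, user, MAC."""
    host = next((n["name"] for n in resp["names"]
                 if n["suffix"] == SUFFIX_WORKSTATION and not n["group"]), None)
    workgroup = next((n["name"] for n in resp["names"]
                      if n["suffix"] == SUFFIX_WORKSTATION and n["group"]), None)
    # the messenger service registers both the computer name and the logged-in user
    users = [n["name"] for n in resp["names"]
             if n["suffix"] == SUFFIX_MESSENGER and not n["group"] and n["name"] != host]
    return {"host": host, "workgroup": workgroup,
            "user": users[0] if users else None, "mac": resp["mac"]}


# Constructed sample: workstation WKS-01 in WORKGROUP with ALICE logged in (made-up values).
SAMPLE_RESPONSE = build_nbstat_response(
    0x1234,
    [("WKS-01", 0x00, 0x0400), ("WORKGROUP", 0x00, 0x8400),
     ("WKS-01", 0x20, 0x0400), ("WKS-01", 0x03, 0x0400), ("ALICE", 0x03, 0x0400)],
    bytes.fromhex("020000000001"),
)

if __name__ == "__main__":
    print(summarize_nbstat(parse_nbstat_response(SAMPLE_RESPONSE)))
```

The decoder shows why a status query is so informative from a defender's point of view: a single unauthenticated UDP/137 reply hands over the machine name, its workgroup or domain, the logged-in user and the MAC address. Hosts that do not need NetBIOS name service can stop answering by disabling NetBIOS over TCP/IP on the adapter or by blocking UDP/137 at the host firewall.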

Discover live hosts based on UDP
 UDP (User Datagram Protocol) is a connectionless transport-layer protocol. It gives applications a way to send encapsulated IP datagrams without first establishing a connection.
   In practice, an empty UDP datagram is sent to a specific port of the target host. If that port is closed, the probe immediately draws an ICMP port unreachable message, which shows that the host is up. If the port is open, most services simply ignore the empty packet and send nothing back.
   Unicornscan is an information-gathering tool on the Kali Linux platform that provides network scanning functions.
   Execute the following command to scan for live hosts on the intranet over UDP:

us -mU 192.168.204.1/24

  1. TCP is connection-oriented, while UDP is connectionless;
  2. A TCP scan looks for SYN/ACK or RST replies, while a UDP scan looks for ICMP port unreachable messages;
  3. TCP is reliable but slow: it is effective for port scanning, works across any network and covers a wide range at low speed. UDP is unreliable but fast: it covers a small range at high speed and is generally used inside a local area network. As the network grows, the accuracy of UDP scan results gets worse and worse; in the extreme case of UDP scanning across the Internet, the results will certainly be inaccurate.
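How the ICMP sweep and the UDP probes described in the two sections above look from the defender's side, as an added example that is not from the original text and not from ping, nmap or Unicornscan: a detector that reads firewall log lines and flags any source that sends ICMP echo requests or UDP datagrams to many distinct hosts within a short window. The log lines are constructed in the style of the Linux netfilter LOG target; the addresses, the timestamps and the threshold of 5 distinct targets in 60 seconds are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of Linux netfilter LOG output (iptables -j LOG).
# Hosts, times and traffic are made up; nothing here was captured from a real network.
# .20 is a normal host (one ping to the gateway, one DNS query); .50 sweeps six hosts
# with ICMP echo; 204.60 probes six hosts with empty UDP datagrams; one line is an echo reply.
SAMPLE_LOG = """\
Mar 10 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.199.20 DST=192.168.199.1 LEN=60 TTL=128 PROTO=ICMP TYPE=8 CODE=0
Mar 10 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.199.1 DST=192.168.199.20 LEN=60 TTL=64 PROTO=ICMP TYPE=0 CODE=0
Mar 10 10:00:03 gw kernel: IN=eth0 OUT= SRC=192.168.199.20 DST=192.168.199.53 LEN=72 TTL=128 PROTO=UDP SPT=51000 DPT=53 LEN=52
Mar 10 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.168.199.50 DST=192.168.199.1 LEN=60 TTL=128 PROTO=ICMP TYPE=8 CODE=0
Mar 10 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.168.199.50 DST=192.168.199.2 LEN=60 TTL=128 PROTO=ICMP TYPE=8 CODE=0
Mar 10 10:00:06 gw kernel: IN=eth0 OUT= SRC=192.168.199.50 DST=192.168.199.3 LEN=60 TTL=128 PROTO=ICMP TYPE=8 CODE=0
Mar 10 10:00:06 gw kernel: IN=eth0 OUT= SRC=192.168.199.50 DST=192.168.199.4 LEN=60 TTL=128 PROTO=ICMP TYPE=8 CODE=0
Mar 10 10:00:07 gw kernel: IN=eth0 OUT= SRC=192.168.199.50 DST=192.168.199.5 LEN=60 TTL=128 PROTO=ICMP TYPE=8 CODE=0
Mar 10 10:00:07 gw kernel: IN=eth0 OUT= SRC=192.168.199.50 DST=192.168.199.6 LEN=60 TTL=128 PROTO=ICMP TYPE=8 CODE=0
Mar 10 10:00:12 gw kernel: IN=eth0 OUT= SRC=192.168.204.60 DST=192.168.204.1 LEN=28 TTL=64 PROTO=UDP SPT=40000 DPT=1 LEN=8
Mar 10 10:00:12 gw kernel: IN=eth0 OUT= SRC=192.168.204.60 DST=192.168.204.2 LEN=28 TTL=64 PROTO=UDP SPT=40000 DPT=1 LEN=8
Mar 10 10:00:13 gw kernel: IN=eth0 OUT= SRC=192.168.204.60 DST=192.168.204.3 LEN=28 TTL=64 PROTO=UDP SPT=40000 DPT=1 LEN=8
Mar 10 10:00:13 gw kernel: IN=eth0 OUT= SRC=192.168.204.60 DST=192.168.204.4 LEN=28 TTL=64 PROTO=UDP SPT=40000 DPT=1 LEN=8
Mar 10 10:00:14 gw kernel: IN=eth0 OUT= SRC=192.168.204.60 DST=192.168.204.5 LEN=28 TTL=64 PROTO=UDP SPT=40000 DPT=1 LEN=8
Mar 10 10:00:14 gw kernel: IN=eth0 OUT= SRC=192.168.204.60 DST=192.168.204.6 LEN=28 TTL=64 PROTO=UDP SPT=40000 DPT=1 LEN=8
Mar 10 10:05:00 gw kernel: IN=eth0 OUT= SRC=192.168.199.20 DST=192.168.199.1 LEN=60 TTL=128 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)(?P<rest>.*)$"
)


def parse_probe(line: str):
    """Return (timestamp, src, dst, proto) for a host-discovery probe, or None.

    Only ICMP echo requests (TYPE=8) and UDP datagrams count; echo replies,
    ICMP errors and other protocols are ignored.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = m.group("proto")
    if proto not in ("ICMP", "UDP"):
        return None
    if proto == "ICMP" and "TYPE=8" not in m.group("rest"):
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # year-less syslog stamp
    return ts, m.group("src"), m.group("dst"), proto


def detect_sweeps(lines, window_seconds: int = 60, threshold: int = 5):
    """Flag (src, proto) pairs that probe >= threshold distinct hosts within window_seconds.

    Returns a sorted list of (src, proto, distinct_targets), at most one entry per pair.
    """
    probes = defaultdict(list)
    for line in lines:
        parsed = parse_probe(line)
        if parsed:
            ts, src, dst, proto = parsed
            probes[(src, proto)].append((ts, dst))

    alerts = []
    for (src, proto), events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):                 # window anchored at each probe
            targets = {dst for ts, dst in events[i:]
                       if (ts - start).total_seconds() <= window_seconds}
            if len(targets) >= threshold:
                alerts.append((src, proto, len(targets)))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for src, proto, count in detect_sweeps(SAMPLE_LOG.splitlines()):
        print(f"possible {proto} host sweep from {src}: {count} distinct targets")
```

The same pattern, one source and many destinations in a few seconds, is what the for /L ping loop and us -mU produce, so the rule does not depend on which tool was used. The threshold needs tuning per network: monitoring systems and asset inventories legitimately touch many hosts, so their addresses would be allow-listed rather than lowering the bar for everyone.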
Discover live hosts based on ARP
 ARP (Address Resolution Protocol) is a network protocol that resolves a network-layer (IP) address to the corresponding data-link-layer (MAC) address so that network-layer communication can take place. When a host wants to send data, it broadcasts an ARP request containing the target IP address to every host on the LAN and learns the target's physical address from the reply. The IP address and physical address from the reply are kept in the local ARP cache for a certain period, and later requests for the same address are answered directly from the cache to save resources.
   In practice, ARP requests are sent to the network. If the target host is active, it will certainly answer with an ARP reply; otherwise nothing comes back.

(1) Using ARP-Scan
ARP-Scan is a fast and convenient intranet scanning tool that uses ARP to discover live hosts. Upload the tool to the target host and execute the following command to scan the intranet for live hosts.

arp-scan.exe -t 192.168.204.1/24

(2) Using PowerShell
The Invoke-ARPScan.ps1 script from the Empire post-exploitation framework can use ARP to discover live hosts on the intranet (see the project's GitHub page). The script must be imported before it is run:

Import-Module .\Invoke-ARPScan.ps1
Invoke-ARPScan -CIDR 192.168.204.1/24
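What the ARP requests described above look like on the wire, as an added example that is not from the original text, ARP-Scan or Invoke-ARPScan: a parser for Ethernet II + ARP frames (RFC 826) and a count of how many distinct target IPs each sender asks about. A normal host resolves the few addresses it talks to; a scanner asks for every address in the segment in quick succession, and that ratio is what a switch-port or IDS sensor can alert on. The frames are constructed inline from made-up MAC and IP addresses.

```python
import struct
from collections import defaultdict

ETH_TYPE_ARP = 0x0806
ETH_TYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(oper: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet II + ARP frame. Used here only to construct sample input."""
    smac, tmac = mac_bytes(sender_mac), mac_bytes(target_mac)
    eth_dst = BROADCAST if oper == ARP_REQUEST else tmac          # who-has is broadcast
    eth = struct.pack("!6s6sH", eth_dst, smac, ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_TYPE_IPV4, 6, 4, oper,
                      smac, ip_bytes(sender_ip), tmac, ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Decode an ARP-over-Ethernet frame; None for non-ARP, non-IPv4 or truncated frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, ETH_TYPE_IPV4, 6, 4):
        return None
    return {
        "oper": oper,
        "sender_mac": ":".join(f"{b:02x}" for b in sha),
        "sender_ip": ".".join(str(b) for b in spa),
        "target_ip": ".".join(str(b) for b in tpa),
    }


def find_arp_sweepers(frames, threshold: int = 5):
    """Senders whose ARP requests name at least `threshold` distinct target IPs.

    Returns a sorted list of (sender_mac, distinct_targets). Replies are not counted:
    a scan shows in how many addresses one sender asks about, not in who answers.
    """
    targets = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["oper"] == ARP_REQUEST:
            targets[arp["sender_mac"]].add(arp["target_ip"])
    return sorted((mac, len(ips)) for mac, ips in targets.items() if len(ips) >= threshold)


# Constructed sample capture (made-up addresses): a scanner at .100 walks .1-.8, a normal
# host at .20 asks twice for the gateway, the gateway replies, and one plain IPv4 frame is
# mixed in to show that non-ARP traffic is skipped.
SCANNER, HOST, GATEWAY = "02:00:00:00:00:aa", "02:00:00:00:00:bb", "02:00:00:00:00:01"
SAMPLE_FRAMES = (
    [build_arp(ARP_REQUEST, SCANNER, "192.168.204.100", "00:00:00:00:00:00", f"192.168.204.{i}")
     for i in range(1, 9)]
    + [build_arp(ARP_REQUEST, HOST, "192.168.204.20", "00:00:00:00:00:00", "192.168.204.1")] * 2
    + [build_arp(ARP_REPLY, GATEWAY, "192.168.204.1", HOST, "192.168.204.20")]
    + [struct.pack("!6s6sH", mac_bytes(GATEWAY), mac_bytes(HOST), ETH_TYPE_IPV4) + b"\x00" * 28]
)

if __name__ == "__main__":
    for mac, count in find_arp_sweepers(SAMPLE_FRAMES):
        print(f"{mac} requested {count} distinct addresses: likely ARP scan")
```

Because ARP never leaves the broadcast domain, this evidence is only visible to something on the same segment (a mirror port, the switch's own ARP inspection counters, or a sensor on the VLAN); a perimeter firewall log such as the one used for the ICMP and UDP case sees nothing of it.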

Discover live hosts based on the SMB (Server Message Block) protocol
 SMB (port 445), also known as the Common Internet File System (CIFS) protocol, is an application-layer protocol. Its main function is to let machines on a network share files, printers, serial ports and other communication resources. CIFS messages are carried over NetBIOS or directly over TCP, using port 139 or 445 respectively; today port 445 is preferred.
   In practice, the SMB services present on the LAN can be probed to discover live hosts, which is mostly suitable for finding Windows hosts.

   CrackMapExec (CME for short) is a very powerful post-exploitation tool that can be installed directly with apt-get on Kali Linux. CrackMapExec can enumerate logged-in users, enumerate SMB services, carry out WinRM attacks and more, and helps testers automatically assess the security of large domain networks (see the project's GitHub page for details). Execute the following command:

crackmapexec smb 192.168.204.1/24

Probing the SMB services present on the LAN discovers the live hosts on the intranet.