CHAPTER 4
Looking for Network Activity (Advanced NMAP Techniques)
This chapter focuses on identifying active hosts and ports using advanced NMAP scanning techniques. For almost every engagement, NMAP is the holy grail of “which tool to use first” to look for active hosts.
Because NMAP is such an unavoidable tool in every hacker’s and investigator's arsenal, I feel it has already been covered to death in a multitude of other books. Rather than rehash the basics of performing NMAP scans, this chapter will focus on several advanced use cases and techniques that I have used to discover host activity, even through the most challenging firewalls.
Getting Started
A significant amount of critical data can be derived from performing NMAP scans, which can really set the tone for the rest of your engagement. Before we get started, this book assumes you have a basic understanding of NMAP—what it is, how it works, and how to use it. If you are new to NMAP, you might want to check out some free online tutorials; or if you're like me, just play around with it.
Preparing a List of Active Hosts
This is typically the first scan I run. It is designed to scan all of the local IP space and come back with a nicely formatted list of which hosts are active. I use this for internal penetration tests, but it can easily be adapted to find which external addresses are live.
I use the following command to get a list of all active hosts on an internal network:
root@OSINT: nmap -n -sn 10.0.0.0/8 172.16.0.0/12 ...
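As an added example that is not part of the book, the following Python turns the output of that ping sweep into the "nicely formatted list" the chapter describes. It reads NMAP's grepable format (`-oG -`), keeps only hosts reported as `Up`, de-duplicates overlapping ranges and sorts the addresses numerically. The `SAMPLE_GREPABLE` text is constructed for the example, not captured from a real network, and `scan_live_hosts` is an assumed convenience wrapper that shells out to `nmap` with the same `-n -sn` options as the command above.

```python
import ipaddress
import re
import subprocess
from typing import Iterable, List

# Constructed sample of `nmap -n -sn -oG -` output (not a real capture).
# Grepable format prints one "Host:" line per address; with -sn and no -v
# only live hosts normally appear, but a "Down" line is included here to
# show that the parser filters on the Status field rather than on presence.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -n -sn -oG - 10.0.0.0/24 172.16.4.0/24
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.9 ()\tStatus: Down
Host: 172.16.4.20 ()\tStatus: Up
Host: 10.0.0.5 ()\tStatus: Up
# Nmap done at Mon Jan  1 12:00:03 2024 -- 512 IP addresses (3 hosts up) scanned in 3.02 seconds
"""

# "Host: <addr> (<hostname>)<tab>Status: <Up|Down>"; hostname is empty under -n.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def live_hosts(grepable: str) -> List[str]:
    """Return the unique addresses reported as Up, sorted numerically.

    Numeric sorting (via ipaddress) keeps 10.0.0.9 before 10.0.0.10, which a
    plain string sort would not; a set removes hosts that appear twice when
    target ranges overlap.
    """
    up = set()
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # '#' header/footer lines and anything unparseable
        addr, _hostname, status = m.groups()
        if status.lower() == "up":
            up.add(ipaddress.ip_address(addr))
    return [str(a) for a in sorted(up)]


def scan_live_hosts(targets: Iterable[str]) -> List[str]:
    """Assumed wrapper: run the chapter's ping sweep and parse its output.

    Needs nmap on PATH; on a local segment nmap uses ARP for -sn and wants
    the privileges that requires.
    """
    cmd = ["nmap", "-n", "-sn", "-oG", "-", *targets]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return live_hosts(result.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for host in live_hosts(SAMPLE_GREPABLE):
        print(host)
```

Feeding real output is a matter of `nmap -n -sn -oG - 10.0.0.0/8 172.16.0.0/12 | python3 hosts.py` with the loop reading `sys.stdin` instead of the sample, or calling `scan_live_hosts([...])` directly; either way the parser only trusts the `Status:` field, so a host that answered nothing is never listed.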