How to detect live hosts in the intranet

During penetration testing, when we take down a server as a springboard to further penetrate the intranet, we often need to collect intranet assets through host survival detection and port scanning.

We can roughly divide the host scanning scenarios into three types: 1) directly execute under the webshell, scan and detect through the system's built-in commands or upload script tools; 2) penetrate the intranet through the rebound shell, and penetration testing frameworks such as msf come with some scanning modules; 3) scan the intranet through the socks proxy (such as proxychains+Nmap scanning).

Choose the most appropriate weapon in the appropriate scenario. For example, protocols that support survival detection include ARP, ICMP, SMB, UDP, NETBIOS, SNMP, etc.; port scanning methods that support port scanning include ACK scanning, SYN scanning, TCP scanning, UDP scanning, ICMP scanning, etc.

1. ping command

We often use ping to check network connectivity and telnet to test the connectivity of a specified port. Using the system's own commands to complete segment C detection is inefficient, but it is not easy to trigger security rules. If the server has a firewall turned on or ping is prohibited, the detection results will be affected.

Use the ping command to scan segment C in Windows:

 for /l %i in (1,1,255) do @ping 192.168.64.%i -w 1 -n 1|find /i " ttl ="

Use the ping command to scan segment C in Linux:

 for k in $( seq 1 255);do ping -c 1 192.168.99.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done

In addition, you can also combine the system's own traceroute, arp, netstat and other commands to collect intranet information, curl and wget can be used for port detection.

2. Powershell

Scan the IP address survival through PowerShell script:

 powershell.exe -exec bypass -Command "Import-Module ./Invoke-TSPingSweep.ps1;Invoke-TSPingSweep -StartAddress 192.168.1.0 -EndAddress 192.168.1.255"

Script download address: https://gallery.technet.microsoft.com/scriptcenter/Invoke-TSPingSweep-b71f1b9b

Use PowerShell to implement basic port scanning functions.

Scanning multiple ports of a single IP:

 PS C:\Users\Bypass > 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.246.44",$_)) "Port $_ is open!"} 2 > $null

Scanning a single port in a certain IP segment:

 foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}

Scanner for a certain IP range & multiple ports

 1..20 | % { $ a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.$a",$_)) "Port $_ is open!"} 2 > $null}

3. Intranet host detection based on MSF

When using msf to perform a rebound shell to penetrate the intranet, a quick scan is performed through the scanning module that comes with msf.

Host survival detection:

 auxiliary/scanner/discovery/arp_sweep ARP scan
 auxiliary/scanner/discovery/udp_sweep UDP scan
 auxiliary/scanner/netbios/nbname NETBIOS scan
 auxiliary/scanner/snmp/snmp_enum SNMP Scan
 auxiliary/scanner/smb/smb_version SMB Scan

Port Scanning:

 auxiliary/scanner/portscan/ack TCP ACK port scan
 auxiliary/scanner/portscan/ftpbounce FTP bounce port scanning
 auxiliary/scanner/portscan/syn SYN port scan
 auxiliary/scanner/portscan/tcp TCP port scanning
 auxiliary/scanner/portscan/xmas TCP XMas port scanning

4. Nmap scans the intranet

Nmap is a port scanner that can be used for host discovery, port scanning, version detection, OS detection, etc.

Usage scenario: Establish socks proxy, proxychains+Nmap scan intranet.

Support multiple scanning modes:

• -sT: TCP scan
• -sS: SYN scan-
• sA: ACK scan
• -sF: FIN scan
• -sU: UDP scan
• -sR: RPC scan
• -sP: ICMP scan

Quickly scan all ports:

 nmap -sS -p 1-65535 -v 192.168.99.177