Enumeration Cheatsheets

Network Enumeration and Host Discovery Cheatsheet

This post contains various commands and methods for performing enumeration of a network. This article will be expanded upon as time goes on.

Quick Host Discovery using ARP Protocol

Using NETDISCOVER to perform an ARP scan:
sudo netdiscover -i <interface> -r <targetSubnet>

Using ARP-SCAN to perform an ARP scan:
sudo arp-scan -I <interface> <targetSubnet>

Identifying your Immediate Routes and Gateways

Windows will show the default gateway:
ipconfig /all

In Linux, you can use TRACEROUTE:
traceroute <targetIP> -m 5

In Linux, you can look at the routing table:

To see which routes you may have access to:
ip route show dev <interface>

Portscanning with Nmap and Hping


My go-to nmap command:
sudo nmap -sV -sC -p- <ipAddr> -oA nmap/top1000

Using Nmap for a pingsweep without port discovery:
sudo nmap -PE -sn -n <ipRange> -oA nmap/pingsweep

Using Nmap for pingsweep, with top 20 port discovery:
sudo nmap -PE -n <ipRange> --top-ports 20

Using Nmap to scan UDP ports:
sudo nmap -sU <ipRange>

Using Nmap for ARP Scan:
sudo nmap -PR -sn <ipRange>

Sometimes filtering may in place to only allow certain source ports on the network. To get around that, we could use the following Nmap command to scan DNS port 53 with a source port of 53:
sudo nmap -sS --source-port 53 -p 53 <ipRange> -oA nmap/dns-servers


Hping is also useful as its always a good idea to get a 2nd opinion. The following will scan a specific port with 3 SYN packets.
sudo hping3 -S <ipAddr> -p <port> -c 3

To use Hping to scan a port range, but exclude port 525:
sudo hping3 -S --scan '80,445,500-550,!525' <ipAddr> -V

To use Hping for UDP scans:
sudo hping3 -2 --scan 1-1000 <ipAddr>

Sometimes filtering may in place to only allow certain source ports on the network. To get around that, we could use the following Hping command to scan DNS port 53 with a source port of 53:
sudo hping3 -S -s 53 -k -p 53 <ipAddr>

Host Enumeration Using FPing

We can leverage fPing to do a quick search on the network for alive hosts.
fping -A <targetIP>

We can also add an option to limit the number of retries attempted, speeding up the execution.
fping -A <targetIP> -r 0

Adding another option will allow us to view the time it took to retrieve the reply.
fping -A <targetIP> -e

To sweep a network efficiently, without retires, and only display the alive hosts:
fping -q -a -g -r 0 -e

From within a Meterpreter session:

Display the network adapters and their associated IP addresses:

Display nearby machines on the network:

Display entries on the local routing table:

Perform an ARP scan for a given IP range:
run arp_scanner -r

View existing configured routes in Metasploit:
route print

Forward specific port to a remote host, through the Meterpreter session. Any traffic send to the local port of our localsystem will route through the Meterpreter session.
portfwd add -l <localPort> -p <remotePort> <destinationIP>

Handy Metasploit modules:

Run a ping sweep through a compromised system:
use post/multi/gather/ping_sweep

Configure a Metasploit route for pivoting:
use post/multi/manage/autoroute

You can also configure a route while interacting with a Meterpreter session:
run autoroute -s <subnet>

Run a TCP port scan (you may want to configure a route first):
use auxiliary/scanner/portscan/tcp

Configure a Socks4 proxy for pivoting. Any traffic routed through the proxy will route through the Metasploit routing table:

Windows Utilities (LOLbins)

Display network adapters, DNS servers, and additional details:
ipconfig /all

Identify details about the DNS cache:
ipconfig /displaydns

To view details about ports and services on the system:
netstat -ano

Tips & Tricks

Quickly Formatting Nmap Output to Comma Separate Open Ports

There are times where you want to run a quick Nmap scan to see what ports are open, and then rerun a more in-depth Nmap scan on those specific ports. Doing it this way will allow you to lessen the amount of time it takes to run the scan, as you aren’t wasting time trying to run Nmap scripts or enumerate version information on ports that aren’t open.

Your initial scan make look something like this.

sudo nmap -p- <target> -oA nmap/quick

You can then run the following to retrieve a command separated list of open ports you can copy/paste to your next command.

cat nmap/quick | grep open | awk -F/ '{print $1}' ORS=','; echo

Tips & Tricks

Searching for NSE Scripts Built-in to Nmap

Using the following line of code will help you search through the available NSE scripts built into the nmap tool.

locate -r nse$|grep <term>

For example, we could search through LDAP related scripts with:

locate -r nse$|grep ldap

You can then use one of the scripts using -- script <scriptname>

For example, if we wanted to run the script /usr/share/nmap/scripts/ldap-search.nse, we would use the following command.

nmap -p 389 --script ldap-search -Pn

Note: -Pn just skips the host discovery portion of the process. I did this because I know the box is already alive with that port at that address.