Educational Purposes Only!
NMAP ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. NMAP uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. - https://nmap.org/
NMAP (ICMP Ping Based) Examples
ifconfig //to find the network address segment to start looking at, based on the attacker's location; you can also guess other network segments to scan later.
wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.43.57 netmask 255.255.255.0 broadcast 192.168.43.255
inet6 fe80::daa9:97f:e49:74a7 prefixlen 64 scopeid 0x20<link>
ether 38:ba:f8:79:73:9a txqueuelen 1000 (Ethernet)
RX packets 38616 bytes 44083665 (42.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21495 bytes 2530134 (2.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
nmap -sn 192.168.43.1-254 //192.168.43 is the network portion, .1-254 are the possible hosts, so we test every host on the network. -sn is a ping sweep only (no port scan); drop -sn to port scan each host, and add -n to skip reverse-DNS lookups, which speeds the sweep up.
Starting Nmap 7.40 ( https://nmap.org ) at 2019-11-20 00:37 GMT
Nmap scan report for 192.168.43.1 <-- Actual VM
Host is up (0.0041s latency).
Nmap scan report for 192.168.43.57 <-- Computer hosting VM
Host is up (0.00026s latency).
Nmap done: 254 IP addresses (2 hosts up) scanned in 11.97 seconds
nmap -sC -sV -vvv -oA ~/Documents/nmapscan.txt 192.168.43.1
Starting Nmap 7.40 ( https://nmap.org ) at 2019-11-20 00:44 GMT
Nmap scan report for 192.168.43.1
Host is up (0.021s latency). <-- host is up and responding
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.51 <-- Useful Info
| bind.version: dnsmasq-2.51
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.49 seconds
Top tip - You can use NSE scripts to test if something is vulnerable:
nmap --script ftp-vsftpd-backdoor -p 21 <target-ip>
Netdiscover (ARP Based) Example
sudo netdiscover -r 192.168.43.0/24 (if you know your subnet segment, use the range above; it makes finding the other machines much easier!)
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 1 hosts. Total size: 126
IP At MAC Address Count Len MAC Vendor / Hostname
192.168.43.1 b4:c4:fc:f8:63:7e 3 126 Unknown vendor <-- My VM (must be on the same network and subnet; accommodation wifi likes to mess with this)
The above mainly assumes DHCP, because user-defined static IPs tend to be harder to track down.
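The workflow above (read your own interface address, derive the sweep range, ping-sweep it, service-scan the host you found, or confirm it with an ARP-based netdiscover run) is easy to get wrong by hand when the netmask is not a plain /24. The following Python is an added example, not part of the original page or of the nmap/netdiscover projects: it derives the nmap range from the ifconfig inet/netmask line and then parses the nmap and netdiscover output formats shown above to pull out the live hosts, open ports and ARP-discovered MAC addresses. The sample outputs are constructed from the text on this page; the function names are my own.

```python
"""Derive an nmap sweep range from ifconfig output and parse the resulting
nmap / netdiscover reports. Added example; samples are constructed from the
output shown on the page."""
import ipaddress
import re

# Constructed sample: the ifconfig lines from the page (inet6 line included
# deliberately, to show it is skipped by the IPv4 match).
IFCONFIG_OUTPUT = """\
wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.57  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 fe80::daa9:97f:e49:74a7  prefixlen 64  scopeid 0x20<link>
"""

# Constructed sample: the nmap -sn (ping sweep) normal output from the page.
NMAP_SN_OUTPUT = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2019-11-20 00:37 GMT
Nmap scan report for 192.168.43.1
Host is up (0.0041s latency).
Nmap scan report for 192.168.43.57
Host is up (0.00026s latency).
Nmap done: 254 IP addresses (2 hosts up) scanned in 11.97 seconds
"""

# Constructed sample: the nmap -sC -sV service scan from the page.
NMAP_SV_OUTPUT = """\
Nmap scan report for 192.168.43.1
Host is up (0.021s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.51
| bind.version: dnsmasq-2.51
Nmap done: 1 IP address (1 host up) scanned in 15.49 seconds
"""

# Constructed sample: the netdiscover table from the page.
NETDISCOVER_OUTPUT = """\
 IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 192.168.43.1  b4:c4:fc:f8:63:7e      3     126  Unknown vendor
"""

INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+)\s+netmask (\d+\.\d+\.\d+\.\d+)", re.M)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$", re.M)
ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.M | re.I)


def sweep_range(ifconfig_text):
    """Return (own_ip, nmap target spec) from the first IPv4 'inet' line.
    strict=False lets ipaddress derive the network from a host address."""
    m = INET_RE.search(ifconfig_text)
    if not m:
        raise ValueError("no IPv4 inet line found")
    ip, mask = m.groups()
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    hosts = list(net.hosts())
    # A /24 or smaller fits nmap's last-octet range form (e.g. 192.168.43.1-254);
    # anything wider, or a /32 with no host range, is passed as CIDR instead.
    if net.prefixlen >= 24 and hosts:
        first, last = hosts[0], hosts[-1]
        prefix = ".".join(str(first).split(".")[:3])
        return ip, f"{prefix}.{first.packed[3]}-{last.packed[3]}"
    return ip, str(net)


def live_hosts(nmap_text):
    """List the addresses nmap reported as up, in report order.
    Handles both 'report for 1.2.3.4' and 'report for name (1.2.3.4)'."""
    hosts, current = [], None
    for line in nmap_text.splitlines():
        m = re.match(r"Nmap scan report for (.+)", line)
        if m:
            target = m.group(1).strip()
            ipm = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)$", target)
            current = ipm.group(1) if ipm else target
        elif line.startswith("Host is up") and current:
            hosts.append(current)
            current = None
    return hosts


def open_ports(nmap_text):
    """Return (port, proto, service, version) for every line in the open state."""
    return [(int(port), proto, svc, (ver or "").strip())
            for port, proto, state, svc, ver in PORT_RE.findall(nmap_text)
            if state == "open"]


def parse_netdiscover(text):
    """Map each ARP-discovered IP to its MAC address."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(text)}


if __name__ == "__main__":
    own, rng = sweep_range(IFCONFIG_OUTPUT)
    print(f"own address {own}; sweep with: nmap -sn {rng}")
    others = [h for h in live_hosts(NMAP_SN_OUTPUT) if h != own]
    print("other live hosts:", others)
    print("open ports on target:", open_ports(NMAP_SV_OUTPUT))
    print("ARP neighbours:", parse_netdiscover(NETDISCOVER_OUTPUT))
```

Filtering out your own address (the machine hosting the VM also answers the ping sweep, as the page's output shows) is what leaves just the VM; the ARP table from netdiscover is the cross-check when the sweep comes back empty because ICMP is filtered but the host is still on the same L2 segment.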
Useful Link: https://pentester.land/tips-n-tricks/2018/06/26/How-to-get-the-IP-address-of-a-downloaded-vulnerable-machine.html