(Also posted this on VipHackforums and Ubers)
Well, I got a lot of questions about my personal host discovery.
That's why I made this tutorial on how to discover specific hosts.
Well, first we need to know what kind of subnet we are in.
How to do this?
Well, launch a terminal and type:
ifconfig
You will see an output like this:
Let's grab two things from it:
Your address: 192.168.178.19
Subnet mask: 255.255.255.0
What does this mean?
Well, the address and the subnet mask belong together in a class.
The classes are A, B, C, D and E, but we will only discuss A, B and C because they are the most common.
Class    Range        Subnet mask
A        1 – 126*     255.0.0.0
B        128 – 191    255.255.0.0
C        192 – 223    255.255.255.0
What do you notice here? My address starts with 192, so it is a class C address. A class C address comes with the subnet mask 255.255.255.0.
Now we need to convert our subnet mask to binary to find our CIDR prefix length:
255.255.255.0 = 11111111.11111111.11111111.00000000
Now count the 1's and you'll see a class C address has a CIDR prefix of /24 (24 ones).
Now perform an NMAP scan with the options:
-PR = ARP ping (host discovery via ARP; only works on your local Ethernet segment)
-O = OS detection
-sn = no port scan (if you don't want to search for a specific host you don't have to add this one)
(I use an ARP scan so it will be less "troublesome". I'm also quite a fan of TCP SYN scans (-sS), but I prefer this scan.)
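As an added example (not part of the original post), here is a small Python script that does the mask-to-CIDR conversion from the steps above mechanically, rejects a malformed mask such as 225.225.225.0, classifies the address, and assembles the scan target for the options listed. The function and variable names are my own.

```python
import ipaddress

def prefix_len(mask: str) -> int:
    """Count the 1 bits of a dotted-decimal mask, as done by hand above.
    A valid mask is a contiguous run of 1s followed by 0s; anything else
    (e.g. the typo 225.225.225.0 = 11100001...) is rejected."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones

def address_class(ip: str) -> str:
    """Classful range of the first octet, per the table in the tutorial."""
    first = int(ip.split(".")[0])
    if 1 <= first <= 126:
        return "A"
    if first == 127:
        return "loopback"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    return "E"

def scan_target(ip: str, mask: str) -> str:
    """Network address + prefix, e.g. 192.168.178.19 / 255.255.255.0 -> 192.168.178.0/24."""
    net = ipaddress.IPv4Network(f"{ip}/{prefix_len(mask)}", strict=False)
    return str(net)

def nmap_command(ip: str, mask: str, os_detect: bool = True, port_scan: bool = False) -> str:
    """Build the host-discovery command from the tutorial's options.
    -PR (ARP ping) only reaches hosts on the same Ethernet segment,
    which is exactly the local /24 computed here."""
    opts = ["-PR"]
    if os_detect:
        opts.append("-O")
    if not port_scan:
        opts.append("-sn")
    return "nmap " + " ".join(opts) + " " + scan_target(ip, mask)

if __name__ == "__main__":
    # Constructed sample values taken from the tutorial's ifconfig output.
    print(address_class("192.168.178.19"), nmap_command("192.168.178.19", "255.255.255.0"))
```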
Now, launch the NMAP command with those options and your address/CIDR as the target:
The output will be like this:
Now let's say I want to find the PC of the user RB.
What do we know? We know he runs Windows 7 on his PC.
We see that 192.168.178.17 runs on this. Hmm, let's perform an SMB OS discovery.
Run the command:
nmap --script=smb-os-discovery 192.168.178.17
The output is this:
Now we know 192.168.178.17 is the host we were looking for (RB),
running: Windows 7 Home Premium 7601 Service Pack 1 (Windows 7 Home Premium 6.1)