io.kent Posted June 28, 2014

(Also posted this on VipHackforums and Ubers)

Well, I got a lot of questions about my personal host discovery. That's why I made this tutorial on how to discover specific hosts.

NMAP

Well, first we need to know in what kind of subnet we are. How to do this? Well, launch a terminal and type

ifconfig

You will see an output like this:

your address: 192.168.178.19
Subnetmask: 255.255.255.0

What does this mean? Well, the address and the subnet belong together in a class. You can define the classes with A, B, C, D and E, but we will discuss A, B, C because they are the most common.

Class    Range        Subnet
A        1 - 126*     255.0.0.0
B        128 - 191    255.255.0.0
C        192 - 223    255.255.255.0

What do you notice here? My address starts with 192. That means it is a class C address. A class C address comes along with the subnet 255.255.255.0.

Now we need to convert our subnet address to binary to know our CIDR:

255.255.255.0 = 11111111.11111111.11111111.00000000

Now count the 1's and you'll see a class C address has a CIDR of /24 (so 24 1's).

Now perform an NMAP scan with the options:

-PR = ARP scan
-O = OS detection
-sn = no ports (if you don't want to search for a specific host you don't have to add this one)

(I use an ARP scan so it will be less "troublesome". I'm also quite a fan of TCP SYN scans (-sS), but I prefer this scan.)

Now, launch the NMAP command with the options and your address / CIDR:

The output will be like this:

Now let's say I want to find the user's PC of RB. What do we know now? Well, we know he runs his PC on Windows 7. We see that 192.168.178.17 runs on this. Mhh, let's perform an smb os discovery.

Run the command: nmap --script=smb-os-discovery 192.168.178.17

Now we know 192.168.178.17 is the host we were looking for = RB
running: Windows 7 Home Premium 7601 Service Pack 1 (Windows 7 Home Premium 6.1)
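The subnet-to-CIDR step in the post is easy to get wrong by hand (a mistyped mask such as 225.225.225.0 is not a contiguous mask at all). The Python below is an added example, not code from the post or its author: it takes the address and mask that ifconfig reports, checks that the mask is contiguous, counts the 1 bits to get the prefix length, looks up the legacy classful range for the first octet, and derives the network in address/CIDR form. The sample address and mask are the constructed values from the post above; the classful table is the same A/B/C table the post gives.

```python
import ipaddress

# Constructed sample values, copied from the ifconfig output quoted in the post.
SAMPLE_ADDRESS = "192.168.178.19"
SAMPLE_MASK = "255.255.255.0"

# Legacy classful ranges (first octet -> class and its default mask), as in the post's table.
CLASSFUL_RANGES = (
    ("A", 1, 126, "255.0.0.0"),
    ("B", 128, 191, "255.255.0.0"),
    ("C", 192, 223, "255.255.255.0"),
)


def mask_to_binary(mask: str) -> str:
    """Render a dotted-quad mask as 32 binary digits (no dots), e.g. 255.255.255.0 -> 1^24 0^8."""
    octets = mask.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask}")
    return "".join(f"{int(o):08b}" for o in octets)


def mask_to_prefix(mask: str) -> int:
    """Count the leading 1 bits of a subnet mask; reject masks whose 1 bits are not contiguous."""
    bits = mask_to_binary(mask)
    # A valid mask is some 1s followed only by 0s, so the substring "01" must never occur.
    if "01" in bits:
        raise ValueError(f"not a contiguous subnet mask: {mask}")
    return bits.count("1")


def address_class(address: str):
    """Return (class letter, default classful mask) for the first octet, or (None, None)."""
    first = int(address.split(".")[0])
    for name, low, high, default_mask in CLASSFUL_RANGES:
        if low <= first <= high:
            return name, default_mask
    return None, None


def describe(address: str, mask: str) -> dict:
    """Combine the steps from the post: mask -> prefix, address -> class, and the network in CIDR form."""
    prefix = mask_to_prefix(mask)
    cls, default_mask = address_class(address)
    # strict=False lets us pass a host address; ip_network zeroes the host bits for us.
    network = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    usable = network.num_addresses - 2 if prefix <= 30 else network.num_addresses
    return {
        "class": cls,
        "mask_is_classful_default": default_mask == mask,
        "prefix": prefix,
        "network": str(network),      # what you would hand to a scanner, e.g. 192.168.178.0/24
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    info = describe(SAMPLE_ADDRESS, SAMPLE_MASK)
    for key, value in info.items():
        print(f"{key}: {value}")
    # The mistyped mask from the post's ifconfig excerpt is rejected rather than silently miscounted.
    try:
        mask_to_prefix("225.225.225.0")
    except ValueError as err:
        print(f"rejected: {err}")
```

One caveat worth keeping in mind: the class lookup is only the historical default. Real networks use the mask that ifconfig actually reports (VLSM), so `mask_is_classful_default` being False is normal and the prefix counted from the live mask is the value to trust.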