Automate Host Discovery and Enumeration
While practicing in the provided labs for the eLearnSecurity Junior Penetration Tester (eJPT) certificate exam, I wanted to automate the mundane task of discovering which hosts are up in a given network.
So I cracked open Vim and wrote a short bash script. It’s essentially a wrapper for fping and nmap. The code can be viewed on my GitHub or viewed below.
I named the script eEnum.sh in reference to the lowercase “e” in eLearnSecurity.
```bash
#!/bin/bash
# A wrapper for fping and nmap to help automate host enumeration.
TARGET=$1
HOST_FILE="alive_hosts.txt"
OUT_FILE="nmap_scan.txt"

print_usage()
{
    echo "Usage: $0 <TARGET range>"
}

scan()
{
    echo "++ starting fping scan ++"
    # -a: list only alive hosts, -g: expand the target range; fping's errors are discarded
    fping -a -g "$TARGET" 2>/dev/null | tee "$HOST_FILE"
    echo ""
    echo "++ starting nmap scan ++"
    # all ports, -A for version/OS/scripts/traceroute, hosts taken from fping's output
    sudo nmap -p- -A -T4 -iL "$HOST_FILE" -oN "$OUT_FILE"
}

if [ -z "$TARGET" ]; then
    print_usage
    exit 1
fi

scan
```
Quick Explanation
Let’s take a look at the call to fping:
- fping: like ping, but can scan more than one host
- -a: only show alive (aka running) hosts
- -g: scan a range of addresses
- 2>/dev/null: do not show any errors
The results are printed to stdout and saved to a file with the tee command.
Now for the nmap flags:
- -p-: scan all 65535 ports
- -A: enable service version detection (-sV), OS detection (-O), the default scripts (-sC), and traceroute
- -iL: use results from fping as our input list
- -oN: save results to a file
All the other code is just there to make the output look prettier.
eExtend
The script shown today is super simple, and I created it primarily for the eJPT exam. However, it can easily be extended to discover more host and network information.
For example, add a -oG (output Grepable) flag to nmap and pass the results to nikto to scan for vulnerabilities in web servers.
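As an added example of that extension (not part of eEnum.sh or the original post), the script below parses the grepable file that -oG would produce and prints one host:port per open web service, which is the list a web scanner such as nikto would be pointed at. The sample scan output is constructed for the demonstration; the file name nmap_scan.gnmap and the function names are assumptions.

```shell
#!/bin/sh
# Added example: turn eEnum.sh's nmap results into a target list for a web
# scanner. Expects the grepable file produced by adding -oG to the nmap call.

# A constructed sample of nmap -oG output (not a real scan), used for the
# demonstration below. Fields are tab-separated; nmap writes any "/" inside
# service and version strings as "|" (hence "ssl|http").
sample_og() {
    printf '# Nmap 7.94 scan initiated as: nmap -p- -A -T4 -iL alive_hosts.txt -oG nmap_scan.gnmap\n'
    printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/open/tcp//ssl|http//Apache httpd 2.4.41/\tIgnored State: closed (65532)\n'
    printf 'Host: 10.10.10.6 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.6 ()\tPorts: 8080/open/tcp//http-proxy//Squid 4.10/, 3306/filtered/tcp//mysql///\tIgnored State: closed (65533)\n'
    printf 'Host: 10.10.10.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/\tIgnored State: closed (65534)\n'
    printf '# Nmap done -- 3 IP addresses (3 hosts up) scanned\n'
}

# web_targets FILE: print one "host:port" per port that is open and whose
# service name contains "http" (http, ssl|http, http-proxy, http-alt, ...).
# Filtered/closed ports and non-web services are skipped.
web_targets() {
    awk '
    BEGIN { FS = "\t" }
    /^Host: / {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            sub(/^Ports: /, "", $i)
            n = split($i, ports, /, /)
            for (j = 1; j <= n; j++) {
                # each entry is port/state/proto/owner/service/rpc/version/
                split(ports[j], f, "/")
                if (f[2] == "open" && f[5] ~ /http/) print host ":" f[1]
            }
        }
    }' "$1"
}

# Stand-alone use: ./web_targets.sh nmap_scan.gnmap
if [ "$#" -gt 0 ]; then
    web_targets "$1"
fi
```

Running it on the sample prints 10.10.10.5:80, 10.10.10.5:443 and 10.10.10.6:8080; the filtered MySQL port and the SSH-only host are left out.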
I encourage you to find a repetitive pen testing task and automate it yourself. It is a lot of fun!