Jason Turley's Website

Automate Host Discovery and Enumeration

While practicing in the provided labs for the eLearnSecurity Junior Penetration Tester (eJPT) certificate exam, I wanted to automate the mundane task of discovering which hosts are up in a given network.

So I cracked open Vim and wrote a short bash script. It’s essentially a wrapper for fping and nmap. The code can be viewed on my GitHub or below.

I named the script eEnum.sh in reference to the lowercase “e” in eLearnSecurity.

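#!/bin/bash
# A wrapper for fping and nmap to help automate host enumeration.

TARGET="$1"
# Placeholder file names; the original values are not shown on this page.
HOST_FILE="hosts.txt"
OUT_FILE="nmap_results.txt"

# Print a usage message (function name reconstructed).
usage() {
        echo "Usage: $0 <TARGET range>"
}

# Find live hosts with fping, then scan them with nmap (function name reconstructed).
enumerate() {
        echo "++ starting fping scan ++"
        fping -a -g "$TARGET" 2>/dev/null | tee "$HOST_FILE"

        echo ""

        echo "++ starting nmap scan ++"
        sudo nmap -p- -A -T4 -iL "$HOST_FILE" -oN "$OUT_FILE"
}

if [ -z "$TARGET" ]; then
        usage
        exit 1
fi

enumerate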

Quick Explanation

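Let’s take a look at the call to fping:

  -a            show only the hosts that are alive
  -g            generate the target list from the given range
  2>/dev/null   discard error messages

The results are printed to stdout and saved to a file with the tee command.

Now for the nmap flags:

  -p-   scan all ports
  -A    enable OS detection, version detection, script scanning and traceroute
  -T4   use the faster "aggressive" timing template
  -iL   read the targets from the host file written by fping
  -oN   save the results to a file in normal output format

All the other code is just there to make the output look prettier.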


The script shown today was super simple, and I created it primarily for the eJPT exam. However, it can easily be extended to discover more host and network information.

For example, add a -oG (output Grepable) flag to nmap and pass the results to nikto to scan for vulnerabilities in web servers.
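The extension suggested above, as an added example (not code from the original post or the author's repository): it parses nmap's grepable (-oG) output and lists host:port pairs for open HTTP services, which is the list that would be handed to nikto. The function names, the GREP_FILE variable and the sample addresses are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: pull open web services out of nmap grepable (-oG) output.
# All names and sample data here are illustrative, not taken from eEnum.sh.

# Print "host:port" for every open port whose service name contains "http".
# Reads the -oG file given as $1, or stdin when no file is given.
web_targets() {
    awk -F'\t' '
    /^Host: / {
        split($1, h, " ")              # "Host: <addr> (<name>)" -> h[2] = addr
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            p = $i
            sub(/^Ports: /, "", p)
            n = split(p, ports, ", ")
            for (j = 1; j <= n; j++) {
                # Each entry: port/state/protocol/owner/service/rpcinfo/version/
                split(ports[j], f, "/")
                if (f[2] == "open" && f[5] ~ /http/) print h[2] ":" f[1]
            }
        }
    }' "$@"
}

# Constructed sample in -oG layout (lab-style addresses, not real scan output).
sample_grepable() {
    printf '# Nmap scan initiated (constructed sample)\n'
    printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/\n'
    printf 'Host: 10.10.10.9 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.9 ()\tPorts: 443/open/tcp//ssl|http//nginx/, 8080/filtered/tcp//http-proxy///, 3306/open/tcp//mysql///\n'
}

# With eEnum.sh, add -oG "$GREP_FILE" (hypothetical variable) to the nmap call, then:
#   web_targets "$GREP_FILE" | while IFS=: read -r host port; do
#       nikto -h "$host" -p "$port"
#   done
sample_grepable | web_targets
```

Only ports in the open state are listed, so the filtered 8080 entry in the sample is skipped. nmap writes a slash inside a service name as "|" in grepable output, which is why the "ssl|http" entry still splits cleanly on "/".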

I encourage you to find a repetitive pen testing task and automate it yourself. It is a lot of fun!