Network Mapping & Traversal - NMAP & Netdiscover

Educational Purposes Only!

"Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts." -

NMAP (ICMP Ping Based) Examples
//To find the network segment to start from, look at the attacker machine's own address (ifconfig output below); other segments can always be guessed and scanned later.
wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500  
        inet  netmask  broadcast
        inet6 fe80::daa9:97f:e49:74a7  prefixlen 64  scopeid 0x20<link>
        ether 38:ba:f8:79:73:9a  txqueuelen 1000  (Ethernet)
        RX packets 38616  bytes 44083665 (42.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21495  bytes 2530134 (2.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Host discovery

nmap -sn  
//192.168.43 is the network portion and the last octet is the host, so we test all 254 possible hosts on the segment. -sn means "no port scan" (host discovery only); add -n to skip the reverse-DNS lookup on each address, which is quieter and faster. Drop -sn if you want to port scan each host instead. Note that as root on the local subnet nmap discovers hosts with ARP requests, not ICMP; the ICMP echo/timestamp and TCP SYN/ACK probes are only used for targets that are not on the local link.
Starting Nmap 7.40 ( ) at 2019-11-20 00:37 GMT  
Nmap scan report for  <-- Actual VM  
Host is up (0.0041s latency).  
Nmap scan report for  -<-- Computer hosting VM  
Host is up (0.00026s latency).  
Nmap done: 254 IP addresses (2 hosts up) scanned in 11.97 seconds  

Intense/noisy scan

nmap -sC -sV -vvv -oA  ~/Documents/nmapscan.txt  
//-sC runs the default NSE script set and -sV probes each open port for the service version, which is what makes this loud. -oA takes a basename and writes three files (.nmap, .gnmap, .xml), so the ".txt" here ends up as nmapscan.txt.nmap and so on; give it a basename without an extension.
Starting Nmap 7.40 ( ) at 2019-11-20 00:44 GMT  
Nmap scan report for  
Host is up (0.021s latency).  <-- host is up and responding  
Not shown: 999 closed ports  
53/tcp open  domain  dnsmasq 2.51  <-- Useful Info  
| dns-nsid:
| bind.version: dnsmasq-2.51

Service detection performed. Please report any incorrect results at .  
Nmap done: 1 IP address (1 host up) scanned in 15.49 seconds  
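The two stages above (a quiet -sn sweep to find live hosts, then the noisy -sC -sV scan only against those hosts) can be chained so the intrusive scan never touches the 252 dead addresses. The script below is an added example and is not from the original page or from the Nmap project. The interface address 192.168.43.17, the /24 mask and the sample grepable output are all constructed assumptions; only nmap's real -sn, -n, -oG, -iL, -sC, -sV and -oA options are used.

```shell
#!/bin/sh
# Added example: two-stage nmap workflow (discovery sweep, then service scan of live hosts only).
# Assumptions: nmap is on PATH; the attacker's own address is on a /24 (assumed 192.168.43.17).
set -u

# Turn a host address into its /24 network in CIDR form (assumes a /24 netmask).
cidr24_from_ip() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# Read nmap grepable output (-oG) on stdin and print only the addresses reported as up.
# Grepable host lines look like: "Host: 192.168.43.1 ()   Status: Up"
live_hosts_from_grepable() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Constructed sample of "nmap -sn -n -oG -" output, not captured from a real scan,
# used to exercise the parser offline.
SAMPLE_GREPABLE='# Nmap 7.40 scan initiated Wed Nov 20 00:37:00 2019 as: nmap -sn -n -oG - 192.168.43.0/24
Host: 192.168.43.1 ()   Status: Up
Host: 192.168.43.162 () Status: Up
# Nmap done at Wed Nov 20 00:37:12 2019 -- 256 IP addresses (2 hosts up) scanned in 11.97 seconds'

# Stage 1: host discovery only (-sn, no port scan; ARP on the local subnet when run as root,
#          -n to avoid reverse-DNS noise), parsed into a host list.
# Stage 2: default scripts + version detection (-sC -sV) against the live hosts only (-iL),
#          written to all three formats with -oA (basename, no extension).
discover_and_scan() {
    cidr=$1
    base=$2
    command -v nmap >/dev/null 2>&1 || { echo "nmap not installed" >&2; return 1; }
    nmap -sn -n -oG - "$cidr" | live_hosts_from_grepable > "$base.hosts" || return 1
    if [ ! -s "$base.hosts" ]; then
        echo "no live hosts found in $cidr" >&2
        return 0
    fi
    nmap -sC -sV -n -iL "$base.hosts" -oA "$base"
}

# Usage: RUN_WORKFLOW=1 MY_IP=192.168.43.17 OUT_BASE=~/Documents/nmapscan sh discover.sh
# (run as root so the -sn sweep uses ARP on the local segment).
if [ "${RUN_WORKFLOW:-0}" = 1 ]; then
    discover_and_scan "$(cidr24_from_ip "${MY_IP:-192.168.43.17}")" "${OUT_BASE:-$HOME/nmapscan}"
fi
```

The host list is written to a file so the noisy second stage can be re-run or narrowed by hand (delete the gateway from it, for example) without sweeping the segment again.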

Top tip - You can use NSE scripts to test if something is vulnerable:
nmap --script ftp-vsftpd-backdoor -p 21
//Check a script's categories and behaviour with --script-help before running it; ftp-vsftpd-backdoor is in the exploit/intrusive categories, so it actively triggers the backdoor rather than just fingerprinting the banner. Only run such scripts where you have authorisation.

Netdiscover (ARP Based) Example
sudo netdiscover -r (-r takes a CIDR range; if you know your subnet segment from the ifconfig output above, use it and you will find the other machines much faster. Without -r netdiscover auto-scans the common private ranges, and -p switches to passive mode, which only listens for ARP traffic instead of sending requests.)  
Currently scanning: Finished!  |  Screen View: Unique Hosts               

3 Captured ARP Req/Rep packets, from 1 hosts.  Total size: 126  
  IP            At MAC Address    Count    Len  MAC Vendor / Hostname     
-----------------------------------------------------------------------------
                 b4:c4:fc:f8:63:7e      3    126  Unknown vendor  <-- My VM  (must be on the same network and subnet; accommodation wifi likes to mess with this)  

The above mainly assumes DHCP-assigned addresses in one predictable range; hosts with user-defined static IPs may sit in a range you would not guess and so need a wider scan to find.

Useful Link: