Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.Examples of tools and commands that acquire this information include "ping" or "net view" using Net. The contents of the
C:\Windows\System32\Drivers\etc\hostsfile can be viewed to gain insight into the existing hostname to IP mappings on the system.Specific to Mac, the
bonjourprotocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the/etc/hostsfile can be viewed to gain insight into existing hostname to IP mappings on the system.Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the
/etc/hostsfile can be viewed to gain insight into existing hostname to IP mappings on the system.
Identify remote systems with net.exe
Supported Platforms: Windows
net view /domain
net view
Identify remote systems via ping sweep
Supported Platforms: Windows
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
Identify remote systems via arp
Supported Platforms: Windows
arp -a
Identify remote systems via arp
Supported Platforms: Linux, macOS
arp -a | grep -v '^?'
Identify remote systems via ping sweep
Supported Platforms: Linux, macOS
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done