Internal IP Discovery: Blackbox Pentest

TL;DR

You’re doing a blackbox pentest and need to find valid internal IP addresses without knowing the network range. This guide shows you how using ping sweeps, common subnet ranges, and port scanning.

Finding Internal IPs: A Step-by-Step Guide

1. Understand the Problem
   • A ‘blackbox’ pentest means you have no prior knowledge of the target network.
   • You need to discover live hosts (devices) on the internal network.
   • This guide focuses on finding IPs, not exploiting them (that comes later!).
2. Initial Ping Sweep – Common Subnets

   Start by scanning common private IP ranges. These are often used in home and small business networks.

   • 192.168.1.0/24: This is the most common range.

     ping -c 1 192.168.1.1-254

   • 192.168.0.0/24: Another very common range.

     ping -c 1 192.168.0.1-254

   • 10.0.0.0/24: Frequently used in larger networks.

     ping -c 1 10.0.0.1-254

   • 172.16.0.0/12: Used for even bigger networks (less common for basic pentests).

     ping -c 1 172.16.0.1-254

   The -c 1 flag tells ping to send only one packet, making the scan faster.

3. Wider Ping Sweep – Using a Script (Optional)

   For larger ranges or automation, use a script. Here’s a simple Bash example:

   #!/bin/bash
   for i in {1..254}; do
   ping -c 1 192.168.1.$i > /dev/null 2>&1
   if [ $? -eq 0 ]; then
   echo "192.168.1."$i" is alive"
   fi
   done

   Save this as a file (e.g., scan.sh), make it executable (chmod +x scan.sh) and run it (./scan.sh). Adjust the IP address to your target subnet.

4. Nmap for More Detailed Scanning

   Nmap is a powerful network scanner. It can detect open ports, operating systems, and more. It’s much more thorough than ping sweeps but takes longer.

   • Basic Scan of a Single IP:

     nmap 192.168.1.10

   • Scan an Entire Subnet: This is the most useful for finding live hosts.

     nmap -sn 192.168.1.0/24

     The -sn flag performs a ping scan (like our earlier steps) but Nmap handles it more efficiently.

5. Port Scanning to Confirm Live Hosts

   Even if an IP responds to a ping, it doesn’t guarantee a service is running. Scan common ports (80, 443, 21, 22, 23, etc.) to confirm activity.

   nmap -p 80,443,21,22,23 192.168.1.10

6. ARP Scan (If on the Same Network Segment)

   If you’re physically connected to the same network as the target, an ARP scan is very reliable.

   arp -a

   This shows a list of IP addresses and MAC addresses on your local network. Look for entries that correspond to the target range.

7. Analyze Results
   • Record all IPs that respond positively to ping or port scans.
   • Investigate these IPs further (e.g., using web browsers, SSH, etc.).
   • Be careful! Avoid causing disruption during your scan.