As a new pentester - i wonder how to discover all ipīs on a network if you have a connection to the network and donīt know whatīs on the net. Incl. machines on routed network.

Any good hintīs or tools?

KH3

Host discovery is the very first skill for  a security pro or a hacker. The first thing a hacker does when he goes to a coffee shop is connect to the network and ifconfig and see what dhcp gave him. If his IP is something like 192.168.9.105, then he has an idea of the network range and then will attempt a host discovery. He will first try the default -sS nmap option just to look for low hanging fruit. If anything shows up with -sS or -sT then he knows those might be easier targets. If nothing appears then he steps up his scans. Nmap is the premier open source scanner. There was a tut about it posted on this site  and thats how I found this place  from slashdot, but now its gone. No worries because there are many free nmap tuts out there. Make sure its free, I saw this one dude trying to sell the "secret" of nmap and thats total bs. The only secret is to download and start working with it and not just read about it!

Thanks - I know of and use NMAP, the question here is not to discover host on the LAN where you have and ip, but on the coonected WAN. This is on a closed network with branches. So is there a sure and quick way to discover host connected on other segment (via Cisco routers)? I can not asume that that the other ip segment are same class network.

Depending on how the router is configured, you can sometimes use a tool like Proxycap to tunnel through and then run your scans.

Not all routers will allow you to scan their Lan!

Checking your own IP assigned via DHCP is a good start, and traceroutes. Or, you could just scan all non-routable IPs. They are:

172.16-31.0.0 (or 172.16.0.0/12)
192.168.0.0/16
10.0.0.0/8