Activity 2.1 Host Discovery - JNichollsCyber/SEC-335-Eth-Hacking-Pen-Testing GitHub Wiki
Activity 2.1 Host Discovery
In this activity you are going to enumerate the hosts in our target network 10.0.5.0/24 using various techniques, beginning with "living-off-the-land" techniques and then adding tools to the mix. You may work with your teammates to come up with the solution, but you will execute the solution in your own environment and submit your own results as deliverables.
- There are live systems on 10.0.5.2, .21, .22 and .23 (there may be more as well).
- Use Wireshark on Kali to begin a capture on eth0. Then manually ping 10.0.5.21 and make sure you capture the ICMP echo request and reply.
Ping
Deliverable 1. Provide a screenshot below that shows 1 outbound ping and the captured request and reply.
Deliverable 2. Collaborate with your teammates from Module 1 to write either a bash script or a one-liner that pings the IPs in the range 10.0.5.2 - 10.0.5.50. Your script should output a list of "up" IP addresses into a file called sweep.txt. Submit a screenshot below that shows either your one-liner command or your source code, followed by a cat of sweep.txt.
Hints
1 Ping
- Set timeout to something low
- Look for unique text in a positive response
- Pull the IP out of that response (grep, cut and/or awk might be useful)
- Append the IP to sweep.txt
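As an added example of the approach the hints describe (not the pingsweep.sh from this wiki), the following bash script pings each host in 10.0.5.2-50 once with a one-second timeout, extracts the replying IP from the "bytes from" line, and appends it to sweep.txt. It assumes the iputils ping shipped with Kali (-c count, -W timeout in seconds).

```bash
#!/usr/bin/env bash
# Added example (not the wiki author's pingsweep.sh): sweep 10.0.5.2-50 with
# ping and append responding addresses to sweep.txt, following the hints above.
# Assumes iputils ping as shipped on Kali (-c count, -W timeout in seconds).

# Print the replying IP if the ping output contains a reply line such as
# "64 bytes from 10.0.5.21: icmp_seq=1 ttl=64 time=0.4 ms" (the resolved form
# "64 bytes from host (10.0.5.21):" is handled too). Print nothing for a
# timeout or a "Destination Host Unreachable" report, which has no
# "bytes from" line, so a router answering for a down host is not counted.
up_ip_from_ping() {
  printf '%s\n' "$1" \
    | grep -m1 'bytes from' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | head -n1
}

# Ping every host prefix.first .. prefix.last once with a 1 second timeout
# and write the IPs that replied, one per line, to the output file.
sweep() {
  local prefix=$1 first=$2 last=$3 out=$4 i ip reply up
  : > "$out"                          # start with an empty sweep file
  for i in $(seq "$first" "$last"); do
    ip="$prefix.$i"
    reply=$(ping -c 1 -W 1 "$ip" 2>/dev/null || true)
    up=$(up_ip_from_ping "$reply")
    [ -n "$up" ] && echo "$up" >> "$out"
  done
  return 0
}

# Only run the real sweep when asked for, e.g.:  ./pingsweep.sh --sweep
if [ "${1:-}" = "--sweep" ]; then
  sweep 10.0.5 2 50 sweep.txt
  cat sweep.txt
fi
```

Run it with `--sweep` from Kali to produce sweep.txt; without the flag the script only defines the functions, so the parser can be exercised on saved ping output.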
Bash Script pingsweep.sh:
sweep.txt output:
Fping
Deliverable 3. Now do the same thing with fping. Investigate the switches that let you provide a range of IP addresses and report only the "up" hosts. You may need to discard error messages. Provide a screenshot below.
Bash Script fpingsweep.sh:
sweep2.txt output:
NMAP
- refer to https://nmap.org/book/man-host-discovery.html
Deliverable 4. Use nmap's -sn switch to scan 10.0.5.21; it should report that the host is up. While nmap runs for this exercise, capture traffic on eth0 using Wireshark. Provide a screenshot of your Wireshark output.
Deliverable 5. Closely examine the capture: what destination ports and protocols were used in this case? What do you observe when comparing this to the ping and fping tests?
Nmap sometimes behaves differently when running as a non-privileged user, so be very careful. Preface your scans with sudo, because many nmap operations and options need elevated privileges. If you use output files, they will be written and owned by root, so you may need to adjust their permissions in order to edit them.
Deliverable 6. Write a bash one-liner or script that conducts an nmap -sn scan of 10.0.5.2-50 and outputs the list of IP addresses to sweep3.txt, as you did for ping and fping. Take a screenshot that shows the execution and output.
I was having issues on this deliverable, so to help troubleshoot I added this line so I could see whether the issue was with my bash script or with saving to the file:
I eventually got it to this point:
Final Bash Script:
output: