Activity 2.1 ‐ Host Discovery ‐ JM - Jacob-Mayotte/SEC335_Tech_Journal GitHub Wiki

Goal of assignment:

In this activity you are going to enumerate the hosts in our target network 10.0.5.0/24 using various techniques beginning with "living-off-the-land techniques" and then by adding tools to the mix. You may work with your teammates to come up with the solution but you will execute the solution in your own environment and submit your own results as deliverables.

There are live systems on 10.0.5.2, .21, .22 and .23 (there may be more as well). Use Wireshark on Kali to begin a capture on eth0, then manually ping 10.0.5.21 and make sure the capture shows both the ICMP echo request and the echo reply.

Tools Used:

  • ping
  • fping
  • nmap

Ping: Collaborate with your teammates from Module 1 to write either a bash script or a one-liner to ping the IPs in the range 10.0.5.2 - 10.0.5.50. Your script should output a list of "up" IP addresses into a file called sweep.txt.

Command used: for ip in $(seq 2 50); do ping -c 1 -W 1 "10.0.5.$ip" | grep "64 bytes" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"; done > sweep.txt

for ip in $(seq 2 50); do ping -c 1 -W 1 "10.0.5.$ip" - a for loop over the last octet 2 through 50 that sends one echo request (-c 1) to each address 10.0.5.2 - 10.0.5.50. -W 1 makes ping give up after one second on a host that does not answer; without it iputils ping can wait up to about ten seconds on each dead address, which makes a serial sweep of 49 hosts slow.

| grep "64 bytes" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"; done > sweep.txt - keeps only the reply lines ("64 bytes from 10.0.5.21: icmp_seq=1 ..."), then the second grep with -o prints just the dotted-quad IP address matched by the regex from each of those lines. The redirect after done sends the whole loop's output into sweep.txt, so the file contains one up address per line.

Fping: do the same thing with fping

Command used: sudo fping -s -g 10.0.5.2 10.0.5.50 2>/dev/null | grep "is alive" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" > sweep2.txt

sudo fping -s -g 10.0.5.2 10.0.5.50 - pings every address from 10.0.5.2 to 10.0.5.50 (-g generates the range from the two endpoints) and, with -s, prints summary statistics when it finishes. fping sends its probes concurrently instead of one host at a time, and prints a line such as "10.0.5.21 is alive" on stdout for each host that answers.

2>/dev/null - discards stderr only, not all output. That is where fping writes the -s statistics and its error messages for hosts that did not answer; the "is alive" lines are on stdout and still reach the pipe.

| grep "is alive" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" > sweep2.txt - keeps only the "is alive" lines, pulls the IP address out of each with the same regex as the ping sweep, and writes the result to sweep2.txt. Using > rather than >> means a re-run overwrites the file instead of appending duplicate entries. sweep2.txt should match sweep.txt; if it does not, the difference is a host that answered one sweep and not the other.

Nmap: do the same thing as with fping and ping


Commands used:

sudo nmap -sn 10.0.5.21

sudo nmap -sn -n 10.0.5.2-50 | grep for | cut -d ' ' -f 5 | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" > sweep3.txt

sudo nmap -sn 10.0.5.21 - provided as an example. -sn means host discovery only, no port scan; nmap reports only hosts that responded to the discovery probes. Run as root on the same Ethernet segment, nmap -sn discovers hosts with ARP requests rather than ICMP echo, so it can find a host that drops ICMP and that ping and fping miss; comparing sweep3.txt with sweep.txt is a useful check.

sudo nmap -sn -n 10.0.5.2-50 - sweeps the range 10.0.5.2 through 10.0.5.50. -n disables reverse DNS lookups, so every report line has the form "Nmap scan report for 10.0.5.21"; without it a resolvable host prints "Nmap scan report for hostname (10.0.5.21)", the fifth field becomes the hostname, and the final regex silently drops that host.

grep for - keeps the "Nmap scan report for ..." lines and discards "Host is up" and "Nmap done" lines.

cut -d ' ' -f 5 - splits each line on a single space (the delimiter is the space character between the quotes) and extracts the fifth field: Nmap(1) scan(2) report(3) for(4) 10.0.5.21(5). Written as cut -d '' -f 5 with nothing between the quotes, GNU cut treats the empty string as a NUL delimiter; no line contains a NUL, so the whole line passes through untouched and the trailing regex grep does all the work. The regex grep is kept as a safety net that guarantees only a dotted-quad address lands in sweep3.txt.
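The three one-liners above each hard-code one tool's output format and run ping serially. As an added example (my own code, not part of the original journal or the assignment), here is a small POSIX shell script that sends the ping probes in parallel with a one-second timeout and funnels the output of ping, fping or nmap through a single parser, including the reverse-DNS form of nmap's report line that the cut-based approach loses and the out-of-range octets the regex alone would accept. The sample output it parses is constructed, not captured from the lab network, and the function names and the `live` argument are my own; it assumes iputils ping (for -W) plus the usual grep, awk and sort.

```shell
#!/bin/sh
# Added example for this journal entry, not the original lab commands.
# Assumes iputils ping (-W), POSIX grep/awk/sort. The sample output below is
# constructed for the demo; nothing here was captured from 10.0.5.0/24.

# parse_up_hosts: read raw ping / fping / nmap output on stdin and print one
# "up" IPv4 address per line, numerically sorted and de-duplicated.
# Lines it keeps:
#   ping : 64 bytes from 10.0.5.21: icmp_seq=1 ttl=64 time=0.40 ms
#   fping: 10.0.5.21 is alive
#   nmap : Nmap scan report for 10.0.5.21
#          Nmap scan report for web01.lab (10.0.5.23)    <- reverse-DNS form
# Lines it drops: "Destination Host Unreachable", "is unreachable",
# "Host is up", "Nmap done: ..." and anything else.
parse_up_hosts() {
  grep -E '64 bytes from|is alive|Nmap scan report for' \
    | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | awk -F . '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
    | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# ping_sweep NET FIRST LAST: probe NET.FIRST .. NET.LAST concurrently.
# -c 1 sends a single echo request; -W 1 makes a silent host cost one second
# instead of ping's default lingering wait. Replies and "Destination Host
# Unreachable" notices go to stdout; stderr carries only errors such as
# "Network is unreachable", so discarding it loses nothing the parser wants.
ping_sweep() {
  net=$1; first=$2; last=$3
  i=$first
  while [ "$i" -le "$last" ]; do
    ping -c 1 -W 1 "$net.$i" 2>/dev/null &
    i=$((i + 1))
  done
  wait   # every backgrounded ping has exited (or timed out) before we return
}

# Constructed sample mixing all three tools' formats (not real lab output).
SAMPLE_OUTPUT='64 bytes from 10.0.5.21: icmp_seq=1 ttl=64 time=0.40 ms
From 10.0.5.1 icmp_seq=1 Destination Host Unreachable
10.0.5.22 is alive
10.0.5.3 is unreachable
Nmap scan report for 10.0.5.2
Host is up (0.00050s latency).
Nmap scan report for web01.lab (10.0.5.23)
Nmap scan report for 10.0.5.21
Nmap done: 49 IP addresses (4 hosts up) scanned in 2.41 seconds'

# demo_parse: run the parser over the built-in sample.
demo_parse() {
  printf '%s\n' "$SAMPLE_OUTPUT" | parse_up_hosts
}

# Usage: ./sweep.sh        -> parse the built-in sample (offline)
#        ./sweep.sh live   -> real parallel sweep of 10.0.5.2-50 into sweep.txt
if [ "${1:-}" = "live" ]; then
  ping_sweep 10.0.5 2 50 | parse_up_hosts > sweep.txt
  wc -l sweep.txt
else
  demo_parse
fi
```

The same parser also works on the fping and nmap one-liners: `sudo fping -g 10.0.5.2 10.0.5.50 2>/dev/null | parse_up_hosts` and `sudo nmap -sn 10.0.5.2-50 | parse_up_hosts` produce files in the same order, which makes `diff` between the three sweeps a one-line sanity check for hosts that answer ARP but not ICMP.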

Trials & Tribulations:

I really enjoyed this lab and thought it was a great introduction to fping, ping, and nmap. I really enjoyed working with my classmates on the first few deliverables; I enjoyed the collaborative troubleshooting a lot.

I struggled at first to place myself in the right mindset or perspective for this type of work. I feel like I always struggle to understand what a command is actually doing, so breaking it down helps a lot. I found myself having to query a lot about the different tags used, or different tools that could be incorporated into a command (cut, regex, etc.).

This really showed for me on the last deliverable (6). I struggled at first with combining the commands, but once I went gap by gap through the command, I was able to understand why I was receiving all of Nmap's scan output. I realized I had to cut out the useless information, and I did that with the 'cut' tool. Once I implemented that delimiter, it was smooth sailing, and then I could reuse my regex from an earlier command.

Sources: