Activity 2.1 Host Discovery - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

In this Activity, we explored various methods of host discovery. Link to code used in this Activity

Notes

Host Discovery

On my Kali box, I first did some pings and, in Wireshark, looked at how they flowed.
I then wrote the following ping script to ping all of the IPs in the range of 10.0.5.2-50.

Ping script below and link here:

#!/bin/bash
# Script to ping range of 10.0.5.2-10.0.5.50
# For each item in the sequence
for ip in $(seq 2 50)
do
	# Ping each IP once; grep keeps the summary line only when every packet was lost
	IsUp=$(ping -c 1 -i .02 10.0.5.$ip | grep "100% packet loss")
	# If the variable is empty (no "100% packet loss" line, so the ping was answered)
	# Quoting "$IsUp" keeps the test valid when the variable is empty
	if [ -z "$IsUp" ]
	then
		echo "10.0.5.$ip" >> ./sweep.txt
	fi
done

Breakdown of flags:

  1. "-c 1" tells ping to send only a certain count of packets, -c, in this case 1.
  2. "-i .02" sets the interval between packets, -i, to .02 seconds. Anything below .02 would require sudo.
  3. "-z" inside a test (the square brackets) checks whether a string or variable is zero-length, -z, aka has nothing in it. -n is the opposite: non-zero length, aka has something in it.

This script should produce the following results:
(screenshot of the script's output; image not reproduced here)

Then I did the same operation with a bash fping one liner (I also made it into a script here):

fping -ga 10.0.5.2 10.0.5.50 2>/dev/null >> sweep.txt

Breakdown of flags and /dev/null:

  1. "-g" generates a target list from a netmask or from a starting and ending IP. "-a" only shows systems that are alive. Together they generate the target list 10.0.5.2-10.0.5.50 and display only the hosts that answered.
  2. "2>/dev/null" redirects standard error (file descriptor 2) to /dev/null, discarding the ICMP error messages fping prints for hosts that do not respond, so only the alive hosts reach sweep.txt.

This one liner should produce the following results:
(screenshot of the one-liner's output; image not reproduced here)

I then used Wireshark to get better acquainted with nmap. After which, I made this bash nmap one liner (and I made it into a script here):

sudo nmap -n -sn 10.0.5.2-50 | awk '/Nmap scan report for/ {print $5}' >> sweep.txt

MAKE SURE TO RUN IN SUDO FOR CORRECT RESULTS!!!

Breakdown of flags and awk:

  1. "-n" tells nmap never to do reverse DNS resolution on the active IPs it finds, which speeds up the command.
  2. "-sn" indicates a ping scan with no port scan after discovery. Run as root it uses ICMP and TCP probes on multiple ports to discover hosts; run unprivileged it falls back to plain TCP connect probes, which is why the note above says to use sudo.
  3. "awk '/Nmap scan report for/ {print $5}'" uses awk to select the lines containing the string "Nmap scan report for", /Nmap scan report for/, (which nmap prints for each host that is up) and print the 5th whitespace-delimited field, {print $5}. By default awk splits fields on whitespace; fields are numbered from 1, and $0 is the whole line. With -n there is no hostname on that line, so field 5 is the IP address.

This one liner should produce the following results:
(screenshot of the one-liner's output; image not reproduced here)

LINK TO PAGE SOURCE LIST

Trials, Tribulations and Commentary

  • Use nmap as sudo
  • Use workspaces in Kali to work effectively without having to constantly be switching between tabs (recommended to have 1 workspace always a terminal and 1 always a web browser.)
  • When running these sorts of network commands, having Wireshark open (or dedicating a workspace to it :)) to monitor the traffic is very useful

ping and fping vs nmap

As seen in screenshots throughout this technical journal, ping and fping do not read the host 10.0.5.31 as up while nmap does. I believe that this is because the host 10.0.5.31 blocks ICMP in some sort of way (possibly a firewall, Windows?). I do not believe that either the ping or fping scripts/one-liners need to be changed to accommodate this, as they would have no way to clearly indicate this particular situation (at least not any way I know about.) I believe this to be a simple matter of proving that nmap is the better choice for verbose host discovery compared to ping and fping, since the blocking of ICMP hampers ping's and fping's abilities.
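The discrepancy described above can be made visible from the two outputs alone. The script below is an added example, not part of the journal or its linked repository: it extracts the IPs from "Nmap scan report for" lines (handling both the -n form, where the IP is the last field, and the reverse-DNS form "hostname (IP)", which the awk '{print $5}' one-liner above would mis-parse) and then lists every host nmap saw that the ICMP-only sweep did not. Those hosts are the candidates that drop ICMP echo, such as 10.0.5.31 in the journal's run. Both inputs are constructed sample text embedded in the script; in practice they would come from sweep.txt and the nmap output.

```shell
#!/bin/sh
# Added example (not from the journal): reconcile an ICMP ping/fping sweep with nmap -sn output.

# Constructed sample: the list that the ping script / fping one-liner appends to sweep.txt
PING_SWEEP='10.0.5.2
10.0.5.10
10.0.5.50'

# Constructed sample of "nmap -sn" output. One line is in the reverse-DNS form
# "hostname (IP)" so that both layouts of the "Nmap scan report for" line are covered.
NMAP_OUTPUT='Starting Nmap ( https://nmap.org )
Nmap scan report for 10.0.5.2
Host is up (0.00045s latency).
Nmap scan report for 10.0.5.10
Host is up (0.00051s latency).
Nmap scan report for winbox.lab.local (10.0.5.31)
Host is up (0.0012s latency).
Nmap scan report for 10.0.5.50
Host is up (0.00039s latency).
Nmap done: 49 IP addresses (4 hosts up) scanned in 2.31 seconds'

# Read nmap output on stdin and print one IP per "Nmap scan report for" line.
# With -n the IP is the last field; without -n nmap prints "hostname (IP)", so
# taking the last field and stripping the parentheses works for both forms
# (the journal's '{print $5}' only works for the -n form).
nmap_hosts() {
    awk '/^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# $1 = ICMP sweep list (one IP per line), $2 = raw nmap -sn output.
# Prints every IP nmap reported up that is absent from the ICMP sweep:
# these are the hosts that answered nmap's TCP probes but not an ICMP echo.
icmp_silent_hosts() {
    ping_list=$1
    printf '%s\n' "$2" | nmap_hosts | while IFS= read -r ip; do
        # -x matches the whole line, -F treats the IP as a fixed string (dots are not wildcards)
        printf '%s\n' "$ping_list" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

echo "Hosts nmap reported up:"
printf '%s\n' "$NMAP_OUTPUT" | nmap_hosts
echo "Hosts seen by nmap but missed by the ICMP sweep (likely dropping ICMP echo):"
icmp_silent_hosts "$PING_SWEEP" "$NMAP_OUTPUT"
```

To use it against real data, replace the two constructed variables with `PING_SWEEP=$(cat sweep.txt)` and `NMAP_OUTPUT=$(sudo nmap -sn 10.0.5.2-50)`; the comparison logic is unchanged. A host that shows up only in the nmap column is worth a second look from the defender's side, since a firewall policy that drops ICMP but leaves TCP ports reachable hides the host from simple ping sweeps without actually reducing its exposure.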