Activity 2.1: Host Discovery - Ptsoares/SEC_335_Techjournal GitHub Wiki
Overview
The goal of this lab was to start using active reconnaissance techniques, including scanning for live hosts from our Kali box.
Useful commands and instructions
The command below is how I redirected the output of the bash script IPscan.sh (which used nmap for host discovery) to the file "sweep.txt":

```bash
bash [FILENAME].sh > [FILEPATH/FILENAME]
```
The command below is how I used fping to do the same thing as the bash script above, except this is a one-liner as opposed to a script:

```bash
fping -ga [STARTINGIP] [ENDINGIP] 1>[OUTPUTFILE] 2>/dev/null -q
```

In the command above, `-ga` specifies a range of IPs to scan and only outputs the IPs that are alive. `1>` redirects standard output to a file, and `2>` redirects standard error to a file, in this case /dev/null, which simply discards it. `-q` runs this in "quiet mode", but the scan was very fast anyway, so there wasn't much use for it in this context.
Below is a for loop used to ping through the specified range of IP addresses, filter the output down to the responding addresses, and send the result to the file sweep0.txt (the dots in the pattern are escaped so they match literal dots, and `[0-9]{1,3}` covers any last octet; the original pattern required a space after a single-digit octet, which ping never prints, so hosts 10.0.5.2 to 10.0.5.9 were missed):

```bash
for ip in $(seq 2 50); do ping 10.0.5.$ip -c1 -W 1 | grep icmp_seq | grep -oE "10\.0\.5\.[0-9]{1,3}"; done > sweep0.txt
```
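The same sweep written as reusable functions, as an added example that is not part of the original journal: `ping_sweep` runs the loop and discards ping's errors the way the fping one-liner does, and `extract_alive` does the filtering on ping's reply lines. The 10.0.5.0/24 range comes from the page; the sample ping output is constructed so the filter can be checked offline.

```shell
#!/usr/bin/env bash
# Added example (not the journal author's code). Subnet 10.0.5.0/24 and the
# host range 2..50 are taken from the page; everything else is assumed.

# Print the source IP of every "64 bytes from <ip>: icmp_seq=..." reply read
# on stdin, one per line, de-duplicated. Anchoring on "from " and escaping
# the dots avoids the two defects of the original filter: an unescaped "."
# matches any character, and a trailing space after a single-digit octet
# never occurs because ping prints a colon there, so 10.0.5.2 to 10.0.5.9
# were silently dropped from the sweep file.
extract_alive() {
    grep -oE 'from [0-9]{1,3}(\.[0-9]{1,3}){3}' | cut -d' ' -f2 | sort -u
}

# Ping hosts START..END on PREFIX.0/24 (default 10.0.5, 2..50) once each with
# a one-second timeout. stderr is sent to /dev/null, like the fping one-liner
# on this page, so unreachable hosts do not clutter the result.
ping_sweep() {
    local prefix="${1:-10.0.5}" start="${2:-2}" end="${3:-50}"
    for i in $(seq "$start" "$end"); do
        ping -c1 -W1 "$prefix.$i" 2>/dev/null
    done | extract_alive
}

# Constructed sample of ping output (not captured from a real network):
# two hosts answered, one (10.0.5.3) only produced the header line.
SAMPLE_PING_OUTPUT='PING 10.0.5.2 (10.0.5.2) 56(84) bytes of data.
64 bytes from 10.0.5.2: icmp_seq=1 ttl=64 time=0.321 ms
PING 10.0.5.3 (10.0.5.3) 56(84) bytes of data.
PING 10.0.5.23 (10.0.5.23) 56(84) bytes of data.
64 bytes from 10.0.5.23: icmp_seq=1 ttl=64 time=0.455 ms'

# Offline demonstration of the filter on the constructed sample.
printf '%s\n' "$SAMPLE_PING_OUTPUT" | extract_alive

# Against a real network, the deliverable is produced with:
#   ping_sweep 10.0.5 2 50 > sweep0.txt
```

Running the file prints 10.0.5.2 and 10.0.5.23; the header line for 10.0.5.3 is correctly ignored because it contains no reply.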
Issues and troubleshooting
I initially didn't know how to run the bash script that I'd created, so I looked up the proper syntax. Simply running `bash [FILENAME].sh` was the solution.
When using the bash scripts from the textbook to attempt pinging the hosts of the private IP range, I accidentally pointed to the script itself as opposed to the file containing the IPs. Once I did point it to the file with the IPs, I realized I needed to adjust the format because my file was set up as a .csv (comma-separated) rather than one IP per line. Fixing that allowed the script to work as expected.
In order to meet the parameters of the deliverable, I needed to point this output to another file. I refreshed myself on how the `>` symbol works to send the standard output of a script to a file path. I also learned that `:` can be used as a "null" (no-op) command in a bash file, since I wanted to adjust the script without deleting too many things. I used the `>` after my bash command to send the output of the script to a file called "sweep.txt". Since I was making multiple test attempts, I kept using `>` as opposed to `>>` because I wanted to overwrite the contents until I got results I found satisfactory.
I was struggling to figure out how to use fping, and I had a couple of switches set up, but I couldn't figure out how to filter my output properly. A peer pointed me towards another type of redirect I didn't know about yet: `[NUM]>`. After looking at the functionality of this, it was incredibly helpful when I looked at the hints provided in the lab again. This provided both a way for me to "deal with the errors" and direct the output to a file. `1>` was used to redirect standard output, and `2>` was used to redirect standard error. It also took me some time to figure out that I could combine some of the switches; prior to this I was unable to use both the `-a` and `-g` switches, both of which I needed to do this in one line. Once I combined them, fping was able to both filter out the "bad IPs" and cover the specified range of IPs.
Additional questions, references, etc.
Here's a reference to where I got the IPscan script base, which was made by Gus Khawaja.
Kudos to my peer Oliver Mustoe for pointing me in the right direction with the Linux redirects hint! Resources I viewed after our conversation: Standard Error Redirect, Standard Output Redirect.
Zach Morin worked with me on the original ping script in class; since I don't like "for" loops, I used other methods for the different "pings".