Week #2 (Jan 21st) Notes - connorethanjay/Champlain-College-CNCS-Notes GitHub Wiki

Ping

Finding live hosts is typically done with a ping command, or via TCP/UDP network scanning.

Finding open ports on a live host, by contrast, is done using TCP/UDP port scanning.

ICMP Codes

Ping Sweeping

Used to scan a network for live hosts; however, it is very noisy, and ICMP requests are often blocked.

NMAP

NMAP is a widely used scanning tool which can scan for open TCP and UDP ports, ICMP responses, and other services. The targets, the intensity of the scan, and the output format can all be changed.

The default NMAP host discovery consists of an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. It then scans the 1,000 most common ports. This can of course be modified.

Examples of NMAP options

  • -sS - SYN Scan - Default scan option used when no scan type is given (when running with root privileges; otherwise nmap falls back to -sT). It initiates a TCP connection but does not complete the three-way handshake.
  • -sT - TCP Connect Scan - Used to gather more information about the host than a stealth scan, since it is a full TCP connection. Completes the three-way handshake.
  • -sU - UDP Scan - Must be run with root (sudo) privileges. UDP scans rely on the ICMP port unreachable replies sent back by systems whose tested ports are closed.
  • -sP - Ping Scan
  • -sO - Protocol scan
  • -sL - List scan (DNS lookups of the targets only; no probes are sent)
  • -p - Port selection, e.g. -p 1-1023. -p- is a shortcut for 1-65535. Example: -p 3389 (RDP)
  • -A - Aggressive Detection - Combines option -sV for service version detection and option -O for OS detection (it also enables script scanning and traceroute).

ARP Ping-Host Discovery

NMAP will send "ARP pings" (ARP requests) to targets on the local network, which can be disabled using --disable-arp-ping. ARP is often blocked on networks.

Host Discovery Lab

Ping Sweep Script #1

  • Uses a for loop over the range 2 to 50 to send one ping packet to each address, greps for the lines containing the wanted information (cutting and trimming unwanted strings), then writes the results to a text file.

Ping Sweep Script #2

  • Uses the fping command with a range between .5.2 and .5.50, greps for the lines containing the wanted information, then writes the results to a text file.

Ping Sweep Script #3

  • Uses a for loop over the range 2 to 50 together with nmap to ping-scan each address (without DNS resolution), uses awk to select the desired field, then writes the results to a text file.
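The three lab scripts above, reconstructed as an added example that is not the lab's own code: each approach is split into the command that runs the sweep and the parsing step (grep and cut for ping, grep and cut for fping, awk for nmap) that keeps only the live address. The parsers are exercised on constructed sample tool output so they can be checked without the lab network; the subnet prefix 10.0.5, the RUN_SWEEP switch and the output file names are assumptions.

```shell
#!/bin/sh
# Added example (not the lab's scripts): three ping-sweep approaches, each split into
# a sweep (runs the tool) and a parser (keeps only the live-host address).
# PREFIX is an assumed lab subnet; the notes only give the host range 2-50.
# The sweeps run only when RUN_SWEEP=1, so the parsers can be tried offline on the
# constructed sample output at the bottom.

PREFIX="${PREFIX:-10.0.5}"   # assumption: lab network prefix
FIRST=2
LAST=50

# Script #1 style: ping once per address, grep the reply line, cut and trim to the IP.
# "64 bytes from 10.0.5.7: icmp_seq=1 ttl=64 time=0.31 ms" -> "10.0.5.7"
parse_ping() {
    grep 'bytes from' | cut -d ' ' -f 4 | tr -d ':'
}

sweep_ping() {
    for i in $(seq "$FIRST" "$LAST"); do
        ping -c 1 -W 1 "$PREFIX.$i" 2>/dev/null | parse_ping
    done > live_hosts_ping.txt
}

# Script #2 style: fping over a generated range; only "is alive" lines are kept.
# "10.0.5.7 is alive" -> "10.0.5.7"; "10.0.5.8 is unreachable" is dropped.
parse_fping() {
    grep 'is alive' | cut -d ' ' -f 1
}

sweep_fping() {
    fping -g "$PREFIX.$FIRST" "$PREFIX.$LAST" 2>/dev/null | parse_fping > live_hosts_fping.txt
}

# Script #3 style: nmap ping scan (-sn) with DNS resolution off (-n); awk picks the
# address field. With -n the report line is "Nmap scan report for 10.0.5.9", so the
# address is field 5 (with DNS on it would be a hostname). Down hosts print no
# report line at all, so nothing is emitted for them.
parse_nmap() {
    awk '/^Nmap scan report for/ { print $5 }'
}

sweep_nmap() {
    for i in $(seq "$FIRST" "$LAST"); do
        nmap -sn -n "$PREFIX.$i" | parse_nmap
    done > live_hosts_nmap.txt
}

# Constructed sample output (not captured from a real lab network) so the parsers
# can be checked offline.
SAMPLE_PING='PING 10.0.5.7 (10.0.5.7) 56(84) bytes of data.
64 bytes from 10.0.5.7: icmp_seq=1 ttl=64 time=0.31 ms

--- 10.0.5.7 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms'

SAMPLE_FPING='10.0.5.7 is alive
10.0.5.8 is unreachable
10.0.5.9 is alive'

SAMPLE_NMAP='Starting Nmap ( https://nmap.org )
Nmap scan report for 10.0.5.9
Host is up (0.00031s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds'

# live_from_sample TOOL: run the matching parser over the constructed output.
live_from_sample() {
    case "$1" in
        ping)  printf '%s\n' "$SAMPLE_PING"  | parse_ping ;;
        fping) printf '%s\n' "$SAMPLE_FPING" | parse_fping ;;
        nmap)  printf '%s\n' "$SAMPLE_NMAP"  | parse_nmap ;;
    esac
}

if [ "${RUN_SWEEP:-0}" = 1 ]; then
    sweep_ping; sweep_fping; sweep_nmap
fi
```

Run with `RUN_SWEEP=1 PREFIX=10.0.5 sh sweep.sh` on the lab network to produce the three text files; without RUN_SWEEP the script only defines the functions, and `live_from_sample nmap` shows what each parser keeps. The nmap parser depends on `-n`: with reverse DNS enabled the fifth field becomes the hostname and the address moves into parentheses, which is exactly why the lab script turned resolution off.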

Reflection for Host Discovery Lab

  • I had trouble with fping initially, but I realized if I narrowed down the flags I was using, it would make things much easier.
  • The same problem as above applies to the NMAP script I made; mostly it took me a minute to think of using awk.

Port Scanning Lab #1

Port Scanner Script #1

Reads the hosts and ports to scan from two text files. Writes "host, port" as a header line, then for each host in the host file and each port in the port file it attempts a TCP connection to that host and port with a 0.1 second timeout to see if the port is open. It writes the open host/port pairs.

What is /dev/tcp?

/dev/tcp is a pseudo-file path that bash interprets to open a TCP connection to a remote host (/dev/tcp/host/port). It is not listed in the /dev folder; bash handles it internally and exposes the connection as a file descriptor that can be read from and written to.
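An added example (not the lab's script) of the /dev/tcp scanner described under Port Scanner Script #1, using the /dev/tcp mechanism explained above. The input file names hosts.txt and ports.txt, the output file name and the CONNECT_TIMEOUT variable are assumptions.

```shell
#!/bin/bash
# Added example (not the lab's own script): a /dev/tcp port scanner in the style of
# Port Scanner Script #1. hosts.txt and ports.txt are assumed input files with one
# host or port per line; the 0.1 s connect timeout follows the notes.
#
# /dev/tcp/HOST/PORT is not a real file: bash intercepts that path in a redirection,
# opens a TCP socket and hands it back as an ordinary file descriptor.

CONNECT_TIMEOUT="${CONNECT_TIMEOUT:-0.1}"   # assumption: name of the timeout knob

# check_port HOST PORT: exit 0 if a TCP connect completes within the timeout.
# The connect runs in a child bash so that a filtered port which never answers is
# cut off by timeout (a refused port fails immediately), and so the socket on fd 3
# is closed as soon as the child exits.
check_port() {
    timeout "$CONNECT_TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# scan_lists HOSTFILE PORTFILE: print the "host, port" header, then one line per
# open host/port pair. Blank lines in either file are skipped.
scan_lists() {
    hostfile=$1
    portfile=$2
    printf 'host, port\n'
    while read -r host; do
        [ -z "$host" ] && continue
        while read -r port; do
            [ -z "$port" ] && continue
            if check_port "$host" "$port"; then
                printf '%s, %s\n' "$host" "$port"
            fi
        done < "$portfile"
    done < "$hostfile"
}

# Usage: ./portscan.sh hosts.txt ports.txt > open_ports.txt
if [ "$#" -eq 2 ]; then
    scan_lists "$1" "$2"
fi
```

Two details matter in practice. /dev/tcp exists only in bash (sh or dash will try to open a literal file and fail), so the shebang and the child shell must both be bash. Without the timeout, a port that is silently dropped by a firewall leaves the connect waiting for the kernel's own TCP timeout, which is tens of seconds per port, so the 0.1 second limit is what keeps the scan from stalling.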