One of the steps in scanning process is investigating target and checking weather system is up or down and what services or ports are open. For this number of tools can be used. We will have quick look at this tools and see how they work.
Checking for Live Systems
Ping is great for performing initial scanning, It works by using ICMP (Internet Control Message Protocol). Ping works very simply by sending ICMP echo request to another system. If system is on it will send ICMP echo reply. Ping can provide information like TTL and turn around speed. With some useful switches we can also determine frame size. In some cases if ping is disabled on firewall you will not get reply back. In this case other scanning techniques must be used.
The other way to ping remote is system is by using nmap
nmap -sP -v google.com Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 09:20 EDT Initiating Ping Scan at 09:20 Scanning google.com (18.104.22.168) [2 ports] Completed Ping Scan at 09:20, 0.03s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 09:20 Completed Parallel DNS resolution of 1 host. at 09:20, 0.04s elapsed Nmap scan report for google.com (22.214.171.124) Host is up (0.019s latency). rDNS record for 126.96.36.199: yyz08s13-in-f142.1e100.net Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
Performing ping sweep with nmap.
#nmap -sP -PE -PA21,23,80,3389 192.168.0.1-80 Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 09:29 EDT Nmap scan report for 192.168.0.1 Host is up (0.00024s latency). MAC Address: B4:0C:25:4B:8A:12 (Palo Alto Networks) Nmap scan report for 192.168.0.2 Host is up (0.0012s latency). MAC Address: 00:24:F7:3D:2C:00 (Cisco Systems) Nmap scan report for 192.168.0.6 Host is up (0.0020s latency). MAC Address: 00:24:C3:47:2A:C0 (Cisco Systems) Nmap scan report for 192.168.0.15 Host is up (-0.097s latency). MAC Address: 00:CA:E5:67:A3:40 (Unknown) Nmap scan report for 192.168.0.29 Host is up (0.00065s latency). MAC Address: 00:1E:4F:BC:ED:1A (Dell) Nmap scan report for 192.168.0.18 Host is up. Nmap done: 80 IP addresses (6 hosts up) scanned in 1.91 seconds
Drawback of ping sweeps
1. Can be blocked by firewall
2. Can be detected by IDS
3. Can not detect systems that are down
More useful nmap commands
Scan a single IP
Scan a host
Scan a range of IPs
Scan a subnet
Scan targets from a text file
hping3 is more advanced in a sense that it can not only send ICMP packets but it also can craft TCP/IP packets allowing us to asess response from remote host. It suports TCP, UDP, ICMP, RAW-IP.
Lets see some basic examples:
hping3 -1 mysite.com HPING mysite.com (eth0 x.x.x.x): icmp mode set, 28 headers + 0 data bytes len=46 ip=x.x.x.x ttl=55 id=57282 icmp_seq=0 rtt=11.8 ms len=46 ip=x.x.x.x ttl=55 id=10785 icmp_seq=1 rtt=16.1 ms len=46 ip=x.x.x.x ttl=55 id=26850 icmp_seq=2 rtt=16.2 ms len=46 ip=x.x.x.x ttl=55 id=43625 icmp_seq=3 rtt=20.4 ms ^C --- ontla.on.ca hping statistic --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 11.8/16.1/20.4 ms
In this example we will check weather firewall is blocking ping requests.