One of the most basic steps in mapping out a network is performing an automated ping
sweep on a range of IP addresses and network blocks to determine if individual devices
or systems are alive. Ping is traditionally used to send ICMP ECHO (ICMP Type 8)
packets to a target system in an attempt to elicit an ICMP ECHO_REPLY (ICMP Type 0)
indicating the target system is alive. Although ping is acceptable to determine the number
of systems alive in a small-to-midsize network (Class C is 254 and Class B is 65,534
potential hosts), it is inefficient for larger, enterprise networks. Scanning larger Class A
networks (16,277,214 potential hosts) can take hours if not days to complete. You must
therefore learn a number of ways to discover live systems.
Network pinging is the act of sending certain types of traffic to a target and analyzing
the results (or lack thereof). Typically, pinging utilizes ICMP (Internet Control Message
Protocol) and, although not the only packets available for this function, ICMP tends to be
the most heavily supported. Alternatively, TCP or UDP packets can serve the same
function of finding a host that is alive on the network.
To perform an ICMP ping sweep, you can use a myriad of tools available for both
UNIX and Windows. One of the tried-and-true techniques of performing ping sweeps in
the UNIX world is to use fping. Unlike more traditional ping sweep utilities, which
wait for a response from each system before moving on to the next potential host, fping
is a utility that will send out massively parallel ping requests in a round-robin fashion.
Thus, fping will sweep many IP addresses significantly faster than ping. fping can be
used in one of two ways: you can feed it a series of IP addresses from standard input
(stdin) or you can have it read from a file. Having fping read from a file is easy; simply
create your file with IP addresses on each line:
192.168.51.1
192.168.51.2
192.168.51.3
...
192.168.51.253
192.168.51.254
Then use the -f parameter to read in the file:
[root]$ fping -a -f in.txt
192.168.1.254 is alive
192.168.1.227 is alive
192.168.1.224 is alive
...
192.168.1.3 is alive
192.168.1.2 is alive
192.168.1.1 is alive
192.168.1.190 is alive
The -a option of fping will show only systems that are alive. You can also combine
it with the -d option to resolve hostnames if you choose. We prefer to use the -a option
with shell scripts and the -d option when we are interested in targeting systems that
have unique hostnames. Other options such as -f may interest you when scripting ping
sweeps. Type fping -h for a full listing of available options. Another utility is nmap from Fyodor.
[root] nmap -sP 192.168.1.0/24
Starting nmap V. 4.68 by fyodor@insecure.org (www.insecure.org/nmap/)
Host (192.168.1.0) seems to be a subnet broadcast
address (returned 3 extra pings).
Host (192.168.1.1) appears to be up.
Host (192.168.1.10) appears to be up.
Host (192.168.1.11) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) seems to be a subnet broadcast
address (returned 3 extra pings).
Nmap run completed -- 256 IP addresses (10 hosts up) scanned in 21 seconds
For the Windows-inclined, we like the tried-and-true freeware product SuperScan
from Foundstone. It is one of the fastest ping sweep utilities
available. Like fping, SuperScan sends out multiple ICMP ECHO packets (in addition
to three other types of ICMP) in parallel and simply waits and listens for responses. Also like
fping, SuperScan allows you to resolve hostnames and view the output in an HTML file.
For those technically minded, here’s a brief synopsis of the different types of ICMP
packets that can be used to ping a host.
The primary ICMP types are
• Message Type: 0 – Echo Reply
• Message Type: 3 – Destination Unreachable
• Message Type: 4 – Source Quench
• Message Type: 5 – Redirect
• Message Type: 8 – Echo
• Message Type: 11 – Time Exceeded
• Message Type: 12 – Parameter Problem
• Message Type: 13 – Timestamp
• Message Type: 14 – Timestamp Reply
• Message Type: 15 – Information Request
• Message Type: 16 – Information Reply
Any of these ICMP message types could potentially be used to discover a host on the
network; it just depends on the target’s ICMP implementation and how it responds to
these packet types. How the different operating systems respond or don’t respond to the
various ICMP types also aids in remote OS detection.
You may be wondering what happens if ICMP is blocked by the target site. Good
question. It is not uncommon to come across a security-conscious site that has blocked
ICMP at the border router or firewall. Although ICMP may be blocked, some additional
tools and techniques can be used to determine if systems are actually alive. However,
they are not as accurate or as efficient as a normal ping sweep.
When ICMP traffic is blocked, port scanning is the first alternate technique to determine
live hosts. By scanning for common ports on every potential IP address, we can determine which hosts are alive
if we can identify open or listening ports on the target system. This technique can be
time-consuming, but it can often unearth rogue systems or highly protected systems.
For Windows, the tool we recommend is SuperScan. As discussed earlier, SuperScan
will perform both host and service discovery using ICMP and TCP/UDP, respectively.
Using the TCP/UDP port scan options, you can determine whether a host is alive or
not—without using ICMP at all. You simply select the check box for each protocol you
wish to use and the type of technique you desire, and you are off to the races.
Another tool used for this host discovery technique is the UNIX/Windows tool
nmap. The Windows version, which is nmap with the Windows wrapper called Zenmap,
is now well supported so, for the truly command line challenged amongst you, you can
easily download the latest Windows version at nmap.org and get scanning quickly. Be
aware that the product installs WinPcap: if you have not installed this application on
your Windows system before, you should know that it is a packet filter driver that allows
nmap to read and write raw packets from and to the wire. nmap for Windows allows for
a number of ping options to discover hosts on a network. These host discovery options
have long been available to the UNIX world, but now Windows users can also leverage them.
As mentioned previously, nmap does provide the capability to perform ICMP sweeps.
However, it offers a more advanced option called TCP ping scan. A TCP ping scan is
initiated with the -PT option and a port number such as 80. We use 80 because it is a
common port that sites will allow through their border routers to systems on their
demilitarized zone (DMZ), or even better, through their main firewall(s). This option will
spew out TCP ACK packets to the target network and wait for RST packets indicating
the host is alive. ACK packets are sent because they are more likely to get through a
nonstateful packet filter, such as an access list on a router running Cisco IOS. Here's an example:
[root] nmap -sP -PT80 192.168.1.0/24
TCP probe port is 80
Starting nmap V. 4.68
Host (192.168.1.0) appears to be up.
Host (192.168.1.1) appears to be up.
Host shadow (192.168.1.10) appears to be up.
Host (192.168.1.11) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) appears to be up.
Nmap run completed (10 hosts up) scanned in 5 seconds
As you can see, this method is quite effective in determining if systems are alive,
even if the site blocks ICMP. It is worth trying a few iterations of this type of scan with
common ports such as SMTP (25), POP (110), AUTH (113), IMAP (143), or other ports
that may be unique to the site.
For the advanced technical reader, Hping2 from www.hping.org is an amazing TCP
ping utility for UNIX that should be in your toolbox. With additional TCP functionality
beyond nmap, Hping2 allows the user to control specific options of the UDP, TCP, or
Raw IP packet that may allow it to pass through certain access control devices.
To perform a simple TCP ping scan, set the TCP destination port with the –p option.
By doing this you can circumvent some access control devices similar to the traceroute
technique. Hping2 can be used to perform TCP and UDP ping
sweeps, and it has the ability to fragment packets, potentially bypassing some access
control devices. Here’s an example:
[root]# hping2 192.168.0.2 -S -p 80 -f
HPING 192.168.0.2 (eth0 192.168.0.2): S set, 40 data bytes
60 bytes from 192.168.0.2: flags=SA seq=0 ttl=64 id=418 win=5840 time=3.2 ms
60 bytes from 192.168.0.2: flags=SA seq=1 ttl=64 id=420 win=5840 time=2.1 ms
60 bytes from 192.168.0.2: flags=SA seq=2 ttl=64 id=422 win=5840 time=2.0 ms
--- 192.168.0.2 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
In some cases, simple access control devices cannot handle fragmented packets
correctly, thus allowing our packets to pass through and determine if the target system
is alive. Notice that the TCP SYN (S) flag and the TCP ACK (A) flag are returned whenever
a port is open (flags=SA). Hping2 can easily be integrated into shell scripts by using the
-c N packet count option, where N is the number of packets to send before moving on.
Although this method is not as fast as some of the ICMP ping sweep methods mentioned
earlier, it may be necessary given the configuration of the target network.
The final tool we will analyze is icmpenum, from Simple Nomad. This UNIX utility
is a handy ICMP enumeration tool that allows you to quickly identify systems that are
alive by sending the traditional ICMP ECHO packets as well as ICMP TIMESTAMP
REQUEST and ICMP INFO REQUEST (similar to SuperScan). Thus, if ingress (inbound)
ICMP ECHO packets are dropped by a border router or firewall, it may still be possible
to identify systems using one of these alternate ICMP types:
[shadow] icmpenum -i 2 -c 192.168.1.0
192.168.1.1 is up
192.168.1.10 is up
192.168.1.11 is up
192.168.1.15 is up
192.168.1.20 is up
192.168.1.103 is up
In this example, we enumerated the entire 192.168.1.0 Class C network using an
ICMP TIME STAMP REQUEST. However, the real power of icmpenum is to identify
systems using spoofed packets to avoid detection. Spoofed packets do not carry the
scanner's true, legitimate IP address as their source address, thereby making it look like
the scan is coming from another host on the network. This technique is possible because
icmpenum supports the ability to spoof packets with the -s option and passively listen
for responses with the -p switch.
To summarize, this step allows us to determine exactly what systems are alive via
ICMP or through selective port scans. Out of 255 potential addresses within the Class C
range, we have determined that several hosts are alive and have now become our targets
for subsequent interrogation.