Layer 3 discovery - ICMP

The hping3 command is a powerful discovery utility with a large range of options and operating modes. It can perform discovery at both layer 3 (ICMP) and layer 4 (TCP and UDP).

  1. To perform basic ICMP discovery of a single host with hping3, pass it the IP address to be tested and select ICMP mode:
  2. In the demonstration provided, the process was stopped with Ctrl + C. Like the standard ping utility, hping3 in ICMP mode keeps sending indefinitely unless a packet count is given on the command line. To set the number of attempts, include the -c option with an integer value:
  3. hping3 does not accept an address range as its target, so scanning multiple systems has to be scripted, which is easy to do in bash. First, however, we must identify how the output for a live address differs from the output for a nonresponsive address.
  4. To see the difference, run the same command against an IP address to which no host is assigned:
  5. Comparing the two responses, we can pick a string that appears only on a successful attempt and grep for it. With hping3, the len field (the length of the reply received) is printed only when a reply actually comes back, so grepping for len isolates the successful attempts from the unsuccessful ones.
  6. To test how well this works in a script, we can concatenate the two previous commands and pipe the combined output to grep. If the chosen string is truly unique to successful attempts, only the output for the live host should remain:
  7. Contrary to expectation, grep does not appear to filter the output in this case. Because of how hping3 handles its output, it is difficult to pipe it straight into grep and keep only the desired lines, so we try another route: redirect the output to a file and grep the file instead. To do this, we send the output of both commands used earlier to the handle.txt file:
  8. This attempt was not entirely successful either, since not all of the output ended up in the file, but reading the file shows that enough is captured to build an effective script: the redirected part includes a line that appears only for successful ping attempts and that contains the responding IP address. (What still reaches the terminal, including the statistics summary, is what hping3 writes to stderr; the per-reply lines we need go to stdout.) To verify that this workaround scales, we loop through every address in the /24 range and send the results to the handle.txt file:

We can now open the handle.txt file and see the output of our script:

  9. Even so, a large amount of output is still printed to the terminal (the provided output is truncated for convenience); it consists of the parts of the output that were not redirected to the file. The success of the following script does not depend on suppressing this noise, only on being able to extract the necessary information from the output file:
  10. After the scan loop completes, the output file can be found in the current directory with ls, and the unique string len can be grepped directly from it. Each of the live hosts appears in the output. All that remains is to extract the IP addresses from these lines and then combine the entire process into a single functional script. Have a look at the following set of commands:
  11. Piping the output through a pair of cut commands (first on the space delimiter to keep the second field, ip=<address>, then on = to keep the address itself) extracts the IP addresses. Now that we have a way to scan multiple hosts and easily pick out the results, we can integrate it into a script. A functional script that ties all of these operations together is as follows:
#!/bin/bash

# Expect exactly one argument: the /24 network address to sweep.
if [ "$#" -ne 1 ]; then
echo "Usage - ./ping_sweep.sh [/24 network address]"
echo "Example - ./ping_sweep.sh 172.16.36.0"
echo "Example will perform an ICMP ping sweep of the 172.16.36.0/24 network and output to an output.txt file"
exit 1
fi

# Keep the first three octets (for example 172.16.36.0 -> 172.16.36).
prefix=$(echo "$1" | cut -d '.' -f 1-3)

# Send one ICMP echo request to every host address in the /24 and
# collect hping3's per-reply lines (stdout) in a temporary file.
for addr in $(seq 1 254); do
hping3 $prefix.$addr --icmp -c 1 >> handle.txt
done

# Only reply lines contain "len="; their second space-separated field is
# "ip=<address>", so a second cut on "=" leaves just the address.
grep len handle.txt | cut -d " " -f 2 | cut -d "=" -f 2 >> output.txt
rm handle.txt
  • In the bash script provided, the first line names the bash interpreter. The block that follows tests whether the single expected argument was supplied by checking that the number of arguments is not equal to 1. If it was not, the script prints its usage and exits. The usage text shows that the script expects the /24 network address as its argument.
  • The next line extracts the network prefix from the supplied network address: if 192.168.11.0 was supplied, the prefix variable is assigned 192.168.11. hping3 is then run once against each address in the /24 range, and the output of each run is appended to the handle.txt file.
  • Once the loop completes, grep pulls the lines associated with live host responses out of handle.txt, and two cut commands extract the IP address from each of those lines. The resulting addresses are written to output.txt, and the temporary handle.txt file is removed.
  12. This script is run with a period and forward slash followed by the script name (the file must be executable, and hping3 needs root privileges to send raw packets, so run it with sudo or as root):
  13. Once it completes, the script leaves an output.txt file in the execution directory. This can be verified with ls, and cat can be used to view the contents of the file:
  14. While the script runs, you will still see the same large volume of output that appeared when looping through the task by hand; this is output hping3 writes to stderr, such as the statistics summary, which the redirect does not capture. Your list of discovered hosts is not lost in this noise, since it is written to the output file regardless. If you prefer a quiet run, append 2>/dev/null to the hping3 command inside the loop.
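As an added example of the same technique (this is not the book's ping_sweep.sh), the following bash script separates parsing hping3's output from the sweep itself, so the parser can be exercised offline on a constructed sample while the sweep wrapper needs hping3 and root. The function names extract_live_hosts, icmp_sweep and live_hosts_from_sample, the sample output, and the exact wording of the hping3 banner and statistics lines are assumptions; only the len= and ip= reply fields the text relies on matter to the parser. Unlike the page's script, it discards hping3's stderr with 2>/dev/null and streams the replies into the parser instead of going through a temporary file.

```bash
#!/bin/bash
# Added example, not the book's ping_sweep.sh. Parses hping3 ICMP output into a
# list of responding hosts; the sweep wrapper needs hping3 and root privileges.

# extract_live_hosts: read hping3 output on stdin and print one responding IP
# address per line. Only reply lines start with "len=" and carry an "ip=" field;
# the banner and the statistics block never match, so they are dropped.
extract_live_hosts() {
    awk '
        /^len=/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ip=/) { sub(/^ip=/, "", $i); print $i }
            }
        }
    ' | sort -u -t . -k1,1n -k2,2n -k3,3n -k4,4n   # dedupe, order numerically
}

# icmp_sweep PREFIX: send one ICMP echo request to every host in PREFIX.0/24
# and print the responders. hping3's stderr (banner and statistics) is
# discarded, so no temporary file is needed and the terminal stays quiet.
icmp_sweep() {
    local prefix="$1" addr
    for addr in $(seq 1 254); do
        hping3 "$prefix.$addr" --icmp -c 1 2>/dev/null
    done | extract_live_hosts
}

# Constructed sample (assumed wording): three single-probe runs with stdout and
# stderr merged. Two hosts replied; 172.16.36.2 did not, so it has no len= line.
SAMPLE_OUTPUT='HPING 172.16.36.1 (eth1 172.16.36.1): icmp mode set, 28 headers + 0 data bytes
len=46 ip=172.16.36.1 ttl=64 id=31713 icmp_seq=0 rtt=0.4 ms

--- 172.16.36.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.4 ms
HPING 172.16.36.2 (eth1 172.16.36.2): icmp mode set, 28 headers + 0 data bytes

--- 172.16.36.2 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 172.16.36.135 (eth1 172.16.36.135): icmp mode set, 28 headers + 0 data bytes
len=46 ip=172.16.36.135 ttl=64 id=4215 icmp_seq=0 rtt=1.0 ms

--- 172.16.36.135 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.0/1.0 ms'

# live_hosts_from_sample: run the parser over the constructed sample.
live_hosts_from_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | extract_live_hosts
}

# Usage: ./icmp_sweep.sh 172.16.36   (live sweep of 172.16.36.0/24, run as root)
# With no argument, the parser is demonstrated on the constructed sample.
if [ "$#" -ge 1 ]; then
    icmp_sweep "$1"
else
    live_hosts_from_sample
fi
```

Matching on the len= prefix and the ip= field, rather than grepping for the bare string len anywhere in a line, keeps the parser from picking up the word if it ever appears in a banner or error message, and the sort -u step collapses duplicate replies when the probe count is raised above 1.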