How to do it...

  1. Most people who work in the IT industry are familiar with the ping tool. To determine whether a host is alive using ping, you only need to pass the IP address that you wish to test to the command as an argument:
  2. When this command is issued, an ICMP echo request is sent directly to the IP address provided. Several conditions must be true in order to receive a reply to this ICMP echo request. These conditions are as follows:
    • The IP address tested must be assigned to a system
    • The system must be alive and online
    • There must be an available route from the scanning system to the target IP
    • The system must be configured to respond to ICMP traffic
    • There should not be any host-based or network firewall between the scanning system and the target IP that is configured to drop ICMP traffic
  3. As you can see, a lot of variables factor into the success of ICMP discovery. It is for this reason that ICMP can be somewhat unreliable; but unlike ARP, it is carried over IP and is therefore routable, so it can be used to discover hosts outside of the LAN. Notice that in the previous example, ^C appears in the output of the ping command. This signifies that an interrupt (specifically, Ctrl + C) was sent to stop the process. Unlike Windows, the ping command included in Linux distributions will, by default, ping a target host indefinitely.
  4. However, the -c option can be used to specify the number of ICMP echo requests to be sent. Using this option, the process ends gracefully once a reply has been received for each packet sent or the timeout has been reached. Have a look at the following command:
  5. In the same way that ARPing can be used in a bash script to cycle through multiple IPs in parallel, ping can be combined with bash scripting to perform layer 3 discovery on multiple hosts in parallel. To write such a script, we need to identify how the output of a successful ping request differs from that of a failed one. To do this, we first ping a host that we know to be alive and responding to ICMP, and then follow it up with a ping request to a nonresponsive address. The following commands demonstrate this:
  6. As with the ARPing requests, the string bytes from is only present in the output associated with a live IP address, and it appears on the same line as that address. In the same fashion, we can extract the IP address from any successful ping request using a combination of grep and cut:
  7. By employing this task sequence in a loop over a range of target IP addresses, we can quickly identify live hosts that respond to ICMP echo requests. The output is a simple list of live IP addresses. An example script that uses this technique can be seen here:
#!/bin/bash

# Exactly one argument (the /24 network address) is expected; otherwise print usage and exit with an error.
if [ "$#" -ne 1 ]; then
    echo "Usage - ./ping_sweep.sh [/24 network address]"
    echo "Example - ./ping_sweep.sh 172.16.36.0"
    echo " Example will perform an ICMP ping sweep of the 172.16.36.0/24 network and print the live hosts"
    exit 1
fi

# Keep the first three octets, e.g. 172.16.36.0 -> 172.16.36
prefix=$(echo "$1" | cut -d '.' -f 1-3)

# One echo request per host; keep only reply lines and extract the IP from field 4 ("172.16.36.1:").
# The trailing & runs each ping in the background so the 254 requests proceed in parallel.
for addr in $(seq 1 254); do
    ping -c 1 "$prefix.$addr" | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &
done

# Do not return to the shell until every background ping has finished.
wait
  • In the provided bash script, the first line defines the location of the bash interpreter. The block of code that follows tests whether the single expected argument was supplied, by evaluating whether the number of supplied arguments is not equal to 1. If it was not, the script's usage is printed and the script exits. The usage output indicates that the script expects the /24 network address as an argument.
  • The next line extracts the network prefix from the supplied network address. For example, if 192.168.11.0 is supplied, the prefix variable is assigned 192.168.11. A for loop then cycles through the values of the last octet to generate each possible IP address in the /24 network. For each address, a single ping request is issued. The output of each request is piped to grep, which keeps only lines containing the phrase bytes from; these are exactly the lines that carry the IP addresses of live hosts.
  • Finally, a pair of cut commands extracts the IP address from that line. Notice that an ampersand, rather than a semicolon, terminates the command inside the for loop. The ampersand runs each ping in the background, so the requests are performed in parallel instead of in sequence. This drastically reduces the time required to scan the IP range.
  8. The script can then be executed with a period and forward slash, followed by the name of the executable script:
  9. When executed without any arguments, the script returns the usage. When executed with a network address, the task sequence begins, and a list of live IP addresses is returned. As with the previous scripts, the output of this script can be redirected to a text file for later use with a greater-than sign followed by the name of the output file.

  10. In the example provided, the ls command confirms that the output file was created. The contents of this output file can be viewed by passing the filename as an argument to the cat command.
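The following script is an added example, not code from the book, that puts the whole procedure above into one runnable file. The grep/cut extraction is factored into a function so it can be exercised on its own; the sweep adds a one-second reply timeout (-W, an iputils ping option on Linux) so that nonresponsive hosts do not stall the scan; and a final wait keeps the script from returning before the background pings finish. The sample ping outputs embedded at the bottom are constructed, not captured from real hosts, and the 172.16.36.0/24 addresses are simply the book's example range.

```shell
#!/bin/bash
# Added example (not from the original page): ICMP ping sweep of a /24
# with the reply-parsing step factored out so it can be checked offline.

# Read ping output on stdin and print the IP address of every reply line.
# Only genuine echo replies contain "bytes from". Unreachable notices
# ("From 172.16.36.10 icmp_seq=1 Destination Host Unreachable", where the
# address is the scanner's own or a router's) and the statistics block do
# not match, so grep drops them. sort -u collapses multiple replies from
# the same host (e.g. when -c is greater than 1) into one line.
extract_live_ip() {
    grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 | sort -u
}

# Sweep every host in the /24 that contains the supplied address.
# -c 1: one echo request per host; -W 1: give up waiting for a reply
# after one second (iputils ping on Linux; on BSD/macOS -W is in ms).
ping_sweep() {
    prefix=$(echo "$1" | cut -d '.' -f 1-3)
    for addr in $(seq 1 254); do
        ping -c 1 -W 1 "$prefix.$addr" 2>/dev/null | extract_live_ip &
    done
    wait    # do not return until every background ping has finished
}

# Constructed sample outputs in iputils ping format (not captured from
# real hosts), used below to exercise extract_live_ip without a network.
sample_alive='PING 172.16.36.1 (172.16.36.1) 56(84) bytes of data.
64 bytes from 172.16.36.1: icmp_seq=1 ttl=64 time=0.229 ms
64 bytes from 172.16.36.1: icmp_seq=2 ttl=64 time=0.301 ms

--- 172.16.36.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms'

sample_unreachable='PING 172.16.36.2 (172.16.36.2) 56(84) bytes of data.
From 172.16.36.10 icmp_seq=1 Destination Host Unreachable

--- 172.16.36.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms'

sample_timeout='PING 172.16.36.4 (172.16.36.4) 56(84) bytes of data.

--- 172.16.36.4 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms'

if [ "$#" -eq 1 ]; then
    # Usage: ./ping_sweep.sh 172.16.36.0 > output.txt
    ping_sweep "$1"
else
    # No network argument: show the extraction step on the samples instead.
    printf '%s\n' "$sample_alive" | extract_live_ip        # prints 172.16.36.1
    printf '%s\n' "$sample_unreachable" | extract_live_ip  # prints nothing
    printf '%s\n' "$sample_timeout" | extract_live_ip      # prints nothing
fi
```

Run it with the network address to sweep (redirecting to a file if you want to keep the list), or with no argument to see the extraction step applied to the three constructed samples. The unreachable case matters in practice: without the "bytes from" filter, the From line would leak the scanner's own address (or a router's) into the list of "live" hosts.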