Pings and Sweeps

A ping is a special type of network packet called an ICMP packer. Pings work by sending specific types of networks traffic, called ICMP Echo Request packets, to a specific interface on a computer network device. If the device (and the attached network card) that received the ping packet is turned on and not restricted from responding, the receiving machine will respond back us to the originating machine with an Echo-Reply packet. Aside from telling us that a host is alive and accepting traffic, pings provide other valuable information including the total time it took for the packet to travel to the target and return. Pings also report traffic loss that can be used to gauge the reliability of a network connection.

All modern versions of Linux and Windows include the ping command. The major difference between the Linux and the Windows version is that by default the Windows ping command will send four Echo Request packets and automatically terminate, whereas the Linux ping command will continue to send Echo-Request commands until you force it to stop. On a Linux system, you can force a ping command to stop sending packets by using the CTRL+C combination.

Let’s set an example from performing a ping test to Google

PING google.com (216.58.222.238) 56(84) bytes of data
64 bytes from bog02s06-in-f238.1e100.net (216.58.222.238): icmp_seq=1 ttl=54 time=25.0 ms
64 bytes from bog02s06-in-f238.1e100.net (216.58.222.238): icmp_seq=2 ttl=54 time=23.5 ms
64 bytes from bog02s06-in-f238.1e100.net (216.58.222.238): icmp_seq=3 ttl=54 time=20.0 ms
64 bytes from bog02s06-in-f238.1e100.net (216.58.222.238): icmp_seq=4 ttl=54 time=20.5 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 19.990/22.255/24.973/2.069 ms

Let’s focus our attention on the third line that starts with “64 bytes from…”. This line is telling us that our ICMP Echo Request packet successfully reached the IP address of 216.58.222.238 and that the IP address sent a Reply packet back to our machines. The “64 bytes” in the line indicate the size of the packet being sent. The “time=20.5ms” is telling you how long the entire round trip took for packets to travel to and from the target. The “ttl=54” is a Time To Live value; this is used to determine the maximum number of hops the packet will take before automatically expiring.

Now that you’ve a basic understanding of how the ping command works, let’s see how we leverage this tool as a hacker. Because we know that pings can be useful in determining if a host is alive, we can use the ping tool as a host discovery service. Unfortunately, pinging every potential machine on even a small network would be highly inefficient. Fortunately for us, there are several tools that allow us to conduct ping sweeps. A ping sweep is a series of pings that are automatically sent to a range of IP addresses, rather than manually entering the individual target’s address.a

The simplest way to run a ping sweep is with a tool called FPing. FPing is built into BlackArch and is run from the terminal. The tool can also be downloaded for Windows. The easiest way to run FPing is to open a terminal window and run the following: fping -a 182.271.23.125 182.271.23.255 > hosts.txt. The “-a” switch is used to show only the live hosts in our output. This makes our final report much cleaner and easier to read. The “-g” parameter is used to specify the range of IP addresses we want to sweep. You need to enter both of the beginning and the ending IP addresses. In this example, we scanned all the IPs from 182.271.23.125 to 182.271.23.125. The “>” character is used to pipe the output to a file, and the hosts.txt is used to specify the name of the file our results will be saved to. There are many other parameters that can be used to change the functionality of the FPing command. It’d be so cool if you could perform a couple of searches of videos, wikis and documentation pages about FPing.

Once you’ve run the command above, you can open the hosts.txt file that was created to find a list of target machines that responded to our pings. These IP addresses should be added to your target list for later investigation. It’s important to remember that not every host will respond to ping request; some hosts may be firewalled or otherwise blocking ping packets.