Activity 2.1 Host Directory
In this activity you are going to enumerate the hosts in our target network 10.0.5.0/24 using various techniques, beginning with "living-off-the-land" techniques and then adding tools to the mix. You may work with your teammates to come up with the solution, but you will execute the solution in your own environment and submit your own results as deliverables.
There are live systems on 10.0.5.2, .21, .22 and .23 (there may be more as well).
Use Wireshark on Kali to begin a capture on eth0. Go ahead and manually ping 10.0.5.21 and make sure to capture the ICMP echo request and reply.
Ping
Deliverable 1: Provide a screenshot that shows 1 outbound ping and the captured request and reply

Deliverable 2: Write a bash script or one-liner to ping the IPs in the range 10.0.5.2 - 10.0.5.50; your script should output a list of "up" IP addresses into a file called sweep.txt.

output_file="sweep.txt"
> "$output_file"
defines the output file to be sweep.txt and then empties it, overwriting whatever was in the file if the script was run before
for i in $(seq 2 50); do
    ip="10.0.5.$i"
defines ip as "10.0.5.$i" where $i takes each value of the for loop from 2 to 50.
    if ping -c 1 -W 1 "$ip" | grep -q "bytes from"; then
        echo "$ip" >> "$output_file"
    fi
done
if an IP address is pinged and the output contains "bytes from", indicating a successful reply, the IP address is appended to the output file (grep -q suppresses the matched line itself; the if/fi and done close the test and the loop).
echo "sweep results saved in $output_file"
a message is displayed on the screen once the loop has finished and the IP addresses have been written to the file
cat "$output_file"
displays the IP addresses that were put into the file.
-c 1
send only one echo request (ping otherwise keeps going until interrupted)
-W 1
wait at most 1 second for each reply (note the capital -W; lowercase -w sets an overall deadline for the whole run instead)
>
redirects the output of a command to a file and overwrites the existing content of the file
>>
appends the output of a command to a file, preserving any existing content

Deliverable 3: Do the same as above, but with fping. Investigate the switches that allow you to provide a range of IP addresses as well as reporting the "up" hosts.
Great sources used to help out with fping! https://www.supportsages.com/blog/ping-multiple-hosts-at-once

fping -g -r 1 10.0.5.2 10.0.5.50 | grep "alive"
pings all IP addresses within the given range with a retry limit of 1, then greps the results for the word "alive" so only responding hosts are shown.
fping -g -r 1 10.0.5.2 10.0.5.50 | grep "alive" >> fpingoutput.txt
same as above, except the "alive" lines are appended to a file (the grep pattern is required; without it grep reads the pattern from the first line of its input instead).
-g
generates a target list from the given IP range
-r
retry limit, the number of additional attempts made for a target that does not answer (not including the first try)
NMAP
Deliverable 4: Use Nmap's -sn switch to scan 10.0.5.21; it should report that it is up. Capture traffic on eth0 using Wireshark.
-sn
No port scan (host discovery only)

With this scan, nmap is trying to establish that the host is up. It does not need to do this by pinging directly. Nmap was able to tell that the host was up because it reached out to port 80 with a TCP handshake and the host responded. You can see in packet No. 8 that the ping wasn't even successful, but since the host ACKed one of the SYNs, nmap knew it was up.
Deliverable 5. Examine what destination ports and protocols were used in this case. What observations do you have when comparing this to the ping and fping tests?
Both ping and fping required that an ICMP echo reply come back to decide that a host was alive, whereas the nmap -sn scan can work out that a host is alive not only from a ping but also from other exchanges it provokes, such as a TCP handshake.
Deliverable 6. Write a bash one-liner or script that conducts an nmap -sn scan of 10.0.5.2-50 and outputs the list of IP addresses to sweep3.txt, similarly to the code written for ping and fping.
-vv
increased verbosity level (a single -v is the normal level); more detail in the output.
-n
never do DNS resolution (the opposite switch, -R, always resolves)
sudo nmap -n -vv -sn 10.0.5.2-50 | grep -B1 "Host is up" | awk '/Nmap scan report/ {print $NF}' > sweep3.txt
the address is printed on the "Nmap scan report for ..." line directly above "Host is up", so grep -B1 pulls in that preceding line and awk prints its last field, the IP address, into the file; grepping for "Host is up" alone would write only those status lines, with no addresses.

When writing this one-liner I checked to see what message would be displayed when a host was up, and made sure to use that with grep.
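Each of Deliverables 2, 3 and 6 comes down to the same step: picking the "up" addresses out of a tool's output. The script below is an added example, not part of the original activity write-up; it defines one small parser per tool and runs them over constructed sample output (made up here to match each tool's documented format), so it runs without touching any network.

```shell
#!/usr/bin/env sh
# Added example for the activity above. Sample output is constructed, not captured.

# ping: one "bytes from" line per reply; the source IP is the 4th field,
# with a trailing colon, e.g. "64 bytes from 10.0.5.21: icmp_seq=1 ttl=64 time=0.412 ms".
up_from_ping() {
    grep 'bytes from' | awk '{ sub(/:$/, "", $4); print $4 }'
}

# fping: "<ip> is alive" for responders, "<ip> is unreachable" for the rest.
up_from_fping() {
    awk '/ is alive$/ { print $1 }'
}

# nmap grepable output (-oG -): "Host: <ip> ()  Status: Up". These lines carry
# both the address and the state on one line, which is why grepping nmap's
# normal output for "Host is up" alone yields status lines but no addresses.
up_from_nmap_grepable() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Constructed sample output for each tool (real nmap separates fields with a tab;
# awk's default whitespace splitting handles either).
PING_SAMPLE='PING 10.0.5.21 (10.0.5.21) 56(84) bytes of data.
64 bytes from 10.0.5.21: icmp_seq=1 ttl=64 time=0.412 ms

--- 10.0.5.21 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms'

FPING_SAMPLE='10.0.5.2 is alive
10.0.5.3 is unreachable
10.0.5.21 is alive
10.0.5.22 is alive'

NMAP_SAMPLE='# Nmap [version] scan initiated [date] as: nmap -n -sn -oG - 10.0.5.2-50
Host: 10.0.5.2 ()  Status: Up
Host: 10.0.5.21 ()  Status: Up
Host: 10.0.5.23 ()  Status: Up
# Nmap done at [date] -- 49 IP addresses (3 hosts up) scanned in 2.10 seconds'

# Each helper reads tool output on stdin and prints one address per line, so it
# drops in exactly where the deliverable one-liners redirect into their files.
main() {
    printf '%s\n' "$PING_SAMPLE"  | up_from_ping
    printf '%s\n' "$FPING_SAMPLE" | up_from_fping
    printf '%s\n' "$NMAP_SAMPLE"  | up_from_nmap_grepable
}
main
```

To use a parser against a live run, replace the printf with the real command, for example fping -g -r 1 10.0.5.2 10.0.5.50 | up_from_fping > fpingoutput.txt, which writes bare addresses instead of whole "is alive" lines.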