Target Discovery

Created On 26. Jan 2020

Updated: 2021-05-01 23:44:19.128293000 +0000

Created By: acidghost

We will cover some tools that discover targets on Open Systems Interconnection (OSI) layers 2 and 3.
You can find a good explanation of the differences between these two layers here: https://www.aussiebroadband.com.au/blog/difference-layer-3-layer-2-networks/
In short: layer 2 networks work with MAC addresses, which always stay the same, while layer 3 deals with IP addresses, which sit at a higher abstraction layer and can change.

Layer 2 methods:
arping uses Address Resolution Protocol (ARP) requests. ARP only works on the local network segment.
Ping a local address like this:
$ arping 192.168.120.130 -c 1
-c sets the count; in this case it is one request.
In the output, you will know the request succeeded if you get the target MAC address (ff:ff:ff:ff:ff:ff), which is the layer 2 identifier.

Netdiscover is another good tool for ARP-based discovery. In your shell:
$ netdiscover -r 192.168.120.0/24
The /24 gives the range of the entire class C sized network.
Netdiscover can also scan the network passively, which just listens for the ARP traffic that other hosts broadcast. Passive scanning takes longer, but compared to active scanning, where you send requests to the hosts directly, it makes sure you won't be noticed by other machines.
For this, pass the -p argument (it takes no value, so put it before -r and its range):
$ netdiscover -p -r 192.168.120.0/24
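Discovery is only half of the defensive picture: what you usually want to know is which of the hosts an ARP sweep found are not in your asset inventory. The following script is an added example, not code from the original post; it parses netdiscover-style output (a constructed sample, headers included) and compares it against a constructed "MAC IP" inventory, flagging MACs that are unknown or that now answer from a different IP. The function name unknown_hosts and the inventory format are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the hosts an ARP
# sweep (netdiscover/arping style output) found against a known-host
# inventory, so that a new or moved layer 2 neighbour stands out.

# Constructed sample of netdiscover output, header lines included.
SAMPLE_SCAN=' Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.120.1   00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.120.130 00:0c:29:18:0f:08      1      60  VMware, Inc.
 192.168.120.200 de:ad:be:ef:00:01      1      60  Unknown vendor'

# Constructed inventory, one "MAC IP" pair per line; in practice this comes
# from the asset database. MACs are matched case-insensitively.
SAMPLE_INVENTORY='00:50:56:C0:00:08 192.168.120.1
00:0c:29:18:0f:08 192.168.120.130'

# unknown_hosts INVENTORY: read scan output on stdin and print one line
# "IP MAC reason" for every discovered host whose MAC is not inventoried
# ("not-in-inventory") or is inventoried under another IP ("expected-<ip>").
# Lines that do not start with an IPv4 address and a MAC are ignored, which
# drops netdiscover's banner and header lines.
unknown_hosts() {
    awk -v inv="$1" '
    BEGIN {
        n = split(inv, lines, "\n")
        for (i = 1; i <= n; i++) {
            if (split(lines[i], f, " ") >= 2) known[tolower(f[1])] = f[2]
        }
    }
    {
        ip = $1; mac = tolower($2)
        if (ip !~ /^[0-9.]+$/ || length(mac) != 17 || mac !~ /^[0-9a-f:]+$/) next
        if (!(mac in known))       print ip, mac, "not-in-inventory"
        else if (known[mac] != ip) print ip, mac, "expected-" known[mac]
    }'
}

# Stand-alone run: prints the one host that is not in the inventory.
printf '%s\n' "$SAMPLE_SCAN" | unknown_hosts "$SAMPLE_INVENTORY"
```

For a live run, replace the sample with the real sweep output, for example `netdiscover -r 192.168.120.0/24 -P | unknown_hosts "$(cat inventory.txt)"`, and feed the result to whatever raises alerts. A MAC that moves to a new IP is reported separately because, on a network with static assignments, that is worth a look even when the MAC itself is known.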

Layer 3 methods:
Ping - the most popular tool for checking the availability of a particular host, and it is also found on Windows. It checks availability by sending an Internet Control Message Protocol (ICMP) echo request. If the target host is alive, it sends back an ICMP echo reply packet.
$ ping google.com
The output shows one of Google's IP addresses and the echo replies it returns.
Similarly, ping an IP address like this:
$ ping 192.168.120.130
Use ping6 to ping an IPv6 address.
$ ping6 -c 1 fe80::20c:29ff:fe18:f08 -I eth0
Set -I to the interface (here eth0), since a link-local address is only meaningful on a given interface.
The response will look something like:
PING fe80::20c:29ff:fe18:f08(fe80::20c:29ff:fe18:f08) from fe80::20c:29ff:feb3:137 eth0: 56 data bytes
64 bytes from fe80::20c:29ff:fe18:f08: icmp_seq=1 ttl=64 time=7.98 ms

--- fe80::20c:29ff:fe18:f08 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 7.988/7.988/7.988/0.000 ms
We can clearly see the request duration, whether the packet was received or lost, and the sender and target addresses.

fping works like ping, but in contrast it can send requests to a whole range of addresses.
$ fping -a -g 192.168.120.0/24
-g lets us specify a range, and -a prints only the alive hosts.
Further, fping lets you set an optional retry limit and count, and read targets from a file.
Check more details on fping with:
$ fping -h

hping3 helps to test firewall rules and find weaknesses by crafting custom network packets.
Send a simple ICMP request:
$ hping3 -1 192.168.120.130 -c 1
hping3 uses the Tcl language for scripting. To enter its shell, just type hping3:
hping3> hping send {ip(daddr=192.168.120.130)+icmp(type=8,code=0)}
This would be the same ICMP request that was sent above.
The scripting language supports conditionals and loops.
To test a firewall rule for a specific open port, say 22, send a TCP SYN packet as follows:
$ hping3 192.168.120.130 -c 1 -S -p 22
If the port is open for TCP connections, you should see 0% loss.
Now send a UDP probe by specifying option -2 for UDP:
$ hping3 -2 192.168.120.130 -c 1 -p 22
If the firewall rule works, you will see 100% loss.
You can use the following options for different protocols:

Short option   Long option   Description
-0             --rawip       Send raw IP packets
-1             --icmp        Send ICMP packets
-2             --udp         Send UDP packets
-8             --scan        Scan mode
-9             --listen      Listen mode

Check more on hping3 here: http://wiki.hping.org/94
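Both the ping output above and the hping3 firewall checks come down to reading the "% packet loss" line: 0% means the probe got through, 100% means the firewall dropped it. The script below is an added example and is not part of the original post; it parses the statistics block that ping and hping3 print (constructed samples embedded inline) so that a batch of probes can be compared against what the policy is supposed to allow. The function names loss_percent, avg_rtt_ms and probe_verdict, and the "open"/"filtered" expectation labels, are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise ping and hping3
# runs by extracting packet loss and average RTT from their statistics
# blocks, and check the observed loss against an expected firewall outcome.

# Constructed ping output (the IPv6 link-local case from the text).
PING_OUT='PING fe80::20c:29ff:fe18:f08(fe80::20c:29ff:fe18:f08) from fe80::20c:29ff:feb3:137 eth0: 56 data bytes
64 bytes from fe80::20c:29ff:fe18:f08: icmp_seq=1 ttl=64 time=7.98 ms

--- fe80::20c:29ff:fe18:f08 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 7.988/7.988/7.988/0.000 ms'

# Constructed hping3 output for a UDP probe to port 22 that was dropped.
HPING_OUT='HPING 192.168.120.130 (eth0 192.168.120.130): udp mode set, 28 headers + 0 data bytes

--- 192.168.120.130 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms'

# loss_percent: print the integer packet-loss percentage from a ping or
# hping3 statistics block read on stdin; prints nothing if none is found.
loss_percent() {
    sed -n 's/.*[^0-9]\([0-9][0-9]*\)% packet loss.*/\1/p' | head -n 1
}

# avg_rtt_ms: print the average round-trip time in ms. Works for both
# "rtt min/avg/max/mdev = a/b/c/d ms" (ping) and
# "round-trip min/avg/max = a/b/c ms" (hping3): take the token after "=",
# split it on "/", and the second field is the average.
avg_rtt_ms() {
    awk '/min\/avg\/max/ { sub(/.*= */, ""); split($1, v, "/"); print v[2]; exit }'
}

# probe_verdict EXPECTED: read a statistics block on stdin and print "ok"
# when the observed loss matches the expectation, as the text describes
# ("open" => 0% loss, "filtered" => 100% loss), otherwise print a MISMATCH
# line with what was actually observed.
probe_verdict() {
    loss=$(loss_percent)
    case "$1:$loss" in
        open:0)       echo "ok: reachable (0% loss)" ;;
        filtered:100) echo "ok: dropped (100% loss)" ;;
        *:)           echo "MISMATCH: no statistics found" ;;
        *)            echo "MISMATCH: expected $1, observed ${loss}% loss" ;;
    esac
}

# Stand-alone run over the two constructed samples.
printf '%s\n' "$PING_OUT"  | probe_verdict open
printf '%s\n' "$HPING_OUT" | probe_verdict filtered
printf 'avg rtt: %s ms\n' "$(printf '%s\n' "$PING_OUT" | avg_rtt_ms)"
```

In practice you pipe the real tool into the verdict function, merging stderr in case the statistics go there: `hping3 -2 192.168.120.130 -c 1 -p 22 2>&1 | probe_verdict filtered`. Keeping the expected outcome next to each probe turns an ad hoc check into a repeatable firewall regression test.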

Other tools worth checking are:
nbtscan - gets the NetBIOS name, MAC address, available services and IP address.
alive6 - finds IPv6 systems on the local network. This one is special because IPv6 address ranges are immense, so sweeping them the way we did earlier with IPv4 is impossible.
nping - customizes protocol headers and generates network packets for ARP, ICMP, TCP and UDP. It can also work like ping, and be used for ARP poisoning and DDoS attacks, which will be covered more later.
