Host Discovery

Note

This page contains {{ jinja2_style_variable_syntax }} in example commands or configs. Replace them with the appropriate values when using the code or values in question.

Methods

ping

Ping sends ICMP ECHO_REQUEST packets to a specified host and reports the replies.

Useful Flags

  • -c {{ number }}: send {{ number }} ping requests. By default, ping keeps sending them until the process is killed.
  • -i {{ seconds }}: wait {{ seconds }} seconds between pings (the default is 1).

To ping all hosts in the 192.0.2.0/24 (TEST-NET-1) IP subrange, and only print the IP addresses that reply, run the following in bash:

for ip in 192.0.2.{1..254}; do ping -c1 "$ip" &>/dev/null && echo "$ip"; done

Explanation

  • 192.0.2.{1..254}: expands to 192.0.2.1 192.0.2.2 ... 192.0.2.254. The network and broadcast addresses are left out.
  • ...&>/dev/null && echo "$ip": redirect stdout and stderr of the ping command to /dev/null, effectively discarding them. If the ping was successful, echo the IP address itself.

fping

Like ping, it sends ICMP ECHO_REQUEST packets, but it handles multiple target hosts more elegantly.

Useful Flags

  • -a: list all pinged hosts that are online
  • -g {{ network }}/{{ mask }}: generate a list of target hosts from a network address and netmask
  • -g {{ start }} {{ stop }}: generate a list of target hosts from the first and last host in a sequence

Doing the same thing as above with fping, listing all addresses in TEST-NET-1 that answered a ping, is far simpler than with the classic ping:

# option 1
fping -a -g 192.0.2.0/24 2>/dev/null
# option 2
fping -a -g 192.0.2.1 192.0.2.254 2>/dev/null

nmap

This one's much more aggressive. Using it without permission from the owners of the target systems can get you in trouble. It's much more powerful, but much more complicated.

Useful Flags

  • -sn: disable port scan - don't scan for open ports, only list hosts that are up
    • despite being a "ping scan", this does not actually limit itself to ICMP ECHO_REQUEST packets: it also sends a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. If running as a non-privileged *nix user, it skips the ICMP packets entirely.
  • -oG {{ file }}: write output to {{ file }}, in a "greppable" (i.e. easy to programmatically parse) format
    • (special case) -oG -: write output to stdout in a "greppable" format

Using the same ping sweep example as earlier, one approach could be as follows:

nmap -sn 192.0.2.1-254 -oG - | awk '/^Host: .*Status: Up$/ {print $2}'
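The same "greppable" parse, turned into the check a defender runs after sweeping their own network: report live hosts that an inventory of expected hosts does not list. This is an added example, not code from the original page; the inventory file format (one IP per line) and the sample scan output are assumptions constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): parse nmap -oG output and report
# live hosts missing from an inventory of expected hosts.

# Print the IP of every host nmap reported as up; -oG text is read on stdin.
# Each host line looks like:  Host: 192.0.2.1 (gw.example)<TAB>Status: Up
# so the IP is always the second whitespace-separated field. The "# Nmap ..."
# banner lines never start with "Host:" and are therefore ignored.
up_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }'
}

# Print up hosts that are not listed in the inventory file given as $1
# (one IP per line; blank lines and "#" comments allowed). -oG text on stdin.
unexpected_hosts() {
    awk -v inv="$1" '
        FILENAME == inv { if ($1 != "" && $1 !~ /^#/) known[$1] = 1; next }
        /^Host: / && /Status: Up/ && !($2 in known) { print $2 }
    ' "$1" -
}

# Constructed sample data (not real scan results): roughly what "nmap -sn -oG -"
# prints. Real output separates the fields with a tab; spaces work the same for
# awk. A "Down" line is included only to show it is filtered out.
SAMPLE_OG='# Nmap x.yz scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn -oG - 192.0.2.1-254
Host: 192.0.2.1 (gw.example)    Status: Up
Host: 192.0.2.7 ()      Status: Up
Host: 192.0.2.9 ()      Status: Down
Host: 192.0.2.42 ()     Status: Up
# Nmap done at Mon Jan  1 00:00:05 2024 -- 254 IP addresses (3 hosts up) scanned in 5.00 seconds'

# Write a constructed inventory that knows two of the three live hosts and
# print the temp file's path.
write_sample_inventory() {
    local f
    f=$(mktemp)
    printf '%s\n' '# expected hosts on TEST-NET-1' '192.0.2.1' '' '192.0.2.7' > "$f"
    printf '%s\n' "$f"
}

# Usage: run the check on the sample; the only surprise is 192.0.2.42.
run_sample() {
    local inv
    inv=$(write_sample_inventory)
    printf '%s\n' "$SAMPLE_OG" | unexpected_hosts "$inv"
    rm -f "$inv"
}
run_sample
```

With a real sweep, pipe `nmap -sn {{ range }} -oG -` into `unexpected_hosts {{ inventory_file }}` instead of the sample.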