When we have our pool of IP addresses, we have to identify the devices and the roles played by each IP in the target organization.
Live Hosts
There are different methods that one can use to identify live hosts.
ICMP Ping Sweep
The most common is the ICMP ping sweep. It consists of ICMP ECHO requests sent to multiple hosts. If a given host is alive, it will return an ICMP ECHO reply.
fping -a -g [IP-Range]/[Mask]
nmap -sn [IP-Range]/[Mask] -oG ping-sweep.nmap
grep "Up" ping-sweep.nmap | cut -d " " -f 2
Note: For internal Audits, when a host reply a ping shown by fping and doesn’t reply for nmap command this could be a router or switch.
Other technic to detect live hosts with ICMP Ping sweep is with this script:
#!/bin/bash
for i in $(seq 1 255); do
timeout 1 bash -c "ping -c 1 10.10.10.$i" > /dev/null && echo "10.10.10.$i - Active" &
done; wait
Most common ports
The second technique is doing a most common port scanner with the following ports:
- 22 - SSH
- 80 - HTTP
- 443 - HTTPS
- 445 - SMB
nmap -p 22,445,80,443 [IP-Range]/[Mask]