In this post I want to go over different ways to perform host discovery. There are three common ways we can perform host discovery from a Linux machine: a plain bash ping loop, Nmap, and fping. This is going to be a short post as I just want to go over a few different ways to do this. So, let’s get started!
Bash
In this example, we use a for loop with brace expansion and then use grep to filter for any result containing “64 bytes”. The loop runs 254 times; on each iteration it pings the address whose last octet is the loop counter. The -c 1 flag tells ping to send only a single echo request.
We filter for “64 bytes” because that string only appears in a reply line (“64 bytes from …”), which means the host answered our echo request and is up. The 64 is ping’s default 56-byte payload plus the 8-byte ICMP header, so if you change the payload size with -s, change the filter too. Two caveats: a host that drops ICMP echo requests (a host firewall, for example) will never show up here, and without a reply timeout (-W) an unanswered ping -c 1 waits about ten seconds (the iputils default) before giving up, so this sequential loop is slow on a sparsely populated subnet.
$ for i in {1..254};do ping -c 1 172.16.5.$i | grep "64 bytes"; done
Result Output
In our output the three results that came back are all the hosts that were up. The ttl field is a useful side channel: the default initial TTL is 128 on Windows and 64 on Linux, so .5 and .130 are probably Windows hosts and .225 probably Linux. Treat it only as a hint, since every router hop between you and the target decrements the value.
64 bytes from 172.16.5.5: icmp_seq=1 ttl=128 time=0.591 ms
64 bytes from 172.16.5.130: icmp_seq=1 ttl=128 time=0.599 ms
64 bytes from 172.16.5.225: icmp_seq=1 ttl=64 time=0.043 ms
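The same sweep as an added example, not code from the original post, rewritten so that the pings run in parallel with a one-second reply timeout and only the responding address and its TTL are kept. The function names parse_alive and sweep are my own; the sample reply lines in the comments are the ones printed above.

```shell
#!/usr/bin/env bash
# Added example: a faster version of the ping-sweep one-liner above.
#   - -W 1 caps the wait for a reply at one second; without it an unanswered
#     "ping -c 1" sits for about ten seconds (iputils default), so a mostly
#     empty /24 takes most of an hour to sweep one host at a time
#   - every ping runs as a background job, so the whole /24 finishes in a
#     couple of seconds
#   - only the responding address and its TTL are kept, not the whole line

# Read ping output on stdin and print "IP TTL" for each reply line, e.g.
#   64 bytes from 172.16.5.5: icmp_seq=1 ttl=128 time=0.591 ms
# becomes "172.16.5.5 128". Timeouts and ICMP errors produce no output.
parse_alive() {
    awk '/^64 bytes from / {
        ip = $4; sub(/:$/, "", ip)       # strip the trailing colon
        ttl = ""
        for (i = 5; i <= NF; i++)
            if ($i ~ /^ttl=/) ttl = substr($i, 5)
        print ip, ttl
    }'
}

# Sweep a /24 given its first three octets, e.g.: sweep 172.16.5
# Lines come out in reply order, so sort them by the last octet afterwards.
sweep() {
    local prefix="$1" i
    for i in $(seq 1 254); do
        ping -c 1 -W 1 "$prefix.$i" 2>/dev/null | parse_alive &
    done
    wait
}

# Usage: sweep 172.16.5 | sort -t . -k 4,4n | tee -a targets.txt
```

Backgrounding 254 pings at once is fine on a LAN; on a slow link or a /16 you would want to batch them (xargs -P or GNU parallel) so you do not flood the network or your own host.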
Nmap
We can use Nmap to perform a ping sweep with the -sn flag, which means host discovery only, no port scan (older versions called it -sP). The target is the network address in CIDR notation, for example 172.16.5.0/24. “Ping sweep” is a loose term here: run as root, nmap -sn sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to each address, so it also finds hosts that drop plain ICMP as long as one of those probes is answered; run unprivileged, it falls back to TCP connect() probes to ports 80 and 443. Add -n to skip reverse DNS lookups, which speeds up a large range noticeably, and -PE if you really want ICMP echo only.
$ nmap -sn [Ip]/[CIDR]
Fping
Fping is another tool we can use, and it is really simple. The -a flag tells fping to print only alive hosts, that is, hosts that answered our echo requests. The -g flag generates the target list from a subnet (or an address range) instead of reading hostnames from the command line or stdin. The -q flag (quiet) suppresses the per-probe messages and ICMP error reports, such as host-unreachable notices, so the only output is the list of responding addresses. Instead of redirecting the output straight to a file, we pipe it to tee -a: a plain redirect would hide the results from the terminal, whereas tee -a appends them to the targets.txt file while still showing them on screen. Two things to keep in mind: fping needs raw-socket privileges (most distributions grant the binary CAP_NET_RAW or install it setuid root; otherwise run it with sudo), and like the bash loop it relies on ICMP echo alone, so hosts that block ICMP are missed. Also note that the /23 in the example below is a 512-address block (172.16.4.0/23, which contains 172.16.5.0), twice the size of the /24 swept earlier.
$ fping -agq 172.16.5.0/23 | tee -a targets.txt
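An added example covering the Nmap and fping sections together, not code from the original post: both sweeps are wrapped so they emit a bare list of IPs, and the two lists are merged into one sorted, de-duplicated targets.txt. The function names (parse_nmap_grepable, nmap_alive, fping_alive, merge_targets) are my own, and the sample grepable output in the comment is constructed.

```shell
#!/usr/bin/env bash
# Added example: run the nmap and fping sweeps from the post so that both
# produce a bare list of IPs, then merge them into one de-duplicated target
# list. Merging is worth doing because the two tools probe differently:
# fping uses ICMP echo only, while nmap -sn (as root) also tries TCP SYN to
# 443, TCP ACK to 80 and ICMP timestamp, so a host that drops echo requests
# can appear in one list and not the other.

# Pull the addresses of hosts marked "Up" out of nmap's grepable output
# (-oG -), which prints lines such as (constructed sample):
#   Host: 172.16.5.5 ()  Status: Up
parse_nmap_grepable() {
    awk '/^Host: / && /Status: Up/ { print $2 }'
}

# nmap sweep of a CIDR block; -n skips reverse DNS so it does not stall on a
# slow resolver. Example: nmap_alive 172.16.5.0/24
nmap_alive() {
    nmap -sn -n -oG - "$1" | parse_nmap_grepable
}

# fping sweep of the same block: -a alive only, -g generate targets from the
# CIDR, -q suppress per-probe errors. Real errors (e.g. missing raw-socket
# privilege) still go to stderr, so an empty result is not silently accepted.
fping_alive() {
    fping -agq "$1"
}

# Merge any number of IP lists (files, or stdin when no file is given) into
# one list sorted numerically octet by octet, without duplicates.
merge_targets() {
    sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u "$@"
}

# Usage (needs network access and privileges for nmap/fping):
#   { nmap_alive 172.16.5.0/24; fping_alive 172.16.5.0/24; } \
#       | merge_targets | tee -a targets.txt
```

Sorting numerically per octet matters when the list feeds later tooling: a plain sort puts 172.16.5.130 before 172.16.5.5, which makes diffing two sweeps of the same subnet needlessly confusing.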