host alive?

The most commonly used tool to find out whether or not a remote host is alive is the venerable ping or ping6 for IPv6.

marc:~> ping 192.168.122.161
PING 192.168.122.161 (192.168.122.161) 56(84) bytes of data.
64 bytes from 192.168.122.161: icmp_seq=1 ttl=64 time=0.159 ms
64 bytes from 192.168.122.161: icmp_seq=2 ttl=64 time=0.239 ms
64 bytes from 192.168.122.161: icmp_seq=3 ttl=64 time=0.167 ms
64 bytes from 192.168.122.161: icmp_seq=4 ttl=64 time=0.148 ms
64 bytes from 192.168.122.161: icmp_seq=5 ttl=64 time=0.160 ms
64 bytes from 192.168.122.161: icmp_seq=6 ttl=64 time=0.210 ms
^C
--- 192.168.122.161 ping statistics ­­­---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 0.148/0.180/0.239/0.035 ms

The ping utility sends an ICMP ECHO_REQUEST datagram that should ellicit an ECHO_RESPONSE from the target provided that the packet can get to the destination and the target replies such requests. We can specify a few options with ping:

marc:~> ping -­b -­c 3 -­i 5 192.168.0.255
WARNING: pinging broadcast address
PING 192.168.0.255 (192.168.0.255) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.208 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=150 time=0.625 ms (DUP!)
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.218 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=150 time=0.646 ms (DUP!)
64 bytes from 192.168.0.100: icmp_seq=3 ttl=64 time=0.217 ms

The example above sends 3 probes per host ("-c 3") with a 5 second interval ("-i 5") to the broadcast address ("-b") to ellicit a response from all the hosts in the subnet.

The next example bounds the source address to the one used for the first probe with the “-B” flag (so it does not change mid-flight), shows the timestamp for each (“-D”) and uses the interface virbr0 as the source (“-I virbr0”):

marc:~> ping -­B -­D -I virbr0 192.168.122.161
PING 192.168.122.161 (192.168.122.161) from 192.168.122.1 virbr0: 56(84) bytes of data.
[1443523219.233722] 64 bytes from 192.168.122.161: icmp_seq=10 ttl=64 time=0.275 ms
[1443523220.233655] 64 bytes from 192.168.122.161: icmp_seq=11 ttl=64 time=0.209 ms
[1443523221.233508] 64 bytes from 192.168.122.161: icmp_seq=12 ttl=64 time=0.126 ms
[1443523222.233512] 64 bytes from 192.168.122.161: icmp_seq=13 ttl=64 time=0.160 ms
[1443523223.233613] 64 bytes from 192.168.122.161: icmp_seq=14 ttl=64 time=0.202 ms
[1443523224.233655] 64 bytes from 192.168.122.161: icmp_seq=15 ttl=64 time=0.208 ms
^C
--- 192.168.122.161 ping statistics ­­­---
15 packets transmitted, 6 received, 60% packet loss, time 13999ms
rtt min/avg/max/mdev = 0.126/0.196/0.275/0.048 ms

The following example shows only numeric IPs (“-n”), brief output (“-q”), sets the package size to a non-default 57 bytes (“-s 57”), sends the three probes ("-c 3") two seconds apart ("-i 2") and sets a timeout after which, if there is no response whatsoever, the command exits (“-W 3”):

marc:~> ping ­-c 3 ­-i 2 ­-n -­q -­s 57 ­-W 3 192.168.122.161
PING 192.168.122.161 (192.168.122.161) 57(85) bytes of data.
--- 192.168.122.161 ping statistics ­­­---
3 packets transmitted, 3 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.161/0.192/0.210/0.027 ms

ping is a fantastic tool but sometimes we need something a bit more sophisticated to deal with the intricacies of our network configuration. If that is the case, a good tool to have available is hping3. It might not come by default with your Linux distribution, you will have to dnf it from the common repositories.

root:~> dnf -y install hping3

Some of hping3's options are the same as ping's (-c, -i, -I, -n, -q, etc), but hping3 offers some more advanced features:

• Whereas ping only can send ICMP ECHO_REQUESTs (icmp code 8), hping3 can send any other icmp code (e.g. useful to work around firewalls?).

• Whereas ping can only use ICMP which “does not know about ports”, hping3 can use any IP
protocol to “ping” multiple ports at the target (e.g. TCP & UDP).

hping3 can perform TCP SYN scans in which the 3-way handshake communication is not established, and use any combination of flags: A (--ack), R (--rst), F (--fin), P (--push), U (--urg), X (-xmas) or Y (-ymas).

hping3 can listen and read packets looking for certain signatures (i.e. OS fingerprinting)

hping3 can spoof source addresses (for testing purposes obviously).

Let's look at some examples to get familiar with it and its capabilities. The following command does the same as a ping without options:

root:/etc> hping3 192.168.122.161 --­­icmp --­­icmpcode 8
HPING 192.168.122.161 (virbr0 192.168.122.161): icmp mode set, 28 headers + 0 data bytes
len=28 ip=192.168.122.161 ttl=64 id=16250 icmp_seq=0 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16251 icmp_seq=1 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16252 icmp_seq=2 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16253 icmp_seq=3 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16254 icmp_seq=4 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16255 icmp_seq=5 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16256 icmp_seq=6 rtt=0.1 ms
^C
--- 192.168.122.161 hping statistic ­­­---
7 packets transmitted, 7 packets received, 0% packet loss
round­trip min/avg/max = 0.1/0.1/0.1 ms

Three other ways of doing exactly the same would be:

root:/etc> hping3 192.168.122.161 --­­icmp -­C 8
root:/etc> hping3 192.168.122.161 ­-1 ­-C 8
root:/etc> hping3 192.168.122.161 ­-1

In the next example we are sending 1003 TCP ACK probes to the target host, starting on port 21 and going up one at a time until 1024 every 1000 microseconds (1ms):

root:/etc> hping3 ­-A 192.168.122.161 ­-p +21 -­c 1003 -­i u1000
HPING 192.168.122.161 (virbr0 192.168.122.161): A set, 40 headers + 0 data bytes
ICMP Unreachable type=10 from ip=192.168.122.161 name=UNKNOWN
ICMP Unreachable type=10 from ip=192.168.122.161 name=UNKNOWN
ICMP Unreachable type=10 from ip=192.168.122.161 name=UNKNOWN
--- 192.168.122.161 hping statistic ---­­­
1003 packets transmitted, 7 packets received, 100% packet loss
round­trip min/avg/max = 0.0/0.0/0.0 ms

As seen in the examples above, hping3 is way more sophisticated and capable than old rusty ping. However, if we need to go up to a whole new level and perform reconnaissance, host discovery, OS fingerprinting, firewall ruleset mapping, etc... then what we need is nmap.

root:~> dnf -y install nmap

nmap is an extremely capable network scanning tool with a ton of tweaks available to the user. If you want to get it in depth I would recommend starting your study at:

https:/nmap.org

Or buying the excellent book by Gordon "Fyodor" Lyon (its creator): nmap network scanning .

So that you get a brief idea let's execute an aggressive scan of a certain host:

root:/etc> nmap ­-A -­T4 192.168.122.161
.
Starting Nmap 6.47 ( http://nmap.org ) at 2015­09­30 09:15 BST
Nmap scan report for 192.168.122.161
Host is up (0.000084s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh­hostkey:
| 2048 2a:54:52:bd:be:e3:e5:72:58:61:b3:11:65:c0:9a:c9 (RSA)
|_ 256 6d:25:55:02:ea:81:1d:e9:7b:d4:b0:e2:e5:15:92:48 (ECDSA)
MAC Address: 52:54:00:49:72:FC (QEMU Virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1
closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 ­ 3.10, Linux 3.4 ­ 3.10
Network Distance: 1 hop
.
TRACEROUTE
HOP RTT ADDRESS
1 0.08 ms 192.168.122.161
.
OS and Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds

 

 

<< address resolution              tracing routes >>