The most commonly used tool to find out whether or not a remote host is alive is the venerable ping (or ping6 for IPv6).
marc:~> ping 192.168.122.161
PING 192.168.122.161 (192.168.122.161) 56(84) bytes of data.
64 bytes from 192.168.122.161: icmp_seq=1 ttl=64 time=0.159 ms
64 bytes from 192.168.122.161: icmp_seq=2 ttl=64 time=0.239 ms
64 bytes from 192.168.122.161: icmp_seq=3 ttl=64 time=0.167 ms
64 bytes from 192.168.122.161: icmp_seq=4 ttl=64 time=0.148 ms
64 bytes from 192.168.122.161: icmp_seq=5 ttl=64 time=0.160 ms
64 bytes from 192.168.122.161: icmp_seq=6 ttl=64 time=0.210 ms
^C
--- 192.168.122.161 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 0.148/0.180/0.239/0.035 ms
The ping utility sends an ICMP ECHO_REQUEST datagram that should elicit an ECHO_RESPONSE from the target, provided that the packet can reach the destination and the target replies to such requests. We can specify a few options with ping:
marc:~> ping -b -c 3 -i 5 192.168.0.255
WARNING: pinging broadcast address
PING 192.168.0.255 (192.168.0.255) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.208 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=150 time=0.625 ms (DUP!)
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.218 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=150 time=0.646 ms (DUP!)
64 bytes from 192.168.0.100: icmp_seq=3 ttl=64 time=0.217 ms
The example above sends 3 probes per host ("-c 3") with a 5 second interval ("-i 5") to the broadcast address ("-b") to elicit a response from all the hosts in the subnet. Every reply after the first one for a given icmp_seq is marked "(DUP!)", which is how the second host shows up in the output.
The next example binds the source address to the one used for the first probe with the "-B" flag (so it does not change mid-flight), shows the timestamp for each reply ("-D") and uses the interface virbr0 as the source ("-I virbr0"):
marc:~> ping -B -D -I virbr0 192.168.122.161
PING 192.168.122.161 (192.168.122.161) from 192.168.122.1 virbr0: 56(84) bytes of data.
[1443523219.233722] 64 bytes from 192.168.122.161: icmp_seq=10 ttl=64 time=0.275 ms
[1443523220.233655] 64 bytes from 192.168.122.161: icmp_seq=11 ttl=64 time=0.209 ms
[1443523221.233508] 64 bytes from 192.168.122.161: icmp_seq=12 ttl=64 time=0.126 ms
[1443523222.233512] 64 bytes from 192.168.122.161: icmp_seq=13 ttl=64 time=0.160 ms
[1443523223.233613] 64 bytes from 192.168.122.161: icmp_seq=14 ttl=64 time=0.202 ms
[1443523224.233655] 64 bytes from 192.168.122.161: icmp_seq=15 ttl=64 time=0.208 ms
^C
--- 192.168.122.161 ping statistics ---
15 packets transmitted, 6 received, 60% packet loss, time 13999ms
rtt min/avg/max/mdev = 0.126/0.196/0.275/0.048 ms
The following example shows only numeric IPs ("-n"), quiet output ("-q"), sets the payload size to a non-default 57 bytes ("-s 57", hence the "57(85)" in the banner), sends three probes ("-c 3") two seconds apart ("-i 2") and sets a timeout after which, if there is no response whatsoever, the command exits ("-W 3"):
marc:~> ping -c 3 -i 2 -n -q -s 57 -W 3 192.168.122.161
PING 192.168.122.161 (192.168.122.161) 57(85) bytes of data.
--- 192.168.122.161 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.161/0.192/0.210/0.027 ms
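As an added example (not part of the original post), here is a small Python parser for the reply lines ping prints in the modes shown above: it handles the "-D" timestamp prefix and the "(DUP!)" marker, counts replies per responding address, and lists the sequence numbers that got no reply. The sample output is constructed; on a unicast ping, more than one responder or any DUP reply means something other than the intended host is answering and is usually worth investigating.

```python
import re
from statistics import mean

# Matches one reply line as printed by iputils ping, with or without the
# "-D" timestamp prefix and with or without the "(DUP!)" suffix.
REPLY_RE = re.compile(
    r"^(?:\[(?P<ts>\d+\.\d+)\] )?\d+ bytes from (?P<ip>[0-9.]+): "
    r"icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+) time=(?P<rtt>[\d.]+) ms"
    r"(?P<dup> \(DUP!\))?$"
)

# Constructed sample, modelled on the broadcast ping above: two hosts
# answer each probe and probe 2 got no reply at all.
SAMPLE = """\
WARNING: pinging broadcast address
PING 192.168.0.255 (192.168.0.255) 56(84) bytes of data.
[1443523219.233722] 64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.208 ms
[1443523219.234100] 64 bytes from 192.168.0.1: icmp_seq=1 ttl=150 time=0.625 ms (DUP!)
[1443523221.233655] 64 bytes from 192.168.0.100: icmp_seq=3 ttl=64 time=0.218 ms
[1443523221.234200] 64 bytes from 192.168.0.1: icmp_seq=3 ttl=150 time=0.646 ms (DUP!)
^C
--- 192.168.0.255 ping statistics ---
3 packets transmitted, 2 received, +2 duplicates, 33% packet loss, time 2001ms
"""

def parse_ping(output):
    """Summarise ping output: reply count, DUPs, responders, gaps, RTTs."""
    replies = [m.groupdict() for m in map(REPLY_RE.match, output.splitlines()) if m]
    seqs = sorted({int(r["seq"]) for r in replies})
    # ping numbers probes consecutively, so any number between the first
    # and last reply seen that never came back is a lost probe.
    missing = [s for s in range(seqs[0], seqs[-1] + 1) if s not in seqs] if seqs else []
    responders = {}
    for r in replies:
        responders[r["ip"]] = responders.get(r["ip"], 0) + 1
    rtts = [float(r["rtt"]) for r in replies]
    return {
        "replies": len(replies),
        "dups": sum(1 for r in replies if r["dup"]),
        "responders": responders,
        "missing_seq": missing,
        "rtt_min": min(rtts) if rtts else None,
        "rtt_avg": round(mean(rtts), 3) if rtts else None,
        "rtt_max": max(rtts) if rtts else None,
    }

if __name__ == "__main__":
    print(parse_ping(SAMPLE))
```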
ping is a fantastic tool, but sometimes we need something a bit more sophisticated to deal with the intricacies of our network configuration. If that is the case, a good tool to have available is hping3. It might not come by default with your Linux distribution; you will have to dnf it from the common repositories.
root:~> dnf -y install hping3
Some of hping3's options are the same as ping's (-c, -i, -I, -n, -q, etc.), but hping3 offers some more advanced features:
• Whereas ping can only send ICMP ECHO_REQUESTs (ICMP type 8), hping3 can send any other ICMP type (useful, for example, to check how a firewall treats ICMP types other than echo).
• Whereas ping can only use ICMP, which "does not know about ports", hping3 can use any IP protocol to "ping" multiple ports at the target (e.g. TCP and UDP).
• hping3 can perform TCP SYN scans in which the 3-way handshake is never completed, and can set any combination of TCP flags: A (--ack), R (--rst), F (--fin), P (--push), U (--urg), X (--xmas) or Y (--ymas).
• hping3 can listen for and read packets looking for certain signatures (e.g. for OS fingerprinting).
• hping3 can spoof source addresses (for testing purposes obviously).
Let's look at some examples to get familiar with it and its capabilities. The following command does the same as a ping without options:
root:/etc> hping3 192.168.122.161 --icmp --icmptype 8
HPING 192.168.122.161 (virbr0 192.168.122.161): icmp mode set, 28 headers + 0 data bytes
len=28 ip=192.168.122.161 ttl=64 id=16250 icmp_seq=0 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16251 icmp_seq=1 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16252 icmp_seq=2 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16253 icmp_seq=3 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16254 icmp_seq=4 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16255 icmp_seq=5 rtt=0.1 ms
len=28 ip=192.168.122.161 ttl=64 id=16256 icmp_seq=6 rtt=0.1 ms
^C
--- 192.168.122.161 hping statistic ---
7 packets transmitted, 7 packets received, 0% packet loss
roundtrip min/avg/max = 0.1/0.1/0.1 ms
Three other ways of doing exactly the same would be:
root:/etc> hping3 192.168.122.161 --icmp -C 8
root:/etc> hping3 192.168.122.161 -1 -C 8
root:/etc> hping3 192.168.122.161 -1
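As an added example (not from the original post and not hping3's own code), the following Python builds and checks the ICMP datagrams these commands exchange: the 8-byte header whose type field ping fixes at 8 (ECHO_REQUEST) and hping3 lets you choose with -C/--icmptype, the RFC 1071 checksum, and the type-0 reply the target sends back. It only manipulates bytes, so it needs no raw socket or root; the identifier and sequence values are constructed.

```python
import struct

ICMP_ECHO_REQUEST = 8   # type 8, code 0: what ping and "hping3 -1" send
ICMP_ECHO_REPLY = 0     # type 0: what a live host answers with

def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"            # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:             # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(ident, seq, payload=b"", icmp_type=ICMP_ECHO_REQUEST, code=0):
    """Build an ICMP echo datagram: type, code, checksum, id, seq, payload."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = inet_checksum(header + payload)   # computed with checksum field = 0
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def parse_icmp(datagram):
    """Return (type, code, ident, seq, payload); raise on a bad checksum."""
    if len(datagram) < 8:
        raise ValueError("short ICMP datagram")
    # Summing over the whole datagram, checksum included, must give zero.
    if inet_checksum(datagram) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", datagram[:8])
    return icmp_type, code, ident, seq, datagram[8:]

def make_reply(request):
    """What the target answers: same id, seq and payload, but type 0."""
    icmp_type, code, ident, seq, payload = parse_icmp(request)
    if icmp_type != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_echo(ident, seq, payload, icmp_type=ICMP_ECHO_REPLY, code=code)

if __name__ == "__main__":
    req = build_echo(0x1234, 1, b"abc")       # constructed id/seq/payload
    print(req.hex(), "->", make_reply(req).hex())
```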
In the next example we send 1003 TCP ACK probes ("-A") to the target host, starting at port 21 and going up one port at a time ("-p +21") until 1024, one probe every 1000 microseconds, i.e. 1 ms ("-i u1000"):
root:/etc> hping3 -A 192.168.122.161 -p +21 -c 1003 -i u1000
HPING 192.168.122.161 (virbr0 192.168.122.161): A set, 40 headers + 0 data bytes
ICMP Unreachable type=10 from ip=192.168.122.161 name=UNKNOWN
ICMP Unreachable type=10 from ip=192.168.122.161 name=UNKNOWN
ICMP Unreachable type=10 from ip=192.168.122.161 name=UNKNOWN
--- 192.168.122.161 hping statistic ---
1003 packets transmitted, 7 packets received, 100% packet loss
roundtrip min/avg/max = 0.0/0.0/0.0 ms
As seen in the examples above, hping3 is far more sophisticated and capable than old rusty ping. However, if we need to go up to a whole new level and perform reconnaissance, host discovery, OS fingerprinting, firewall ruleset mapping, etc., then what we need is nmap.
root:~> dnf -y install nmap
nmap is an extremely capable network scanning tool with a ton of tweaks available to the user. If you want to get into it in depth, I would recommend starting your study at:
Or buying the excellent book by Gordon "Fyodor" Lyon (its creator): Nmap Network Scanning.
So that you get a brief idea, let's execute an aggressive scan ("-A") of a certain host:
root:/etc> nmap -A -T4 192.168.122.161
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-30 09:15 BST
Nmap scan report for 192.168.122.161
Host is up (0.000084s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
| 2048 2a:54:52:bd:be:e3:e5:72:58:61:b3:11:65:c0:9a:c9 (RSA)
|_ 256 6d:25:55:02:ea:81:1d:e9:7b:d4:b0:e2:e5:15:92:48 (ECDSA)
MAC Address: 52:54:00:49:72:FC (QEMU Virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 3.4 - 3.10
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.08 ms 192.168.122.161
OS and Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds