Getting Started
This section introduces the fundamentals of setting up and configuring a virtual security environment, which can be used for most scenarios and exercises in this book. Topics covered include installing virtualization software, setting up various systems in the virtual environment, and configuring some tools used in the exercises.
1.1 Configuring a Security Environment with VMware Player (Windows)
By installing VMware Player on a Windows workstation, you can run a virtual security environment on a Windows PC with relatively low available resources. You can obtain VMware Player for free or purchase the more feature-rich VMware Player Plus at a low cost.
Preparation
To install VMware Player on a Windows workstation, first download the software. For the free version, visit https://my.vmware.com/web/vmware/free. Scroll down to the VMware Player link and click Download. On the next page, select the Windows 32-bit or 64-bit installation package and click Download. Installation packages are also available for Linux 32-bit and 64-bit systems.
After opening VMware Player, you can start by creating a new virtual machine. This initializes a user-friendly virtual machine installation wizard:
The first task in the wizard is to define the installation media. You can choose to install from the host's CD/DVD drive or use an ISO image file. Most installations discussed in this section use ISOs, and their sources are mentioned in each technique. For now, assume we browse an existing ISO file and click Next, as shown:
Next, assign a name to the virtual machine. This name is arbitrary and used to identify and distinguish the VM from others in the library. Since security environments often involve different operating systems, specifying the OS as part of the VM name can be useful. The following screenshot shows the Specify Disk Capacity window:
The next screen requests the maximum disk size. The VM uses hard drive space on demand but will not exceed this value. You can also define whether the VM is stored in a single file or multiple files. After specifying disk capacity, you'll see:
The final step provides a summary. You can click Finish to complete VM creation or Customize Hardware... for advanced configuration. See the advanced configuration screen:
Advanced configuration allows full control over shared resources, virtual hardware, and networking. Default settings are usually sufficient, but changes can be made later via VM settings. After configuring, you'll see:
After the wizard completes, the new VM should be listed in the library. Start it by pressing the play button. Multiple VMs can run simultaneously by opening multiple instances of VMware Player with unique VMs.
How It Works
VMware creates a virtualization environment that shares resources from a single host to build entire network environments. Virtualization software like VMware makes it easier and cheaper for individuals and independent researchers to construct security environments.
1.2 Configuring a Security Environment with VMware Player (Mac OS X)
You can also run a virtual security environment on Mac OS X by installing VMware Fusion. VMware Fusion requires a license, but it is reasonably priced.
Preparation
To install VMware Player on a Mac, first download the software. For a free trial or purchase, visit: https://www.vmware.com/products/fusion/.
Steps
After downloading the package, locate it in the default download directory. Run the .dmg installation file and follow on-screen instructions. After installation, launch VMware Fusion from the Dock or Applications directory. Upon loading, you'll see the VM library, initially empty. The following screenshot shows the VM library:
To begin, click the Add button at the top left, then New. This starts the VM installation wizard, a guided process for setting up VMs, as shown:
The first step asks you to choose the installation method. VMware Fusion offers options to install from disc or image (ISO file), and various techniques to migrate existing systems to new VMs. For all VMs in this section, select the first option.
After selecting Install from disc or image, you'll be prompted to choose the installation disc or image. If not auto-filled, click Use another disc or disc image to browse for the desired image. Locations for specific system images are discussed later. Finally, you'll reach the Finish window:
After selecting the image, click Continue to see a summary screen. Click Customize Settings to change settings or Finish to create the VM. You'll be asked to save the VM file; the name becomes the VM's display name in the library, as shown:
As more VMs are added, they appear in the library on the left. Select any VM and click Start Up to launch it. Use Settings to modify configuration or Snapshots to save VM states. Multiple VMs can run simultaneously by starting each independently.
How It Works
Using VMware Fusion on Mac OS X creates a virtualized lab environment for building entire network environments on an Apple host. Virtualization software like VMware simplifies and reduces the cost of constructing security environments.
1.3 Installing Ubuntu Server
Ubuntu Server is an easy-to-use Linux distribution for hosting network services and vulnerable software for testing in security environments. Other Linux distributions can be used if preferred; however, Ubuntu is a good choice for beginners due to extensive public references and resources.
Preparation
Before installing Ubuntu Server in VMware, download the disk image (ISO file) from Ubuntu's website: http://www.ubuntu.com/server.
Steps
After loading the image and starting the VM, you'll see the default Ubuntu menu, as shown. Navigate using the keyboard. For a standard installation, ensure Install Ubuntu Server is selected and press Enter.
The installation process begins with a series of questions to define system configuration. First, specify language and country. Then, define keyboard layout configuration, as shown:
Options include detection (press keys for Ubuntu to detect layout) or manual selection. After setting keyboard layout, enter the system hostname. Ensure it's unique if joining a domain. Next, provide a new user's full name and username. Usernames should be lowercase strings; numbers are allowed but not as the first character. See:
After providing a username, set a password. Ensure it's memorable for future access. See:
After setting the password, decide whether to encrypt each user's home directory. This is optional in lab environments. Next, configure the system clock, as shown:
The system guesses your timezone based on public IP; confirm or manually select. Then, define disk partition configuration, as shown:
Keep the default unless needed. Select the disk (usually only one option unless additional disks are added), as shown:
After selecting the disk, review and confirm the configuration. You'll be asked to configure an HTTP proxy; leave blank for this book. Finally, select software to install, as shown:
Use the spacebar to select packages. To increase attack surface, multiple services are selected. Press Enter to complete.
How It Works
Ubuntu Server is command-line driven without a GUI. Use SSH for effective management. For SSH configuration, refer to the "Configuring and Using SSH" technique later.
1.4 Installing Metasploitable2
Metasploitable2 is a deliberately vulnerable Linux distribution and an efficient security training tool. It contains numerous vulnerable network services and web applications.
Preparation
Before installing Metasploitable2 in your virtual lab, download it from the web. Mirrors and torrents are available. A simple method is to download from SourceForge: http://sourceforge.net/projects/metasploitable/files/Metasploitable2/.
Steps
Metasploitable2 installation is straightforward as it comes pre-configured for VMware. Download the ZIP file and extract it in Windows or Mac OS X by double-clicking. See:
After extraction, the directory contains five files, including a VMware VMX file. To use Metasploitable in VMware, click File > Open, browse to the extracted directory, and open Metasploitable.vmx, as shown:
Once opened, the VM appears in your library. Select it and click Run to start, as shown:
After loading, the boot screen requests login credentials. Default credentials are username msfadmin and password msfadmin. SSH access is also possible, covered in "Configuring and Using SSH."
How It Works
Metasploitable is built for security testing education. It is effective but must be used carefully. Do not expose Metasploitable systems to untrusted networks, assign public IP addresses, or use port forwarding through NAT interfaces.
1.5 Installing Windows Server
Installing a Windows operating system in a testing environment is essential for learning security skills, as it is the predominant OS in production systems. The provided scenario uses Windows XP SP2. Since Windows XP is older, many flaws and vulnerabilities can be exploited in testing.
Preparation
To complete tasks and exercises, obtain a copy of Windows XP SP2. As it is no longer supported by Microsoft, acquisition is up to you from third-party vendors or other means.
Steps
After booting from the Windows XP image, a blue menu screen guides installation. First, define the partition for installation (usually one option). Choose quick or full disk format. Then, answer configuration questions, leading to:
First, provide a name and organization. The name is assigned to the initial account; organization is metadata only. Next, provide computer name and administrator password, as shown:
Use a unique computer name if joining a domain. Set a memorable administrator password. Then, set date, time, and timezone, as shown:
After configuring time, assign the system to a workgroup or domain. Most exercises can use either, but some remote SMB auditing tasks require domain joining. See:
After installation, you'll be prompted to protect your PC with automatic updates. Default is enabled, but for testing, select Not right now.
How It Works
Windows XP SP2 is a valuable addition to any beginner's security environment. Its age provides numerous vulnerabilities for testing and exploitation. As skills improve, introduce newer OSes like Windows 7.
1.6 Increasing Windows Attack Surface
To further expand the attack surface on Windows, add vulnerable software and enable/disable integrated components.
Preparation
Before modifying Windows configuration, install the OS on a VM if not done. Refer to "Installing Windows Server" if needed.
Steps
Enabling remote services, especially unpatched ones, effectively introduces vulnerabilities. First, enable Simple Network Management Protocol (SNMP). Open the Start menu, click Control Panel, double-click Add or Remove Programs, then click Add/Remove Windows Components on the left, as shown:
Scroll to Management and Monitoring Tools, double-click to open options, as shown:
Ensure SNMP and WMI SNMP Provider are checked. Click OK to start installation. If prompted for the Windows XP disc, access VM settings, enable the virtual CD/DVD drive, and browse to the ISO file, as shown:
Once detected, installation completes automatically. Also, disable some default services. Open Control Panel, double-click Security Center, scroll to Windows Firewall and ensure it's off, as shown:
After turning off the firewall, click OK, scroll to Automatic Updates, and ensure it's also off.
How It Works
Enabling functional services and disabling security services increases breach risk. By increasing vulnerabilities, we create more opportunities for learning attack patterns and exploits. This technique focuses on integrated Windows components; installing third-party vulnerable packages is also useful. Find vulnerable software at:
http://www.exploit-db.com/http://www.oldversion.com/
1.7 Installing Kali Linux
Kali Linux is a comprehensive penetration testing toolkit and development environment for scanning scripts discussed in this book.
Preparation
Before installing Kali Linux, obtain the ISO from a trusted source: http://www.kali.org/downloads/.
Steps
After booting from the Kali Linux image, you'll see the initial boot menu. Scroll to the fourth option, Install, and press Enter to start installation:
The process guides you through questions. First, provide location and language. Then, choose keyboard configuration manually or via detection. Next, set the hostname, as shown:
Set the root account password with a strong one, as shown:
Next, set the timezone. The system guesses based on IP; confirm or manually select, as shown:
For disk partitioning, use the default method and scheme for lab purposes:
Use a mirror to keep Kali Linux updated:
Next, provide an HTTP proxy address; leave blank for exercises:
Finally, select Yes to install the GRUB bootloader and press Enter to finish. After loading, log in with the root credentials provided during installation:
How It Works
Kali Linux is a Debian-based distribution with numerous pre-installed penetration tools. While tools can be obtained independently, Kali's organization makes it a powerful tool for penetration testers.
1.8 Configuring and Using SSH
Managing multiple VMs can be tedious. To reduce switching between VM screens and improve communication, configure and enable SSH on each virtual system. This technique discusses using SSH on Linux VMs.
Preparation
To use SSH on VMs, install an SSH client on the host system. SSH clients are integrated into most Linux and OS X systems, accessible via terminal. For Windows hosts, download and install a terminal service client like PuTTY from http://www.putty.org/.
Steps
First, enable SSH directly from the terminal in the graphical interface. Run this command in the VM client. All VMs except Windows XP are Linux distributions and should support SSH natively. Steps are similar across distributions:
The command /etc/init.d/ssh start starts the service. Prepend sudo if not logged in as root. If an error occurs, SSH daemon may not be installed; use apt-get install ssh to install. Then, use ifconfig to get the system's IP address for SSH connections. Once activated, access VMware guest systems from the host via SSH. Minimize the VM and open the host's SSH client.
On Mac OS X or Linux, use the terminal directly. On Windows, use PuTTY. In this example, establish an SSH session with the Kali VM's IP address:
demo@host:~$ ssh root@172.16.36.244
The authenticity of host '172.16.36.244 (172.16.36.244)' can't be established.
RSA key fingerprint is c7:13:ed:c4:71:4f:89:53:5b:ee:cf:1f:40:06:d9:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.36.244' (RSA) to the list of known hosts.
root@172.16.36.244's password:
Linux kali 3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali5 i686
The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. root@kali:~#
The proper SSH client usage is ssh [user]@[IP address]. In this example, SSH accesses the Kali system using the root account. Since the host isn't in the known hosts list, confirm the connection by typing yes. Then enter the root password. After authentication, access the system via remote shell. The same can be done with PuTTY on Windows. Download PuTTY, open it, enter the VM's IP in the Hostname field, ensure SSH is selected, as shown:
After setting the connection, click Open to start the session. Enter username and password when prompted. After authentication, access the system via remote terminal, as shown:
To avoid password authentication each time, add the public key to the authorized_keys file on the remote host. Process:
root@kali:~# ls .ssh
ls: cannot access .ssh: No such file or directory
root@kali:~# mkdir .ssh
root@kali:~# cd .ssh/
root@kali:~/.ssh# nano authorized_keys
First, ensure the .ssh hidden directory exists in the root directory. Use ls with the directory name. If not present, create it with mkdir. Then, change to that directory with cd. Use Nano or VIM to create a file named authorized_keys. If unfamiliar with these text editors, see "Using Text Editors (VIM and Nano)" later. In this file, paste the public key used by the SSH client, as shown:
demo@host:~$ ssh root@172.16.36.244
Linux kali 3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali5 i686
The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Sat May 10 22:38:31 2014 from 172.16.36.1
root@kali:~#
Once done, you should connect via SSH without providing a password.
How It Works
SSH establishes an encrypted communication channel between client and server. This channel can provide remote management services and securely transfer files using Secure Copy (SCP).
1.9 Installing Nessus on Kali
Nessus is a powerful vulnerability scanner that can be installed on Kali Linux. This technique discusses installing, starting, and activating the Nessus service.
Preparation
Before installing Nessus, obtain an activation code required for audit plugins. For home or lab use, get a free HomeFeed key. For production audits, obtain a ProfessionalFeed key. Get it at: http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code.
Steps
After obtaining the activation code, download the Nessus installation package at: http://www.tenable.com/products/nessus/select-your-operating-system. The following screenshot shows platforms and packages:
Select the appropriate package for your OS architecture. Read and agree to Tenable's subscription agreement, then save the file to a desired location:
In this example, the package is saved to the root directory. After downloading, install from the command line via SSH or terminal on the graphical desktop:
root@kali:~# ls
Desktop Nessus-5.2.6-debian6_i386.deb
root@kali:~# dpkg -i Nessus-5.2.6-debian6_i386.deb
Selecting previously unselected package nessus.
(Reading database ... 231224 files and directories currently installed.)
Unpacking nessus (from Nessus-5.2.6-debian6_i386.deb) ...
Setting up nessus (5.2.6) ...
nessusd (Nessus) 5.2.6 [build N25116] for Linux
Copyright (C) 1998 - 2014 Tenable Network Security, Inc
Processing the Nessus plugins... [##################################################]
All plugins loaded
- You can start nessusd by typing /etc/init.d/nessusd start
- Then go to https://kali:8834/ to configure your scanner
root@kali:~# /etc/init.d/nessusd start
Starting Nessus : .
Use ls to verify the package is in the current directory. Install using the Debian package manager (dpkg) with the -i option. After installation, start the service with /etc/init.d/nessusd start. Nessus runs entirely from a web interface, accessible from other machines. To manage from the Kali system, access via browser: https://127.0.0.1:8834/. Alternatively, access remotely using the Kali VM's IP address, e.g., https://172.16.36.244:8834:
By default, Nessus uses a self-signed SSL certificate, so you'll see an untrusted connection warning. For lab use, ignore this by expanding I Understand the Risks, as shown:
Expand this option and click Add Exception to avoid future warnings. After adding, you'll see a welcome screen. Click Get Started, leading to:
The first configuration is the administrator user account and password. These credentials log in and use Nessus. After entering, click Next; you'll see:
Enter the activation code. If you don't have one, refer to the Preparation section. After entering, you'll return to the login page. Enter the credentials created during installation. The default screen after each visit is:
How It Works
Properly installed, Nessus is accessible from the host system and all VMs with graphical web browsers because the service hosts on TCP port 8834, and all systems have network interfaces in the same private IP space.
1.10 Configuring Burp Suite on Kali
Burp Suite Proxy is a practical and powerful web application auditing tool. However, it isn't a simple click-to-start tool. Modify Burp Suite application and related web browser configurations to ensure proper communication.
Preparation
First launching Burp Suite in Kali Linux requires no preparation; the free version is integrated. Alternatively, purchase a Pro license at https://pro.portswigger.net/buy/. The Pro version is relatively inexpensive and offers extra features, but the free version is still very useful with most core functions.
Steps
Burp Suite is a GUI tool requiring access to a graphical desktop, so it cannot be used via SSH. Two ways to launch Burp Suite in Kali: browse Applications > Kali Linux > Top 10 Security Tools > burpsuite, or execute by passing it to the Java interpreter in a bash terminal:
root@kali:~# java -jar /usr/bin/burpsuite.jar
After loading Burp Suite, ensure the proxy listener is active and running on the desired port (e.g., TCP port 8080). Verify via the Proxy tab, then Options sub-tab, as shown:
Here, you see all proxy listeners. If none, add one. For use with IceWeasel in Kali, configure the listener to listen on 127.0.0.1 on a specific port, and ensure Running is checked. After configuring the listener in Burp Suite, modify IceWeasel browser configuration to forward traffic through the proxy. Open IceWeasel by clicking the globe icon at the top. Then, expand Edit > Preferences:
In IceWeasel preferences, click the Advanced button at the top, select the Network tab, then click Settings under Connection. This opens Connection Settings, as shown:
By default, the proxy radio button is set to Use system proxy settings. Change to Manual proxy configuration. Manual configuration should match Burp Suite proxy listener settings. In this example, HTTP proxy address is 127.0.0.1 and port is 8080. To capture other traffic like HTTPS, check Use this proxy server for all protocols. Verify everything works by browsing a website with IceWeasel, as shown:
If configured correctly, the browser will try to connect but nothing renders because requests are intercepted by the proxy. Proxy interception is the default in Burp Suite. To confirm capture, return to Burp Suite proxy interface:
Here, you should see captured requests. To use the browser for other purposes, change proxy configuration to passive listening by clicking Intercept is on to disable it, or change browser proxy settings back to Use system proxy settings when not using Burp.
How It Works
The initial configuration in Burp Suite creates a listening port on TCP 8080. This port intercepts all web traffic and receives inbound traffic from responses. By pointing IceWeasel's proxy configuration to this port, all traffic generated in the browser routes through Burp Suite proxy. With Burp's functionality, we can modify traffic en route.
1.11 Using Text Editors (VIM and Nano)
Text editors are frequently used to create or modify files. Use a text editor in Kali whenever creating custom scripts or modifying configuration files or existing penetration testing tools.
Preparation
No additional steps are required before using text editors in Kali Linux. VIM and Nano are integrated tools already installed.
Steps
To create a file with VIM in Kali, use the vim command with the filename to create or modify:
root@kali:~# vim vim_demo.txt
In this example, VIM creates a file named vim_demo.txt. Since no file with that name exists, VIM creates a new file and opens an empty text editor. To start entering text, press I or Insert. Then, type desired text:
Write to file demonstration with VIM
~
~
~
~
In this example, one line is added. Press Esc to exit insert mode and enter command mode in VIM. Then, type :wq and press Enter to save. Verify the file exists and view its contents:
root@kali:~# ls
Desktop vim_demo.txt
root@kali:~# cat vim_demo.txt
Write to file demonstration with VIM
Use ls to see directory contents; vim_demo.txt is created. Use cat to read and display file contents. An alternative text editor is Nano. Basic usage is similar to VIM. Start with nano followed by the filename:
root@kali:~# nano nano_demo.txt
In this example, nano opens nano_demo.txt. Since the file doesn't exist, a new file is created. Unlike VIM, Nano has no separate command and write modes; writing is automatic, and commands execute by pressing Ctrl plus specific letter keys. Commands are listed at the editor's bottom:
GNU nano 2.2.6 File: nano_demo.txt
Write to file demonstration with Nano
This example writes one line to nano_demo.txt. To close the editor, use Ctrl + X, then prompted to save with y or not with n. Confirm the filename; default is the name provided to Nano, but it can be changed to save as a different name:
root@kali:~# ls
Desktop nano_demo.txt vim_demo.txt
root@kali:~# cat nano_demo.txt
Write to file demonstration with Nano
After completion, use ls and cat to verify file creation and contents. This technique discusses basic usage of each editor for writing and manipulating files. Note these are powerful text editors with many other features. For more information, use man followed by the editor name to access manual pages.
How It Works
Text editors are command-line-driven character processing tools. Without graphical components, they require minimal overhead and are extremely fast, making them effective for quickly modifying files or handling files via remote terminal interfaces like SSH or Telnet.
Exploring Scanning
2.1 Exploring Layer 2 with Scapy
Scapy is a powerful interactive tool for capturing, analyzing, manipulating, and creating protocol-compliant network traffic for injection. It can also be used as a library in Python for efficient scripting. This technique demonstrates using Scapy for ARP discovery and creating scripts to simplify Layer 2 discovery.
Preparation
To perform ARP discovery with Scapy, need at least one system on the LAN responding to ARP requests. Examples use a mix of Linux and Windows systems. For setting up systems, refer to "Installing Metasploitable2" and "Installing Windows Server" in Chapter 1. Also, a text editor like VIM or Nano is needed for script writing; see "Using Text Editors (VIM and Nano)" in Chapter 1.
Steps
To understand ARP discovery, use Scapy to develop custom packets for identifying LAN hosts. Start Scapy in Kali with scapy. View default configuration of an ARP object with display():
>>> ARP().display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:fd:01:05
psrc= 172.16.36.232
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
Note IP and MAC source addresses auto-configure to host values. Default opcode is who-has for requesting IP-MAC associations. Only need to provide target IP address. Create an ARP object assigned to a variable:
>>> arp_request = ARP()
>>> arp_request.pdst = "172.16.36.135"
>>> arp_request.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:65:fc:d2
psrc= 172.16.36.132
hwdst= 00:00:00:00:00:00
pdst= 172.16.36.135
Call display() on the new ARP object to verify updated configuration. Use an active system's IP in your lab. Then, sr1() sends the request and returns the first response:
>>> sr1(arp_request)
Begin emission:
......................................*
Finished to send 1 packets.
Received 39 packets, got 1 answers, remaining 0 packets
<ARP hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:3d:84:32 psrc=172.16.36.135 hwdst=00:0c:29:65:fc:d2 pdst=172.16.36.132 |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
Alternatively, directly call the function with configurations as arguments, avoiding unnecessary variables:
>>> sr1(ARP(pdst="172.16.36.135"))
Begin emission: .........................*
Finished to send 1 packets.
Received 26 packets, got 1 answers, remaining 0 packets
<ARP hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:3d:84:32 psrc=172.16.36.135 hwdst=00:0c:29:65:fc:d2 pdst=172.16.36.132 |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
Responses indicate IP 172.16.36.135 has MAC 00:0C:29:3D:84:32. If targeting a non-responsive IP, no response; use Ctrl + C to stop or specify a timeout parameter:
>>> arp_request.pdst = "172.16.36.134"
>>> sr1(arp_request, timeout=1)
Begin emission:
......................................................................... ............
Finished to send 1 packets.
................................. ......................................................................... ........................................
Received 3285 packets, got 0 answers, remaining 1 packets
>>>
With timeout, requests to non-responsive hosts return after specified time with 0 answers. Responses can be assigned to variables for processing:
>>> response = sr1(arp_request, timeout=1)
Begin emission:
....................................*
Finished to send 1 packets.
Received 37 packets, got 1 answers, remaining 0 packets
>>> response.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= is-at
hwsrc= 00:0c:29:3d:84:32
psrc= 172.16.36.135
hwdst= 00:0c:29:65:fc:d2
pdst= 172.16.36.132
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Scapy can be used as a library in Python for automation. Example script for sequential Layer 2 discovery:
#!/usr/bin/python
import logging
import subprocess
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sys
if len(sys.argv) != 2:
print "Usage - ./arp_discovery.py [interface]"
print "Example - ./arp_discovery.py eth0"
print "This script performs an ARP scan on the local subnet of the specified interface."
sys.exit()
interface = str(sys.argv[1])
ip = subprocess.check_output("ifconfig " + interface + " | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1", shell=True).strip()
prefix = ip.split('.')[0] + '.' + ip.split('.')[1] + '.' + ip.split('.')[2] + '.'
for last_octet in range(0,254):
answer = sr1(ARP(pdst=prefix+str(last_octet)), timeout=1, verbose=0)
if answer == None:
pass
else:
print prefix+str(last_octet)
First line identifies Python interpreter location. Import Scapy functions and set logging level. Import subprocess for system call info. Conditional test checks for required argument; if missing, output usage and exit. Assign argument to interface. Use check_output() to execute ifconfig, extract IP address with grep and cut, assign to ip. Extract /24 network prefix with split. for loop iterates through last octet values (0-254), sending ARP request to each possible IP. Responses evaluated; if reply, print IP. Use & for parallel execution to reduce time.
Execute script with ./:
root@KaliLinux:~# ./arp_discovery.py
Usage - ./arp_discovery.py [interface]
Example - ./arp_discovery.py eth0
This script performs an ARP scan on the local subnet of the specified interface.
root@KaliLinux:~# ./arp_discovery.py eth0
172.16.36.1
172.16.36.2
172.16.36.132
172.16.36.135
172.16.36.254
Without argument, output usage. With eth0, perform scan and output active IPs. Redirect output to file:
root@KaliLinux:~# ./arp_discovery.py eth0 > output.txt
root@KaliLinux:~# ls output.txt
output.txt
root@KaliLinux:~# cat output.txt
172.16.36.1
172.16.36.2
172.16.36.132
172.16.36.135
172.16.36.254
Script can be modified to scan IPs from an input file. First, create input file with IP list:
root@KaliLinux:~# cat iplist.txt
172.16.36.1
172.16.36.2
172.16.36.232
172.16.36.135
172.16.36.180
172.16.36.203
172.16.36.205
172.16.36.254
Script for file input:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sys
if len(sys.argv) != 2:
print "Usage - ./arp_discovery_file.py [filename]"
print "Example - ./arp_discovery_file.py iplist.txt"
print "This script performs an ARP scan of IP addresses listed in the file."
sys.exit()
filename = str(sys.argv[1])
file = open(filename,'r')
for line in file:
target_ip = line.strip()
answer = sr1(ARP(pdst=target_ip), timeout=1, verbose=0)
if answer == None:
pass
else:
print target_ip
Differences: variable file instead of interface, use open() for read-only access. for loop reads each IP from file, sends ARP request, outputs responsive IPs. Execute:
root@KaliLinux:~# ./arp_discovery_file.py
Usage - ./arp_discovery_file.py [filename]
Example - ./arp_discovery_file.py iplist.txt
This script performs an ARP scan of IP addresses listed in the file.
root@KaliLinux:~# ./arp_discovery_file.py iplist.txt
172.16.36.2
172.16.36.1
172.16.36.132
172.16.36.135
172.16.36.254
Output can be redirected similarly.
How It Works
Using sr1() (send/receive single) function in Scapy for ARP discovery. Function injects packet defined by arguments and waits for single response. Broadcast ARP request, functon returns response. Scapy integrates this into scripts for testing multiple systems.
2.2 Exploring Layer 2 with ARPing
ARPing is a command-line network tool similar to ping. Identify active hosts on local network by providing IP address as argument. This technique discusses using ARPing to scan for active hosts.
Preparation
Need at least one system on LAN responding to ARP requests. Use mix of Linux and Windows. For setup, refer to "Installing Metasploitable2" and "Installing Windows Server" in Chapter 1. Text editor needed for scripts; see "Using Text Editors (VIM and Nano)".
Steps
ARPing sends ARP requests to determine if host is active. Use with IP address as argument:
root@KaliLinux:~# arping 172.16.36.135 -c 1
ARPING 172.16.36.135
60 bytes from 00:0c:29:3d:84:32 (172.16.36.135): index=0 time=249.000 usec
--- 172.16.36.135 statistics --
1 packets transmitted, 1 packets received, 0% unanswered (0 extra)
Single ARP request sent to broadcast for IP 172.16.36.135; response from MAC 00:0C:29:3D:84:32. More efficient with bash script for multiple hosts. Identify unique string in response for active hosts vs. non-responsive. Test non-responsive IP:
root@KaliLinux:~# arping 172.16.36.136 -c 1
ARPING 172.16.36.136
--- 172.16.36.136 statistics --
1 packets transmitted, 0 packets received, 100% unanswered (0 extra)
For active hosts, response contains bytes from. Extract IP with grep and cut:
root@KaliLinux:~# arping -c 1 172.16.36.135 | grep "bytes from"
60 bytes from 00:0c:29:3d:84:32 (172.16.36.135): index=0 time=10.000 usec
root@KaliLinux:~# arping -c 1 172.16.36.135 | grep "bytes from" | cut -d " " -f 5
(172.16.36.135):
root@KaliLinux:~# arping -c 1 172.16.36.135 | grep "bytes from" | cut -d " " -f 5 | cut -d "(" -f 2 | cut -d ")" -f 1
172.16.36.135
Use in bash script for sequential scan:
#!/bin/bash
if [ "$#" -ne 1 ]; then
echo "Usage - ./arp_scan.sh [interface]"
echo "Example - ./arp_scan.sh eth0"
echo "This script performs an ARP scan on the local subnet of the specified interface."
exit
fi
network_interface=$1
network_prefix=$(ifconfig $network_interface | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1 | cut -d '.' -f 1-3)
for last_octet in $(seq 1 254); do
arping -c 1 $network_prefix.$last_octet | grep "bytes from" | cut -d " " -f 5 | cut -d "(" -f 2 | cut -d ")" -f 1 &
done
First line defines bash interpreter. Conditional test for argument; if missing, output usage and exit. Assign argument to network_interface. Extract network prefix from interface IP. for loop iterates last octet (1-254), sends ARP request, extracts IP from response. & for parallel execution. Execute:
root@KaliLinux:~# ./arp_scan.sh
Usage - ./arp_scan.sh [interface]
Example - ./arp_scan.sh eth0
This script performs an ARP scan on the local subnet of the specified interface.
root@KaliLinux:~# ./arp_scan.sh eth0
172.16.36.1
172.16.36.2
172.16.36.132
172.16.36.135
172.16.36.254
Redirect output:
root@KaliLinux:~# ./arp_scan.sh eth0 > output.txt
root@KaliLinux:~# ls output.txt
output.txt
root@KaliLinux:~# cat output.txt
172.16.36.1
172.16.36.2
172.16.36.132
172.16.36.135
172.16.36.254
Script for input file:
#!/bin/bash
if [ "$#" -ne 1 ]; then
echo "Usage - ./arp_scan_file.sh [input file]"
echo "Example - ./arp_scan_file.sh iplist.txt"
echo "This script performs an ARP scan of IP addresses in the file."
exit
fi
input_file=$1
for target_ip in $(cat $input_file); do
arping -c 1 $target_ip | grep "bytes from" | cut -d " " -f 5 | cut -d "(" -f 2 | cut -d ")" -f 1 &
done
Changes: argument is filename, for loop reads from file. Execute:
root@KaliLinux:~# ./arp_scan_file.sh
Usage - ./arp_scan_file.sh [input file]
Example - ./arp_scan_file.sh iplist.txt
This script performs an ARP scan of IP addresses in the file.
root@KaliLinux:~# ./arp_scan_file.sh iplist.txt
172.16.36.1
172.16.36.2
172.16.36.132
172.16.36.135
172.16.36.254
Redirect output similarly.
How It Works
ARPing verifies single host online. By looping through IP range in bash, perform sequential scan. Tool sends ARP requests; responses indicate active hosts.
2.3 Exploring Layer 2 with Nmap
Nmap is powerful and versatile in Kali Linux. Supports various scanning techniques, including Layer 2 discovery. This technique demonstrates using Nmap for Layer 2 scanning.
Preparation
Need at least one system on LAN responding to ARP requests. Use mix of Linux and Windows. For setup, refer to "Installing Metasploitable2" and "Installing Windows Server" in Chapter 1.
Steps
Nmap adaptive; -sn option is ping scan. For local subnet addresses, perform Layer 2 scan:
root@KaliLinux:~# nmap 172.16.36.135 -sn
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 15:40 EST
Nmap scan report for 172.16.36.135
Host is up (0.00038s latency).
MAC Address: 00:0C:29:3D:84:32 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
Command sends ARP request to LAN broadcast; response determines active host. For non-active IP:
root@KaliLinux:~# nmap 172.16.36.136 -sn
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 15:51 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.41 seconds
Scan range with dash notation:
root@KaliLinux:~# nmap 172.16.36.0-255 -sn
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-11 05:35 EST
Nmap scan report for 172.16.36.1
Host is up (0.00027s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 172.16.36.2
Host is up (0.00032s latency).
MAC Address: 00:50:56:FF:2A:8E (VMware)
Nmap scan report for 172.16.36.132
Host is up.
Nmap scan report for 172.16.36.135
Host is up (0.00051s latency).
MAC Address: 00:0C:29:3D:84:32 (VMware)
Nmap scan report for 172.16.36.200
Host is up (0.00026s latency).
MAC Address: 00:0C:29:23:71:62 (VMware)
Nmap scan report for 172.16.36.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:EA:54:3A (VMware)
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.22 seconds
Scan IP list with -iL:
root@KaliLinux:~# nmap -iL iplist.txt -sn
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 16:07 EST
Nmap scan report for 172.16.36.2
Host is up (0.00026s latency).
MAC Address: 00:50:56:FF:2A:8E (VMware)
Nmap scan report for 172.16.36.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 172.16.36.132
Host is up (0.00031s latency).
MAC Address: 00:0C:29:65:FC:D2 (VMware)
Nmap scan report for 172.16.36.135
Host is up (0.00014s latency).
MAC Address: 00:0C:29:3D:84:32 (VMware)
Nmap scan report for 172.16.36.180
Host is up.
Nmap scan report for 172.16.36.254
Host is up (0.00024s latency).
MAC Address: 00:50:56:EF:B9:9C (VMware)
Nmap done: 8 IP addresses (6 hosts up) scanned in 0.41 seconds
With -sn, Nmap first tries Layer 2 ARP for local hosts; if not local, uses Layer 3 ICMP. For remote network, ICMP used:
root@KaliLinux:~# nmap -sn 74.125.21.0-255
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-11 05:42 EST
Nmap scan report for 74.125.21.0
Host is up (0.0024s latency).
Nmap scan report for 74.125.21.1
Host is up (0.00017s latency).
Nmap scan report for 74.125.21.2
Host is up (0.00028s latency).
Nmap scan report for 74.125.21.3
Host is up (0.00017s latency).
No MAC addresses returned for remote scan, indicating Layer 3 discovery.
How It Works
Nmap highly functional; minimal adjustment needed. Sends ARP requests to broadcast for IP range, marks responses for active hosts. Integrated into Nmap with appropriate parameters.
2.4 Exploring Layer 2 with NetDiscover
NetDiscover identifies network hosts via ARP active and passive analysis. Primarily for wireless interfaces but functional in other environments. This technique demonstrates active and passive scanning.
Preparation
Need at least one system on LAN responding to ARP requests. Use mix of Linux and Windows. For setup, refer to "Installing Metasploitable2" and "Installing Windows Server".
Steps
NetDiscover designed for Layer 2 discovery. Scan IP range with -r option and CIDR notation:
root@KaliLinux:~# netdiscover -r 172.16.36.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 5 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
----------------------------------------------------------------------------
172.16.36.1 00:50:56:c0:00:08 01 060 VMWare, Inc.
172.16.36.2 00:50:56:ff:2a:8e 01 060 VMWare, Inc.
172.16.36.132 00:0c:29:65:fc:d2 01 060 VMware, Inc.
172.16.36.135 00:0c:29:3d:84:32 01 060 VMware, Inc.
172.16.36.254 00:50:56:ef:b9:9c 01 060 VMWare, Inc.
Output includes active IPs, MACs, response count, length, vendor. Scan from input file with -l:
root@KaliLinux:~# netdiscover -l iplist.txt
Currently scanning: 172.16.36.0/24 | Screen View: Unique Hosts
39 Captured ARP Req/Rep packets, from 5 hosts. Total size: 2340
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
----------------------------------------------------------------------------
172.16.36.1 00:50:56:c0:00:08 08 480 VMWare, Inc.
172.16.36.2 00:50:56:ff:2a:8e 08 480 VMWare, Inc.
172.16.36.132 00:0c:29:65:fc:d2 08 480 VMware, Inc.
172.16.36.135 00:0c:29:3d:84:32 08 480 VMware, Inc.
172.16.36.254 00:50:56:ef:b9:9c 07 420 VMWare, Inc.
Perform passive discovery with -p; listens for ARP traffic without sending requests, more stealthy:
root@KaliLinux:~# netdiscover -p
Currently scanning: (passive) | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 2 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
----------------------------------------------------------------------------
172.16.36.132 00:0c:29:65:fc:d2 02 120 VMware, Inc.
172.16.36.135 00:0c:29:3d:84:32 02 120 VMware, Inc.
Passive slower as relies on normal network traffic; effective in wireless or broadcast networks.
How It Works
Basic ARP discovery similar to other methods. Differences: passive mode and MAC vendor inclusion. Vendor identified from first 3 bytes of MAC address.
2.5 Exploring Layer 2 with Metasploit
Metasploit primarily an exploitation tool, but has auxiliary modules for scanning. This technique uses Metasploit for ARP discovery.
Preparation
Need at least one system on LAN responding to ARP requests. Use mix of Linux and Windows. For setup, refer to "Installing Metasploitable2" and "Installing Windows Server".
Steps
Start Metasploit with msfconsole. Use ARP sweep module:
root@KaliLinux:~# msfconsole
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) >
View options with show options:
Module options (auxiliary/scanner/discovery/arp_sweep):
Name Current Setting Required Description
---- --------------- -------- ----------
INTERFACE no The name of the interface
RHOSTS yes The target address range or CIDR identifier
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 1 yes The number of concurrent threads
TIMEOUT 5 yes The number of seconds to wait for new data
Configure based on system. Example: interface eth1, target 172.16.36.0/24, source IP and MAC from ifconfig:
msf auxiliary(arp_sweep) > set interface eth1
interface => eth1
msf auxiliary(arp_sweep) > set RHOSTS 172.16.36.0/24
RHOSTS => 172.16.36.0/24
msf auxiliary(arp_sweep) > set SHOST 172.16.36.180
SHOST => 172.16.36.180
msf auxiliary(arp_sweep) > set SMAC 00:0c:29:09:c3:79
SMAC => 00:0c:29:09:c3:79
msf auxiliary(arp_sweep) > set THREADS 20
THREADS => 20
msf auxiliary(arp_sweep) > set TIMEOUT 1
TIMEOUT => 1
Verify with show options. Run scan:
msf auxiliary(arp_sweep) > run
[*] 172.16.36.1 appears to be up (VMware, Inc.).
[*] 172.16.36.2 appears to be up (VMware, Inc.).
[*] 172.16.36.132 appears to be up (VMware, Inc.).
[*] 172.16.36.135 appears to be up (VMware, Inc.).
[*] 172.16.36.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
How It Works
Metasploit sends ARP requests to IP range, outputs active systems with IP and vendor.
2.6 Exploring Layer 3 with ICMP
Layer 3 discovery commonly uses ICMP ping. This technique demonstrates using ping for host discovery.
Preparation
No specific lab needed as many Internet systems reply to ICMP. However, recommended to use own lab. Need at least one system responding to ICMP. For setup, refer to earlier techniques. Text editor needed for scripts.
Steps
Use ping to test host activity:
root@KaliLinux:~# ping 172.16.36.135
PING 172.16.36.135 (172.16.36.135) 56(84) bytes of data.
64 bytes from 172.16.36.135: icmp_seq=1 ttl=64 time=1.35 ms
64 bytes from 172.16.36.135: icmp_seq=2 ttl=64 time=0.707 ms
64 bytes from 172.16.36.135: icmp_seq=3 ttl=64 time=0.369 ms
^C
--- 172.16.36.135 ping statistics --
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.369/0.809/1.353/0.409 ms
ICMP echo request sent to IP. Conditions for reply: IP assigned, system online, route available, system configured to respond ICMP, no firewalls blocking. Use -c for packet count:
root@KaliLinux:~# ping 172.16.36.135 -c 2
PING 172.16.36.135 (172.16.36.135) 56(84) bytes of data.
64 bytes from 172.16.36.135: icmp_seq=1 ttl=64 time=0.611 ms
64 bytes from 172.16.36.135: icmp_seq=2 ttl=64 time=0.395 ms
--- 172.16.36.135 ping statistics --
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.395/0.503/0.611/0.108 ms
Use in bash script for multiple hosts. Identify unique string in response. Test active and non-active IPs:
root@KaliLinux:~# ping 74.125.137.147 -c 1
PING 74.125.137.147 (74.125.137.147) 56(84) bytes of data.
64 bytes from 74.125.137.147: icmp_seq=1 ttl=128 time=31.3 ms
--- 74.125.137.147 ping statistics --
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 31.363/31.363/31.363/0.000 ms
root@KaliLinux:~# ping 83.166.169.231 -c 1
PING 83.166.169.231 (83.166.169.231) 56(84) bytes of data.
--- 83.166.169.231 ping statistics --
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Unique string bytes from only in active responses. Extract IP with grep and cut:
root@KaliLinux:~# ping 74.125.137.147 -c 1 | grep "bytes from"
64 bytes from 74.125.137.147: icmp_seq=1 ttl=128 time=37.2 ms
root@KaliLinux:~# ping 74.125.137.147 -c 1 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1
74.125.137.147
Script for sequential scan:
#!/bin/bash
if [ "$#" -ne 1 ]; then
echo "Usage - ./ping_sweep.sh [/24 network address]"
echo "Example - ./ping_sweep.sh 172.16.36.0"
echo "This script performs an ICMP ping sweep on the specified /24 network."
exit
fi
prefix=$(echo $1 | cut -d '.' -f 1-3)
for last_octet in $(seq 1 254); do
ping -c 1 $prefix.$last_octet | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &
done
First line bash interpreter. Conditional test for argument. Extract network prefix. for loop sends ping to each IP, extracts IP from response. & for parallel. Execute:
root@KaliLinux:~# ./ping_sweep.sh
Usage - ./ping_sweep.sh [/24 network address]
Example - ./ping_sweep.sh 172.16.36.0
This script performs an ICMP ping sweep on the specified /24 network.
root@KaliLinux:~# ./ping_sweep.sh 172.16.36.0
172.16.36.2
172.16.36.1
172.16.36.232
172.16.36.249
Redirect output:
root@KaliLinux:~# ./ping_sweep.sh 172.16.36.0 > output.txt
root@KaliLinux:~# ls output.txt
output.txt
root@KaliLinux:~# cat output.txt
172.16.36.2
172.16.36.1
172.16.36.232
172.16.36.249
How It Works
Ping identifies single host activity. Bash script loops through IP range, using ping for sequential scanning.
2.7 Exploring Layer 3 with Scapy
Scapy crafts custom packets for network traffic. This technique demonstrates using Scapy for Layer 3 ICMP discovery.
Preparation
No specific lab needed, but recommended to use own lab. Need at least one system responding to ICMP. For setup, refer to earlier techniques. Text editor needed for scripts.
Steps
In Scapy, stack layers for ICMP echo request. Start with IP layer:
>>> ip = IP()
>>> ip.dst = "172.16.36.135"
>>> ip.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= ip
chksum= None
src= 172.16.36.180 # auto-updated
dst= 172.16.36.135
\options\
Add ICMP layer:
>>> icmp_req = ICMP()
>>> icmp_req.display()
###[ ICMP ]###
type= echo-request
code= 0
chksum= None
id= 0x0
seq= 0x0
Stack layers:
>>> packet = (ip/icmp_req)
>>> packet.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= icmp
chksum= None
src= 172.16.36.180
dst= 172.16.36.135
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= None
id= 0x0
seq= 0x0
Send with sr1():
>>> reply = sr1(packet, timeout=1)
Begin emission:
.........
Finished to send 1 packets.
...*
Received 15 packets, got 1 answers, remaining 0 packets
>>> reply.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 62577
flags= DF
frag= 0L
ttl= 64
proto= icmp
chksum= 0xe513
src= 172.16.36.135
dst= 172.16.36.180
\options\
###[ ICMP ]###
type= echo-reply
code= 0
chksum= 0xffff
id= 0x0
seq= 0x0
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
For non-responsive IP, use timeout:
>>> reply = sr1(IP(dst="172.16.36.136")/ICMP(), timeout=1)
Begin emission:
.......................................................................
Finished to send 1 packets.
....................................
Received 3982 packets, got 0 answers, remaining 1 packets
Script for sequential scan:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sys
if len(sys.argv) != 2:
print "Usage - ./icmp_sweep.py [/24 network address]"
print "Example - ./icmp_sweep.py 172.16.36.0"
print "This script performs an ICMP ping sweep on the specified network."
sys.exit()
address = str(sys.argv[1])
prefix = address.split('.')[0] + '.' + address.split('.')[1] + '.' + address.split('.')[2] + '.'
for last_octet in range(1,254):
reply = sr1(IP(dst=prefix+str(last_octet))/ICMP(), timeout=1, verbose=0)
if reply == None:
pass
else:
print prefix+str(last_octet)
First line Python interpreter. Import Scapy, set logging. Conditional test for argument. Extract prefix. for loop sends ICMP request to each IP, prints responsive ones. Execute:
root@KaliLinux:~# ./icmp_sweep.py
Usage - ./icmp_sweep.py [/24 network address]
Example - ./icmp_sweep.py 172.16.36.0
This script performs an ICMP ping sweep on the specified network.
root@KaliLinux:~# ./icmp_sweep.py 172.16.36.0
172.16.36.1
172.16.36.2
172.16.36.132
172.16.36.135
Redirect output.
Script for input file:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sys
if len(sys.argv) != 2:
print "Usage - ./icmp_sweep_file.py [filename]"
print "Example - ./icmp_sweep_file.py iplist.txt"
print "This script performs an ICMP ping scan of IPs in the file."
sys.exit()
filename = str(sys.argv[1])
file = open(filename,'r')
for line in file:
target_ip = line.strip()
reply = sr1(IP(dst=target_ip)/ICMP(), timeout=1, verbose=0)
if reply == None:
pass
else:
print target_ip
Similar to ARP script but with ICMP. Execute and redirect.
How It Works
Scapy constructs ICMP requests with IP layer for routing. Python scripts automate sequential scanning.
2.8 Exploring Layer 3 with Nmap
Nmap supports ICMP discovery. This technique demonstrates using Nmap for Layer 3 scanning.
Preparation
No specific lab needed, but recommended to use own lab. Need at least one system responding to ICMP. For setup, refer to earlier techniques. Text editor needed for scripts.
Steps
Nmap adaptive; -sn for ping scan. For single target:
root@KaliLinux:~# nmap -sn 74.125.228.1
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 23:05 EST
Nmap scan report for iad23s05-in-f1.1e100.net (74.125.228.1)
Host is up (0.00013s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds
Output shows host up and DNS resolution. Scan range:
root@KaliLinux:~# nmap -sn 74.125.228.1-255
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 23:14 EST
Nmap scan report for iad23s05-in-f1.1e100.net (74.125.228.1)
Host is up (0.00012s latency).
Nmap scan report for iad23s05-in-f2.1e100.net (74.125.228.2)
Host is up (0.0064s latency).
... # truncated
Nmap multi-threaded; scans quickly. Scan from input file:
root@KaliLinux:~# nmap -iL iplist.txt -sn
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-17 06:36 EST
Nmap scan report for 172.16.36.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:FF:2A:8E (VMware)
... # truncated
For remote networks, uses ICMP without MAC.
How It Works
Nmap sends ICMP echo requests to each IP. Multi-threaded for speed. Adaptive: uses ARP for local, ICMP for remote.
2.9 Exploring Layer 3 with fping
fping similar to ping with additional features for scanning. This technique demonstrates using fping for Layer 3 discovery.
Preparation
No specific lab needed, but recommended to use own lab. Need at least one system responding to ICMP. For setup, refer to earlier techniques.
Steps
fping sends ICMP echo request; stops after reply:
root@KaliLinux:~# fping 172.16.36.135
172.16.36.135 is alive
For non-responsive, tries four times:
root@KaliLinux:~# fping 172.16.36.136
ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.136
... # multiple attempts
172.16.36.136 is unreachable
Modify attempts with -c:
root@KaliLinux:~# fping 172.16.36.135 -c 1
172.16.36.135 : [0], 84 bytes, 0.67 ms (0.67 avg, 0% loss)
172.16.36.135 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.67/0.67/0.67
root@KaliLinux:~# fping 172.16.36.136 -c 1
172.16.36.136 : xmt/rcv/%loss = 1/0/100%
Output includes packets transmitted, received, loss percentage. Scan range with -g:
root@KaliLinux:~# fping -g 172.16.36.1 172.16.36.4
172.16.36.1 is alive
172.16.36.2 is alive
ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.3
...
172.16.36.3 is unreachable
172.16.36.4 is unreachable
Use CIDR notation:
root@KaliLinux:~# fping -g 172.16.36.0/24
172.16.36.1 is alive
172.16.36.2 is alive
... # truncated
Scan from input file with -f:
root@KaliLinux:~# fping -f iplist.txt
172.16.36.2 is alive
172.16.36.1 is alive
... # truncated
How It Works
fping sends ICMP echo requests to each IP, evaluates responses. Built-in scanning without scripting.
2.10 Exploring Layer 3 with hping3
hping3 versatile for host discovery. This technique demonstrates using hping3 for Layer 3 ICMP discovery.
Preparation
No specific lab needed, but recommended to use own lab. Need at least one system responding to ICMP. For setup, refer to earlier techniques.
Steps
hping3 in ICMP mode:
root@KaliLinux:~# hping3 172.16.36.1 --icmp
HPING 172.16.36.1 (eth1 172.16.36.1): icmp mode set, 28 headers + 0 data bytes
len=46 ip=172.16.36.1 ttl=64 id=41835 icmp_seq=0 rtt=0.3 ms
... # continues until Ctrl+C
Use -c for count:
root@KaliLinux:~# hping3 172.16.36.1 --icmp -c 2
HPING 172.16.36.1 (eth1 172.16.36.1): icmp mode set, 28 headers + 0 data bytes
len=46 ip=172.16.36.1 ttl=64 id=40746 icmp_seq=0 rtt=0.3 ms
len=46 ip=172.16.36.1 ttl=64 id=12231 icmp_seq=1 rtt=0.5 ms
--- 172.16.36.1 hping statistic --
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.5 ms
Script for sequential scan. Identify unique output: len for active hosts. Test non-active:
root@KaliLinux:~# hping3 172.16.36.4 --icmp -c 2
HPING 172.16.36.4 (eth1 172.16.36.4): icmp mode set, 28 headers + 0 data bytes
--- 172.16.36.4 hping statistic --
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Redirect output to file, then grep:
root@KaliLinux:~# for addr in $(seq 1 254); do hping3 172.16.36.$addr --icmp -c 1 >> handle.txt & done
... # output truncated
root@KaliLinux:~# grep len handle.txt
len=46 ip=172.16.36.2 ttl=128 id=7537 icmp_seq=0 rtt=6.6 ms
...
root@KaliLinux:~# grep len handle.txt | cut -d " " -f 2 | cut -d "=" -f 2
172.16.36.2
172.16.36.1
172.16.36.132
172.16.36.135
Script:
#!/bin/bash
if [ "$#" -ne 1 ]; then
echo "Usage - ./hping3_icmp_sweep.sh [/24 network address]"
echo "Example - ./hping3_icmp_sweep.sh 172.16.36.0"
echo "This script performs an ICMP ping sweep using hping3."
exit
fi
prefix=$(echo $1 | cut -d '.' -f 1-3)
for last_octet in $(seq 1 254); do
hping3 $prefix.$last_octet --icmp -c 1 >> handle.txt &
done
sleep 2 # wait for processes
grep len handle.txt | cut -d " " -f 2 | cut -d "=" -f 2 >> output.txt
rm handle.txt
Execute and redirect.
How It Works
hping3 sends ICMP requests; bash script loops for multiple hosts. Unique response len identifies active systems.
2.11 Exploring Layer 4 with Scapy
Layer 4 discovery can use UDP or TCP. Scapy crafts custom requests for scanning. This technique demonstrates TCP and UDP Layer 4 discovery.
Preparation
No specific lab needed, but recommended to use own lab. Need at least one system responding to TCP/UDP. For setup, refer to earlier techniques. Text editor needed for scripts.
Steps
TCP discovery: send ACK packet to trigger RST from active host. Build IP and TCP layers:
>>> ip = IP(dst="172.16.36.135")
>>> tcp = TCP(flags='A', dport=80) # ACK flag, port 80
>>> packet = ip/tcp
>>> reply = sr1(packet, timeout=1)
>>> reply.display()
# shows RST response
If port closed or host inactive, response varies. Script for sequential scan:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sys
if len(sys.argv) != 2:
print "Usage - ./tcp_ack_sweep.py [/24 network address]"
print "Example - ./tcp_ack_sweep.py 172.16.36.0"
print "This script performs a TCP ACK ping sweep."
sys.exit()
address = str(sys.argv[1])
prefix = address.split('.')[0] + '.' + address.split('.')[1] + '.' + address.split('.')[2] + '.'
for last_octet in range(1,254):
reply = sr1(IP(dst=prefix+str(last_octet))/TCP(flags='A', dport=80), timeout=1, verbose=0)
try:
if reply[TCP].flags == 4: # RST flag value
print prefix+str(last_octet)
except:
pass
Check for RST flag (value 4). Execute.
UDP discovery: send UDP request to trigger ICMP port unreachable from active host.
>>> ip = IP(dst="172.16.36.135")
>>> udp = UDP(dport=123) # NTP port
>>> packet = ip/udp
>>> reply = sr1(packet, timeout=1)
>>> reply.display()
# shows ICMP port unreachable if active
UDP less reliable; may need service-specific probes.
How It Works
Scapy constructs TCP ACK or UDP requests. TCP: ACK to arbitrary port expects RST from active host. UDP: empty request expects ICMP port unreachable. Python scripts automate sequential scanning.
2.12 Exploring Layer 4 with Nmap
Nmap supports TCP and UDP Layer 4 discovery. This technique demonstrates using Nmap for Layer 4 scanning.
Preparation
No specific lab needed, but recommended to use own lab. Need at least one system responding to TCP/UDP. For setup, refer to earlier techniques. Text editor needed for scripts.
Steps
UDP discovery with -PU and port:
root@KaliLinux:~# nmap 172.16.36.135 -PU53 -sn
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-11 20:11 EST
Nmap scan report for 172.16.36.135 Host is up (0.00042s latency).
MAC Address: 00:0C:29:3D:84:32 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Scan range:
root@KaliLinux:~# nmap 172.16.36.0-255 -PU53 -sn
... # output shows active hosts
Scan from input file:
root@KaliLinux:~# nmap -iL iplist.txt -sn -PU53
... # output
Nmap may use other discovery methods too. TCP ACK ping with -PA:
root@KaliLinux:~# nmap 172.16.36.135 -PA80 -sn
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-11 20:09 EST
Nmap scan report for 172.16.36.135
Host is up (0.00057s latency).
MAC Address: 00:0C:29:3D:84:32 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
Scan range and input file similarly.
How It Works
Nmap TCP discovery: sends ACK packets to arbitrary ports, expects RST from active hosts. UDP discovery: sends service-specific requests to trigger responses.
2.13 Exploring Layer 4 with hping3
hping3 can perform TCP and UDP discovery. This technique demonstrates using hping3 for Layer 4 scanning.
Preparation
No specific lab needed, but recommended to use own lab. Need at least one system responding to TCP/UDP. For setup, refer to earlier techniques. Text editor needed for scripts.
Steps
UDP discovery with --udp:
root@KaliLinux:~# hping3 --udp 172.16.36.132
HPING 172.16.36.132 (eth1 172.16.36.132): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=172.16.36.132 name=UNKNOWN status=0 port=2792 seq=0
... # continues
Use -c for count. Script for sequential scan; grep Unreachable:
#!/bin/bash
if [ "$#" -ne 1 ]; then
echo "Usage - ./hping3_udp_sweep.sh [/24 network address]"
echo "Example - ./hping3_udp_sweep.sh 172.16.36.0"
echo "This script performs a UDP ping sweep using hping3."
exit
fi
prefix=$(echo $1 | cut -d '.' -f 1-3)
for last_octet in $(seq 1 254); do
hping3 --udp $prefix.$last_octet -c 1 >> handle.txt &
done
sleep 2
grep Unreachable handle.txt | cut -d " " -f 5 | cut -d "=" -f 2 >> output.txt
rm handle.txt
Execute and redirect.
TCP discovery: default mode, send TCP packets.
root@KaliLinux:~# hping3 172.16.36.132 -c 1
HPING 172.16.36.132 (eth1 172.16.36.132): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=172.16.36.132 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=3.4 ms
Script for TCP scan; grep len:
#!/bin/bash
if [ "$#" -ne 1 ]; then
echo "Usage - ./hping3_tcp_sweep.sh [/24 network address]"
echo "Example - ./hping3_tcp_sweep.sh 172.16.36.0"
echo "This script performs a TCP ping sweep using hping3."
exit
fi
prefix=$(echo $1 | cut -d '.' -f 1-3)
for last_octet in $(seq 1 254); do
hping3 $prefix.$last_octet -c 1 >> handle.txt &
done
sleep 2
grep len handle.txt | cut -d " " -f 2 | cut -d "=" -f 2 >> output.txt
rm handle.txt
Execute and redirect.
How It Works
hping3 UDP: sends UDP requests, expects ICMP port unreachable for active hosts. TCP: sends TCP packets, expects responses. Bash scripts loop for multiple hosts.
This article covers techniques for network scanning using Kali Linux, from setting up virtual environments to performing Layer 2, 3, and 4 discovery with various tools like Scapy, Nmap, hping3, and Metasploit.