Monday, September 26, 2016

Scanning Network using Fping, Nmap & ICMP to Find Live Hosts

It goes without saying that you need to first know your target before you can attack one.
Knowing your target is one of the most important things a security professional has to do. You should spend a good amount of time here. 

Basic objectives of network scanning:

  • Discover live hosts (IP addresses) and their operating systems
  • Discover open ports on live hosts
  • Discover services running on open ports

Let’s do this! :) 

Fire up your Kali, Windows 7 and XP (if you have one). Make sure they are all on the VMnet1 (host-only) network so the attacker and the victims share one subnet. 

Go to your attacker machine, open up the terminal and type: ifconfig

You should see your IP address start with 192.168.x.x. Mine is With the net-mask of, it means I am on the network giving me the privilege to talk to any other hosts on my network directly.

Since this series is not meant for experts, we will not go through the rest of the information that is displayed. We cover it all in-depth with our advanced hacking course. More info on this at the bottom of the page.

A ping sweep is the most basic network scanning technique for discovering live hosts on a subnet.

How does it work?

It uses the ICMP protocol. The scanner sends an ICMP Echo Request (type 8) to every address in the range. A host that is up and allowed to answer sends back an ICMP Echo Reply (type 0); if nothing comes back within the timeout, the address is treated as down. Keep the caveat in mind: a host whose firewall drops Echo Requests (common on Windows) looks dead to a ping sweep even though it is up, so "no reply" means "no ICMP reply", not "no host".
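To make the request/reply exchange concrete, here is an added example (not code from the original post) that builds an ICMP Echo Request byte for byte, verifies the RFC 1071 checksum on a reply, and sweeps a range the way fping -g does by expanding a CIDR block into individual targets. The sweep itself needs a raw socket, so it only runs as root (or with CAP_NET_RAW); the packet builder, checksum and reply parser run anywhere. The identifier 0x1234, the payload "bitcrack" and the 192.168.56.0/24 subnet are assumptions for the example, not values from the post.

```python
"""Minimal ICMP Echo (ping) sweep, written for illustration.

Added example: not the post's own code. Assumes an IPv4 raw socket
(root / CAP_NET_RAW) for the live sweep; everything else is pure Python.
"""
import ipaddress
import os
import select
import socket
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented.

    Running this over a complete message whose checksum field is filled in
    yields 0, which is how a receiver validates it.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"bitcrack") -> bytes:
    """Type 8, code 0, checksum, identifier, sequence, then the payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo_reply(packet: bytes, ident: int):
    """Parse bytes read from a raw IPv4 socket (IP header included).

    Returns (seq, payload) for a valid Echo Reply carrying our identifier,
    otherwise None (wrong type, someone else's ident, or a bad checksum).
    """
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return None
    typ, _code, _csum, rid, seq = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_ECHO_REPLY or rid != ident:
        return None
    if icmp_checksum(icmp) != 0:          # checksum over the whole message must verify
        return None
    return seq, icmp[8:]


def expand_targets(cidr: str):
    """Generate the host addresses of a subnet, like `fping -g 192.168.56.0/24`."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def ping_sweep(targets, timeout: float = 1.0):
    """Send one Echo Request to each target and collect the addresses that reply.

    Needs a raw socket (root). Hosts that drop ICMP simply never show up.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    ident = os.getpid() & 0xFFFF
    for seq, host in enumerate(targets, start=1):
        sock.sendto(build_echo_request(ident, seq), (host, 0))
    alive = set()
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        ready, _, _ = select.select([sock], [], [], remaining)
        if not ready:
            break
        pkt, (src, _) = sock.recvfrom(1500)
        if parse_echo_reply(pkt, ident) is not None:
            alive.add(src)
    sock.close()
    return sorted(alive, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    # Assumed lab subnet; replace with your own VMnet1 network.
    for host in ping_sweep(expand_targets("192.168.56.0/24")):
        print(host, "is alive")
```

Run it as root against your own host-only subnet; the output format deliberately mirrors fping's "x.x.x.x is alive" lines so the two can be compared directly.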

Ping sweep using Fping

Type the following in the terminal: fping -g 

Replace my network address with yours. You should know yours by now. The "-g" flag tells fping to generate its own target list from the given network (either CIDR notation such as 192.168.x.0/24 or a start and end address) instead of reading targets from the command line or standard input. 

You should now be able to discover your Windows 7 and/or XP machines on the virtual lab. As you can see above, 3 hosts are found alive. 1 is my attacker machine and the remaining 2 are the victim machines. 

Ping sweep using Nmap

Nmap is a popular network scanning tool. It offers far more functionality than fping.

Type the following in the terminal: nmap -sP -PI

Make sure to replace my network address with yours. The "-sP" flag tells nmap to run a ping scan only (host discovery, no port scan) and "-PI" selects the ICMP Echo probe. Current Nmap releases document these as "-sn" and "-PE". One caveat worth knowing: when you run nmap as root against a subnet on your own Ethernet segment, it discovers hosts with ARP requests by default, so it can find hosts that silently drop ICMP.

The 3 hosts fping discovered are also discovered by nmap. However, nmap finds 2 extra "hosts" as well. Can you guess what they are? Tell us in the comments below. 
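Comparing the two sweeps by eye works for a /24 but not for anything larger, so here is an added example (not code from the original post) that parses the text fping -g and nmap -sn print, builds the set of live hosts from each, and reports which addresses only one tool found. The sample output below is constructed for the example, not captured from the post's lab: the addresses, MAC addresses and Nmap version string are assumptions. The nmap parser also keeps the MAC vendor nmap prints for hosts on the local segment, which is usually the quickest clue to what an unexpected "host" is.

```python
"""Parse fping -g and nmap -sn output into comparable sets of live hosts.

Added example: not the post's own code. Sample output below is constructed.
"""
import ipaddress
import re

# Constructed sample of `fping -g 192.168.56.0/24` output (stdout + stderr).
FPING_OUTPUT = """\
192.168.56.1 is alive
192.168.56.101 is alive
192.168.56.102 is alive
ICMP Host Unreachable from 192.168.56.101 for ICMP Echo sent to 192.168.56.5
192.168.56.5 is unreachable
"""

# Constructed sample of `nmap -sn -PE 192.168.56.0/24` normal output run as root.
NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.56.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:01 (VMware)
Nmap scan report for 192.168.56.101
Host is up (0.00031s latency).
MAC Address: 00:0C:29:3F:2A:B1 (VMware)
Nmap scan report for 192.168.56.102
Host is up.
Nmap scan report for 192.168.56.254
Host is up (0.00040s latency).
MAC Address: 00:50:56:E1:7B:2C (VMware)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.10 seconds
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FPING_ALIVE = re.compile(r"^" + IPV4 + r" is alive")
# Handles both "Nmap scan report for 1.2.3.4" and "... for name (1.2.3.4)".
NMAP_REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?" + IPV4 + r"\)?")
NMAP_MAC = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")


def parse_fping(text: str):
    """Set of addresses fping reported as alive (unreachable lines are ignored)."""
    alive = set()
    for line in text.splitlines():
        m = FPING_ALIVE.match(line)
        if m:
            alive.add(m.group(1))
    return alive


def parse_nmap_sn(text: str):
    """Map of address -> MAC vendor (or None) for hosts nmap reported as up."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = NMAP_REPORT.match(line)
        if m:
            current = m.group(1)          # report block for a new address
            continue
        if current and line.startswith("Host is up"):
            hosts[current] = None         # vendor filled in if a MAC line follows
        elif current in hosts:
            m = NMAP_MAC.match(line)
            if m:
                hosts[current] = m.group(2)
    return hosts


def compare_sweeps(fping_text: str, nmap_text: str):
    """Which addresses both tools found, and which only one of them found."""
    fping_hosts = parse_fping(fping_text)
    nmap_hosts = set(parse_nmap_sn(nmap_text))
    key = ipaddress.IPv4Address
    return {
        "both": sorted(fping_hosts & nmap_hosts, key=key),
        "nmap_only": sorted(nmap_hosts - fping_hosts, key=key),
        "fping_only": sorted(fping_hosts - nmap_hosts, key=key),
    }


if __name__ == "__main__":
    result = compare_sweeps(FPING_OUTPUT, NMAP_OUTPUT)
    vendors = parse_nmap_sn(NMAP_OUTPUT)
    for label, hosts in result.items():
        print(label, hosts)
    for ip in result["nmap_only"]:
        print("nmap-only host", ip, "MAC vendor:", vendors[ip])
```

To feed real output in, capture fping with `fping -g <net> > fping.txt 2>&1` and nmap with `nmap -sn -PE <net> > nmap.txt`, then pass the file contents to compare_sweeps. If you want a format that is less likely to change between Nmap versions, use nmap's grepable output (-oG) instead of the normal output parsed here.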

That’s it for now. Take your time to play around with fping and nmap and see what else you can do with it. We will continue with further network scanning on the next article. One step at a time.

I mentioned an advanced hacking course earlier. We at Bitcrack are offering a course that is 110% hands-on and technical. For example, building on what we demonstrated today, we go in-depth into the rest of the information the "ifconfig" command displays and into mastering fping and nmap.
For info on this, send us a tweet @bitcrack_cyber.  

-Jayesh Kerai (@secjay)
