- Kali Linux Network Scanning Cookbook(Second Edition)
- Michael Hixon Justin Hutchens
- 1370字
- 2021-07-09 20:36:22
Layer 4 discovery - TCP and UDP
Unlike Nmap, hping3 makes it very easy to identify hosts that are discovered by UDP probes by isolating the task.
- By specifying the UDP mode with the --udp option, UDP probes can be transmitted in attempts to trigger replies from live hosts:
- In the demonstration provided, the process was stopped using Ctrl + C. When using hping3 in UDP mode, discovery will continue indefinitely unless a specific number of packets is defined in the initial command. To define the number of attempts to be sent, the -c option should be included with an integer value that indicates the desired number of attempts:
- Although hping3 does not support the scanning of multiple systems by default, using bash scripting we can filter our results to show only live addresses. In order to do this, we must first identify the distinctions between the output associated with a live address and the output associated with a nonresponsive address. To do this, we should use the same command on an IP address to which no host is assigned:
- By identifying the responses associated with each of these requests, we can determine a unique string that we can grep; this string will isolate the successful discovery attempts from the unsuccessful ones. In the previous requests, you may have noticed that the phrase ICMP Port Unreachable is only presented in the case that a response is returned. Based on this, we can extract the successful attempts by grepping for Unreachable.
- To determine the effectiveness of this approach in a script, we should attempt to concatenate the two previous commands and then pipe over the output to our grep function. Assuming that the string we have selected is truly unique to successful attempts, we should only see the output associated with the live host:
- Despite the desired outcome, the grep function, in this case, does not appear to be effectively applied to the output. As the output display handling in hping3 makes it difficult to pipe over to a grep function and only extract the desired lines, we can attempt to work around this by other means. Specifically, we will attempt to determine whether the output can be redirected to a file, and then we can grep directly from the file. To do this, we will attempt to pass the output for both the commands used earlier to the handle.txt file:
- While this attempt was not completely successful as the output was not totally redirected to the file, we can see by reading the file that enough is output to create an effective script. Specifically, we are able to redirect a unique line that is only associated with successful ping attempts and that contains the corresponding IP address in the line. To check whether this workaround is possible, we will attempt to loop through each of the addresses in the /24 range and then pass the results to the handle.txt file:
We can now view the results by viewing the contents of handle.txt:
- By doing this, there is still a large amount of output (the provided output is truncated for convenience) that consists of all the parts of output that were not redirected to the file. However, the success of the script is not contingent upon the excessive output of this initial loop, but rather on the ability to extract the necessary information from the output file. This can be seen in the following commands:
- After completing the scan loop, the output file can be identified in the current directory using the ls command, and then the unique string of Unreachable can be grepped directly from this file, as shown in the next command. Here, in the output, we can see that each of our live hosts discovered by UDP probing is listed. At this point, the only remaining task is to extract the IP addresses from this output and then recreate this entire process as a single functional script:
- By piping over the output to a series of cut functions, we can extract the IP addresses from the output. Now that we have successfully identified a way to scan multiple hosts and easily identify the results, we should integrate it into a script:
#!/bin/bash
if [ "$#" -ne 1 ]; then
echo "Usage - ./udp_sweep.sh [/24 network address]"
echo "Example - ./udp_sweep.sh 172.16.36.0"
echo "Example will perform a UDP ping sweep of the 172.16.36.0/24 network and output to an output.txt file"
exit
fi
prefix=$(echo $1 | cut -d '.' -f 1-3)
for addr in $(seq 1 254); do
hping3 $prefix.$addr --udp -c 1 >> handle.txt;
done
grep Unreachable handle.txt | cut -d " " -f 5 | cut -d "="
-f 2 >> output.txt
rm handle.txt
- In the bash script that is provided, the first line defines the location of the bash interpreter. The block of code that follows performs a test to determine whether the one argument that was expected was supplied. This is determined by evaluating whether the number of supplied arguments is not equal to 1. If the expected argument is not supplied, the usage of the script is output, and the script exits. The usage output indicates that the script is expecting the /24 network address as an argument.
- The next line of code extracts the network prefix from the supplied network address. For example, if the network address supplied was 192.168.11.0, the prefix variable would be assigned a value of 192.168.11. The hping3 operation is performed on each address within the /24 range, and the resulting output of each task is placed into the handle.txt file.
- Once this is complete, grep is used to extract the lines that are associated with live host responses from the handle.txt file and then extract the IP addresses from those lines.
- The resulting IP addresses are then passed into an output.txt file, and the temporary handle.txt file is removed from the directory:
We can now view the contents of our output.txt file:
- When the script is run, you will still see the same large amount of output that was seen when originally looping through the task. Fortunately, your list of discovered hosts will not be lost in this output, as it is conveniently written to your output file each time. You can also use hping3 to perform TCP discovery. TCP mode is actually the default discovery mode used by hping3, and this mode can be used by just passing the IP address to be scanned to hping3:
- In the same way that we created a bash script to cycle through a /24 network and perform UDP discovery using hping3, we can create a similar script for TCP discovery. First, a unique phrase that exists in the output associated with a live host but not in the output associated with a nonresponsive host must be identified. To do this, we must evaluate the response for each:
- In this case, the length value is only present in the output associated with a live host. Once again, we can develop a script that redirects the output to a temporary handle.txt file and then greps the output from this file to identify live hosts:
#!/bin/bash
if [ "$#" -ne 1 ]; then
echo "Usage - ./tcp_sweep.sh [/24 network address]"
echo "Example - ./tcp_sweep.sh 172.16.36.0"
echo "Example will perform a tcp ping sweep of the 172.16.36.0/24 network and output to an output.txt file"
exit
fi
prefix=$(echo $1 | cut -d '.' -f 1-3)
for addr in $(seq 1 254); do
hping3 $prefix.$addr -c 1 >> handle.txt;
done
grep len handle.txt | cut -d " " -f 2
| cut -d "=" -f 2 >> output.txt
rm handle.txt
- This script will perform in a way similar to the one developed for UDP discovery. The only differences are in the command performed in the loop sequence, grep value, and the process to extract the IP address. Once run, this script will produce an output.txt file that will contain a list of the IP addresses associated with the hosts discovered by TCP discovery:
- You can confirm that the output file was written to the execution directory using the ls command and read its contents using the cat command. This can be seen in the following example:
