Using fping to perform layer 3 discovery
A tool that is very similar to the well-known ping utility is fping. However, it is also built with a number of additional features that are not present in ping. These additional features allow fping to be used as a functional scan tool, without additional modification. This recipe will demonstrate how to use fping to perform layer 3 discovery on remote hosts.
Getting ready
Using fping to perform layer 3 discovery does not require a lab environment, as many systems on the Internet will reply to ICMP echo requests. However, it is highly recommended that you perform any type of network scanning exclusively in your own lab unless you are thoroughly familiar with the legal regulations imposed by any governing authorities to whom you are subject. If you wish to perform this technique within your lab, you will need to have at least one system that will respond to ICMP requests. In the examples provided, a combination of Linux and Windows systems are used. For more information on setting up systems in a local lab environment, please refer to the the Installing Metasploitable2 and Installing Windows Server recipes in Chapter 1, Getting Started.
How to do it...
fping is very similar to the ping utility with a few extras added on. It can be used in the same way that ping can be used to send an ICMP echo request to a single target to determine if it is alive. This is done by simply passing the IP address as an argument to the fping utility:
root@KaliLinux:~# fping 172.16.36.135 172.16.36.135 is alive
Unlike the standard ping utility, fping will stop sending ICMP echo requests after it receives a single reply. Upon receiving a reply, it will indicate that the host corresponding to this address is alive. Alternatively, if a response is not received from the address, fping will, by default, make four attempts to contact the system prior to determining that the host is unreachable:
root@KaliLinux:~# fping 172.16.36.136 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.136 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.136 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.136 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.136 172.16.36.136 is unreachable
This default number of connection attempts can be modified using the -c count option and supplying an integer value to it that defines the number of attempts to be made:
root@KaliLinux:~# fping 172.16.36.135 -c 1 172.16.36.135 : [0], 84 bytes, 0.67 ms (0.67 avg, 0% loss) 172.16.36.135 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.67/0.67/0.67 root@KaliLinux:~# fping 172.16.36.136 -c 1 172.16.36.136 : xmt/rcv/%loss = 1/0/100%
When executed in this fashion, the output is slightly more cryptic but can be understood with careful analysis. The output for any host includes the IP address, the amount of attempts made (xmt), the number of replies received (rcv), and the percentage of loss (%loss). In the example provided, the first address was discovered to be online. This is evidenced by the fact that the number of bytes received and the latency of reply are both returned. You can also easily determine whether there is a live host associated with the provided IP address by examining the percentage loss. If the percentage loss is 100, no replies have been received.
Unlike ping—which is most commonly used as a troubleshooting utility—fping was built with the integrated capability to scan multiple hosts. A sequential series of hosts can be scanned with fping, using the -g option to dynamically generate a list of IP addresses. To specify a range to scan, pass this argument to both the first and last IP address in the desired sequential range:
root@KaliLinux:~# fping -g 172.16.36.1 172.16.36.4 172.16.36.1 is alive 172.16.36.2 is alive ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.3 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.3 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.3 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.3 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.4 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.4 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.4 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.4 172.16.36.3 is unreachable 172.16.36.4 is unreachable
The generate list option can also be used to generate a list based on the CIDR range notation. In the same way, fping will cycle through this dynamically generated list and scan each address:
root@KaliLinux:~# fping -g 172.16.36.0/24 172.16.36.1 is alive 172.16.36.2 is alive ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.3 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.4 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.5 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.6 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.7 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.8 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.9 *** {TRUNCATED} ***
Finally, fping can also be used to scan a series of addresses as specified by the contents of an input text file. To use an input file, use the -f file option and then supply the filename or path of the input file:
root@KaliLinux:~# fping -f iplist.txt 172.16.36.2 is alive 172.16.36.1 is alive 172.16.36.132 is alive 172.16.36.135 is alive 172.16.36.180 is alive ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.203 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.203 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.203 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.203 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.205 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.205 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.205 ICMP Host Unreachable from 172.16.36.180 for ICMP Echo sent to 172.16.36.205 172.16.36.203 is unreachable 172.16.36.205 is unreachable 172.16.36.254 is unreachable
How it works…
The fping tool performs ICMP discovery in the same manner as other tools that we discussed earlier. For each IP address, fping transmits one or more ICMP echo requests, and the received responses are then evaluated to identify live hosts. fping can also be used to scan a range of systems or an input list of IP addresses by supplying the appropriate arguments. As such, we do not have to manipulate the tool with bash scripting in the same way that was done with ping to make it an effective scanning tool.