Computer Networks/Ping/Sweep
A ping sweep is a network reconnaissance technique that uses some type of ping (ICMP echo request/reply) to locate hosts on a network. These activities will show you how to use the ping command to perform a ping sweep.
Preparation
To prepare for this activity:
- Start Windows.
- Log in if necessary.
Activity 1 - Identify the Host Network
To identify the host network:
- Open a command prompt.
- Use ipconfig to display the host IP address. Note the IPv4 Address displayed.
- Identify the host network. For this activity, the host network will be assumed to be a 24-bit network based on the first three octets of the host IP address. For example, if the IPv4 Address is 192.168.1.101, this activity will assume that the host network is 192.168.1.0, and has potential host addresses from 192.168.1.1 through 192.168.1.254.
Activity 2 - Perform a Ping Sweep
To perform a ping sweep:
- From a Microsoft OS command line, type for /l %i in (1,1,254) do @ping -n 1 -w 100 <first three octets of host network>.%i. For example, if the host network is 192.168.1.0, the command would be for /l %i in (1,1,254) do @ping -n 1 -w 100 192.168.1.%i. This command instructs the computer to loop (for /l), counting from 1 by 1 to 254 (1,1,254), and to execute (do) a ping command with a count (-n) of 1 and a wait (-w) time of 100 milliseconds against the given network address with a changing host (%i) address. In a bash command shell, on most Linux systems, a similar example would be for i in {1..25}; do ping -c 1 -W 1 10.1.1.$i ; done, where the counter ($i) runs from 1 to 25.
- Press Enter.
- Observe the results as the command sweeps the network searching for hosts.
Windows example to find live hosts: for /l %i in (1,1,254) do @ping -n 1 -w 100 192.168.0.%i | findstr "Reply"
Activity 3 - List Responding Hosts
Most systems now have a firewall in place that prevents them from responding to the ping sweep. However, they will still acknowledge the underlying Address Resolution Protocol (ARP) request that first converts their IP address into a Media Access Control (MAC) address. To list hosts that responded to the ARP request:
- Use arp -a to view the ARP cache.
- Observe the list of hosts on the network.
- Close the command prompt to complete this activity.
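The comparison described in Activities 2 and 3, as an added example that is not part of the original page: it reads saved ping sweep output and arp -a output and lists the hosts that appear in the ARP cache but never answered ping. Both text samples are constructed, and the function names are hypothetical. It skips "Destination host unreachable" lines, which findstr "Reply" also matches, and the broadcast and multicast entries that arp -a lists alongside real hosts.

```python
import ipaddress
import re

# Constructed sample: sweep output filtered with findstr "Reply" (not a real capture).
PING_OUTPUT = """\
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.101: Destination host unreachable.
Reply from 192.168.1.20: bytes=32 time<1ms TTL=128
"""

# Constructed sample of Windows arp -a output taken right after the sweep.
ARP_OUTPUT = """\
Interface: 192.168.1.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-66     dynamic
  192.168.1.37          00-11-22-33-44-77     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

ECHO_REPLY = re.compile(r"^Reply from (\d+\.\d+\.\d+\.\d+): bytes=\d+ .*TTL=\d+", re.M)
ARP_ENTRY = re.compile(r"^[ \t]*(\d+\.\d+\.\d+\.\d+)[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})", re.M | re.I)

def icmp_responders(ping_text):
    """Hosts that sent a real echo reply; 'Destination host unreachable' lines are skipped."""
    return {ipaddress.ip_address(ip) for ip in ECHO_REPLY.findall(ping_text)}

def arp_hosts(arp_text, network):
    """ARP entries inside the host network, minus its broadcast address, as {ip: mac}."""
    net = ipaddress.ip_network(network)
    hosts = {}
    for ip, mac in ARP_ENTRY.findall(arp_text):
        addr = ipaddress.ip_address(ip)
        if addr in net and addr != net.broadcast_address:
            hosts[addr] = mac.lower()
    return hosts

def compare(ping_text, arp_text, network):
    """Return (hosts that answered ping, hosts seen only in the ARP cache), both sorted."""
    replied = icmp_responders(ping_text)
    seen = arp_hosts(arp_text, network)
    return sorted(replied), sorted(a for a in seen if a not in replied)

if __name__ == "__main__":
    replied, silent = compare(PING_OUTPUT, ARP_OUTPUT, "192.168.1.0/24")
    print("Answered ping:", [str(a) for a in replied])
    print("ARP only (did not answer ping):", [str(a) for a in silent])
```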