    Host Discovery

    Host discovery is a process of enumeration of live hosts. The quality and completeness of this process has a direct impact on the success of further attacks against the target network.


    The standard approach to host discovery is based on an ICMP Echo message which is often ignored or blocked by cautious administrators. A variety of active techniques were developed to solicit a response from networked machines thus revealing their existence. In cases where stealth is necessary, this article will show you how to query third party services to produce a list of live hosts without sending a single packet directly to scanned systems.

    Network Discovery

    ICMP Ping

    A classical way to discover hosts on the network is to send an ICMP Echo request (Type 8), which should prompt target hosts to respond with ICMP Echo reply messages. The exchange looks something like this:

    0.0.000000 -> ICMP Echo (ping) request
    0.0.002329 -> ICMP Echo (ping) reply

    It is common to use ICMP messages of other types, such as Timestamp request (Type 13) and Address Mask request (Type 18), to produce responses from hosts which filter the standard ICMP Echo request:

    0.000000 -> ICMP Timestamp request
    0.000539 -> ICMP Timestamp reply

    Unfortunately this method is not very reliable, since many hosts and firewalls simply drop all ICMP packets.

    TCP SYN Ping

    One way to learn about live hosts is to send the first part of the three-way handshake (a SYN packet) to a range of hosts and record any replies. Since we can learn of a host's existence from either an open or a closed TCP port, we can increase the reliability of the scan by targeting a frequently open port (80) and a frequently closed port (0).

    The example below illustrates a SYN Ping targeting port 53.

    0.000000 -> TCP 1243 > domain [SYN] Seq=0 Len=0
    0.000461 -> TCP domain > 1243 [RST, ACK] Seq=3538621942 Ack=1 Win=0 Len=0

    Even with all ports closed, it is still possible to discover a live host.

    TCP ACK Ping

    ACK Ping works almost like the SYN Ping above, except that it relies on an ACK packet instead. Sending an ACK to a live host solicits a RST response regardless of whether the port is open or closed.

    0.000000 -> TCP 2903 > domain [ACK] Seq=0 Ack=0 Win=512 Len=0
    0.000414 -> TCP domain > 2903 [RST] Seq=0 Len=0

    This method is effective for evading non-stateful firewalls.

    TCP FIN, NULL, Xmas Ping

    FIN, NULL and Xmas Pings work by generating a RST response from a closed port. Such pings must be sent to a known closed port, such as port 0, to produce a reply:

    0.000000 -> TCP 1624 > 0 [FIN] Seq=0 Len=0
    0.000498 -> TCP 0 > 1624 [RST, ACK] Seq=3959530871 Ack=1 Win=0 Len=0

    UDP Ping

    UDP Ping works by provoking an ICMP Port Unreachable error when attempting to communicate with a closed UDP port. Once again we will be using port 0:

    0.000000 -> UDP Source port: 1285  Destination port: 0
    0.000733 -> ICMP Destination unreachable (Port unreachable)

    This method is highly effective for evading firewalls that do not filter UDP packets.

    ARP Ping

    ARP Ping is a preferred host discovery method on a local Ethernet LAN, because it is faster and more reliable than approaches relying on protocols higher up in the networking stack. It works by sending ARP Probes to a range of IP addresses to discover live hosts.

    221.788823 00:01:02:03:04:05 -> Broadcast ARP Who has  Tell
    221.789179 00:06:07:08:09:10 -> 00:01:02:03:04:05 ARP is at 00:06:07:08:09:10

    IP Protocol Ping

    This method attempts to solicit a host reply by sending raw IP packets with varying IP protocol numbers:

    0.680436 ->  ICMP Echo (ping) request
    0.681045 ->  IGMP V1 Membership Query
    0.681305 ->  IP [Malformed Packet]
    0.684463 ->  ICMP Echo (ping) reply
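    All of the active techniques above share one property a defender can key on: a probe followed by any reply from the probed address reveals a live host. As an added example (not code from the article), this Python snippet parses tshark-style summary lines like the ones quoted above, names the technique each probe implements, infers which hosts answered, and flags sources that probed several addresses; the capture lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed tshark-style summary lines (time, src -> dst, proto, info); sample data, not a real capture.
CAPTURE = """\
0.000000 10.0.0.5 -> 10.0.0.1 TCP 1243 > 0 [SYN] Seq=0 Len=0
0.000461 10.0.0.1 -> 10.0.0.5 TCP 0 > 1243 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
0.001000 10.0.0.5 -> 10.0.0.2 TCP 1624 > 0 [FIN] Seq=0 Len=0
0.001498 10.0.0.2 -> 10.0.0.5 TCP 0 > 1624 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
0.002000 10.0.0.5 -> 10.0.0.3 UDP Source port: 1285  Destination port: 0
0.002733 10.0.0.3 -> 10.0.0.5 ICMP Destination unreachable (Port unreachable)
0.003000 10.0.0.5 -> 10.0.0.4 TCP 2903 > 53 [ACK] Seq=0 Ack=0 Win=512 Len=0
0.004000 10.0.0.5 -> 10.0.0.9 ICMP Timestamp request
"""

LINE = re.compile(r"^(\S+)\s+(\S+) -> (\S+)\s+(ICMP|TCP|UDP)\s+(.*)$")
TCP_PROBES = {"SYN": "tcp-syn", "ACK": "tcp-ack", "FIN": "tcp-fin",
              "<None>": "tcp-null", "FIN,PSH,URG": "tcp-xmas"}

def parse(capture):
    """Turn summary lines into dicts with time, src, dst, proto and info."""
    return [dict(zip(("time", "src", "dst", "proto", "info"), m.groups()))
            for m in map(LINE.match, capture.splitlines()) if m]

def classify_probe(pkt):
    """Name the discovery technique a packet implements, or None if it is a reply."""
    info = pkt["info"]
    if pkt["proto"] == "ICMP":  # Echo/Timestamp/Address mask requests only
        return "icmp-" + info.split()[0].lower() if "request" in info else None
    if pkt["proto"] == "UDP":
        return "udp"
    flags = re.search(r"\[(.*?)\]", info)
    flagset = flags.group(1).replace(" ", "") if flags else ""
    return TCP_PROBES.get(flagset)  # RST or SYN,ACK are replies, not probes

def analyze(capture, min_hosts=3):
    """Return hosts revealed by a direct reply and sources probing >= min_hosts."""
    pkts = parse(capture)
    live, by_src = set(), defaultdict(lambda: {"hosts": set(), "techniques": set()})
    for i, p in enumerate(pkts):
        if (kind := classify_probe(p)) is None:
            continue
        by_src[p["src"]]["hosts"].add(p["dst"])
        by_src[p["src"]]["techniques"].add(kind)
        # Any answer from the probed address reveals a live host; an ICMP error from a router does not.
        if any(r["src"] == p["dst"] and r["dst"] == p["src"] for r in pkts[i + 1:]):
            live.add(p["dst"])
    sweeps = {s: {"hosts": len(v["hosts"]), "techniques": sorted(v["techniques"])}
              for s, v in by_src.items() if len(v["hosts"]) >= min_hosts}
    return {"live": live, "sweeps": sweeps}
```

Unanswered probes (10.0.0.4 and 10.0.0.9 above) are not counted as live, which mirrors why the article chains several techniques rather than trusting any single one.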

    Stealth Methods

    Reverse DNS

    While not very accurate, performing reverse DNS queries on a range of IP addresses is a very stealthy way to discover live hosts. It works by resolving a range of IP addresses in the hope that successfully resolved IPs have live systems bound to them.

    Search Engines

    This stealth host discovery method takes advantage of advanced search queries implemented by modern search engines. One particularly useful search query is ip: available on which produces a list of websites running on a provided IP address. For example, the ip: query will produce a list of subdomains. By repeatedly querying a range of IP addresses, it is possible to discover live IPs with a running website.


    Published on April 1st, 2009 by iphelix


    All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.