Host discovery is the process of enumerating live hosts. The quality and completeness of this process have a direct impact on the success of further attacks against the target network.

Introduction

The standard approach to host discovery is based on the ICMP Echo message, which is often ignored or blocked by cautious administrators. A variety of active techniques were developed to solicit a response from networked machines, thus revealing their existence. In cases where stealth is necessary, this article will show you how to query third-party services to produce a list of live hosts without sending a single packet directly to the scanned systems.

Network Discovery

ICMP Ping

A classical way to discover hosts on the network is to send an ICMP Echo request (Type 8), which should prompt target hosts to respond with ICMP Echo reply messages. The communication looks something like this:

0.000000 192.168.1.100 -> 192.168.1.1 ICMP Echo (ping) request
0.002329 192.168.1.1 -> 192.168.1.100 ICMP Echo (ping) reply

It is common to use other ICMP message types, such as Timestamp request (Type 13) and Address Mask request (Type 18), to solicit responses from hosts that filter the standard ICMP Echo request:

0.000000 192.168.1.100 -> 192.168.1.1 ICMP Timestamp request
0.000539 192.168.1.1 -> 192.168.1.100 ICMP Timestamp reply

Unfortunately, this method is not very reliable, since many hosts and firewalls simply drop all ICMP packets.

TCP SYN Ping

One way to learn about live hosts is to send the first part of the three-way handshake (a SYN packet) to a range of hosts and record any replies. Since we can learn about a host's existence from either open or closed TCP ports, we can increase the reliability of the scan by targeting a frequently opened port 80 and a frequently closed port 0.

The example below illustrates a SYN Ping targeting 192.168.1.1 on port 53.

0.000000 192.168.1.100 -> 192.168.1.1 TCP 1243 > domain [SYN] Seq=0 Len=0
0.000461 192.168.1.1 -> 192.168.1.100 TCP domain > 1243 [RST, ACK] Seq=3538621942 Ack=1 Win=0 Len=0

Even with all closed ports, it is still possible to discover a live host.

TCP ACK Ping

ACK Ping works almost like the above SYN Ping, with the exception that it relies on an ACK packet instead. This method works by soliciting a RST response from a live host for either open or closed ports by sending it an ACK packet.

0.000000 192.168.1.100 -> 192.168.1.1 TCP 2903 > domain [ACK] Seq=0 Ack=0 Win=512 Len=0
0.000414 192.168.1.1 -> 192.168.1.100 TCP domain > 2903 [RST] Seq=0 Len=0

This method is effective for evading non-stateful firewalls.

TCP FIN, NULL, Xmas Ping

FIN, NULL and Xmas Pings work by generating a RST response for a closed port. Such pings must be sent to a known closed port, such as port 0, to produce a reply:

0.000000 192.168.1.100 -> 192.168.1.1 TCP 1624 > 0 [FIN] Seq=0 Len=0
0.000498 192.168.1.1 -> 192.168.1.100 TCP 0 > 1624 [RST, ACK] Seq=3959530871 Ack=1 Win=0 Len=0

UDP Ping

UDP Ping works by producing an ICMP port unreachable error when attempting to communicate with a closed UDP port. Once again we will be using port 0:

0.000000 192.168.1.100 -> 192.168.1.1 UDP Source port: 1285  Destination port: 0
0.000733 192.168.1.1 -> 192.168.1.100 ICMP Destination unreachable (Port unreachable)

This method is highly effective for evading firewalls that do not filter UDP packets.

ARP Ping

ARP Ping is a preferred host discovery method on a local Ethernet LAN, because it is faster and more reliable than approaches relying on protocols higher up in the networking stack. It works by sending ARP Probes to a range of IP addresses to discover live hosts.

221.788823 00:01:02:03:04:05 -> Broadcast ARP Who has 192.168.1.1?  Tell 192.168.1.100
221.789179 00:06:07:08:09:10 -> 00:01:02:03:04:05 ARP 192.168.1.1 is at 00:06:07:08:09:10

IP Protocol Ping

This method attempts to solicit a host reply by sending raw IP packets with varying protocol id options:

0.680436 192.168.1.102 -> 192.168.1.1  ICMP Echo (ping) request
0.681045 192.168.1.102 -> 192.168.1.1  IGMP V1 Membership Query
0.681305 192.168.1.102 -> 192.168.1.1  IP [Malformed Packet]
0.684463 192.168.1.1 -> 192.168.1.102  ICMP Echo (ping) reply
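
On the monitoring side, each probe type above leaves a distinct request line in a capture. The following Python code is an added example, not part of the original article: it classifies summary lines in the layout shown above and reports sources that probed several distinct hosts. The function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout of the capture lines on this page: time, src -> dst, protocol, info.
LINE = re.compile(r"^\s*\S+\s+(\S+) -> (\S+)\s+(ICMP|TCP|UDP|ARP|IGMP)\s+(.*)$")
TCP_PROBES = {frozenset({"SYN"}): "tcp-syn", frozenset({"FIN"}): "tcp-fin",
              frozenset({"<None>"}): "tcp-null",
              frozenset({"FIN", "PSH", "URG"}): "tcp-xmas"}

def classify(line):
    """Return (source, target, technique) for a probe, None for replies and other traffic."""
    if not (m := LINE.match(line)):
        return None
    src, dst, proto, info = m.groups()
    if proto == "ICMP":
        t = re.match(r"(Echo|Timestamp|Address mask)\b.*request", info, re.I)
        return (src, dst, "icmp-" + t.group(1).split()[0].lower()) if t else None
    if proto == "TCP":
        t = re.search(r"\[([^\]]*)\]", info)
        flags = frozenset(f.strip() for f in t.group(1).split(",")) if t else frozenset()
        # A bare ACK is a probe only when no handshake preceded it; with relative
        # sequence numbers, as in the capture above, that appears as Seq=0 Ack=0.
        if flags == {"ACK"} and "Seq=0 Ack=0" in info:
            return (src, dst, "tcp-ack")
        return (src, dst, TCP_PROBES[flags]) if flags in TCP_PROBES else None
    if proto == "UDP":
        return (src, dst, "udp-port0") if info.rstrip().endswith("Destination port: 0") else None
    if proto == "ARP":  # the probed address is in the info field, not the dst column
        t = re.match(r"Who has (\S+?)\?\s+Tell (\S+)", info)
        return (t.group(2), t.group(1), "arp") if t else None
    return (src, dst, "ip-proto")  # only IGMP remains

def sweepers(lines, min_targets=3):
    """Map each source that probed >= min_targets distinct hosts to the techniques seen."""
    targets, techniques = defaultdict(set), defaultdict(set)
    for src, dst, tech in filter(None, map(classify, lines)):
        targets[src].add(dst)
        techniques[src].add(tech)
    return {s: sorted(techniques[s]) for s in targets if len(targets[s]) >= min_targets}

# Constructed sample: one source mixing techniques over three hosts, a reply, one normal SYN.
SAMPLE = """\
0.000000 192.168.1.100 -> 192.168.1.1 ICMP Timestamp request
0.010000 192.168.1.100 -> 192.168.1.2 TCP 2903 > domain [ACK] Seq=0 Ack=0 Win=512 Len=0
0.010414 192.168.1.2 -> 192.168.1.100 TCP domain > 2903 [RST] Seq=0 Len=0
0.020000 192.168.1.100 -> 192.168.1.3 UDP Source port: 1285  Destination port: 0
0.030000 192.168.1.50 -> 192.168.1.1 TCP 40112 > http [SYN] Seq=0 Len=0
""".splitlines()
print(sweepers(SAMPLE))
```

A lone SYN is indistinguishable from a normal connection attempt, which is why reporting is keyed on the number of distinct hosts a source touches rather than on any single line.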

Stealth Methods

Reverse DNS

While not very accurate, performing reverse DNS queries on a range of IP addresses is a very stealthy way to discover live hosts. It works by resolving a range of IP addresses in the hope that successfully resolved IPs have live systems bound to them.

Search Engines

This stealth host discovery method takes advantage of advanced search queries implemented by modern search engines. One particularly useful search query is ip:, available on Bing.com, which produces a list of websites running on a provided IP address. For example, the query ip:157.166.224.25 will produce a list of CNN.com subdomains. By repeatedly querying a range of IP addresses, it is possible to discover live IPs with a running website.

Published on April 1st, 2009 by iphelix

All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.
