Host Discovery

Peter Kacherginsky
4 min read · Apr 1, 2009

Host discovery is the process of enumerating live hosts. The quality and completeness of this process have a direct impact on the success of further attacks against the target network.

Introduction

The standard approach to host discovery is based on an ICMP Echo message, which is often ignored or blocked by cautious administrators. A variety of active techniques have been developed to solicit a response from networked machines, thus revealing their existence. In cases where stealth is necessary, this article will show you how to query third-party services to produce a list of live hosts without sending a single packet directly to the scanned systems.

Network Discovery

ICMP Ping

A classical way to discover hosts on the network is to send an ICMP Echo request (Type 8), which should prompt target hosts to respond with ICMP Echo reply messages. The communication looks something like this:

0.0.000000 192.168.1.100 -> 192.168.1.1 ICMP Echo (ping) request
0.0.002329 192.168.1.1 -> 192.168.1.100 ICMP Echo (ping) reply

It is common to use ICMP messages of other types, such as Timestamp request (Type 13) and Address Mask request (Type 18), to produce responses from hosts that filter the standard ICMP Echo request:

0.000000 192.168.1.100 -> 192.168.1.1 ICMP Timestamp request
0.000539 192.168.1.1 -> 192.168.1.100 ICMP Timestamp reply

Unfortunately this method is not very reliable, since many hosts and firewalls simply drop all ICMP packets.

TCP SYN Ping

One way to learn about live hosts is to send the first part of the three-way handshake (a SYN packet) to a range of hosts and record any replies. Since we can learn about a host's existence from either an open or a closed TCP port, we can increase the reliability of the scan by targeting the frequently open port 80 and the frequently closed port 0.

The example below illustrates a SYN Ping targeting 192.168.1.1 on port 53.

0.000000 192.168.1.100 -> 192.168.1.1 TCP 1243 > domain [SYN] Seq=0 Len=0
0.000461 192.168.1.1 -> 192.168.1.100 TCP domain > 1243 [RST, ACK] Seq=3538621942 Ack=1 Win=0 Len=0

Even if all of its ports are closed, it is still possible to discover a live host.

TCP ACK Ping

ACK Ping works almost like the SYN Ping above, except that it relies on an ACK packet instead. It sends an ACK packet to solicit a RST response from a live host, for either an open or a closed port.

0.000000 192.168.1.100 -> 192.168.1.1 TCP 2903 > domain [ACK] Seq=0 Ack=0 Win=512 Len=0 
0.000414 192.168.1.1 -> 192.168.1.100 TCP domain > 2903 [RST] Seq=0 Len=0

This method is effective for evading non-stateful firewalls.

TCP FIN, NULL, Xmas Ping

FIN, NULL and Xmas Pings work by generating a RST response from a closed port. Such pings must be sent to a known closed port, such as port 0, to produce a reply:

0.000000 192.168.1.100 -> 192.168.1.1 TCP 1624 > 0 [FIN] Seq=0 Len=0
0.000498 192.168.1.1 -> 192.168.1.100 TCP 0 > 1624 [RST, ACK] Seq=3959530871 Ack=1 Win=0 Len=0

UDP Ping

UDP Ping works by provoking an ICMP Port Unreachable error when attempting to communicate with a closed UDP port. Once again we will be using port 0:

0.000000 192.168.1.100 -> 192.168.1.1 UDP Source port: 1285 Destination port: 0
0.000733 192.168.1.1 -> 192.168.1.100 ICMP Destination unreachable (Port unreachable)

This method is highly effective for evading firewalls that do not filter UDP packets.

ARP Ping

ARP Ping is a preferred host discovery method on a local Ethernet LAN, because it is faster and more reliable than approaches relying on protocols higher up in the networking stack. It works by sending ARP Probes to a range of IP addresses to discover live hosts.

221.788823 00:01:02:03:04:05 -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.100
221.789179 00:06:07:08:09:10 -> 00:01:02:03:04:05 ARP 192.168.1.1 is at 00:06:07:08:09:10

IP Protocol Ping

This method attempts to solicit a host reply by sending raw IP packets with varying protocol numbers in the IP header:

0.680436 192.168.1.102 -> 192.168.1.1 ICMP Echo (ping) request
0.681045 192.168.1.102 -> 192.168.1.1 IGMP V1 Membership Query
0.681305 192.168.1.102 -> 192.168.1.1 IP [Malformed Packet]
0.684463 192.168.1.1 -> 192.168.1.102 ICMP Echo (ping) reply
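To show the defender's side of the probes above, here is an added example (not from the article) that classifies tshark-style capture lines in the layout quoted throughout this section and reports any source that probes several hosts using the ICMP, TCP, UDP or ARP techniques described. The sample capture and the threshold of three distinct targets are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the same tshark-style layout as the captures quoted in
# this article; the traffic is made up for the example.
SAMPLE_CAPTURE = """\
0.000000 192.168.1.100 -> 192.168.1.1 ICMP Echo (ping) request
0.000539 192.168.1.100 -> 192.168.1.2 ICMP Timestamp request
0.001002 192.168.1.100 -> 192.168.1.3 TCP 1243 > domain [SYN] Seq=0 Len=0
0.001414 192.168.1.100 -> 192.168.1.4 TCP 2903 > domain [ACK] Seq=0 Ack=0 Win=512 Len=0
0.001498 192.168.1.100 -> 192.168.1.5 TCP 1624 > 0 [FIN] Seq=0 Len=0
0.001733 192.168.1.100 -> 192.168.1.6 UDP Source port: 1285 Destination port: 0
0.002329 192.168.1.1 -> 192.168.1.100 ICMP Echo (ping) reply
0.003000 192.168.1.7 -> 192.168.1.1 TCP 51000 > http [SYN] Seq=0 Len=0
"""

LINE_RE = re.compile(r"^\S+\s+(\S+) -> (\S+) (ICMP|TCP|UDP|ARP) (.*)$")
TCP_RE = re.compile(r"^\S+ > (\S+) \[([^\]]*)\]")
# Flag sets that only make sense as discovery probes; replies (RST, SYN/ACK) are ignored.
TCP_PROBES = {frozenset(["SYN"]): "tcp-syn", frozenset(["ACK"]): "tcp-ack",
              frozenset(["FIN"]): "tcp-fin", frozenset(): "tcp-null",
              frozenset(["FIN", "PSH", "URG"]): "tcp-xmas"}

def classify(line):
    """Return (src, dst, probe) for a discovery probe, or None for replies and normal traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, proto, info = m.groups()
    probe = None
    if proto == "ICMP" and info.endswith("request"):
        probe = "icmp-" + info.split()[0].lower()      # echo, timestamp, address (mask)
    elif proto == "TCP":
        t = TCP_RE.match(info)
        if t:
            dport = t.group(1)
            flags = frozenset(f for f in t.group(2).split(", ") if f and f != "<None>")
            probe = TCP_PROBES.get(flags)
            if probe and dport == "0":                # no legitimate service lives on port 0
                probe += "-port0"
    elif proto == "UDP" and info.endswith("Destination port: 0"):
        probe = "udp-port0"
    elif proto == "ARP" and info.startswith("Who has"):
        probe = "arp-probe"
    return (src, dst, probe) if probe else None

def find_sweeps(capture, min_targets=3):
    """Map each source that probed at least min_targets distinct hosts to its probe types."""
    targets, kinds = defaultdict(set), defaultdict(set)
    for line in capture.splitlines():
        hit = classify(line)
        if hit:
            src, dst, probe = hit
            targets[src].add(dst)
            kinds[src].add(probe)
    return {s: {"targets": len(t), "probes": sorted(kinds[s])}
            for s, t in targets.items() if len(t) >= min_targets}
```

A single SYN to a web port is ordinary traffic, which is why the threshold counts distinct targets rather than individual probes; probes to port 0 are tagged separately because no legitimate service listens there.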

Stealth Methods

Reverse DNS

While not very accurate, performing reverse DNS queries on a range of IP addresses is a very stealthy way to discover live hosts. It works by resolving a range of IP addresses in the hope that successfully resolved IPs have live systems bound to them.

Search Engines

This stealth host discovery method takes advantage of the advanced search queries implemented by modern search engines. One particularly useful search operator is ip:, available on Bing.com, which produces a list of websites running on a given IP address. For example, the query ip:157.166.224.25 will produce a list of CNN.com subdomains. By repeatedly querying a range of IP addresses, it is possible to discover live IPs with a running website.
