Host Discovery Techniques via Scanning - Part 2

To discover the active/live hosts in the network, host discovery techniques can be used. As an ethical hacker, you must be aware of the various types.

This article is divided into two parts. Continue Reading Part 1


Ping scans with ICMP ECHO entail sending ICMP ECHO requests to a host. If the host is up and running, it responds with an ICMP ECHO reply. This scan is useful for detecting active devices and for determining whether ICMP packets are being routed through a firewall.

ICMP echo scanning of broadcast addresses works against Linux-based hosts, whose TCP/IP stack implementations reply to ICMP echo requests sent to broadcast addresses, whereas Windows-based hosts do not answer such requests, so this technique does not work on Windows-based networks.

In nmap, the -PE option is used to perform the ICMP ECHO ping scan. 

ICMP ECHO Ping Sweep

A ping sweep sends ICMP ECHO requests to numerous hosts to determine which hosts in a range of IP addresses are live. If a host is alive, it responds with an ICMP ECHO reply. Attackers use a ping sweep to construct a list of active systems in the subnet.

Pinging delivers a single packet across the network to a specific IP address; the sender then waits for a return packet. Pings also report the time it takes for a packet to complete its journey, known as the "round-trip time."


Ping sweep tools determine live hosts on the target network by issuing ICMP ECHO requests to many hosts on the network at the same time.

Ping Sweep Countermeasures
  • Configure firewalls to detect and block ping sweep attempts immediately.
  • Use intrusion detection and prevention systems such as Snort to identify and stop ping sweep attempts.
  • Closely examine the kind of ICMP traffic that passes through company networks.
  • Terminate the connection of any host that sends out more than 10 ICMP ECHO requests.
  • Use DMZs and restrict ICMP message types such as TIME EXCEEDED, HOST UNREACHABLE, and ICMP ECHO_REPLY.
  • Use Access Control Lists (ACLs) to restrict ICMP traffic and permit it only from specific IP addresses, such as those of your ISP.

ICMP Timestamp Ping Scan

ICMP timestamp ping is an optional, additional type of ICMP ping in which an attacker sends a timestamp request to obtain the target host's current time information. For every timestamp request received, the target machine replies with a timestamp reply. The response is conditional, however: depending on how the administrator configured the target, it might or might not respond with the time value.

In nmap, the -PP option is used to perform an ICMP timestamp ping scan. 

ICMP Address Mask Ping Scan

An additional alternative to the conventional ICMP ECHO ping is the ICMP address mask ping, in which the attacker sends an ICMP address mask request to the target host to obtain its subnet mask. Depending on how the target is configured, it might or might not respond with the correct subnet mask value.

In nmap, the -PM option is used to perform an ICMP address mask ping scan. 
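The ping sweep countermeasures above hinge on spotting many ECHO requests from one source, and the timestamp and address mask scans leave distinctive ICMP types (13 and 17) in firewall logs. As an added example that is not part of the original article, the following Python script applies the article's "more than 10 ICMP ECHO requests" rule and flags timestamp and address-mask requests over constructed iptables-style log lines (the log format and all addresses are assumed for illustration).

```python
import re
from collections import defaultdict

# ICMP request types covered in this article (RFC 792 echo/timestamp, RFC 950 address mask).
ICMP_REQUEST_TYPES = {8: "ECHO request", 13: "TIMESTAMP request", 17: "ADDRESS MASK request"}
SWEEP_THRESHOLD = 10  # the article's rule: more than 10 ICMP ECHO requests from one host

# Extracts the fields we need from a netfilter/iptables LOG line (format assumed).
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=ICMP TYPE=(?P<type>\d+)")


def analyze_icmp_log(lines):
    """Return (sweeps, probes).

    sweeps: {src: {"requests": n, "targets": k}} for sources that sent more than
            SWEEP_THRESHOLD ECHO requests (a ping-sweep indicator).
    probes: [(src, dst, type_name)] for every timestamp or address-mask request seen.
    """
    echo_count = defaultdict(int)
    echo_targets = defaultdict(set)
    probes = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ICMP log line in the expected format
        src, dst, icmp_type = m["src"], m["dst"], int(m["type"])
        if icmp_type == 8:
            echo_count[src] += 1
            echo_targets[src].add(dst)
        elif icmp_type in ICMP_REQUEST_TYPES:
            probes.append((src, dst, ICMP_REQUEST_TYPES[icmp_type]))
    sweeps = {src: {"requests": n, "targets": len(echo_targets[src])}
              for src, n in echo_count.items() if n > SWEEP_THRESHOLD}
    return sweeps, probes


def _line(src, dst, icmp_type):
    # Builds one constructed log line in iptables LOG format using documentation-range addresses.
    return f"Jan 10 09:00:01 fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO=ICMP TYPE={icmp_type} CODE=0"


# Constructed sample: one host sweeping 12 addresses, one host pinging a single address twice,
# and one host sending a timestamp request followed by an address-mask request.
SAMPLE_LOG = ([_line("203.0.113.5", f"192.0.2.{i}", 8) for i in range(1, 13)]
              + [_line("198.51.100.7", "192.0.2.1", 8)] * 2
              + [_line("203.0.113.9", "192.0.2.1", 13), _line("203.0.113.9", "192.0.2.1", 17)])

if __name__ == "__main__":
    sweeps, probes = analyze_icmp_log(SAMPLE_LOG)
    for src, info in sweeps.items():
        print(f"possible ping sweep from {src}: {info['requests']} ECHO requests to {info['targets']} hosts")
    for src, dst, name in probes:
        print(f"{name} from {src} to {dst}")
```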
