So, you want to hack stuff. Well, we need to be able to find stuff to break into, so let's begin. Whether you are working a live pen test, setting up a local vulnerable machine, or just trying to figure out what's in your current network (not a good idea at your local Starbucks), there are many occasions when you may need to find other systems on your local network. While there are many commercial products that will do this efficiently and effectively, these products cost money, and some of you may not be in a position to acquire these tools. This article will be the first in a series to cover some tools that won't cost you a dime, and teach you how to use them. This is in no way meant to be an in-depth study in the art of host discovery. I will not be going into the depths of Armitage and how to use this tool (on the subtlety scale, this is like throwing a piano down a flight of stairs). While Armitage will do the job of host discovery admirably, it is noisy, and not always our best option. The three tools I will cover here are ones that every hacker/analyst/sys-admin should have in their tool bags. Let's dive right in.
Bash Ping Sweep
The first tool is perhaps one of the most useful tools I've ever encountered. I can't tell you how many times this tool has helped me do some host discovery without setting off any alarms (it even seemed to evade IDS/IPS on several engagements). This first tool is called a 'bash ping sweep,' and its name says it all. We are going to use a bash command from a Linux terminal to perform a basic ICMP ping against every IP in a set range. We're even going to play with the output results and put them into a file we can use later. The initial command is fairly simple.
As you can see, we've created a for loop that will perform a single ping request against every one of the 254 available IP addresses in this subnet. The command will then grep for the "bytes from" string within the results, returning only the lines for the IP addresses that responded.
This is really messy. Let's clean this up so we get only the IP addresses. We'll use the cut command in our Linux terminal with the delimiter flag (-d). This allows us to "chop up" or cut the string for each line into separate fields based on a delimiter of our choosing. In this case, we'll use the ' ' (space) as a delimiter, and as seen above, the IP address will be in the 4th field based on that delimiter (selected with -f 4).
Okay, now we're talking. We've still got that pesky colon (:) hanging out at the end of each line. Let's get rid of that. We'll get rid of that colon by using the sed (stream editor) command in Linux. The -e flag supplies the editing expression that replaces one string with another. In this case, we're just going to replace the colon with nothing. The s at the start of the expression tells sed that we're substituting one string for another. The string to be replaced goes between the first two forward slashes (/), and the string to replace it with goes between the second two forward slashes, as shown below.
That's clean. Very nice. We're not done yet though. It looks like we have a great list of IP addresses, but they're not in order. Let's fix that. The sort command will help us out here. The -t flag tells sort to use the dot/period (.) as the field marker or delimiter, the -n flag tells sort to sort numerically, and the -k flag lets us specify which field to sort on and how. In this case, the 4,4n tells the sort command we want to sort based on the fourth field (the last octet) and to sort it numerically. The 4, is actually superfluous here, as it indicates that it should sort this field fourth. Since we're only sorting on one field, you can just use 4n after the -k flag.
Sweet, now we have a list of the live IP addresses on our network to work with, but let's take one final step to put these into a file for later use. Using the right angle bracket (>) we are able to redirect the output of this command into the text file we name. Using the cat command will then output that file's contents to the screen.
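The whole pipeline from the steps above, assembled into one script as an added example (this is not the original post's command, which was shown as a screenshot). It assumes a /24 whose first three octets are passed as an argument (192.168.1 is a made-up default), Linux iputils ping semantics for -W (timeout in seconds), and an output file named live_hosts.txt. The ping output embedded in sample_ping_output is constructed, so the parsing half of the script can be exercised without touching a network.

```shell
#!/usr/bin/env bash
# Added example: bash ping sweep, parsing pipeline, and file output.
# Assumptions: Linux iputils ping (-W timeout in seconds), /24 network.

# Ping every usable host in the /24 once. -n suppresses reverse-DNS lookups so the
# output always reads "64 bytes from A.B.C.D: ..." (a resolved name would shift the
# field positions that cut relies on). -W 1 keeps each dead host to a 1-second wait.
ping_sweep() {
  prefix="$1"              # e.g. 192.168.1 (assumed value, not from the page)
  i=1
  while [ "$i" -le 254 ]; do
    ping -n -c 1 -W 1 "$prefix.$i" 2>/dev/null
    i=$((i + 1))
  done
}

# Turn raw ping output (on stdin) into a sorted list of responding addresses:
#   grep  -> keep only reply lines
#   cut   -> 4th space-separated field, e.g. "192.168.1.10:"
#   sed   -> strip the trailing colon
#   sort  -> numeric sort on the 4th dot-separated field (the last octet)
extract_live_hosts() {
  grep "bytes from" | cut -d ' ' -f 4 | sed -e 's/://' | sort -t . -k 4,4n
}

# Constructed sample of what the sweep prints: three replies (out of order) plus the
# noise lines a sweep produces for hosts that do not answer.
sample_ping_output() {
  cat <<'EOF'
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.412 ms
--- 192.168.1.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.198 ms
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=1.020 ms
EOF
}

# Offline demonstration: run the parsing pipeline over the constructed sample.
demo() {
  sample_ping_output | extract_live_hosts
}

# With a prefix argument, run the real sweep, save the result, and show the file;
# with no argument, just show what the pipeline does to the sample output.
if [ "$#" -gt 0 ]; then
  ping_sweep "$1" | extract_live_hosts > live_hosts.txt
  cat live_hosts.txt
else
  demo
fi
```

Run it as `./sweep.sh 192.168.1` to sweep a real /24 and write live_hosts.txt, or with no argument to see the sample parsed to 192.168.1.1, 192.168.1.10, 192.168.1.254. One caveat on the sort key: -k 4,4n limits the key to the fourth field only, whereas a bare -k 4n makes the key run from the fourth field to the end of the line; for a /24 the two give the same result because nothing follows the last octet, but if you ever combine sweeps of several subnets into one list, sort on all four octets (-k 1,1n -k 2,2n -k 3,3n -k 4,4n) instead.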
There, now we have a list of IP addresses in a file that we can use in notes, upload to store somewhere, or at least come back to reference as we begin to enumerate each target. Now let's look at some others.
To be continued...
I may be getting ahead of myself here, but is there any particular reason you wouldn't want to script this? I imagine user input could supply the IP range.