reddit hackernews mail facebook facebook linkedin

Ping sweep

In the second part of the first phase of a penetration test, active information gathering,it’s important to mapas accurate as possible the network of you target. To find live hosts there isa technique called ping sweep. Different tools exist to perform that task.


A single ping can give you the ip address of the target, the ttl and the time. However since the methodis based on ICMP requests, the target could be configured to block or trash them… With a simple bash script, you can loop throught a range of ip address to test them all:


for ip in $(seq 200 220); do
  ping -c 1 192.168.11.$ip | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f1 &

The -c option is configuredto only send 1 request. The grep is usedto display onlythe host who respond to the request (and supposed alive) and finally cut is used for a nice display. Notice the & at the end of the line, it’s very usefull pto paralellize tasks and make the script faster. Here is the result:

ping sweep ping


The bad point of this method is that you mustchoose a port to test. I usually use the HTTP port (80) but you’ll have toadapt this option for your target. Below a small bashscript:


for ip in $(seq 200 210); do
  nc -n -v -z -w 1 192.168.11.$ip 80 2>&1 |grep open

-n : no DNS resolution, ip address must be provided -v : verbose mode -z : don’t not prompt and wait anything -w : timeout in seconde 2>&1 : used to make the ouput grappable

The result:

ping sweep netcat


Nmap is so powerful that you don’t needto write a script, a simple command can do the trick:

ping sweep nmap

-sn : ping scan, disable port scan

The grep and cut command are only usedfor a nice display ;)

External resources