What is ping sweep and how to do a ping sweep

Sarath Pillai's picture
Ping Sweep

I must begin this by saying that the most widely used command by either a network administrator or a Linux system administrator is the PING command.

Ping stands for Packet Internet Groper.It is commonly used to find whether a machine is alive on the network. I will be doing a dedicated post on the working of PING. A normal PING request sends out an ICMP echo request to the target host, which intern replies with an ICMP echo reply.

An important fact to note here is that, a machine can also be configured to not to respond to a ping request for security reasons, in such cases you need to apply some different techniques to find out whether a target host is alive or not.

In this post we will be discussing ping sweep.

What is PING SWEEP?

Ping sweep is just a technique that can be used to find out which hosts are alive in a network or large number of IP addresses.

In fact i must say that, you can use ping sweep to ping large number of hosts in one go. Which means that, if you have a network of 192.168.0.0/24 then you can easily find out which hosts are there, that are responding to the ping requests by ping sweeping that network.

Different tools can be used to do ping sweeping.

How to use NMAP to do Ping Sweeping?

Nmap is an awesome tool used to do port scanning. It can also be used to do ping sweeping. Lets have a look at how to do it.

[root@myvm ~]# nmap -sP 192.168.0.1-254
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-12-29 00:37 IST
Host 192.168.0.1 appears to be up.
Host 192.168.0.2 appears to be up.
Host 192.168.0.5 appears to be up.
Host 192.168.0.8 appears to be up.
Nmap finished: 254 IP addresses (4 host up) scanned in 5.314 seconds

The option we have used is pretty straightforward if you have a look at nmap man pages.

-sP option we have used is only to determine whether the host is up. Nmap will only do a ping scan when this option is only used.

The output of the above command is saying that , nmap has scanned around 254 ip addresses and it has found 4 hosts to be up.

If you want to scan only a limited number of hosts and not the entire network, then you can do that, by the following command. By specifying the range.

[root@myvm ~]# nmap -sP 192.168.0.1-30

Ping Sweeping with fping command

you can also use fping command to do ping sweeping. You can install fping throuh yum. fping command is commonly used to send ICMP echo request to large number of hosts(ping sweep).

Normal ping command, only sends ICMP echo request to a single IP or host, at a time. However fping can be used to send ICMP echo request to a large number of hosts. It does not work like ping, because it sends an echo request to a host, and move on to the next host, not waiting for the echo reply. This is done in a round robin fashion.

By default if you ping a large number of hosts using fping command, it assumes a host as unreachable if there no echo reply from the target host.

25 milliseconds is the default difference in sending request packets, when a large number of hosts are supplied.

 

[root@myvm ~]# cat iplist
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.4
192.168.0.5
192.168.0.6
192.168.0.7
192.168.0.8
192.168.0.9
192.168.0.10
[root@myvm ~]# fping -f iplist
192.168.0.1 is alive
192.168.0.3 is alive
192.168.0.4 is alive
192.168.0.2 is unreachable
192.168.0.5 is unreachable
192.168.0.6 is unreachable
192.168.0.7 is unreachable
192.168.0.8 is unreachable
192.168.0.9 is unreachable
192.168.0.10 is unreachable

in the above shown example i have made a list of ip address, where i need to ping, in the file iplist. One IP per line is the way the file should be made.

In between the alive and unreachable message result shown above, there are multiple echo request send messages, which i have shown in the above example.

You can also mention the network address, or range of IP address as an argument to fping command, to do ping sweeping as shown below.

[root@myvm ~]#  fping -g 192.168.0.1 192.168.0.10
192.168.0.1 is alive
192.168.0.3 is alive
192.168.0.4 is alive

you can mention the network address as shown below.

 

[root@myvm ~]#  fping -g 192.168.0.1/24
192.168.0.1 is alive
192.168.0.3 is alive
192.168.0.4 is alive

Ping Sweeping A network Which has blocked ICMP

Many network infrastructure security people block's ICMP traffic targeted to their network. Which will prevent ping Sweeping. So in such cases nmap tool has a good option to determine which hosts are alive in the network.

For achieving this, nmap uses TCP to scan the network instead of ICMP. It is called as tcp ping scan. it can be done the following way.

[root@myvm ~]# nmap -sP -PT80 192.168.0.1-30
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-12-29 02:53 IST
Host 192.168.0.1 appears to be up.
Nmap finished: 30 IP addresses (1 host up) scanned in 0.769 seconds

In the above method, what nmap does is to attempt making connection to port 80, and determines whether the host is alive.(it does not matter even if the port is not open on the target host. but traffic for that target port must be allowed in the network)

the same thing can be achieved by using hping utility.

Ping Sweeping with simple Bash for loop

You can also do a simple ping sweeping by using for loop in bash. However you cant bypass or do a tcp scan to determine whether the host alive, using this technique. because we are using the simple ping command for this technique.

[root@myvm ~]# for i in {1..254}; do ping -c 1 192.168.0.$i | grep 'from'; done
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.106 ms
64 bytes from 192.168.0.3: icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from 192.168.0.4: icmp_seq=1 ttl=64 time=0.039 ms

 

Note: An important thing to consider here is that, its perfectly alright to do ping sweeping for testing purposes if you are the network admin of that network. However its not legitimate, to do a network ping sweep in a network for which you do not have authorization.

 

Prevention:

You can prevent ping seeping in your network to a certain extent by using a good maintained ACL. Or a better approach to this will be to only allow limited ICMP messages, from your ISP.

Snort IDS can be used to track down such ICMP ping sweeps from unauthorized source address. A good maintained host level, firewall can also prevent such sweeps from outside sources.

Hope this article was helpful in understanding, ping sweep.

Rate this article: 
Average: 4.3 (32 votes)

Comments

nice article

People concerned with security would not only block icmp but also not allow nmap to be installed. Better stick to standard ping command in a for loop.

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Type the characters you see in this picture. (verify using audio)
Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.