172.16.10.1 is up.
172.16.10.10 is up.
172.16.10.11 is up.
172.16.10.12 is up.
172.16.10.13 is up.
The caveat to this host-discovery approach is that certain hosts,
especially hardened ones, might not reply to ping at all. If we rely
solely on this method for discovery, we might miss live hosts on the
network.
Also note that commands that run forever by default, such as
ping, can be a problem when integrated into a bash script, because the
script blocks until the command exits. In this example, we've explicitly
set a few flags to ensure that our bash script won't hang when it
executes ping. This is why it's important to first test commands in the
terminal before integrating them into your scripts. More often than not,
tools have options, such as a timeout option, that ensure they don't
execute forever.
For tools that don't provide a timeout option, the timeout
command lets you run a command and exit after a certain amount of
time has passed. You can prepend the timeout command to any Linux
utility, passing it an interval (a number with an s, m, or h suffix for
seconds, minutes, or hours). After the time has elapsed, the entire
command exits. For example: timeout 5s ping 8.8.8.8.
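The following bash script is an added example, not code from the book: it wraps ping in the timeout command described above so that a sweep can never hang, and prints live hosts in the same "X is up." format as the script's output. The function names (bounded, probe_host, ping_sweep) are ours, and the ping flags assume Linux iputils semantics.

```bash
#!/usr/bin/env bash
# Added example (not from the book): a ping sweep that cannot hang,
# built around the timeout(1) wrapper described in the text.

# bounded LIMIT CMD...: run CMD, killing it once LIMIT (e.g. 5s, 2m) elapses.
# GNU timeout exits with status 124 when it had to kill the command, so the
# caller can tell "no answer in time" apart from the command's own failure.
bounded() {
  local limit="$1"; shift
  timeout "$limit" "$@"
}

# probe_host IP: one ICMP echo request, bounded twice: ping's own -c 1 / -W 1
# (Linux iputils: one request, wait at most one second for the reply) and an
# outer timeout as a safety net in case ping ignores those flags.
probe_host() {
  local ip="$1"
  bounded 3s ping -c 1 -W 1 "$ip" >/dev/null 2>&1
}

# ping_sweep PREFIX: probe PREFIX.1 through PREFIX.254 and print the hosts
# that answered. Hosts that drop ICMP (common on hardened systems) are simply
# absent from the output, so treat the list as a lower bound, not an inventory.
ping_sweep() {
  local prefix="$1" i
  for i in $(seq 1 254); do
    if probe_host "$prefix.$i"; then
      echo "$prefix.$i is up."
    fi
  done
}

# Usage: ping_sweep 172.16.10
```

Because bounded returns 124 when the time limit fires, a caller can log "no reply within limit" separately from a host that answered with an error.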
Nmap
Nmap has a special option called -sn that performs a ping
sweep (and disables port scanning). A ping sweep is a simple
technique for finding live hosts on a network: each address is sent
a ping, and any address that sends back a ping reply is considered
live. Since many operating systems respond to ping by default, this
technique has proved valuable. With -sn, Nmap essentially sends
Internet Control Message Protocol (ICMP) packets over the network
to discover running hosts:
$ nmap -sn 172.16.10.0/24
Nmap scan report for 172.16.10.1
Host is up (0.00093s latency).
Nmap scan report for 172.16.10.10
Host is up (0.00020s latency).
Nmap scan report for 172.16.10.11
Host is up (0.00076s latency).
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks