--snip--
There is a lot of text in this output. With a bit of bash magic, we
can get cleaner output by extracting only the IP addresses that Nmap
identified as alive, using the grep and awk commands (Listing 4-8).
$ nmap -sn 172.16.10.0/24 | grep "Nmap scan" | awk -F'report for ' '{print $2}'
172.16.10.1
172.16.10.10
--snip--
Listing 4-8: Parsing Nmap’s ping scan output with grep and awk
Using Nmap’s built-in ping sweep may be more useful than manually
wrapping the ping utility with bash because you don’t have to worry
about checking conditions such as whether the command succeeded.
Moreover, in penetration tests you may drop an Nmap binary on more
than one type of operating system, and the same syntax will work
consistently whether or not a ping utility exists on that system.
One caveat about the parsing in Listing 4-8: when reverse DNS resolves
a name for a host, Nmap prints the line as "Nmap scan report for
NAME (IP)", so the awk split on "report for " prints the name and the
parenthesized address rather than a bare IP. Passing -n to Nmap
disables name resolution and keeps the report lines uniform.
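As an added example (not code from the book), the shell functions below parse Nmap ping-sweep output more robustly than the one-liner in Listing 4-8: one handles the normal output, including the reverse-DNS form of the report line and the down-host lines that -v produces, and the other reads Nmap’s greppable format (-oG -), where the address and the status sit in fixed fields. The Nmap output samples are constructed here so the script runs offline (the hostname and addresses are made up); the Nmap flags and output layouts are the real ones.

```shell
#!/usr/bin/env bash
# Added example, not code from the book: two parsers for Nmap ping-sweep
# output that return only the IPv4 addresses of hosts that are up.

# Constructed sample of what `nmap -sn -v 172.16.10.0/24` prints. Two
# details matter for parsing: when reverse DNS resolves a name, the report
# line becomes "report for NAME (IP)", and with -v Nmap also prints report
# lines for hosts that are down.
SAMPLE_NORMAL='Starting Nmap 7.94 ( https://nmap.org ) at 2023-01-01 12:00 UTC
Nmap scan report for 172.16.10.1
Host is up (0.00040s latency).
Nmap scan report for 172.16.10.2 [host down]
Nmap scan report for 172.16.10.10
Host is up (0.00050s latency).
Nmap scan report for fileserver.lab (172.16.10.12)
Host is up (0.00070s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

# Constructed sample of the same sweep in greppable format
# (`nmap -sn -v -oG - 172.16.10.0/24`): one "Host:" line per host, with the
# address always in the second field and an explicit "Status:".
TAB=$(printf '\t')
SAMPLE_GREPABLE="# Nmap 7.94 scan initiated Sun Jan  1 12:00:00 2023 as: nmap -sn -v -oG - 172.16.10.0/24
Host: 172.16.10.1 ()${TAB}Status: Up
Host: 172.16.10.2 ()${TAB}Status: Down
Host: 172.16.10.10 ()${TAB}Status: Up
Host: 172.16.10.12 (fileserver.lab)${TAB}Status: Up
# Nmap done at Sun Jan  1 12:00:02 2023 -- 256 IP addresses (3 hosts up) scanned in 2.50 seconds"

# Normal output: remember the first dotted quad on each report line and
# emit it only once the following "Host is up" line confirms the host.
# Splitting on "report for " would instead print "fileserver.lab (172.16.10.12)".
alive_from_normal() {
  awk '
    /^Nmap scan report for/ {
      ip = ""
      if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
        ip = substr($0, RSTART, RLENGTH)
    }
    /^Host is up/ && ip != "" { print ip; ip = "" }'
}

# Greppable output: no regex over free text; take field 2 of every
# "Host:" line whose status is Up.
alive_from_grepable() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Real use:  nmap -sn -n 172.16.10.0/24 | alive_from_normal
#            nmap -sn -oG - 172.16.10.0/24 | alive_from_grepable
# Offline demo against the constructed samples:
printf '%s\n' "$SAMPLE_NORMAL" | alive_from_normal
printf '%s\n' "$SAMPLE_GREPABLE" | alive_from_grepable
```

Both functions print the same three addresses for the samples above; the greppable parser is the one to prefer in scripts, because -oG was designed for exactly this kind of post-processing and its layout does not change with name resolution or verbosity.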
arp-scan
We can perform penetration testing remotely, from a different
network, or from within the same network as the target. In this
section, we highlight arp-scan as a way to find hosts on a network
when the test is done locally, from inside that network.
The arp-scan utility sends Address Resolution Protocol (ARP)
requests to hosts on a network and displays any replies it gets
back. ARP resolves the IP addresses used on a network to Media
Access Control (MAC) addresses, the 48-bit hardware addresses
(written as 12 hexadecimal digits, usually in six colon-separated
pairs) assigned to network interfaces. ARP is a Layer 2 protocol in
the Open Systems Interconnection (OSI) model, and ARP frames are
never forwarded by routers, so arp-scan is useful only when you’re on
the same local network segment as the targets; it can’t be used to
perform a remote scan over the internet.
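The following is an added example, not code from the book. It parses arp-scan’s output into IP and MAC pairs and then lists the hosts that answered ARP but were absent from a ping sweep of the same subnet. The arp-scan output and the ping-sweep list are constructed samples (addresses and MACs are made up); the per-host lines follow arp-scan’s tab-separated IP, MAC, vendor layout, and the header and footer lines are assumed to look as shown.

```shell
#!/usr/bin/env bash
# Added example, not code from the book: parse arp-scan output into
# "IP MAC" pairs, then list the hosts that answered ARP but were missing
# from a ping sweep of the same subnet (typically hosts whose firewall
# drops ICMP echo requests but which must still answer ARP to be reachable).

TAB=$(printf '\t')

# Constructed sample laid out like arp-scan's output: an interface header,
# one tab-separated line per responding host (IP, MAC, vendor), a footer.
SAMPLE_ARPSCAN="Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 172.16.10.5
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
172.16.10.1${TAB}00:50:56:c0:00:08${TAB}VMware, Inc.
172.16.10.10${TAB}00:0c:29:11:22:33${TAB}VMware, Inc.
172.16.10.12${TAB}00:0c:29:44:55:66${TAB}VMware, Inc.
172.16.10.20${TAB}00:0c:29:77:88:99${TAB}VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.998 seconds (128.13 hosts/sec). 4 responded"

# Constructed result of a ping sweep of the same subnet (the kind of list
# the grep/awk pipeline in Listing 4-8 produces); 172.16.10.20 is absent.
PING_SWEEP_IPS='172.16.10.1
172.16.10.10
172.16.10.12'

# Keep only per-host lines: field 1 is a dotted quad and field 2 is a
# 17-character colon-separated MAC. Header and footer lines never match.
arp_hosts() {
  awk -F "$TAB" '
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
    $2 ~ /^[0-9a-fA-F:]+$/ && length($2) == 17 { print $1, $2 }'
}

# Print the IPs from arp_hosts output (stdin) that do not appear in the
# newline-separated list passed as $1. An empty list prints every host.
arp_only() {
  awk -v pinglist="$1" '
    BEGIN {
      n = split(pinglist, a, "\n")
      for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1
    }
    !($1 in seen) { print $1 }'
}

# Real use (needs root, and only on a segment you are directly attached to):
#   sudo arp-scan --localnet | arp_hosts
#   sudo arp-scan --localnet | arp_hosts | arp_only "$PING_SWEEP_IPS"
# Offline demo against the constructed samples:
printf '%s\n' "$SAMPLE_ARPSCAN" | arp_hosts
printf '%s\n' "$SAMPLE_ARPSCAN" | arp_hosts | arp_only "$PING_SWEEP_IPS"
```

A host can filter ICMP, but it has to answer ARP requests or nothing on the segment can reach it, so the difference between the two lists is a quick way to spot hosts a ping sweep missed (here, 172.16.10.20). One caveat: when Nmap runs as root on a directly attached Ethernet network, -sn already uses ARP requests for local targets, so the two lists differ mainly when the sweep was run unprivileged or from another network.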
Note that arp-scan requires root privileges to run: it reads and
writes raw link-layer packets, which the operating system permits
only to privileged processes (on Linux, processes holding the
CAP_NET_RAW capability). In its most basic form, you run the
arp-scan command and pass a single IP address as an argument:
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks