Network scanning and port discovery can be crucial in the initial information-gathering phase of security testing. Recently I came across an interesting approach in a TCM Security course about writing scripts for pings. I decided to give this a try myself and add Nmap functionality to it.
Ping and organized output
One of the first things to consider is that we can streamline the ping process by sending only a single packet and capturing the results in a text file.
To further organize the output, we can add a “grep” command to extract only the portion that includes the IP address. This pulls the line that lists “64 bytes”, which indicates a reply. The “cut” command then extracts the IP address portion by specifying a space as the delimiter and selecting the fourth field, and to clean it up further we use the “tr” command to remove the trailing “:” for a tidier output.
Scripting the pings
The previous approach is useful because it lets us automate and leverage our pings by scripting them.
If we take what we just wrote out, we can create a simple file named ‘ipsweep.sh’ that does much more for us. In it, we specify that we would like to ping every IP address within the subnet (1 through 254). We then replace the ‘cat’ command with our customized ping command and set the argument to 1 so that we can enter our IP address range manually. (It is also required to add the executable permission to the file, because by default it is not set: “chmod +x ipsweep.sh”.)
Now this is already pretty cool. With this information about the responsive hosts, we can leverage Nmap to scan for ports that may be open.
Finalizing the script:
At this point, this may already be “good enough” in terms of simplifying the process of gathering IPs and performing network scans. However, we can take it one step further and package it all together into one script.
We can simply pipe our script’s output into a ‘while’ loop, where each of the IP addresses is read into a variable ‘line’.
After this, the Nmap command is executed with the “--open” option for each IP address to scan for open ports. We keep the ‘&’ symbol so that the commands run in the background for better efficiency, and ‘wait’ ensures that all Nmap processes have completed before the script exits.
And of course, to enhance the clarity of the output, I included the grep command with the “-E” option to list only the lines that match these criteria:
The word “PORT”.
The asterisk matches zero or more occurrences of the preceding element.
The “[0-9]” matches any digit (0 to 9); together with the asterisk this captures the actual port number.
‘open’ matches the word “open”, indicating an open port.
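The whole procedure above, from the single-packet ping pipeline through the 1 to 254 loop over the first argument, the while/read loop feeding Nmap with --open, and the grep -E filter, reconstructed here as an added example. This is my own code, not the course’s script or the author’s: the function names extract_ips, sweep, filter_open_ports and scan_hosts are hypothetical, the exact regex given to grep -E is this example’s choice (the page does not show the original), and the sample ping and Nmap output lines used to check the two filters are constructed.

```shell
#!/bin/sh
# ipsweep.sh (reconstruction, not the course's file): ping every host in a /24,
# collect the addresses that replied, then run an Nmap --open scan against each.
# extract_ips, sweep, filter_open_ports and scan_hosts are hypothetical helper
# names chosen for this example.

# Turn raw ping output into bare IP addresses. A reply line looks like
#   64 bytes from 192.168.4.1: icmp_seq=1 ttl=64 time=0.412 ms
# grep keeps only reply lines, cut -d " " -f 4 takes the fourth space-separated
# field ("192.168.4.1:"), and tr -d ":" drops the trailing colon.
extract_ips() {
    grep "64 bytes" | cut -d " " -f 4 | tr -d ":"
}

# Ping $1.1 through $1.254 once each, in the background, printing responders.
# $1 is the first three octets of the subnet, e.g. 192.168.4
sweep() {
    prefix="$1"
    i=1
    while [ "$i" -le 254 ]; do
        ping -c 1 "$prefix.$i" | extract_ips &
        i=$((i + 1))
    done
    wait    # every background ping has finished before we return
}

# Keep only the column header and the open-port lines from Nmap output.
# Regex (this example's choice): "PORT" matches the header; "^[0-9]+/[a-z]+"
# matches a port number and protocol at the start of the line, followed by
# one or more spaces and the word "open".
filter_open_ports() {
    grep -E "PORT|^[0-9]+/[a-z]+ +open"
}

# Read one responsive host per line from stdin and scan each in the background.
scan_hosts() {
    while read -r line; do
        nmap --open "$line" | filter_open_ports &
    done
    wait    # do not exit until all Nmap processes have completed
}

# Only run the sweep when a subnet prefix was given on the command line.
if [ $# -ge 1 ]; then
    sweep "$1" > ips.txt
    scan_hosts < ips.txt
fi
```

After chmod +x, running ./ipsweep.sh 192.168.4 writes the responders to ips.txt and scans each of them until wait returns. On the wire this is one ICMP echo per address followed by Nmap’s default TCP probes from a single source, a pattern that network IDS sweep and scan signatures flag readily. On Linux (iputils) ping, adding -W with a short timeout to the ping command shortens the wait on unresponsive addresses.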
With this simple script, one already has a pretty decent tool at their disposal. By combining the ping command with Nmap, it automates the process of identifying active hosts, filtering out unresponsive ones, and performing efficient port scanning.
What makes this exercise interesting is that it only scratches the surface of what scripting can achieve in security assessments and process automation. With simple command-line syntax, there are many possibilities for enhancing security practices.