Lab 1 - Host Discovery


Module 03 - Scanning Networks

Perform Host Discovery


Host discovery is the process of identifying active hosts in the target network.

Lab Scenario
As a professional ethical hacker or pen tester, you should be able to scan and detect the active
network systems/devices in the target network. During the network scanning phase of security
assessment, your first task is to scan the network systems/devices connected to the target
network within a specified IP range and check for live systems in the target network.

Lab Objectives
= Perform host discovery using Nmap
= Perform host discovery using Angry IP Scanner

Lab Environment
To carry out this lab, you need:
= Windows 11 virtual machine
= Windows Server 2022 virtual machine
= Windows Server 2019 virtual machine
= Parrot Security virtual machine
= Ubuntu virtual machine
= Android virtual machine
= Web browsers with an Internet connection
= Administrator privileges to run the tools

Lab Duration
Time: 10 Minutes

Overview of Host Discovery


Host discovery is considered the primary task in the network scanning process. It is used to
discover the active/live hosts in a network. It provides an accurate status of the systems in the
network, which, in turn, reduces the time spent on scanning every port on every system in a sea
of IP addresses in order to identify whether the target host is up.

CEH Lab Manual Page 218 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
The following are examples of host discovery techniques:
= ARP ping scan
= UDP ping scan
= ICMP ping scan (ICMP ECHO ping, ICMP timestamp ping, and ICMP address mask ping)
= TCP ping scan (TCP SYN ping and TCP ACK ping)
= IP protocol ping scan

Lab Tasks
Task 1: Perform Host Discovery using Nmap

Nmap is a utility used for network discovery, network administration, and security auditing. It is
also used to perform tasks such as network inventory, managing service upgrade schedules,
and monitoring host or service uptime.

Here, we will use Nmap to discover a list of live hosts in the target network. We can use Nmap
to scan the active hosts in the target network using various host discovery techniques such as
ARP ping scan, UDP ping scan, ICMP ECHO ping scan, ICMP ECHO ping sweep, etc.

1. Turn on the Windows 11, Windows Server 2022, Windows Server 2019, Parrot
Security, Ubuntu, and Android virtual machines.

2. On the login page of the Parrot Security machine, the attacker username is selected by
default. Enter toor in the Password field and press Enter to log in to the machine.
Note: If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and
close it.
Note: If a Question pop-up window appears asking you to update the machine, click No
to close the window.
3. Click the MATE Terminal icon at the top of the Desktop to open a Terminal window.



4. A Parrot Terminal window appears. In the terminal window, type sudo su and press
Enter to run the programs as the root user.
5. In the [sudo] password for attacker field, type toor as the password and press Enter.
Note: The password that you type will not be visible.
6. In the terminal window, type the command nmap -sn -PR [Target IP Address] (here, the
target IP address is 10.10.1.22) and press Enter.
Note: -sn: disables the port scan; -PR: performs an ARP ping scan.

[Terminal screenshot]
$ sudo su
[sudo] password for attacker:
# nmap -sn -PR 10.10.1.22

7. The scan results appear, indicating that the target Host is up, as shown in the
screenshot.
Note: In this lab, we are targeting the Windows Server 2022 (10.10.1.22) machine.
Note: The ARP ping scan sends an ARP request to the target host; an ARP response means
that the host is active.
Note: The MAC address might differ when you perform this task.

[Terminal screenshot]
$ sudo su
[sudo] password for attacker:
# nmap -sn -PR 10.10.1.22
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 03:11 EDT
Nmap scan report for 10.10.1.22
Host is up (0.00052s latency).
MAC Address: 00:15:5D:01:80:02 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds


8. In the terminal window, type nmap -sn -PU [Target IP Address] (here, the target IP
address is 10.10.1.22) and press Enter. The scan results appear, indicating that the target
Host is up, as shown in the screenshot.
Note: -PU: performs the UDP ping scan.
Note: The UDP ping scan sends UDP packets to the target host; a UDP response means
that the host is active. If the target host is offline or unreachable, various error
messages such as "host/network unreachable" or "TTL exceeded" could be returned.
[Terminal screenshot]
# nmap -sn -PU 10.10.1.22
Nmap scan report for 10.10.1.22
Host is up (0.00030s latency).
MAC Address: 00:15:5D:01:80:02 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds


9. Now, we will perform the ICMP ECHO ping scan. In the terminal window, type nmap -sn
-PE [Target IP Address] (here, the target IP address is 10.10.1.22) and press Enter. The
scan results appear, indicating that the target Host is up, as shown in the screenshot.
Note: -PE: performs the ICMP ECHO ping scan.

Note: The ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the
target host is alive, it will return an ICMP ECHO reply. This scan is useful for locating
active devices or determining whether ICMP is passing through a firewall.

[Terminal screenshot]
# nmap -sn -PE 10.10.1.22
Nmap scan report for 10.10.1.22
Host is up (0.00026s latency).
MAC Address: 00:15:5D:01:80:02 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

10. Now, we will perform an ICMP ECHO ping sweep to discover live hosts from a range of
target IP addresses. In the terminal window, type nmap -sn -PE [Target Range of IP
Addresses] (here, the target range of IP addresses is 10.10.1.10-23) and press Enter. The
scan results appear, indicating which target hosts are up, as shown in the screenshot.

Note: In this lab task, we are scanning Windows 11, Windows Server 2022, Windows
Server 2019, and Android machines.

Note: The ICMP ECHO ping sweep is used to determine the live hosts from a range of IP
addresses by sending ICMP ECHO requests to multiple hosts. If a host is alive, it will
return an ICMP ECHO reply.


[Terminal screenshot]
# nmap -sn -PE 10.10.1.10-23
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 03:55 EDT
Nmap scan report for 10.10.1.11
Host is up (0.0011s latency).
MAC Address: 00:15:5D:01:80:00 (Microsoft)
Nmap scan report for 10.10.1.14
Host is up (0.00096s latency).
MAC Address: 02:15:5D:19:04:A7 (Unknown)
Nmap scan report for www.moviescope.com (10.10.1.19)
Host is up (0.00094s latency).
MAC Address: 02:15:5D:19:04:A4 (Unknown)
Nmap scan report for 10.10.1.22
Host is up (0.00021s latency).
MAC Address: 00:15:5D:01:80:02 (Microsoft)
Nmap scan report for 10.10.1.13
Host is up.
Nmap done: 14 IP addresses (5 hosts up) scanned in 1.33 seconds
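A ping sweep is only useful once its output is reconciled with what is supposed to be on the network. The following Python script is an added example, not part of the CEH lab manual and not Nmap's own code: it parses the normal (non-XML) output of nmap -sn, as produced in steps 6 to 11, into a host list and checks it against an expected-asset table, reporting hosts that answered but are not on record, hosts on record that did not answer, MAC addresses that differ from the record, and locally administered MACs (the 02:... addresses the sweep shows as "Unknown" vendor). The sweep text is constructed from the step 10 screenshot; the function names, the EXPECTED_ASSETS table, the 10.10.1.9 entry and the stale MAC recorded for 10.10.1.22 are hypothetical.

```python
"""Turn `nmap -sn` normal output into a host inventory and reconcile it against
an expected-asset table. Added example (not from the CEH lab manual or Nmap);
the sweep text is constructed from the lab's step 10 screenshot and the
expected-asset table is hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the ICMP ECHO ping sweep of step 10 (nmap -sn -PE 10.10.1.10-23).
SWEEP_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 03:55 EDT
Nmap scan report for 10.10.1.11
Host is up (0.0011s latency).
MAC Address: 00:15:5D:01:80:00 (Microsoft)
Nmap scan report for 10.10.1.14
Host is up (0.00096s latency).
MAC Address: 02:15:5D:19:04:A7 (Unknown)
Nmap scan report for www.moviescope.com (10.10.1.19)
Host is up (0.00094s latency).
MAC Address: 02:15:5D:19:04:A4 (Unknown)
Nmap scan report for 10.10.1.22
Host is up (0.00021s latency).
MAC Address: 00:15:5D:01:80:02 (Microsoft)
Nmap scan report for 10.10.1.13
Host is up.
Nmap done: 14 IP addresses (5 hosts up) scanned in 1.33 seconds
"""

# Hypothetical asset table: IP -> MAC on record (None = no MAC recorded).
EXPECTED_ASSETS: Dict[str, Optional[str]] = {
    "10.10.1.11": "00:15:5D:01:80:00",  # Windows 11
    "10.10.1.13": None,                 # Parrot Security, the scanning host itself
    "10.10.1.19": "02:15:5D:19:04:A4",  # www.moviescope.com
    "10.10.1.22": "00:15:5D:01:80:0F",  # hypothetical stale record for Windows Server 2022
    "10.10.1.9": None,                  # hypothetical entry that did not answer the probe
}

REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+(?:\.\d+){3})\)?$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \((?P<vendor>[^)]*)\)$")
DONE_RE = re.compile(r"^Nmap done: \d+ IP address(?:es)? \((?P<up>\d+) hosts? up\)")


@dataclass
class Host:
    ip: str
    hostname: Optional[str] = None
    latency_s: Optional[float] = None  # None for the scanning host itself (no latency line)
    mac: Optional[str] = None          # None when the target is not on the scanner's L2 segment
    vendor: Optional[str] = None


def parse_nmap_sn(text: str) -> List[Host]:
    """One Host per 'Nmap scan report' block; works for single-target runs
    (steps 6 to 11) as well as for sweeps over a range."""
    hosts: List[Host] = []
    cur: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := REPORT_RE.match(line):
            cur = Host(ip=m["ip"], hostname=m["name"])
            hosts.append(cur)
        elif cur is not None and (m := UP_RE.match(line)):
            cur.latency_s = float(m["lat"]) if m["lat"] else None
        elif cur is not None and (m := MAC_RE.match(line)):
            cur.mac, cur.vendor = m["mac"].upper(), m["vendor"]
    return hosts


def hosts_up_claimed(text: str) -> Optional[int]:
    """Host count from the 'Nmap done' summary line, to cross-check the parsed list."""
    for line in text.splitlines():
        if m := DONE_RE.match(line):
            return int(m["up"])
    return None


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the MAC is locally administered (typical of
    VMs, containers and spoofed addresses) rather than a vendor-assigned OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def reconcile(hosts: List[Host], expected: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Compare a sweep against the asset table; every finding is a sorted list of IPs."""
    seen = {h.ip: h for h in hosts}
    return {
        "unexpected": sorted(ip for ip in seen if ip not in expected),
        "missing": sorted(ip for ip in expected if ip not in seen),
        "mac_mismatch": sorted(ip for ip, mac in expected.items()
                               if mac and ip in seen and seen[ip].mac and seen[ip].mac != mac),
        "locally_administered": sorted(h.ip for h in hosts if h.mac and is_locally_administered(h.mac)),
    }


if __name__ == "__main__":
    found = parse_nmap_sn(SWEEP_OUTPUT)
    assert hosts_up_claimed(SWEEP_OUTPUT) == len(found), "summary line disagrees with parsed blocks"
    for h in found:
        print(f"{h.ip:<12} {h.hostname or '-':<20} {h.mac or '-':<18} {h.vendor or '-'}")
    for finding, ips in reconcile(found, EXPECTED_ASSETS).items():
        print(f"{finding}: {', '.join(ips) or 'none'}")
```

Run it against a saved scan with python3 script.py after replacing SWEEP_OUTPUT with the file contents (or feed nmap -oN output through it). The MAC column is only populated when the scanner shares a broadcast domain with the target, which is also why the ARP ping of step 6 is the most reliable probe on the local segment and why a "missing" host in this report means "did not answer this probe type", not necessarily "powered off".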

11. In the terminal window, type nmap -sn -PP [Target IP Address] (here, the target IP
address is 10.10.1.22) and press Enter. The scan results appear, indicating that the target
Host is up, as shown in the screenshot.
Note: -PP: performs the ICMP timestamp ping scan.

Note: ICMP timestamp ping is an optional, additional type of ICMP ping in which the
attacker sends an ICMP timestamp request to obtain the current time from the target
host machine.
[Terminal screenshot]
# nmap -sn -PP 10.10.1.22
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 03:58 EDT
Nmap scan report for 10.10.1.22
Host is up (0.00070s latency).
MAC Address: 00:15:5D:01:80:02 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds


12. Apart from the aforementioned network scanning techniques, you can also use the
following scanning techniques to perform host discovery on a target network.
= ICMP Address Mask Ping Scan: This technique is an alternative to the traditional
ICMP ECHO ping scan and is used to determine whether the target host is live,
specifically when administrators block ICMP ECHO pings.
= #nmap -sn -PM [target IP address]
= TCP SYN Ping Scan: This technique sends empty TCP SYN packets to the target host;
an ACK response means that the host is active.
= #nmap -sn -PS [target IP address]
= TCP ACK Ping Scan: This technique sends empty TCP ACK packets to the target host;
an RST response means that the host is active.
= #nmap -sn -PA [target IP address]
= IP Protocol Ping Scan: This technique sends probe packets of different IP
protocols to the target host; any response from any probe indicates that the host is
active.
= #nmap -sn -PO [target IP address]


13. This concludes the demonstration of discovering the target host(s) in the target network
using various host discovery techniques.
14. Close all open windows and document all the acquired information.

Task 2: Perform Host Discovery using Angry IP Scanner

Angry IP Scanner is an open-source and cross-platform network scanner designed to scan IP
addresses as well as ports. It simply pings each IP address to check whether it is alive; then,
optionally, it resolves the hostname, determines the MAC address, scans ports, etc. The amount of
gathered data about each host can be extended with plugins.
Here, we will use the Angry IP Scanner tool to discover the active hosts in the target network.
Note: Ensure that all the virtual machines are running.
1. Switch to the Windows 11 virtual machine. By default, the Admin user profile is selected;
type Pa$$wOrd in the Password field and press Enter to log in.
Note: If the Welcome to Windows wizard appears, click Continue, and in the Sign in with
Microsoft wizard, click Cancel.

Note: If the Networks screen appears, click Yes to allow your PC to be discoverable by other
PCs and devices on the network.

2. Click the Search icon on the Desktop. Type angry in the search field; Angry IP
Scanner appears in the results. Click Open to launch it.


[Screenshot: Windows search results for "angry", with Angry IP Scanner listed as the best match and the Open, Run as administrator and Open file location options]
3. Angry IP Scanner starts, and a Getting Started window pops up. Click Next, follow the
wizard, and click Close.
Note: If Open File - Security Warning window appears, click Run.
[Screenshot: IP Range - Angry IP Scanner window with the Getting Started dialog: "Angry IP Scanner is an IP address scanner tool. It is used for scanning of IP addresses with the goal of finding interesting information about each of them. You can start by specifying the IP addresses to scan (your local IP is entered by default) and clicking the Start button." with a "Send anonymous error reports" checkbox]


4. The IP Range - Angry IP Scanner window appears, as shown in the screenshot.


[Screenshot: IP Range - Angry IP Scanner window; menu bar Scan, Goto, Commands, Favorites, Tools, Help; IP Range 10.10.1.0 to 10.10.1.255; Hostname Windows11; Netmask; result columns IP, Ping, Hostname, Ports [3+]]
5. In the IP Range fields, type the IP range as 10.10.1.0 to 10.10.1.255 and click the
Preferences icon beside the IP Range menu, as shown in the screenshot.
[Screenshot: IP Range - Angry IP Scanner window with the IP range 10.10.1.0 to 10.10.1.255 entered and the Preferences icon highlighted beside the IP Range menu]


6. The Preferences window appears. In the Scanning tab, under the Pinging section, select
the Pinging method as Combined UDP+TCP from the drop-down list.

[Screenshot: Preferences window, Scanning tab]
Threads: Delay between starting threads (in ms): 20; Maximum number of threads: 100
Pinging: Pinging method: Combined UDP+TCP (drop-down also lists Windows ICMP, UDP packet, TCP port probe, Java built-in); Number of ping probes (packets to send); Ping timeout (in ms); Scan dead hosts, which don't reply to pings
Skipping: Skip probably unassigned IP addresses *.0 and *.255

7. Now, switch to the Display tab. Under the Display in the results list section, select the
Alive hosts (responding to pings) only radio button and click OK.

[Screenshot: Preferences window, Display tab]
Display in the results list: All scanned hosts / Alive hosts (responding to pings) only [selected] / Hosts with open ports only
Labels displayed in the results list: The value is not available (no results): [n/a]; The actual value was not scanned (unknown): [n/s]
Confirmation: Ask for confirmation before starting a new scan; Show info dialog after each scan
Language: System default (some translations are incomplete); Check for new versions; Send anonymous error reports


8. In the IP Range - Angry IP Scanner window, click the Start button to start scanning the
IP range that you entered.
[Screenshot: IP Range - Angry IP Scanner window with the range 10.10.1.0 to 10.10.1.255 entered and the Start button highlighted]

9. Angry IP Scanner starts scanning the IP range and begins to list out the alive hosts found
along with their hostnames. Check the progress bar on the bottom-right corner to see
the progress of the scanning.

10. After the scanning is completed, a Scan Statistics pop-up appears. Note the total
number of Hosts alive (here, 7) and click Close.

[Screenshot: IP Range - Angry IP Scanner results with the Scan Statistics dialog]
Scanning completed
Total time: 51.05 sec
Average time per host: 0.2 sec
IP Range: 10.10.1.0 - 10.10.1.255
Hosts scanned: 254
Hosts alive: 7
With open ports: 4


11. The results of the scan appear in the IP Range - Angry IP Scanner window. You can see
all active IP addresses with their hostnames listed in the main window.
[Screenshot: IP Range - Angry IP Scanner results list (IP, Ping, Hostname, Ports [3+]); readable rows:]
10.10.1.11   Windows11            80
10.10.1.19   www.moviescope.com   80
10.10.1.22   SERVER2022           80
(unreadable) Android.local        [n/a]
(three further alive hosts whose entries are not legible in the screenshot)

12. This concludes the demonstration of discovering alive hosts in the target range of IP
addresses using Angry IP Scanner.
13. You can also use other ping sweep tools such as SolarWinds Engineer’s Toolset
(https://www.solarwinds.com), NetScanTools Pro (https://www.netscantools.com),
Colasoft Ping Tool (https://www.colasoft.com), Visual Ping Tester
(http://www.pingtester.net), and OpUtils (https://www.manageengine.com) to discover
active hosts in the target network.
14. Close all open windows and document all the acquired information.
15. Turn off all the virtual machines (Windows 11, Windows Server 2022, Windows Server
2019, Parrot Security, Ubuntu, and Android).

Lab Analysis
Analyze and document the results of this lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: Yes
Platform Supported: Classroom
