Lab 1 - Host Discovery
Lab Scenario
As a professional ethical hacker or pen tester, you should be able to scan and detect the active
network systems/devices in the target network. During the network scanning phase of security
assessment, your first task is to scan the network systems/devices connected to the target
network within a specified IP range and check for live systems in the target network.
Lab Objectives
= Perform host discovery using Nmap
= Perform host discovery using Angry IP Scanner
Lab Environment
To carry out this lab, you need:
= Windows 11 virtual machine
= Windows Server 2022 virtual machine
= Windows Server 2019 virtual machine
= Parrot Security virtual machine
= Ubuntu virtual machine
= Android virtual machine
= Web browsers with an Internet connection
= Administrator privileges to run the tools
Lab Duration
Time: 10 Minutes
CEH Lab Manual Page 218 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
network, which, in turn, reduces the time spent on scanning every port on every system in a sea
of IP addresses in order to identify whether the target host is up.
The following are examples of host discovery techniques:
= ARP ping scan
= ICMP ping scan (ICMP ECHO ping, ICMP timestamp ping, and ICMP address mask ping)
= TCP ping scan (TCP SYN ping and TCP ACK ping)
= IP protocol ping scan
Lab Tasks
Task 1: Perform Host Discovery using Nmap
Nmap is a utility used for network discovery, network administration, and security auditing. It is
also used to perform tasks such as network inventory, managing service upgrade schedules,
and monitoring host or service uptime.
Here, we will use Nmap to discover a list of live hosts in the target network. We can use Nmap
to scan the active hosts in the target network using various host discovery techniques such as
ARP ping scan, UDP ping scan, ICMP ECHO ping scan, ICMP ECHO ping sweep, etc.
1. Turn on the Windows 11, Windows Server 2022, Windows Server 2019, Parrot
Security, Ubuntu, and Android virtual machines.
2. On the login page of the Parrot Security machine, the attacker username is selected by
default. Enter toor in the Password field and press Enter to log in to the
machine.
Note: If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and
close it.
Note: If a Question pop-up window appears asking you to update the machine, click No
to close the window.
3. Click the MATE Terminal icon at the top of the Desktop to open a Terminal window.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press
Enter to run the programs as a root user.
5. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
6. In the terminal window, type the command nmap -sn -PR [Target IP Address] (here, the
target IP address is 10.10.1.22) and press Enter.
Note: -sn: disables port scan and -PR: performs ARP ping scan.
$sudo su
[sudo] password for attacker:
#nmap -sn -PR 10.10.1.22
7. The scan results appear, indicating that the target Host is up, as shown in the
screenshot.
Note: In this lab, we are targeting the Windows Server 2022 (10.10.1.22) machine.
Note: The ARP ping scan sends ARP request probes to the target host; an ARP response means
that the host is active.
Note: The MAC address might differ when you perform this task.
$sudo su
[sudo] password for attacker:
#nmap -sn -PR 10.10.1.22
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 03:11 EDT
Nmap scan report for 10.10.1.22
Host is up (0.00052s latency).
MAC Address: 00:15:5D:01:80:02 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
8. In the terminal window, type nmap -sn -PU [Target IP Address], (here, the target IP
address is 10.10.1.22) and press Enter. The scan results appear, indicating the target
Host is up, as shown in the screenshot.
Note: -PU: performs the UDP ping scan.
Note: The UDP ping scan sends UDP packets to the target host; a UDP response means
that the host is active. If the target host is offline or unreachable, various error
messages such as “host/network unreachable” or “TTL exceeded” could be returned.
9. Now, we will perform the ICMP ECHO ping scan. In the terminal window, type nmap -sn
-PE [Target IP Address], (here, the target IP address is 10.10.1.22) and press Enter. The
scan results appear, indicating that the target Host is up, as shown in the screenshot.
Note: -PE: performs the ICMP ECHO ping scan.
Note: The ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the
target host is alive, it will return an ICMP ECHO reply. This scan is useful for locating
active devices or determining whether ICMP is passing through a firewall.
10. Now, we will perform an ICMP ECHO ping sweep to discover live hosts from a range of
target IP addresses. In the terminal window, type nmap -sn -PE [Target Range of IP
Addresses] (here, the target range of IP addresses is 10.10.1.10-23) and press Enter. The
scan results appear, indicating the target Host is up, as shown in the screenshot.
Note: In this lab task, we are scanning Windows 11, Windows Server 2022, Windows
Server 2019, and Android machines.
Note: The ICMP ECHO ping sweep is used to determine the live hosts from a range of IP
addresses by sending ICMP ECHO requests to multiple hosts. If a host is alive, it will
return an ICMP ECHO reply.
11. In the terminal window, type nmap -sn -PP [Target IP Address], (here, the target IP
address is 10.10.1.22) and press Enter. The scan results appear, indicating the target
Host is up, as shown in the screenshot.
Note: -PP: performs the ICMP timestamp ping scan.
Note: ICMP timestamp ping is an optional and additional type of ICMP ping
whereby the attackers query a timestamp message to acquire the information
related to the current time from the target host machine.
#nmap -sn -PE 10.10.1.10-23
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 03:55 EDT
Nmap scan report for 10.10.1.11
Host is up (0.0011s latency).
MAC Address: 00:15:5D:01:80:00 (Microsoft)
Nmap scan report for 10.10.1.14
Host is up (0.00096s latency).
MAC Address: 02:15:5D:19:04:A7 (Unknown)
Nmap scan report for www.moviescope.com (10.10.1.19)
Host is up (0.00094s latency).
MAC Address: 02:15:5D:19:04:A4 (Unknown)
Nmap scan report for 10.10.1.22
Host is up (0.00021s latency).
MAC Address: 00:15:5D:01:80:02 (Microsoft)
Nmap scan report for 10.10.1.13
Host is up.
Nmap done: 14 IP addresses (5 hosts up) scanned in 1.33 seconds
#nmap -sn -PP 10.10.1.22
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 03:58 EDT
Nmap scan report for 10.10.1.22
Host is up (0.00070s latency).
MAC Address: 00:15:5D:01:80:02 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
12. Apart from the aforementioned network scanning techniques, you can also use the
following scanning techniques to perform host discovery on a target network.
= ICMP Address Mask Ping Scan: This technique is an alternative to the traditional
ICMP ECHO ping scan and is used to determine whether the target host is live,
specifically when administrators block ICMP ECHO pings.
= #nmap -sn -PM [target IP address]
= TCP SYN Ping Scan: This technique sends empty TCP SYN packets to the target host;
an ACK response means that the host is active.
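Added example (not part of the lab manual): a parser that turns the nmap -sn output shown in Task 1 into host records for documentation, including hosts listed by name and hosts that report no latency or MAC address. The sample text is an abridged, constructed copy of the lab's sweep output, and the function names are this example's own.

```python
import re

# Constructed sample: abridged copy of the lab's ICMP ECHO sweep output.
SAMPLE = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 03:55 EDT
Nmap scan report for 10.10.1.11
Host is up (0.0011s latency).
MAC Address: 00:15:5D:01:80:00 (Microsoft)
Nmap scan report for www.moviescope.com (10.10.1.19)
Host is up (0.00094s latency).
MAC Address: 02:15:5D:19:04:A4 (Unknown)
Nmap scan report for 10.10.1.13
Host is up.
Nmap done: 14 IP addresses (3 hosts up) scanned in 1.33 seconds
"""

REPORT = re.compile(r"^Nmap scan report for (?:(\S+) \((\S+)\)|(\S+))$")
UP = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?\.$")
MAC = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")
DONE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")

def parse_sn(text):
    """Return (hosts, summary) parsed from `nmap -sn` normal output."""
    hosts, cur, summary = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := REPORT.match(line):
            # "name (ip)" when the address resolved, a bare ip otherwise.
            cur = {"ip": m.group(2) or m.group(3), "hostname": m.group(1),
                   "latency_s": None, "mac": None, "vendor": None, "up": False}
            hosts.append(cur)
        elif cur and (m := UP.match(line)):
            cur["up"] = True
            cur["latency_s"] = float(m.group(1)) if m.group(1) else None
        elif cur and (m := MAC.match(line)):
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
        elif m := DONE.match(line):
            summary = {"scanned": int(m.group(1)), "up": int(m.group(2))}
    return hosts, summary

def counts_agree(hosts, summary):
    """True when the parsed 'up' hosts match Nmap's own summary line."""
    return summary is not None and sum(h["up"] for h in hosts) == summary["up"]
```

For records that feed other tooling, Nmap's XML output (-oX) is a more stable format to parse than the screen output.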
Note: If the Networks screen appears, click Yes to allow your PC to be discoverable by other
PCs and devices on the network.
2. Click the Search icon on the Desktop. Type angry in the search field; Angry IP
Scanner appears in the results. Click Open to launch it.
3. Angry IP Scanner starts, and a Getting Started window pops up. Click Next, follow the
wizard, and click Close.
Note: If an Open File - Security Warning window appears, click Run.
5. In the IP Range fields, type the IP range as 10.10.1.0 to 10.10.1.255 and click the
Preferences icon beside the IP Range menu, as shown in the screenshot.
6. The Preferences window appears. In the Scanning tab, under the Pinging section, select
the Pinging method as Combined UDP+TCP from the drop-down list.
7. Now, switch to the Display tab. Under the Display in the results list section, select the
Alive hosts (responding to pings) only radio button and click OK.
8. In the IP Range - Angry IP Scanner window, click the Start button to start scanning the
IP range that you entered.
9. Angry IP Scanner starts scanning the IP range and begins to list out the alive hosts found
along with their hostnames. Check the progress bar on the bottom-right corner to see
the progress of the scanning.
10. After the scanning is completed, a Scan Statistics pop-up appears. Note the total
number of Hosts alive (here, 7) and click Close.
11. The results of the scan appear in the IP Range - Angry IP Scanner window. You can see
all active IP addresses with their hostnames listed in the main window.
[Screenshot: Angry IP Scanner results for the IP range 10.10.1.0 to 10.10.1.255, with columns IP, Ping, Hostname, and Ports. Legible rows: 10.10.1.11 (Windows11, port 80), 10.10.1.19 (www.moviescope.com, port 80), and 10.10.1.22 (SERVER2022, port 80). The remaining rows, including Android.local, are not legible.]
12. This concludes the demonstration of discovering alive hosts in the target range of IP
addresses using Angry IP Scanner.
13. You can also use other ping sweep tools such as SolarWinds Engineer’s Toolset
(https://www.solarwinds.com), NetScanTools Pro (https://www.netscantools.com),
Colasoft Ping Tool (https://www.colasoft.com), Visual Ping Tester
(http://www.pingtester.net), and OpUtils (https://www.manageengine.com) to discover
active hosts in the target network.
14. Close all open windows and document all the acquired information.
15. Turn off all the virtual machines (Windows 11, Windows Server 2022, Windows Server
2019, Parrot Security, Ubuntu, and Android).
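Added example (not part of the lab manual): the ICMP ECHO ping sweep in Task 1 and the Angry IP Scanner range scan both have one source probing many addresses in a short time, which is what this detection logic counts. The log format, addresses, and thresholds are constructed for illustration and would need tuning against real traffic.

```python
from collections import defaultdict, deque

def make_sample():
    """Constructed flow records: 'epoch source destination probe-type'."""
    # One source probing 14 consecutive addresses in under a second.
    sweep = [f"{1000.0 + i * 0.05:.2f} 10.10.1.13 10.10.1.{10 + i} icmp-echo"
             for i in range(14)]
    # Ordinary traffic: one host pinging a few peers minutes apart.
    normal = ["1000.10 10.10.1.11 10.10.1.22 icmp-echo",
              "1030.00 10.10.1.11 10.10.1.19 icmp-echo",
              "1200.00 10.10.1.11 10.10.1.14 icmp-echo"]
    return sorted(sweep + normal, key=lambda rec: float(rec.split()[0]))

def find_sweeps(lines, window=5.0, min_targets=10):
    """Return {source: peak distinct destinations within `window` seconds}
    for every source whose peak reaches `min_targets`.
    Records must be in time order."""
    recent = defaultdict(deque)   # source -> (time, destination) in window
    peak = defaultdict(int)       # source -> highest fan-out observed
    for line in lines:
        ts, src, dst, _probe = line.split()
        ts = float(ts)
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire probes outside window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= min_targets}
```

ARP requests are not routed, so an ARP ping scan (-PR) is visible only to a sensor on the same network segment as the scanning host.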
Lab Analysis
Analyze and document the results of this lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.