-
August 11th, 2004, 04:32 AM
#1
Ping Mapping
Hello all, I was reading a little into networking the other day and the book had said something in regards to mapping a network with the ping command and tracert. I did not really understand it clearly, so I was wondering if someone can explain it in more detail. I'm not asking how to hack or anything, I just found this interesting and would like to know more.
thanks
-
August 11th, 2004, 04:43 AM
#2
(very basic - not detailed)
OK, if you use the tracert command it will show you all the hops it makes to get to the destination, i.e. all the routers (IP addresses) it goes through etc. tracert stands for trace route and that is exactly what it does: traces the route to get to the destination.
Ping is basically used to see if a host is up. For example, if I ping hotmail.com and the reply looks like this:
D:\WINNT>ping hotmail.com
Pinging hotmail.com [64.4.32.7] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 64.4.32.7:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
that means I cannot get to hotmail.com. If it looks like this:
D:\WINNT>ping hello.com
Pinging hello.com [63.146.123.17] with 32 bytes of data
Reply from 63.146.123.17: bytes=32 time=416ms TTL=236
Reply from 63.146.123.17: bytes=32 time=413ms TTL=236
Reply from 63.146.123.17: bytes=32 time=413ms TTL=236
Reply from 63.146.123.17: bytes=32 time=389ms TTL=236
Ping statistics for 63.146.123.17:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 389ms, Maximum = 416ms, Average = 407ms
that means I can reach hello.com.
That is very basic, there is more to it than that, but it should help you understand it.
The best way to learn is to muck around with these commands on a network.
http://searchnetworking.techtarget.c...214297,00.html
www.whatis.com: ask them what ping and tracert are.
-
August 11th, 2004, 05:17 AM
#3
I understand how the commands work; I believe there is a way to map out an entire network using these two commands.
That was a very nice explanation though, however I am looking deeper into the two commands.
-
August 11th, 2004, 05:55 AM
#4
Actually it is not possible in most cases to map a network with just these two tools. With the ICMP protocol 'yes' maybe. You see, most firewalls will block this kind of traffic so that you are unable to use these commands to their full effect. You can however still learn a lot. I mean, if the ping is blocked it can mean A) the computer is not up or B) the border router is blocking ICMP echo packets. See? Same with tracert (traceroute for *nix nuts): when you run the command, if it times out on a particular hop it is possible that the router blocked the traffic at this point. Nmap is a tool you may really find fun and useful if you are enjoying using ping and tracert. It can be found here:
http://www.insecure.org/nmap/
-
August 11th, 2004, 10:01 AM
#5
In linux you can use the "-b" option with the ping command to ping the network broadcast address (all ones in the host part of the address if read in binary). All boxes that accept ICMP echo requests should respond, but if it's behind a firewall or is blocking ICMP Echo then you are out of luck (which will be the case a lot of the time).
-
August 11th, 2004, 10:42 AM
#6
Well IMO tracert's already out of the question, kinda. All it does is determine the number of hops it takes to reach a certain location/IP. Perhaps using it to determine a location and how long it takes to get there, and then pinging it to determine if it's reachable? Anyways, I don't think what you're saying can be done.
-
August 11th, 2004, 11:25 AM
#7
Actually it is not possible in most cases to map a network with just these two tools.
Well IMO tracert's already out of the question, kinda. All it does is determine the number of hops it takes to reach a certain location/IP.
Tsk, tsk. I'm very disappointed in you boys....
The truth is that you can map out networks using these two tools. In fact, when used properly, tracert can tell you where routers and firewalls are positioned on the network. Where do you think the return IP addresses come from when you receive your tracert results? ICMP has much more capabilities than just receiving echo replies too.
Have a look here:
http://www.iana.org/assignments/icmp-parameters
See anything that might be useful? If not, pay special attention to type 11.
There are many papers written on how to map networks with tracert. I wrote about 3 of them. If any of you have (I believe) the Hacking Exposed books, it is outlined in there. I'm not 100% sure about the book but I did see it either in Hacking Exposed or one of those horrible Ankit Fadia books.
Now, once you have a network map, move on to an uber leet tool like Nmap to get real information about the devices. By the day's end, you'll have a very accurate view of the network architecture.
In case you don't have access to these books, have a look at this older article and read it top to bottom.
http://www.networkmagazine.com/article/NMG20000829S0003
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 11th, 2004, 11:34 AM
#8
Hacking Exposed, TH13.
I remember reading these a while ago and they might provide some insight or ideas: (by Ofir Arkin) using ICMP to determine OS. In addition, simplistic tools can get a fair amount of info as long as you're patient, determined and set a methodology so you don't repeat yourself. Additionally, you can look at the default TTLs to determine OS.
-
August 11th, 2004, 01:02 PM
#9
At the risk of sounding self-serving some of the answers you seek are right here on AO.
Hope this helps....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 11th, 2004, 01:08 PM
#10
There is a little bit of confusion in this thread!!
You send a data packet to a computer and it sends one back to you saying it is there........ How can you not map a network with this?????????
One of the easiest and most basic ways of mapping out most class C networks is to conduct a ping sweep! You could try it on a class A network I suppose, if you have a few days to spare.
There are a few ways to do it:
The -sP command with Nmap
Fping for *nix
Ping Sweep - this one is not free though!
Ping Pro Pack
Or for the more advanced user Hping2
Or there is the manual way from the command line or shell. Once you have an IP address run a whois and see what IP Range (if any) they have assigned to them and ping each one in turn. You would need a lot of time on your hands for this way!
Of course systems can be configured to block ICMP traffic, so obviously that's where port scanning comes in, i.e. Nmap or more specifically the -PT option in Nmap.
Most sys admins will explicitly look for this type of traffic in the firewall logs however, as it is probably the first step of active footprinting, so be careful!
As for traceroute, if you send an IP packet to a specific computer and on its way there it tells you the IP address of every computer it passes through, how can you not use this info to map a network????
If you know how to read the info it sends back to you, you can even use this to identify routers, firewalls etc.
A lot depends on the configuration of the network and the abilities of the sys admin though!!
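As an added example (not code from anyone in this thread), here is the defender's side of post #10's remark that sys admins watch firewall logs for ping sweeps: it parses constructed iptables-style log lines (the format is an assumption) and flags any source that sends ICMP echo requests to many distinct hosts inside a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style log lines (not from the thread); the sweep source
# 203.0.113.5 probes several hosts in 192.0.2.0/24 within a few seconds.
SAMPLE_LOG = """\
Aug 11 04:32:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Aug 11 04:32:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.2 PROTO=ICMP TYPE=8 CODE=0
Aug 11 04:32:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.3 PROTO=ICMP TYPE=8 CODE=0
Aug 11 04:32:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Aug 11 04:32:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.4 PROTO=ICMP TYPE=8 CODE=0
Aug 11 04:32:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.5 PROTO=ICMP TYPE=8 CODE=0
Aug 11 04:32:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.6 PROTO=ICMP TYPE=8 CODE=0
Aug 11 04:40:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=ICMP TYPE=8 CODE=0
"""

# Assumed line layout: syslog timestamp, host, "kernel:", then SRC/DST/PROTO/TYPE fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=ICMP TYPE=(?P<type>\d+)"
)

def parse_echo_requests(log_text, year=2004):
    """Yield (timestamp, src, dst) for ICMP echo requests (type 8) only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("type") != "8":
            continue  # not an echo request, or not a line we understand
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("src"), m.group("dst")

def find_ping_sweeps(log_text, min_hosts=5, window_seconds=60):
    """Return {src: max distinct destinations} for every source that pinged at
    least min_hosts distinct hosts within any window of window_seconds."""
    events = defaultdict(list)
    for ts, src, dst in parse_echo_requests(log_text):
        events[src].append((ts, dst))
    sweeps = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= min_hosts:
                sweeps[src] = max(sweeps.get(src, 0), len(distinct))
    return sweeps
```

Thresholds are deliberately low here to keep the sample short; on a real firewall you would tune min_hosts and window_seconds against normal monitoring traffic before alerting.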