Nping - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)

Section 14: Nping

Overview

Nping is a new addition to the Nmap suite. It is thought of as a modern replacement for the traditional ping program shipped on most operating systems. Nping is also considered a modern replacement for the Hping utility. Hping was a popular ping alternative until it ceased development in 2005. The Nmap project has picked up where Hping left off by providing similar functionality while adding even more powerful features. Nping is “ping on steroids”.

Note: The output generated by Nping is quite verbose. The information in this section may not display well on small e-readers.

Summary of features covered in this section:

-H              Hide sent packets
-q              Hide all packets
-c              Specify a ping count
--rate          Specify a ping rate
--delay         Specify a ping delay
--data-length   Generate a payload
--tcp           Ping using TCP
--udp           Ping using UDP
-p              Ping a specific port
--arp           Perform an ARP ping

Perform a Simple Ping

Executing Nping with no options will send 5 ICMP pings to the specified target.

Usage syntax: nping [target]

# nping 192.168.1.1

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-23 18:19 CST

SENT (0.0039s) ICMP [192.168.1.100 > 192.168.1.1 Echo request (type=8/code=0) id=8877 seq=1] IP [ttl=64 id=45140 iplen=28 ]

RCVD (0.0069s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=8877 seq=1] IP [ttl=255 id=0 iplen=28 ]

SENT (1.0079s) ICMP [192.168.1.100 > 192.168.1.1 Echo request (type=8/code=0) id=8877 seq=2] IP [ttl=64 id=45140 iplen=28 ]

RCVD (1.0110s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=8877 seq=2] IP [ttl=255 id=0 iplen=28 ]

SENT (2.0105s) ICMP [192.168.1.100 > 192.168.1.1 Echo request (type=8/code=0) id=8877 seq=3] IP [ttl=64 id=45140 iplen=28 ]

RCVD (2.0134s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=8877 seq=3] IP [ttl=255 id=0 iplen=28 ]

SENT (3.0165s) ICMP [192.168.1.100 > 192.168.1.1 Echo request (type=8/code=0) id=8877 seq=4] IP [ttl=64 id=45140 iplen=28 ]

RCVD (3.0195s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=8877 seq=4] IP [ttl=255 id=0 iplen=28 ]

SENT (4.0204s) ICMP [192.168.1.100 > 192.168.1.1 Echo request (type=8/code=0) id=8877 seq=5] IP [ttl=64 id=45140 iplen=28 ]

RCVD (4.0234s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=8877 seq=5] IP [ttl=255 id=0 iplen=28 ]

Max rtt: 2.870ms | Min rtt: 2.704ms | Avg rtt: 2.775ms

Raw packets sent: 5 (140B) | Rcvd: 5 (140B) | Lost: 0 (0.00%)

Nping done: 1 IP address pinged in 4.02 seconds

Pinging a system with Nping

By default, Nping sends 5 ping packets and then quits. A summary is then displayed at the end of the session. Nping differs from traditional ping programs by showing ping packets sent in both directions. Packets marked SENT are for outgoing pings and packets marked RCVD represent the reply. The nping command also displays helpful information contained in the packet headers such as the TTL and packet length.

Tip: Nping works best when it runs with root privileges on Unix/Linux/Mac. This is the default mode of operation on Windows systems.

Hide Sent Packets

The -H option can be used to hide sent ping packets.

Usage syntax: nping -H [target]

# nping -H 192.168.1.1

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-23 18:23 CST

RCVD (0.0070s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=61279 seq=1] IP [ttl=255 id=0 iplen=28 ]

RCVD (1.0078s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=61279 seq=2] IP [ttl=255 id=0 iplen=28 ]

RCVD (2.0117s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=61279 seq=3] IP [ttl=255 id=0 iplen=28 ]

RCVD (3.0111s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=61279 seq=4] IP [ttl=255 id=0 iplen=28 ]

RCVD (4.0148s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=61279 seq=5] IP [ttl=255 id=0 iplen=28 ]

Max rtt: 2.883ms | Min rtt: 0.973ms | Avg rtt: 2.162ms

Raw packets sent: 5 (140B) | Rcvd: 5 (140B) | Lost: 0 (0.00%)

Nping done: 1 IP address pinged in 4.02 seconds

Hiding sent packets

Unlike traditional ping programs that only print replies and errors, Nping prints both sent and received packets. The -H option can be used to hide the sent ping packets. This simulates the traditional ping output behavior and makes the output easier to read when examining responses. The -H option is also helpful when pinging multiple hosts (covered later in this chapter).

Note: To improve readability the -H option will be used on many of the examples in the remainder of this chapter.

Hide All Packets

The -q option hides all sent and received ping packets.

Usage syntax: nping -q [target]

# nping -q 192.168.1.1

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-23 18:31 CST

Max rtt: 3.236ms | Min rtt: 2.586ms | Avg rtt: 2.829ms

Raw packets sent: 5 (140B) | Rcvd: 5 (140B) | Lost: 0 (0.00%)

Nping done: 1 IP address pinged in 4.02 seconds

Hiding all packet output with Nping

The -q option (short for quiet) hides the packet display completely. A summary is still displayed at the end of the session. This option is helpful when doing network stress testing, which is covered later in this chapter. Using the -q option in stress tests helps prevent seizure-inducing output from taking over your display as hundreds of packets per second volley back and forth.

Specify A Ping Count

The -c option allows you to specify the number of ping packets to send.

Usage syntax: nping -c [count] [target]

# nping -H -c 50 192.168.1.1

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-23 18:39 CST

RCVD (0.0070s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=50587 seq=1] IP [ttl=255 id=0 iplen=28 ]

[...]

RCVD (49.1901s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=50587 seq=50] IP [ttl=255 id=0 iplen=28 ]

Max rtt: 2.927ms | Min rtt: 1.095ms | Avg rtt: 2.748ms

Raw packets sent: 50 (1.400KB) | Rcvd: 50 (1.400KB) | Lost: 0 (0.00%)

Nping done: 1 IP address pinged in 49.19 seconds

Sending 50 pings

By default, Nping sends 5 pings and then quits. In the above example, the -c option is used to override the default count and send 50 pings to the specified target. You can also use -c 0 to instruct nping to run continuously until interrupted (by pressing <CTRL+C>).

Ping Multiple Targets

The nping program allows you to specify multiple hosts as targets using the same syntax supported by the nmap command.

Usage syntax: nping [target1 target2 etc | range | CIDR]

# nping -H -c 2 192.168.1.1 192.168.1.5

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-24 09:24 CST

RCVD (0.0122s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=27395 seq=1] IP [ttl=255 id=0 iplen=28 ]

RCVD (1.0166s) ICMP [192.168.1.5 > 192.168.1.100 Echo reply (type=0/code=0) id=64201 seq=1] IP [ttl=64 id=56187 iplen=28 ]

RCVD (2.0182s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=27395 seq=2] IP [ttl=255 id=0 iplen=28 ]

RCVD (3.0225s) ICMP [192.168.1.5 > 192.168.1.100 Echo reply (type=0/code=0) id=64201 seq=2] IP [ttl=64 id=56188 iplen=28 ]

Statistics for host 192.168.1.1:

| Probes Sent: 2 | Rcvd: 2 | Lost: 0 (0.00%)

|_ Max rtt: 2.951ms | Min rtt: 2.843ms | Avg rtt: 2.897ms

Statistics for host 192.168.1.5:

| Probes Sent: 2 | Rcvd: 2 | Lost: 0 (0.00%)

|_ Max rtt: 2.949ms | Min rtt: 1.464ms | Avg rtt: 2.206ms

Raw packets sent: 4 (112B) | Rcvd: 4 (148B) | Lost: 0 (0.00%)

Nping done: 2 IP addresses pinged in 3.02 seconds

Pinging two hosts at the same time

In the above example, two hosts are specified (separated by a space). Targets can be specified using ranges, CIDR notation, or DNS names. Each host is pinged in round-robin fashion for the specified number of rounds. At the end of the session, a summary for each host is displayed.

Tip: Since the targets in the above scan are on the same subnet, you could use the shorthand notation of nping 192.168.1.1,5 to achieve the same results.

Specify a Ping Rate

The --rate option pings hosts at the specified rate.

Usage syntax: nping --rate [rate] [target]

# nping -H --rate 5 192.168.1.1

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-23 18:36 CST

RCVD (0.0069s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=53451 seq=1] IP [ttl=255 id=0 iplen=28 ]

RCVD (0.2053s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=53451 seq=2] IP [ttl=255 id=0 iplen=28 ]

RCVD (0.4095s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=53451 seq=3] IP [ttl=255 id=0 iplen=28 ]

RCVD (0.6147s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=53451 seq=4] IP [ttl=255 id=0 iplen=28 ]

RCVD (0.8189s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=53451 seq=5] IP [ttl=255 id=0 iplen=28 ]

Max rtt: 2.768ms | Min rtt: 0.916ms | Avg rtt: 1.363ms

Raw packets sent: 5 (140B) | Rcvd: 5 (140B) | Lost: 0 (0.00%)

Nping done: 1 IP address pinged in 0.82 seconds

Specifying a ping rate

The --rate option is used to specify the number of pings to be sent per second. By default, nping sends 1 packet per second. In the above example, specifying --rate 5 instructs Nping to send 5 pings per second. This can be useful when you want to flood a network link to test its robustness, as demonstrated in the next example.

# nping -q -c 60000 --rate 1000 192.168.1.1

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-24 20:57 CST

Max rtt: 2.509ms | Min rtt: 0.017ms | Avg rtt: 0.017ms

Raw packets sent: 60000 (1.680MB) | Rcvd: 59619 (1.669MB) | Lost: 381 (0.64%)

Nping done: 1 IP address pinged in 60.83 seconds

Flooding a network connection with packets

In this example, the --rate option is combined with -c 60000 to attempt to send 1,000 packets per second to the specified target for approximately one minute. The -q (quiet) option is useful in this situation. Notice how there was a loss of 381 packets. This indicates the network was unable to handle the full load of packets. You should note that the source of the lost packets can be the target, link, or even the sending host's network interface if it is unable to handle the return load.

Tip: The -N option can be used to instruct nping to ignore replies. This can help prevent overwhelming the local system's resources when flooding a target, although nping will not be able to display useful information as a result.
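
Added example (not from the book): when a stress test reports loss, running it with -H instead of -q shows which probes went unanswered, and gaps in the seq numbers tell a burst of loss from scattered drops. The function names and the sample run below are constructed for illustration, and the script assumes seq numbers start at 1 and rise by one per probe, as in the outputs above.

```sh
#!/bin/sh
# Added example, not from the book. Assumes ICMP seq numbers start at 1 and
# rise by one per probe, as in the outputs shown in this section.

# missing_seqs COUNT: read `nping -H` output on stdin; COUNT is the -c value.
# Prints "<host> rcvd=<n> lost=<n> missing=<seq ranges>" per replying host.
# A host that never replied has no RCVD line and is therefore not listed.
missing_seqs() {
    awk -v count="$1" '
    /^RCVD .*Echo reply/ {
        host = $4; sub(/^\[/, "", host)          # "[192.168.1.1" -> host
        for (i = 1; i <= NF; i++)
            if ($i ~ /^seq=/) {                  # "seq=7]" -> 7
                s = $i; gsub(/[^0-9]/, "", s); seen[host, s + 0] = 1
            }
        hosts[host] = 1
    }
    END {
        for (h in hosts) {
            rcvd = 0; out = ""; start = 0
            for (n = 1; n <= count + 1; n++) {   # count+1 closes a trailing gap
                got = (n <= count && ((h, n) in seen))
                if (got) rcvd++
                gap = (n <= count && !got)
                if (gap && !start) start = n
                if (!gap && start) {
                    r = (start == n - 1) ? start : start "-" (n - 1)
                    out = out (out == "" ? "" : ",") r
                    start = 0
                }
            }
            if (out == "") out = "none"
            printf "%s rcvd=%d lost=%d missing=%s\n", h, rcvd, count - rcvd, out
        }
    }' | sort
}

# loss_exceeds PCT: exit 0 if loss recomputed from the summary line is above PCT.
loss_exceeds() {
    awk -v max="$1" '/^Raw packets sent:/ { sent = $4; rcvd = $8 }
        END { exit !(sent > 0 && (sent - rcvd) * 100 / sent > max) }'
}

# Constructed sample: a 10-probe run in which seq 4-5 and 8-9 went unanswered.
sample() {
    for n in 1 2 3 6 7 10; do
        echo "RCVD (0.0s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=1 seq=$n] IP [ttl=255 id=0 iplen=28 ]"
    done
    echo "Raw packets sent: 10 (280B) | Rcvd: 6 (168B) | Lost: 4 (40.00%)"
}

sample | missing_seqs 10
sample | loss_exceeds 1 && echo "loss above 1%: check target, link, and local NIC"
```
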

Specify a Ping Delay

The --delay option allows you to specify a delay between ping probes.

Usage syntax: nping --delay [delay] [target]

# nping -H --delay 200ms 192.168.1.1

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-23 18:50 CST

RCVD (0.0069s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=28008 seq=1] IP [ttl=255 id=0 iplen=28 ]

RCVD (0.2101s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=28008 seq=2] IP [ttl=255 id=0 iplen=28 ]

RCVD (0.4143s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=28008 seq=3] IP [ttl=255 id=0 iplen=28 ]

RCVD (0.6185s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=28008 seq=4] IP [ttl=255 id=0 iplen=28 ]

RCVD (0.8185s) ICMP [192.168.1.1 > 192.168.1.100 Echo reply (type=0/code=0) id=28008 seq=5] IP [ttl=255 id=0 iplen=28 ]

Max rtt: 2.774ms | Min rtt: 0.898ms | Avg rtt: 1.365ms

Raw packets sent: 5 (140B) | Rcvd: 5 (140B) | Lost: 0 (0.00%)

Nping done: 1 IP address pinged in 0.82 seconds

Specifying a 200ms delay

In this example, the --delay 200ms option specifies a 200-millisecond delay. You can use any form of time for the --delay parameter such as milliseconds (ms), seconds (s), minutes (m), or hours (h). For example, --delay 2s would send one packet every two seconds and --delay 1m would send one packet every minute. You can also use decimals such as --delay .5m which would send one packet every 30 seconds.

Note: The default unit is seconds when no qualifier is specified.

Generate a Payload

The --data-length option can be used to send random data as a payload.

Usage syntax: nping --data-length [length] [target]

# nping -q --rate 1000 -c 60000 --data-length 1400 192.168.1.1

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-24 20:53 CST

Max rtt: 9.143ms | Min rtt: 0.017ms | Avg rtt: 0.017ms

Raw packets sent: 60000 (85.680MB) | Rcvd: 60000 (85.680MB) | Lost: 0 (0.00%)

Nping done: 1 IP address pinged in 61.62 seconds

Sending a 1400-byte payload at a rate of 1,000 packets a second

The nping command sends empty packets by default. The --data-length option enables you to send a specific amount of data along with the packet. The program will then generate random data to be transmitted with the ping. This can be useful for testing how well a system handles sustained loads of data. In this example, 85MB of traffic is sent to the target in approximately one minute. No packets are lost during the session indicating a healthy connection.

Tip: You can also send custom data using the --data or --data-string options.

Ping Using TCP or UDP

The --tcp and --udp options enable you to ping TCP or UDP ports.

Usage syntax: nping --tcp|--udp [target]

# nping -H --tcp W.X.Y.Z

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-24 21:58 CST

RCVD (0.0609s) TCP W.X.Y.Z:80 > 192.168.1.100:18983 SA ttl=55 id=2845 iplen=44 seq=2822863765 win=29200 <mss 556>

RCVD (1.0683s) TCP W.X.Y.Z:80 > 192.168.1.100:18983 SA ttl=55 id=23228 iplen=44 seq=1085309427 win=29200 <mss 556>

RCVD (2.0799s) TCP W.X.Y.Z:80 > 192.168.1.100:18983 SA ttl=55 id=16472 iplen=44 seq=3240730386 win=29200 <mss 556>

RCVD (3.0767s) TCP W.X.Y.Z:80 > 192.168.1.100:18983 SA ttl=55 id=50696 iplen=44 seq=1908815270 win=29200 <mss 556>

RCVD (4.0750s) TCP W.X.Y.Z:80 > 192.168.1.100:18983 SA ttl=55 id=39640 iplen=44 seq=3512659904 win=29200 <mss 556>

Max rtt: 65.434ms | Min rtt: 49.115ms | Avg rtt: 57.350ms

Raw packets sent: 5 (200B) | Rcvd: 5 (220B) | Lost: 0 (0.00%)

Nping done: 1 IP address pinged in 4.08 seconds

Pinging using the TCP protocol.

Note: The public IP address used in this example is changed to W.X.Y.Z for privacy reasons.

The --tcp and --udp options allow you to ping a system using transport protocols rather than ICMP. This is helpful for checking the liveliness of a firewalled system that does not respond to ICMP probes. It can also be helpful for checking Internet-facing services running behind a NAT firewall, as the probes will reach the internal port-forwarded destination (rather than stopping at the firewall). Good examples of this are SMTP, DNS, and HTTP, which usually reside behind a NAT firewall.

In the above example, the --tcp option is used to ping a system behind a NAT firewall that does not respond to ICMP pings. For comparison, output for a traditional ping of the same system is shown below.

# ping -c4 W.X.Y.Z

PING W.X.Y.Z (W.X.Y.Z): 56 data bytes

Request timeout for icmp_seq 0

Request timeout for icmp_seq 1

Request timeout for icmp_seq 2

Request timeout for icmp_seq 3

--- W.X.Y.Z ping statistics ---

4 packets transmitted, 0 packets received, 100.0% packet loss

Note: The default port for --tcp is 80 and 53 for --udp. You can specify a specific port using the -p option (discussed next).

Ping Specific Ports (TCP or UDP)

The -p option allows you to specify one or more ports to ping.

Usage syntax: nping --tcp|--udp -p [ports] [target]

# nping -H --tcp -p 25 192.168.1.103

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-25 03:00 CST

RCVD (0.5595s) TCP 192.168.1.103:25 > 192.168.1.100:22424 SA ttl=64 id=0 iplen=44 seq=4241054482 win=29200 <mss 1460>

RCVD (1.0139s) TCP 192.168.1.103:25 > 192.168.1.100:22424 SA ttl=64 id=0 iplen=44 seq=4248155670 win=29200 <mss 1460>

RCVD (2.0175s) TCP 192.168.1.103:25 > 192.168.1.100:22424 SA ttl=64 id=0 iplen=44 seq=4263835629 win=29200 <mss 1460>

RCVD (3.0247s) TCP 192.168.1.103:25 > 192.168.1.100:22424 SA ttl=64 id=0 iplen=44 seq=4279574586 win=29200 <mss 1460>

RCVD (4.0300s) TCP 192.168.1.103:25 > 192.168.1.100:22424 SA ttl=64 id=0 iplen=44 seq=314719 win=29200 <mss 1460>

Max rtt: 554.722ms | Min rtt: 2.345ms | Avg rtt: 113.858ms

Raw packets sent: 5 (200B) | Rcvd: 5 (220B) | Lost: 0 (0.00%)

Nping done: 1 IP address pinged in 4.03 seconds

Performing a TCP ping on port 25

The nping command uses port 80 for TCP and port 53 for UDP by default when pinging via transport protocols. The -p option enables you to ping any port(s). You can specify a single port, a comma-separated list, or a range using the same syntax supported by the nmap command. If multiple ports are specified, Nping will alternate between them in round-robin fashion.

Note: You must specify --tcp or --udp as the -p option does not work with ICMP pings.

Perform an ARP Ping

The --arp option allows you to execute an ARP ping.

Usage syntax: nping --arp [target]

# nping -c 1 --arp 192.168.1.104

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-24 22:23 CST

SENT (0.0042s) ARP who has 192.168.1.104? Tell 192.168.1.100

RCVD (0.0078s) ARP reply 192.168.1.104 is at 34:17:EB:D3:57:CD

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A

Raw packets sent: 1 (42B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)

Nping done: 1 IP address pinged in 1.01 seconds

Performing an ARP ping

On local Ethernet networks, IP addresses are converted to network interface MAC (Media Access Control) addresses using ARP (Address Resolution Protocol). This facilitates transmission of data via layer 2 switches. The --arp option utilizes this fundamental feature of Ethernet to let you send an ARP broadcast to ping a host, as shown in the example above. This is useful in situations where a system on the local network runs firewall software that drops unsolicited ICMP, TCP, and UDP traffic. This system will not respond to any pings but it must reply to ARP broadcasts.

To illustrate this case, the same host from the above example is pinged 3 different ways below for comparison.

# ping -c 3 192.168.1.104

PING 192.168.1.104 (192.168.1.104): 56 data bytes

Request timeout for icmp_seq 0

Request timeout for icmp_seq 1

Request timeout for icmp_seq 2

--- 192.168.1.104 ping statistics ---

3 packets transmitted, 0 packets received, 100.0% packet loss

# nping -H 192.168.1.104

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-24 22:18 CST

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A

Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)

Nping done: 1 IP address pinged in 5.02 seconds

# nping -H --tcp 192.168.1.104

Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2015-01-24 22:19 CST

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A

Raw packets sent: 5 (200B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)

Nping done: 1 IP address pinged in 5.01 seconds

In each case, the host refused to respond due to firewall software running on the system. By using ARP, we can bypass the firewall and check its liveliness (and also discover its MAC address in the process).
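
Added example (not from the book): the three-way comparison above, turned into a check that reports which layer a host answers on, so an inventory sweep does not mark a firewalled machine as absent. The function names are constructed for illustration; the script assumes nping runs as root, so each run ends with a "Raw packets sent" summary line, and the sample data is the output printed above for 192.168.1.104.

```sh
#!/bin/sh
# Added example, not from the book. Assumes nping ran as root (raw mode), so
# each run ends with a "Raw packets sent: ... | Rcvd: N ..." summary line.

# rcvd_count: read nping output on stdin, print the Rcvd value (0 if absent).
rcvd_count() {
    awk '/^Raw packets sent:/ { n = $8 } END { print n + 0 }'
}

# arp_mac: read nping --arp output on stdin, print the MAC from the ARP reply.
arp_mac() {
    awk '/^RCVD .*ARP reply/ { mac = $NF } END { print mac }'
}

# classify ICMP_OUT TCP_OUT ARP_OUT: each argument is the text of one run.
classify() {
    icmp=$(printf '%s\n' "$1" | rcvd_count)
    tcp=$(printf '%s\n' "$2" | rcvd_count)
    arp=$(printf '%s\n' "$3" | rcvd_count)
    if [ "$icmp" -gt 0 ]; then
        echo "up: answers ICMP echo"
    elif [ "$tcp" -gt 0 ]; then
        echo "up: ICMP filtered, answers TCP"
    elif [ "$arp" -gt 0 ]; then
        echo "up: ICMP and TCP dropped, answers ARP from $(printf '%s\n' "$3" | arp_mac)"
    else
        echo "no reply: down, or not on the local Ethernet segment"
    fi
}

# probe HOST: run the three probes and classify (needs root and nping).
probe() {
    classify "$(nping -c 3 "$1")" "$(nping -c 3 --tcp "$1")" "$(nping -c 3 --arp "$1")"
}

# Sample data: summary and ARP lines as printed for 192.168.1.104 in the text.
ICMP_OUT='Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)'
TCP_OUT='Raw packets sent: 5 (200B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)'
ARP_OUT='SENT (0.0042s) ARP who has 192.168.1.104? Tell 192.168.1.100
RCVD (0.0078s) ARP reply 192.168.1.104 is at 34:17:EB:D3:57:CD
Raw packets sent: 1 (42B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)'

classify "$ICMP_OUT" "$TCP_OUT" "$ARP_OUT"
```
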

Miscellaneous Nping Options

In the interest of keeping this book "fat-free," some less common options are listed below rather than giving them their own usage recipe. A few of these have practical uses (like -d for debug and -6 for IPv6) but were skipped because their Nmap counterparts were covered earlier.

-h                            Display Nping help
-V                            Display Nping version
-d[level]                     Set debug level (1 to 6)
-v[level]                     Set verbosity level (-4 to 4)
-e [interface]                Use the specified network interface
-g [port]                     Spoof the specified source port
--flags [flags]               Use the specified TCP flags
-6 [address]                  Ping the specified IPv6 address
--echo-server [passphrase]    Set up an echo server for use with the --echo-client option
--echo-client [passphrase]    Ping an echo server

Tip: The options discussed in this book cover everyday usage. There are many other obscure uses available for Nping. The nping manual is an excellent resource for additional information on these features. You can read the man page on Unix/Linux/Mac by executing man nping. Windows users can visit nmap.org/book/nping-man.html to read the manual online.