![Kali Linux Network Scanning Cookbook(Second Edition)](https://wfqqreader-1252317822.image.myqcloud.com/cover/179/36701179/b_36701179.jpg)
How it works...
To use hping3 effectively for layer 3 discovery, a bash script was used to send ICMP echo requests in sequence. This was possible because successful and unsuccessful requests each generate a distinct response. By running the request in a loop and then grepping for the unique response, we could develop a script that performs ICMP discovery against multiple systems in sequence and then outputs a list of live hosts.
For layer 4 discovery, hping3 uses ICMP host-unreachable responses to identify live hosts with UDP requests and uses null-flag scanning to identify live hosts with TCP requests. For UDP discovery, a series of null UDP requests is sent to arbitrary destination ports in an attempt to solicit a response. For TCP discovery, a series of TCP requests is sent to destination port 0 with no flag bits activated. In the example provided, this solicited a response with the ACK+RST flags activated. Each of these tasks was passed through a loop in bash to perform scanning on multiple hosts or a range of addresses.
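The TCP technique described above leaves a recognizable trace on the wire: flagless segments to destination port 0, answered by RST+ACK from live hosts. The following is an added example, not code from the book, that finds that pattern in `tcpdump -nn` text output; the capture lines are constructed, the addresses are documentation ranges, and the function names and the threshold of three targets are assumptions.

```shell
#!/usr/bin/env bash
# Constructed sample of `tcpdump -nn` text output (not real traffic).
sample_capture() {
cat <<'EOF'
12:00:01.000001 IP 192.0.2.50.2001 > 198.51.100.1.0: Flags [none], win 512, length 0
12:00:01.000200 IP 198.51.100.1.0 > 192.0.2.50.2001: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:02.000001 IP 192.0.2.50.2002 > 198.51.100.2.0: Flags [none], win 512, length 0
12:00:03.000001 IP 192.0.2.50.2003 > 198.51.100.3.0: Flags [none], win 512, length 0
12:00:03.000300 IP 198.51.100.3.0 > 192.0.2.50.2003: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:04.000001 IP 192.0.2.77.51000 > 198.51.100.1.443: Flags [S], seq 100, win 64240, length 0
12:00:05.000001 IP 192.0.2.60.3000 > 198.51.100.9.0: Flags [none], win 512, length 0
EOF
}

# Print "source distinct_targets" for every source that sent flagless TCP
# segments to destination port 0 on at least $1 distinct hosts (default 3).
detect_null_port0_sweep() {
  awk -v min="${1:-3}" '
    $2 == "IP" && /Flags \[none\]/ {
      src = $3; dst = $5
      sub(/:$/, "", dst)                 # drop trailing colon
      n = split(dst, d, ".")
      if (d[n] != "0") next              # only destination port 0
      sub(/\.[0-9]+$/, "", src)          # strip source port
      sub(/\.[0-9]+$/, "", dst)          # strip destination port
      if (!((src, dst) in seen)) { seen[src, dst] = 1; count[src]++ }
    }
    END { for (s in count) if (count[s] >= min) print s, count[s] }
  ' | sort
}

# Print the hosts that answered from port 0 with RST+ACK, i.e. the hosts
# the sweep would have recorded as live.
hosts_revealed() {
  awk '$2 == "IP" && /Flags \[R\.\]/ {
         src = $3; n = split(src, p, ".")
         if (p[n] == "0") { sub(/\.[0-9]+$/, "", src); print src }
       }' | sort -u
}

sample_capture | detect_null_port0_sweep 3
sample_capture | hosts_revealed
```

Legitimate TCP traffic does not use destination port 0 or an empty flag field, so a filter or alert on either property costs little in false positives.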