From 9bbd3380766d876fff8cb91b6d92f24d15bb78a9 Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Sat, 25 Jan 2020 16:53:28 +0000
Subject: [PATCH] Update README.md
ping script.
---
README.md | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 857682d..16bb83e 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,7 @@ Got tricks? Send them to root@thc.org or submit a pull request.
1. [SSH socks5 IN](#ssi-anchor)
3. [Network](#network-anchor)
1. [ARP discover computers on the local network](#adln-anchor)
+ 1. [ICMP discover local network](#idln-anchor)
1. [Monitor all new TCP connections](#mtc-anchor)
1. [Alert on all new TCP connections](#atc-anchor)
4. [File Encoding and Transfer](#fe-anchor)
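Review bot: the new table-of-contents entry links to `#idln-anchor`, but nothing in this patch defines that anchor; the sibling entries (`#adln-anchor`, `#mtc-anchor`, `#atc-anchor`) presumably resolve to anchor definitions placed before their headings, so unless one already exists outside the visible hunks, add a matching `idln-anchor` definition next to the new `**3.ii. ICMP discover local network**` heading in the second hunk, or the link will be dead. Also worth a glance: the surrounding entries are written as nested `1.` items, so the added line follows the convention correctly.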
@@ -158,20 +159,27 @@ The others configuring host.org:1080 as their SOCKS4/5 proxy. They can now conne
```
$ nmap -r -sn -PR 192.168.0.1/24
```
-This will Arp-ping all local machines. ARP ping always seems to work and is very steahlthy (e.g. does not show up in the target's firewall). However, this command is by far our favourite:
+This will Arp-ping all local machines just like *arping*. ARP ping always seems to work and is very steahlthy (e.g. does not show up in the target's firewall). However, this command is by far our favourite:
```
$ nmap -thc
```
+**3.ii. ICMP discover local network**
+
+...and when we do not have nmap and we can not do broadcast pings (requires root) then we use this:
+```
+$ for x in `seq 1 254`; do ping -on -c 3 -i 0.1 -W 200 192.168.1.$x | grep 'bytes from' | cut -f4 -d" " | sort -u; done
+```
+
-**3.ii. Monitor all new TCP connections**
+**3.iii. Monitor all new TCP connections**
```
# tcpdump -n "tcp[tcpflags] == tcp-syn"
```
-**3.iii. Alert on new TCP connections**
+**3.iv. Alert on new TCP connections**
Make a *bing*-noise (ascii BEL) when anyone tries to SSH to/from the target system (could be an admin!).
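Review bot: the added ping one-liner mixes flags that only exist on some ping implementations, so the README should say which platform it targets or use a portable set. `-o` (exit after the first reply) is a macOS/BSD ping option and is rejected by Linux iputils ping, and `-W 200` means a 200 ms timeout on macOS but 200 seconds on Linux, so on a Linux box the loop either errors out or stalls for minutes per silent host; `-i 0.1` also needs root on older Linux ping builds, which undercuts the "requires root" motivation stated in the text. With `-o` in place `-c 3` is largely redundant, since the command exits on the first reply anyway. Two smaller points in the pipeline: `cut -f4 -d" "` on a line like `64 bytes from 192.168.1.5: icmp_seq=0 ttl=64 time=0.3 ms` yields `192.168.1.5:` with a trailing colon (append `| tr -d ':'`), and `sort -u` runs once per host inside the loop, where it never sees more than one address; move it after `done`. Finally, the `+` line that rewrites the ARP-ping sentence still carries the typo "steahlthy"; since that line is being touched anyway, fix it to "stealthy" here.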