Kali Linux 渗透测试之主动信息收集(二)——三层发现(ping/shell脚本、scapy/python脚本、nmap、fping、hping3)

本文深入探讨了多种网络探测和主机发现技术,包括traceroute、ping、scapy、Nmap、fping及hping3等工具的使用方法,展示了如何扫描局域网内存活的主机,适用于网络安全和网络管理领域的专业人员。


发现——三层发现

  • 原理:使用IP/ICMP;
  • 优点:相对于二层可以路由,速度较快;
  • 缺点:速度比二层慢,经常被防火墙过滤掉;
1、traceroute —— 追踪路由

traceroute sina.com

root@kali:~# traceroute sina.com
traceroute to sina.com (66.102.251.33), 30 hops max, 60 byte packets
 1  192.168.85.2 (192.168.85.2)  5.104 ms  4.883 ms  4.581 ms          #其中192.168.85.2为网关
 2  * * *
 3  * * *
 4  * * *
 5  * * *
2、ping
2.1> ping单个主机——参数可以参考arping;
  • ping 192.168.85.142
    # ping目标主机,会一直ping下去,按CTRL + C 可终止;

  • ping 192.168.85.142 -c 2
    # 使用-c参数,指定ping的次数;

  • ping 192.168.85.142 -c 1 | grep 'bytes from' | awk '{print $4}' | awk -F':' '{print $1}'
    # ping成功后,从输出中截取出目标主机的IP地址;

root@kali:~# ping 192.168.85.143
PING 192.168.85.143 (192.168.85.143) 56(84) bytes of data.
64 bytes from 192.168.85.143: icmp_seq=1 ttl=64 time=0.477 ms
64 bytes from 192.168.85.143: icmp_seq=2 ttl=64 time=0.923 ms
64 bytes from 192.168.85.143: icmp_seq=3 ttl=64 time=0.950 ms
64 bytes from 192.168.85.143: icmp_seq=4 ttl=64 time=1.66 ms
^C
--- 192.168.85.143 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 36ms
rtt min/avg/max/mdev = 0.477/1.001/1.656/0.423 ms
root@kali:~# ping 192.168.85.143 -c 2
PING 192.168.85.143 (192.168.85.143) 56(84) bytes of data.
64 bytes from 192.168.85.143: icmp_seq=1 ttl=64 time=0.548 ms
64 bytes from 192.168.85.143: icmp_seq=2 ttl=64 time=0.671 ms

--- 192.168.85.143 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 25ms
rtt min/avg/max/mdev = 0.548/0.609/0.671/0.066 ms
root@kali:~# ping 192.168.85.143 -c 1| grep 'bytes from' | awk '{print $4}' | awk -F':' '{print $1}'
192.168.85.143
  • ping 192.168.85.143 -w 1
    # 使用-w参数指定截止时间(deadline,单位为秒),这里为1秒,超过后ping即退出;
root@kali:~# ping 192.168.85.145 -w 5
PING 192.168.85.145 (192.168.85.145) 56(84) bytes of data.
64 bytes from 192.168.85.145: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.168.85.145: icmp_seq=2 ttl=64 time=0.376 ms
64 bytes from 192.168.85.145: icmp_seq=3 ttl=64 time=0.370 ms
64 bytes from 192.168.85.145: icmp_seq=4 ttl=64 time=2.06 ms
64 bytes from 192.168.85.145: icmp_seq=5 ttl=64 time=0.356 ms

--- 192.168.85.145 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 76ms
rtt min/avg/max/mdev = 0.356/0.714/2.056/0.671 ms
2.2> ping命令无法一次性实现多个IP的扫描,但可以配合shell脚本实现整个局域网内的扫描

脚本:ping.sh*
#扫描整个网段

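#!/bin/bash
# Ping-sweep one /24 on the local lab network and print every address that
# answers an ICMP echo request.
# A host that drops ICMP (host firewall, filtering device) never appears in
# the output, so a missing address is not proof that the host is down.
PREFIX=192.168.85

for addr in $(seq 1 254); do
	# -c 1 sends one probe per address; -W 1 stops waiting for a reply after
	# one second so silent addresses do not stall the sweep.
	# Reply lines read "64 bytes from <ip>: icmp_seq=..."; field 4 is "<ip>:",
	# so one awk call strips the trailing colon and prints the address.
	ping -c 1 -W 1 "$PREFIX.$addr" |
		awk '/bytes from/ { sub(/:$/, "", $4); print $4 }'
done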

结果如下:并使用Wireshark抓包查看扫描过程;

root@kali:~# sh ping.sh
192.168.85.2              #网关
192.168.85.144          #本机
192.168.85.145          #kali-clone-2
192.168.85.254           #边缘机


3、scapy
  • 作为python库进行调用;
  • 也可以单独的工具使用;
  • Scapy是一款强大的网络数据包构建工具;
  • 抓包、分析、创建、注入网络流量;
3.1> scapy扫描一个IP地址
>>> i=IP()
>>> p=ICMP()
>>> ping=(i/p)
>>> ping.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ ICMP ]### 
     type= echo-request
     code= 0
     chksum= None
     id= 0x0
     seq= 0x0

>>> ping[IP].dst="192.168.85.145"
>>> ping.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= None
  src= 192.168.85.144
  dst= 192.168.85.145
  \options\
###[ ICMP ]### 
     type= echo-request
     code= 0
     chksum= None
     id= 0x0
     seq= 0x0

>>> answer=sr1(ping)
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> answer.display()
###[ IP ]### 
  version= 4
  ihl= 5
  tos= 0x0
  len= 28
  id= 1697
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= 0x47ce
  src= 192.168.85.145
  dst= 192.168.85.144
  \options\
###[ ICMP ]### 
     type= echo-reply
     code= 0
     chksum= 0xffff
     id= 0x0
     seq= 0x0
###[ Padding ]### 
        load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

>>> answer1=sr1(IP(dst="192.168.85.145")/ICMP())         #不需要中间变量的写法,一条语句完成
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> answer1.display()
###[ IP ]### 
  version= 4
  ihl= 5
  tos= 0x0
  len= 28
  id= 25121
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= 0xec4d
  src= 192.168.85.145
  dst= 192.168.85.144
  \options\
###[ ICMP ]### 
     type= echo-reply
     code= 0
     chksum= 0xffff
     id= 0x0
     seq= 0x0
###[ Padding ]### 
        load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

>>> sr1(IP(dst="192.168.85.100")/ICMP())          #设置一个不存在的IP地址
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished sending 1 packets.
.......^C
Received 7 packets, got 0 answers, remaining 1 packets
>>> sr1(IP(dst="192.168.85.100")/ICMP(),timeout=1)           ##设置一个不存在的IP地址,并限定超时时间;
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
.Finished sending 1 packets.
.
Received 2 packets, got 0 answers, remaining 1 packets
3.2> 使用python脚本实现对整个局域网内的扫描;

脚本1:ping2.py #扫描整个网段

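#!/usr/bin/python
# Sweep one /24 on the local lab network with ICMP echo requests built by
# scapy and print every address that sends back a reply.
from scapy.all import *

# Subnet prefix of the lab network; the trailing dot lets the host octet be
# appended directly. Uses 192.168.85. so the script agrees with the sample
# run shown for it.
PREFIX = "192.168.85."

for addr in range(1, 255):
    target = PREFIX + str(addr)
    # sr1() sends one packet and hands back the first answer, or None when
    # nothing arrives within `timeout` seconds; verbose=0 silences scapy's
    # progress output. With timeout=0.1 a host that needs longer than 0.1 s
    # to answer is treated as absent.
    answer = sr1(IP(dst=target) / ICMP(), timeout=0.1, verbose=0)
    if answer is not None:
        print(target)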

结果如下:#相比于ping脚本,scapy模块不扫描自己

root@kali:~# python ping2.py
192.168.85.2
192.168.85.145

脚本2:ping3.py #扫描指定文件中列出的IP地址

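#!/usr/bin/python
# Probe each address listed in a text file (one address per line) with a
# single ICMP echo request and print the ones that reply.
# Usage: ./ping3.py IP.txt
from scapy.all import *
import sys

# sys.argv[0] is the script name; sys.argv[1] is the first command-line
# argument, used here as the path of the address list.
if len(sys.argv) < 2:
    sys.exit("usage: %s <address-list-file>" % sys.argv[0])
filename = sys.argv[1]

# The with-block closes the list file even if a probe raises.
with open(filename, 'r') as handle:
    for line in handle:
        addr = line.strip()
        if not addr:
            # Blank lines (for example a trailing newline) hold no address.
            continue
        # verbose=0 suppresses scapy's progress output; sr1() returns None
        # when no answer arrives within the 0.1 s timeout.
        answer = sr1(IP(dst=addr) / ICMP(), timeout=0.1, verbose=0)
        if answer is not None:
            print(addr)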

结果如下:

root@root:~# ./ping3.py IP.txt 
192.168.85.2
192.168.85.145
4、Nmap
  • nmap -sn 192.168.85.145
    # -sn: Ping Scan - disable port scan,只进行主机发现,不进行端口扫描

  • nmap -sn 192.168.37.0/24
    # 可以扫描整个网段

root@kali:~# nmap -sn 192.168.85.145
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 22:28 CST
Nmap scan report for 192.168.85.145 (192.168.85.145)
Host is up (0.00082s latency).
MAC Address: 00:0C:29:F1:B7:DC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

root@kali:~# nmap -sn 192.168.85.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 22:30 CST
Nmap scan report for 192.168.85.1 (192.168.85.1)
Host is up (0.000097s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.85.2 (192.168.85.2)
Host is up (0.000078s latency).
MAC Address: 00:50:56:E5:BB:C8 (VMware)
Nmap scan report for 192.168.85.145 (192.168.85.145)
Host is up (0.00044s latency).
MAC Address: 00:0C:29:F1:B7:DC (VMware)
Nmap scan report for 192.168.85.254 (192.168.85.254)
Host is up (0.00016s latency).
MAC Address: 00:50:56:EF:DF:11 (VMware)
Nmap scan report for 192.168.85.144 (192.168.85.144)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.93 seconds
  • nmap -iL IP.txt -sn
    # 扫描指定的IP列表
root@kali:~# cat IP.txt
192.168.85.1
192.168.85.2
192.168.85.3
192.168.85.4
192.168.85.140
192.168.85.141
192.168.85.142
192.168.85.143
192.168.85.144
192.168.85.145
192.168.85.224
192.168.85.253
192.168.85.254
root@kali:~# nmap -iL IP.txt -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 22:33 CST
Nmap scan report for 192.168.85.1 (192.168.85.1)
Host is up (0.000097s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.85.2 (192.168.85.2)
Host is up (0.00015s latency).
MAC Address: 00:50:56:E5:BB:C8 (VMware)
Nmap scan report for 192.168.85.145 (192.168.85.145)
Host is up (0.00014s latency).
MAC Address: 00:0C:29:F1:B7:DC (VMware)
Nmap scan report for 192.168.85.254 (192.168.85.254)
Host is up (0.00017s latency).
MAC Address: 00:50:56:EF:DF:11 (VMware)
Nmap scan report for 192.168.85.144 (192.168.85.144)
Host is up.
Nmap done: 13 IP addresses (5 hosts up) scanned in 0.23 seconds
5、fping
5.1> fping单个主机;
  • fping 192.168.85.145 -c 2
    # -c选项指定fping的次数
root@kali:~# fping 192.168.85.145 -c 2
192.168.85.145 : [0], 84 bytes, 1.10 ms (1.10 avg, 0% loss)
192.168.85.145 : [1], 84 bytes, 0.92 ms (1.01 avg, 0% loss)

192.168.85.145 : xmt/rcv/%loss = 2/2/0%, min/avg/max = 0.92/1.01/1.10
5.2> fping扫描多个IP地址
  • fping -g 192.168.85.1 192.168.85.150 -c 2
    # fping -g IP地址起始 IP地址结束 -c 指定次数

  • fping -g 整个网段

  • fping -f 指定的IP地址列表

root@kali:~# fping -g 192.168.85.1 192.168.85.150 -c 2
192.168.85.2   : [0], 84 bytes, 0.91 ms (0.91 avg, 0% loss)
192.168.85.144 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
192.168.85.145 : [0], 84 bytes, 1.43 ms (1.43 avg, 0% loss)
192.168.85.2   : [1], 84 bytes, 0.29 ms (0.60 avg, 0% loss)
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.3
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.3
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.5
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.5
... ...

fping扫描整个网段;

root@kali:~# fping -g 192.168.85.0/24
192.168.85.2 is alive
192.168.85.144 is alive
192.168.85.145 is alive
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.5
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.5
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.4
... ...

fping中指定Ip地址列表;

root@kali:~# cat IP.txt
192.168.85.1
192.168.85.2
192.168.85.3
192.168.85.4
192.168.85.140
192.168.85.141
192.168.85.142
192.168.85.143
192.168.85.144
192.168.85.145
192.168.85.224
192.168.85.253
192.168.85.254
root@kali:~# fping -f IP.txt
192.168.85.2 is alive
192.168.85.144 is alive
192.168.85.145 is alive
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.140
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.140
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.140
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.140
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.4
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.4
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.4
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.4
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.3
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.3
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.3
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.3
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.143
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.143
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.143
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.143
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.142
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.142
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.142
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.142
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.141
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.141
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.141
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.141
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.224
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.224
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.224
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.224
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.253
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.253
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.253
ICMP Host Unreachable from 192.168.85.144 for ICMP Echo sent to 192.168.85.253
192.168.85.1 is unreachable
192.168.85.3 is unreachable
192.168.85.4 is unreachable
192.168.85.140 is unreachable
192.168.85.141 is unreachable
192.168.85.142 is unreachable
192.168.85.143 is unreachable
192.168.85.224 is unreachable
192.168.85.253 is unreachable
192.168.85.254 is unreachable
5、hping3
  • 能够发送几乎任意的TCP/IP包;
  • 功能强大,但是每次只能扫描一个主机;
  • 如果在hping3中不写数据包类型,则默认发TCP包;
5.1> 扫描单个主机
  • hping3 192.168.85.145 --icmp -c 2
    # 数据包类型为ICMP
    # 扫描局域网内存活的某个主机

  • hping3 192.168.85.100 --icmp -c 2
    # 数据包类型为ICMP
    # 扫描局域网内不存活的某个主机

  • hping3 192.168.85.145 -c 2
    # 默认数据包类型为TCP包
    # 扫描局域网内存活的某个主机

  • hping3 192.168.85.145 --udp -c 2
    # 发送UDP包,端口不可达

root@kali:~# hping3 192.168.85.145 --icmp -c 2           #扫描局域网内存活的主机
HPING 192.168.85.145 (eth0 192.168.85.145): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.85.145 ttl=64 id=21036 icmp_seq=0 rtt=7.5 ms
len=46 ip=192.168.85.145 ttl=64 id=21130 icmp_seq=1 rtt=15.9 ms

--- 192.168.85.145 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 7.5/11.7/15.9 ms
root@kali:~# hping3 192.168.85.145 -c 2
HPING 192.168.85.145 (eth0 192.168.85.145): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.85.145 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=6.7 ms
len=46 ip=192.168.85.145 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=3.7 ms

--- 192.168.85.145 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 3.7/5.2/6.7 ms
root@kali:~# hping3 192.168.85.100 --icmp -c 2                  #扫描局域网内不存活的主机
HPING 192.168.85.100 (eth0 192.168.85.100): icmp mode set, 28 headers + 0 data bytes

--- 192.168.85.100 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

hping3 192.168.85.145 --udp -c 2 #发送UDP包,端口不可达

通过抓包查看结果;
将定义的ICMP包和IP包一起发送出去的;

5.2> 使用命令实现扫描多个IP地址

通过for循环向192.168.85.140—192.168.85.150这段地址各发送一个ICMP包,扫描局域网内存活的主机,并将输出结果追加到handle.txt中;再通过 cat handle.txt | grep ^len | awk '{print $2}' 命令,输出存活主机的IP地址;

root@kali:~# for addr in $(seq 140 150); do hping3 192.168.85.$addr --icmp -c 1 >> handle.txt & done
[12] 4600
[13] 4601
[14] 4602
[15] 4603
[16] 4604
[17] 4605
[18] 4606
[19] 4607
[20] 4608
[21] 4609
[22] 4610
[1]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
[2]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
[3]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
[4]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
[5]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
[6]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
[7]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
[8]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
[9]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
[10]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
[11]   退出 1                hping3 192.168.85.$addr --icmp -c >> handle.txt
root@kali:~# 
--- 192.168.85.150 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.0/7.0/7.0 ms

--- 192.168.85.143 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.85.146 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.85.147 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.85.141 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.85.149 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.85.145 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.85.142 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.85.144 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.85.148 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.85.140 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
^C
[12]   退出 1                hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
[13]   退出 1                hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
[14]   退出 1                hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
[15]   退出 1                hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
[16]   退出 1                hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
[17]   退出 1                hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
[18]   退出 1                hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
[19]   退出 1                hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
[20]   退出 1                hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
[21]-  退出 1                hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
[22]+  已完成               hping3 192.168.85.$addr --icmp -c 1 >> handle.txt
root@kali:~# cat handle.txt
HPING 192.168.85.150 (eth0 192.168.85.150): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.85.150 ttl=64 id=30823 icmp_seq=0 rtt=7.0 ms
HPING 192.168.85.143 (eth0 192.168.85.143): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.85.146 (eth0 192.168.85.146): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.85.147 (eth0 192.168.85.147): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.85.141 (eth0 192.168.85.141): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.85.149 (eth0 192.168.85.149): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.85.145 (eth0 192.168.85.145): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.85.142 (eth0 192.168.85.142): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.85.144 (eth0 192.168.85.144): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.85.148 (eth0 192.168.85.148): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.85.140 (eth0 192.168.85.140): icmp mode set, 28 headers + 0 data bytes
root@kali:~# cat handle.txt | grep ^len | awk '{print $2}'
ip=192.168.85.150                #获取存活的IP地址主机