Hello info-sec peoples how are you? So today we will be talking about How to Identify Live Host on Network. This is a very important step if you are doing on-site penetration testing and vulnerability assessments, this gives you an idea of which machines are running on the network and save a lot of time.
There are many tools out there that can do the same and perhaps much more efficient then Netdiscover and give more detailed results like which ports are open what service is running etc. The best example of this is Nmap which is an extensive tool.
The difference between those scanners and Netdiscover is that many other scanners send a lot of pings requests to all the IP in the subnet which gets flagged in the Intrusion Detection Systems (IDS) and your machine is blocked from accessing the network or your IP gets blacklisted in the IDS. But on the other hand, Netdiscover uses simple ARP protocol to scan for hosts on the network it listens on the ARP requests that are being generated on the network and find which hosts are sending those requests.
Netdiscover – simple ARP Scanner to scan for live hosts in a network
As I said that Netdiscover is a simple ARP scanner which is used to scan for live hosts or machines in a network. I can be used to scan multiple subnets on the same network. It gives the output in a real-time display (ncurse). And also as I previously said it is very important for the first step of internal penetration testing.
- Simple Arp Scanner
- Works in both Active & Passive modes
- Produces a live display of identified hosts
- Able to scan multiple subnets
- Timing Options
-i device: your network device -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8 -l file: scan the list of ranges contained into the given file -p passive mode: do not send anything, only sniff -m file: scan the list of known MACs and host names -F filter: Customize pcap filter expression (default: "arp") -s time: time to sleep between each arp request (miliseconds) -n node: last ip octet used for scanning (from 2 to 253) -c count: number of times to send each arp reques (for nets with packet loss) -f enable fastmode scan, saves a lot of time, recommended for auto -d ignore home config files for autoscan and fast mode -S enable sleep time supression betwen each request (hardcore mode) -P print results in a format suitable for parsing by another program -N Do not print header. Only valid when -P is enabled. -L in parsable output mode (-P), continue listening after the active scan is completed
How to use Netdiscover & Related Options
Netdiscover runs simply by calling executing the command in auto mode
Syntax: netdiscover <options>
Syntax: netdiscover -r <range> Command: netdiscover -r 192.168.1.0/24
Syntax: netdiscover -l <file containing ranges> Command: netdiscover -l ranges
” The quieter you become the more you are able to hear.. “
Syntax: netdiscover -p -r <range,optional>
There is a parsable output option also in case you want to pipe it to a file.
Syntax: netdiscover -P<parsable> -N<ommit headers> Command: netdiscover-r 192.168.1.1/24 -PN
Netdiscover is a simple arp scanner which can be used to enumerate hosts. I would like to share with you my experience. We were on an internal penetration testing assessment and we fired up our network scanning tools to get an idea about the network which hosts are up and all kind of information but after some time our IP was blacklisted and we were not able to scan for hosts as those tools used ping scans and the client was using IDS systems that were monitring network activity. So after that we ran Netdiscover in passive mode and let it run in the background and continued our testing and it gave us a whole list of live hosts on the network without generation any alerts in the IDS over network.
- Never perform a scanning activity without having a clear knowledge of your network.
- Use the results from such activities in a constructive way.
So if you learned something new from this tutorial, please support me by sharing it with those whom this will benefit.