Kali Linux Network Scanning Cookbook
上QQ阅读APP看书,第一时间看更新
上一章目录下一章

Using Nmap to perform layer 2 discovery

Network Mapper (Nmap) is one of the most effective and functional tools in Kali Linux. Nmap can be used to perform a large range of different scanning techniques and is highly customizable. This tool will be addressed frequently throughout the course of this book. In this specific recipe, we will discuss how to use Nmap to perform layer 2 scanning.

Getting ready

To use Nmap to perform ARP discovery, you will need to have at least one system on the LAN that will respond to ARP requests. In the examples provided, a combination of Linux and Windows systems are used. For more information on setting up systems in a local lab environment, please refer to the Installing Metasploitable2 and Installing Windows Server recipes in Chapter 1, Getting Started.

How to do it…

Nmap is another option to perform automated layer 2 discovery scans with a single command. The -sn option is referred to by Nmap as a ping scan. Although the term "ping scan" naturally leads you to think that layer 3 discovery is being performed, it is actually adaptive. Assuming that addresses on the same local subnet are specified as the argument, a layer 2 scan can be performed with the following command:

root@KaliLinux:~# nmap 172.16.36.135 -sn

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 15:40 EST
Nmap scan report for 172.16.36.135
Host is up (0.00038s latency).
MAC Address: 00:0C:29:3D:84:32 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

This command will send an ARP request to the LAN broadcast address and will determine whether the host is live, based on the response that is received. Alternatively, if the command is used against an IP address of a host that is not alive, the response will indicate that the host is down:

root@KaliLinux:~# nmap 172.16.36.136 -sn

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 15:51 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.41 seconds

This command can be modified to perform layer 2 discovery on a sequential series of IP addresses, using a dash notation. To scan a full /24 range, you can use 0-255:

root@KaliLinux:~# nmap 172.16.36.0-255 -sn

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-11 05:35 EST
Nmap scan report for 172.16.36.1
Host is up (0.00027s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 172.16.36.2
Host is up (0.00032s latency).
MAC Address: 00:50:56:FF:2A:8E (VMware)
Nmap scan report for 172.16.36.132
Host is up.
Nmap scan report for 172.16.36.135
Host is up (0.00051s latency).
MAC Address: 00:0C:29:3D:84:32 (VMware)
Nmap scan report for 172.16.36.200
Host is up (0.00026s latency).
MAC Address: 00:0C:29:23:71:62 (VMware)
Nmap scan report for 172.16.36.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:EA:54:3A (VMware)
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.22 seconds

Using this command will send out broadcast ARP requests for all hosts within that range and will determine each host that is actively responding. This scan can also be performed against an input list of IP addresses, using the -iL option:

root@KaliLinux:~# nmap -iL iplist.txt -sn

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 16:07 EST
Nmap scan report for 172.16.36.2
Host is up (0.00026s latency).
MAC Address: 00:50:56:FF:2A:8E (VMware)
Nmap scan report for 172.16.36.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 172.16.36.132
Host is up (0.00031s latency).
MAC Address: 00:0C:29:65:FC:D2 (VMware)
Nmap scan report for 172.16.36.135
Host is up (0.00014s latency).
MAC Address: 00:0C:29:3D:84:32 (VMware)
Nmap scan report for 172.16.36.180
Host is up.
Nmap scan report for 172.16.36.254
Host is up (0.00024s latency).
MAC Address: 00:50:56:EF:B9:9C (VMware)
Nmap done: 8 IP addresses (6 hosts up) scanned in 0.41 seconds

When the -sn option is used, Nmap will first attempt to locate the host using layer 2 ARP requests, and it will only use layer 3 ICMP requests if the host is not located on the LAN. Notice how an Nmap ping scan performed against the hosts on the local network (on the 172.16.36.0/24 private range) return MAC addresses. This is because the MAC addresses are returned by the ARP response from the hosts. However, if the same Nmap ping scan is performed against remote hosts on a different LAN, the response will not include system MAC addresses:

root@KaliLinux:~# nmap -sn 74.125.21.0-255

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-11 05:42 EST
Nmap scan report for 74.125.21.0
Host is up (0.0024s latency).
Nmap scan report for 74.125.21.1
Host is up (0.00017s latency).
Nmap scan report for 74.125.21.2
Host is up (0.00028s latency).
Nmap scan report for 74.125.21.3
Host is up (0.00017s latency).

When performed against a remote network range (public range 74.125.21.0/24), you can see that layer 3 discovery was used, as no MAC addresses were returned. This demonstrates that when possible, Nmap will automatically leverage the speed of layer 2 discovery, but when necessary, it will use routable ICMP requests to discover remote hosts on layer 3. This can also be seen if you use Wireshark to monitor traffic while an Nmap ping scan is performed against hosts on the local network. In the following screenshot, you can see that Nmap utilizes ARP requests to identify hosts on the local segment:

How it works…

Nmap is already highly functional and requires little to no tampering to run the desired scan. The underlying principle is the same. Nmap sends ARP requests to the broadcast address for a series of IP addresses and identifies live hosts by flagging responses. However, because this functionality is already integrated into Nmap, it can be executed by simply providing the appropriate arguments.

上一章目录下一章