Using NetDiscover to perform layer 2 discovery
NetDiscover is a tool that is used to identify network hosts through both active and passive ARP analysis. It was primarily written to be used on a wireless interface; however, it is functional in a switched environment as well. In this specific recipe, we will discuss how to use NetDiscover for both active and passive scanning.
Getting ready
To use NetDiscover to perform ARP discovery, you will need to have at least one system on the LAN that will respond to ARP requests. In the examples provided, a combination of Linux and Windows systems are used. For more information on setting up systems in a local lab environment, please refer to the Installing Metasploitable2 and Installing Windows Server recipes in Chapter 1, Getting Started.
How to do it…
NetDiscover was designed specifically for layer 2 discovery. It scans a range of IP addresses when the range is passed in CIDR notation as the argument to the -r option. The output is a table listing each live IP address, its MAC address, the number of ARP frames received from it (Count), the total size in bytes of those frames (Len; 60 bytes is the minimum Ethernet frame size, so a single padded ARP reply shows as 060), and the vendor derived from the MAC address:
root@KaliLinux:~# netdiscover -r 172.16.36.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 300
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 172.16.36.1     00:50:56:c0:00:08   01     060   VMWare, Inc.
 172.16.36.2     00:50:56:ff:2a:8e   01     060   VMWare, Inc.
 172.16.36.132   00:0c:29:65:fc:d2   01     060   VMware, Inc.
 172.16.36.135   00:0c:29:3d:84:32   01     060   VMware, Inc.
 172.16.36.254   00:50:56:ef:b9:9c   01     060   VMWare, Inc.
NetDiscover can also read the ranges to scan from a text file. Instead of passing a CIDR range on the command line, use the -l option with the name or path of a file containing one range in CIDR notation per line. The Currently scanning: 172.16.36.0/24 line in the output below shows the range that was read from iplist.txt; the scan was left running for several passes, which is why the Count and Len columns have grown:
root@KaliLinux:~# netdiscover -l iplist.txt

 Currently scanning: 172.16.36.0/24   |   Screen View: Unique Hosts

 39 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 2340
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 172.16.36.1     00:50:56:c0:00:08   08     480   VMWare, Inc.
 172.16.36.2     00:50:56:ff:2a:8e   08     480   VMWare, Inc.
 172.16.36.132   00:0c:29:65:fc:d2   08     480   VMware, Inc.
 172.16.36.135   00:0c:29:3d:84:32   08     480   VMware, Inc.
 172.16.36.254   00:50:56:ef:b9:9c   07     420   VMWare, Inc.
Another feature that sets this tool apart from the others is passive discovery. Broadcasting an ARP request for every IP address in a subnet is a recognisable pattern that can trigger alerts on security devices such as Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS), and it is also visible to any host that logs unexpected ARP traffic. A stealthier approach is to send nothing at all: listen for the ARP traffic that reaches the scanning system's interface as the other hosts go about their normal business, and record the sender IP and MAC address carried in each request or reply. This passive mode is enabled with the -p option:
root@KaliLinux:~# netdiscover -p

 Currently scanning: (passive)   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 172.16.36.132   00:0c:29:65:fc:d2   02     120   VMware, Inc.
 172.16.36.135   00:0c:29:3d:84:32   02     120   VMware, Inc.
This technique gathers information much more slowly, because every entry depends on some other host choosing to send ARP traffic, but it generates no traffic of its own and is therefore unlikely to draw unwanted attention. It is most effective on a shared medium such as a hub or an open wireless network, where an adapter in promiscuous or monitor mode receives every frame, including ARP replies addressed to other devices. On an encrypted wireless network the picture is narrower: broadcast frames (ARP requests) are encrypted with the group key that every client holds, but unicast replies between other clients are protected by per-client keys, so you see only the requests unless you can also decrypt those clients' sessions. In a switched environment a switch forwards unicast replies only to the port of the intended recipient; to see them you need a SPAN (mirror) port or a network TAP, or you would have to flood the switch's CAM table with bogus MAC addresses until it fails open and starts forwarding all traffic to every port. That MAC flooding attack is itself extremely noisy and defeats the purpose of choosing the passive mode for stealth.
How it works…
The underlying principle of ARP discovery with NetDiscover is the same as in the layer 2 discovery approaches discussed earlier: a request for an IP address is broadcast on the local segment, and the host that owns the address replies with its MAC address. The two things that distinguish this tool from the others are the passive discovery mode and the MAC vendor column in the output. On a switched network, passive mode never sees the unicast replies exchanged between other hosts, because the switch delivers those only to the intended port. It does still see ARP requests, which are broadcast and flooded to every port, so hosts that resolve their gateway or each other will appear over time from the sender fields of their requests, as the two entries in the example above show. The mode is nonetheless far more productive on a broadcast medium such as a hub or an open wireless network, where replies are visible as well. NetDiscover identifies the MAC vendor from the first half of the returned MAC address (the first 3 octets, or 24 bits), known as the Organizationally Unique Identifier (OUI). This portion of the address identifies the manufacturer of the network interface and is often a good indication of the hardware manufacturer of the rest of the device, with two caveats: a virtual machine reports the OUI of its hypervisor vendor rather than any physical hardware (every host in the examples above shows as VMware for exactly this reason), and a locally administered or randomised address, recognisable by the second-lowest bit of the first octet being set, carries no vendor information at all.
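To make the mechanics concrete, the following Python program is an added example; it is not NetDiscover's code and no command on this page produces it. It builds by hand the Ethernet/ARP frames that an active scan sends and receives, parses what comes back, extracts the 24-bit OUI for the vendor lookup, flags locally administered addresses, and shows the difference between the active and passive tables by feeding the same constructed frames through both recording rules. The scanner's own addresses, the request from 172.16.36.135 for its gateway, the ARP probe from 172.16.36.2 and the two-entry OUI table are assumptions constructed inline so that it runs offline without root privileges; transmitting the request for real would need a raw AF_PACKET socket, which is deliberately left out.

```python
"""Added example: the ARP frames behind NetDiscover's active (-r) and passive (-p)
modes, built and parsed by hand. Not NetDiscover's source; all frames below are
constructed samples, and the OUI table is a two-entry stand-in for the real one."""
import struct

ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
MIN_ETH_FRAME = 60  # NIC pads short frames to this; it is the 060 in NetDiscover's Len column

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(raw): return ".".join(str(b) for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body (42 bytes). A request is sent to the
    broadcast MAC with a zeroed target hardware address; a reply is unicast back."""
    dst = target_mac if op == ARP_REPLY else ETH_BROADCAST
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen 6, plen 4, opcode
    tha = mac_bytes(target_mac) if op == ARP_REPLY else b"\x00" * 6
    return eth + arp + mac_bytes(sender_mac) + ip_bytes(sender_ip) + tha + ip_bytes(target_ip)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None for non-ARP frames.
    The sender fields are what fills NetDiscover's table."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(frame[22:28]), ip_str(frame[28:32]), ip_str(frame[38:42])

def oui(mac):
    """First 3 octets (24 bits): the Organizationally Unique Identifier."""
    return mac.upper()[:8]

def is_locally_administered(mac):
    """Bit 1 of the first octet set: randomised or locally assigned, OUI lookup meaningless."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

OUI_VENDORS = {"00:50:56": "VMware, Inc.", "00:0C:29": "VMware, Inc."}  # constructed stand-in table

def vendor_of(mac):
    if is_locally_administered(mac):
        return "Locally administered (no vendor)"
    return OUI_VENDORS.get(oui(mac), "Unknown vendor")

def harvest(frames, passive=False, own_mac=None):
    """Build the host table. Active mode records only replies; passive mode also
    records the sender of every broadcast request it overhears. ARP probes
    (sender IP 0.0.0.0, RFC 5227) carry no address and are skipped."""
    hosts = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip, _ = parsed
        if smac == own_mac or sip == "0.0.0.0":
            continue
        if op == ARP_REPLY or (passive and op == ARP_REQUEST):
            entry = hosts.setdefault(sip, {"mac": smac, "count": 0, "length": 0,
                                           "vendor": vendor_of(smac)})
            entry["count"] += 1
            entry["length"] += max(len(frame), MIN_ETH_FRAME)
    return hosts

# Constructed sample traffic as seen on the scanner's interface (assumed scanner addresses).
SCANNER_MAC, SCANNER_IP = "00:0c:29:aa:bb:cc", "172.16.36.130"
SAMPLE_FRAMES = [
    # our own active probe for .132
    build_arp(ARP_REQUEST, SCANNER_MAC, SCANNER_IP, ETH_BROADCAST, "172.16.36.132"),
    # unicast reply from .132: the only kind of frame an active scan records
    build_arp(ARP_REPLY, "00:0c:29:65:fc:d2", "172.16.36.132", SCANNER_MAC, SCANNER_IP),
    # .135 asking for its gateway: broadcast, so a switch floods it to every port
    build_arp(ARP_REQUEST, "00:0c:29:3d:84:32", "172.16.36.135", ETH_BROADCAST, "172.16.36.1"),
    # an ARP probe from a host checking for a duplicate address: nothing to record
    build_arp(ARP_REQUEST, "00:50:56:ff:2a:8e", "0.0.0.0", ETH_BROADCAST, "172.16.36.2"),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("passive" if mode else "active")
        for ip, e in harvest(SAMPLE_FRAMES, passive=mode, own_mac=SCANNER_MAC).items():
            print(f" {ip:15} {e['mac']:18} {e['count']:02d} {e['length']:03d} {e['vendor']}")
```

Running the block as a script prints an active table containing only 172.16.36.132 and a passive table that also lists 172.16.36.135, harvested from the sender fields of its broadcast request; the Count and Len values follow the same accounting as NetDiscover's columns, with each padded 60-byte frame adding 060 to Len.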