slash-root

Local Host Discovery


When we land on a LOCAL network, we need to identify what machines are immediately available for probing. We can do this with a number of tools; in this guide I'll demonstrate 4 of them.

Lab setup


1. I am using VMware with 2 Virtual Machines. I am trying to locate the IP address of the 'Unknown' machine.

vm setup

2. My Kali Linux machine is at 192.168.231.135.

kali setup image

Method 1: ARP Scan


This tool comes packaged with Kali Linux and sends an ARP 'who-has' request to every IP address on the local subnet. Because it writes raw Ethernet frames it needs root, and because ARP does not cross routers it only ever finds hosts on the same layer-2 segment as us; the flip side is that a host cannot ignore ARP the way it can drop ICMP, so on a local subnet this is the most reliable of the four methods. It is run using the following command:

sudo arp-scan -l

arp scan

The -l (--localnet) flag tells arp-scan to work out the subnet from the interface's own address and netmask and to send one ARP request to every address in it. The requests, and the replies from live hosts, can be seen in Wireshark:

arp replies

The tool lists each reply with the responding MAC address (ignore .1, .2 and .254, which are VMware's own virtual network services: the host adapter, the NAT gateway and the DHCP server):

arp scan

At this stage we can be reasonably sure that 192.168.231.136 is the Unknown machine's IP address. arp-scan also prints the vendor decoded from the MAC address's OUI, which is a useful cross-check: a VMware OUI tells us the reply came from a virtual machine rather than from the host.

Method 2: Netdiscover


This tool also comes packaged with Kali Linux and likewise sends an ARP request to every IP address in the subnet, which here is given explicitly with -r rather than derived from the interface. It is run using the following command:

sudo netdiscover -r 192.168.231.0/24

netdiscover scan

Netdiscover also locates machines by sending out ARP requests, presenting the replies in the following table:

netdiscover results

What I particularly like about this tool is its passive mode (-p): it sends nothing at all and simply sits there sniffing ARP traffic, adding every sender it sees to a live table as shown here. Because any host that talks on the segment has to send ARP, this finds machines without us putting a single probe on the wire, which matters when we would rather not be noticed:

netdiscover passive scan
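To make concrete what both arp-scan (Method 1) and netdiscover (Method 2) actually put on the wire, here is an added example in Python; it is not code from the original page or from either tool. It builds the 42-byte Ethernet/ARP request frame that each probe consists of, builds the reply a live host sends back, and parses the sender MAC and IP out of whatever ARP frames are seen. The MAC addresses and the 'Unknown' host's address are constructed for the demo. Sending the frames needs a raw socket and root, which is what the tools do for you; the example stops at building and parsing.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)   # 28 bytes; plus a 14-byte Ethernet header = 42


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def _frame(dst_mac: bytes, src_mac: str, op: int, smac: str, sip: str, tmac: bytes, tip: str) -> bytes:
    eth = dst_mac + _mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, _mac(smac), _ip(sip), tmac, _ip(tip))
    return eth + arp


def build_arp_request(my_mac: str, my_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell my_ip': broadcast to ff:ff:ff:ff:ff:ff with the target MAC zeroed."""
    return _frame(b"\xff" * 6, my_mac, ARP_REQUEST, my_mac, my_ip, b"\x00" * 6, target_ip)


def build_arp_reply(my_mac: str, my_ip: str, asker_mac: str, asker_ip: str) -> bytes:
    """'my_ip is at my_mac': unicast straight back to whoever asked."""
    return _frame(_mac(asker_mac), my_mac, ARP_REPLY, my_mac, my_ip, _mac(asker_mac), asker_ip)


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 14 + ARP_LEN or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, _tmac, _tip = struct.unpack(ARP_FMT, frame[14:14 + ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac_str(smac), str(ipaddress.IPv4Address(sip))


def sweep_requests(my_mac: str, my_ip: str, cidr: str) -> list:
    """One request per usable address, which is what 'arp-scan -l' or 'netdiscover -r' emits."""
    network = ipaddress.ip_network(cidr, strict=False)
    return [build_arp_request(my_mac, my_ip, str(host)) for host in network.hosts()]


def harvest(frames, replies_only: bool = False) -> dict:
    """Map IP -> MAC from captured frames.

    replies_only=True is the active scan: only answers to our own requests count.
    replies_only=False is netdiscover's passive mode: every ARP frame on the
    segment, request or reply, reveals its sender, so no probe is needed.
    """
    found = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, ip = parsed
        if replies_only and op != ARP_REPLY:
            continue
        found[ip] = mac
    return found


if __name__ == "__main__":
    me = ("00:0c:29:11:22:33", "192.168.231.135")        # constructed: the scanning Kali VM
    unknown = ("00:0c:29:aa:bb:cc", "192.168.231.136")   # constructed: the 'Unknown' VM
    req = build_arp_request(me[0], me[1], unknown[1])
    rep = build_arp_reply(unknown[0], unknown[1], me[0], me[1])
    print("request:", req.hex())
    print("reply:  ", rep.hex())
    print("active scan (replies only):", harvest([req, rep], replies_only=True))
    print("passive sniff (any ARP seen):", harvest([req, rep]))
```

The opcode is the only difference a tool cares about: the active scanners keep just the opcode-2 frames that answer their own requests, while passive mode records the sender fields of everything, which is why a host shows up in netdiscover -p the moment it ARPs for its gateway.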

Method 3: Scripting


Sometimes tools will fail, or more likely won't be available to us depending on what machine we land on (unfortunately, not all networks have a nice Kali Linux machine for us to use!), so we need to locate hosts by hand. One of the most portable ways to do this is with Internet Control Message Protocol (ICMP) echo requests via the ping utility, which exists on practically every operating system. Unlike ARP, ping is routed, so it can also reach hosts beyond our own segment; the trade-off is that a host firewall can simply drop the echo requests.

The following script takes one parameter ($1) from the user, the first three octets of the /24 address, i.e. 192.168.231, and appends 1 to 254 to it in a loop, running ping against each address.

We keep only the '64 bytes' lines, cut out what we don't want and delete the trailing ':' to clean up the results. Note that '64 bytes' is what the Linux ping client prints for any reply (56 data bytes plus the 8-byte ICMP header) regardless of what OS the target runs; if you run the sweep from a Windows box instead, its ping.exe prints 'Reply from x.x.x.x: bytes=32 ...', so the grep and cut would need amending.

#!/bin/bash
# Usage: ./pingsweep.sh 192.168.231   (the first three octets of the /24)
if [ -z "$1" ]; then
    echo "No ip address!"
    exit 1
fi
for ip in $(seq 1 254); do
    # -c 1: one probe; -W 1: give up after 1 second instead of ping's 10-second default;
    # -n: no reverse DNS, so field 4 is always the bare IP and never a hostname
    ping -c 1 -W 1 -n "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done
wait    # the pings run in parallel; wait for all of them before returning to the prompt


I used Mousepad, but any text editor will work. Save as pingsweep.sh and do not forget to make the file executable.

ping sweep script

Execute the script and await results. Something to bear in mind at this point: if the target machine has been set not to respond to ping, typically by a host firewall dropping ICMP echo requests (as Windows Defender Firewall does by default on a public network profile), we will miss it, and a missing reply is not evidence that the address is unused. This is exactly where the ARP methods above have the edge on a local segment.

ping sweep script

In this example, disregard .1 (the VMware host adapter) and our own IP .135. We can be confident there is something at .136 as it responded to a ping request.

Method 4: Creating your own tool

Host discovery can be done in numerous programming languages, Python being one. You can create a simple ping scanner in as little as 20 lines. As an example I have provided the following script. When run it asks the user for a network in /24 form, i.e. 192.168.231.0/24. Its first action is to strip the trailing 0/24 (we can't ping the network address itself), leaving the first three octets. The for loop then cycles through all values from 1 to 254, pinging each address once with a reply wait time of 1 second (better to increase the wait time in reality, as machines will usually take a little longer to respond depending on network conditions; I just wanted quick results for this demo).

ping sweep py script

Any IPs that respond to the ping (return code 0) are appended to a list (ips_responding). At the end of the run the results are printed to the screen: first the number of hosts that responded (bear in mind one of these is ours), followed by the IPs themselves. The complete output resembles the following:

ping sweep results
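Putting Methods 3 and 4 together, here is an added Python ping sweep; it is my example, not the author's script from the screenshot above. It accepts a network in CIDR form as the text describes but uses the ipaddress module instead of stripping the 0/24 by hand, runs the probes in parallel so a /24 finishes in about one timeout rather than 254 of them, picks the right ping flags for Linux and Windows, and treats a host as up only when the output carries a TTL, because the exit status alone is not reliable on Windows. The probe function is injectable so the sweep logic can be exercised without a network; the addresses are the lab's.

```python
import ipaddress
import platform
import subprocess
from concurrent.futures import ThreadPoolExecutor


def ping_args(ip: str) -> list:
    """One echo request with a one-second reply timeout, using each OS's own flags."""
    if platform.system() == "Windows":
        return ["ping", "-n", "1", "-w", "1000", ip]      # -w takes milliseconds
    return ["ping", "-c", "1", "-W", "1", "-n", ip]        # -n: skip reverse DNS


def is_reply(returncode: int, output: str) -> bool:
    """True only for a genuine echo reply.

    Linux prints 'ttl=64', Windows 'TTL=128'. Windows ping can exit 0 after
    printing 'Destination host unreachable' (the local stack answered), so the
    exit status alone would over-report live hosts.
    """
    return returncode == 0 and "ttl=" in output.lower()


def probe(ip: str) -> bool:
    """Ping one address; a missing ping binary or a hung ping counts as 'down'."""
    try:
        result = subprocess.run(ping_args(ip), capture_output=True, text=True, timeout=5)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return is_reply(result.returncode, result.stdout)


def sweep(cidr: str, probe=probe, workers: int = 64) -> list:
    """Return the responding hosts of a network, in address order.

    ipaddress handles the 0/24 that the original script had to strip by hand
    and accepts other prefix lengths too. Probes run in parallel so a /24 takes
    about as long as one timeout rather than 254 of them.
    """
    network = ipaddress.ip_network(cidr, strict=False)
    hosts = [str(host) for host in network.hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, hosts))
    return [ip for ip, up in zip(hosts, results) if up]


if __name__ == "__main__":
    target = input("Enter a network to sweep, e.g. 192.168.231.0/24: ").strip()
    ips_responding = sweep(target)
    print(f"{len(ips_responding)} host(s) responded (one of them is probably us):")
    for ip in ips_responding:
        print(ip)
```

The same caveat as for the shell script applies: a host that drops ICMP echo requests never makes the list, so an empty result means "nothing answered", not "nothing is there".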

A final point to note: there are hundreds of tools out there to perform host discovery, and it's always good to have one of each type in your arsenal, an ARP scanner for the local segment, a ping sweep for anything routed, and a script you can rebuild by hand when neither is installed. Please report any errors to the address below.

Enquiries

[email protected]

Copyright © 2023 - slash-root.com