
Netdiscover – Network Address Discovering Tool

In this article we examine Netdiscover, a network address discovery tool. It works on both wired and wireless networks and uses ARP requests to detect devices. Because ARP does not cross routers, it can only find hosts on the same layer-2 segment as the interface it scans from.

In a previous article, Network Scanning Tools (part 2), we briefly covered Netdiscover and described it as:

Netdiscover is a network address discovering tool, developed mainly for those wireless networks without DHCP server; it also works on hub/switched networks. It's based on ARP packets: it will send ARP requests and sniff for replies.

Netdiscover

A further explanation is as follows:

Netdiscover is an active/passive ARP reconnaissance tool, initially developed to gain information about wireless networks without DHCP servers in wardriving scenarios.

debian.org

Wardriving is the act of searching for wireless networks, usually in a moving vehicle, using a laptop or smartphone.

In the following sections we are going to look at Netdiscover in more detail and demonstrate its use with some examples.

Tool Usage

The synopsis or syntax of Netdiscover is as follows:

netdiscover [-i device] [-r range | -l file | -p] [-m file] [-F filter] [-s time] [-c count] [-n node] [-dfPLNS]

The main options are as follows:

  • -i device
    • your network device.
  • -r range
    • scan a given range instead of auto scan e.g. 192.168.6.0/24, /16, /8.
  • -l file
    • scan the list of ranges contained in the given file.
  • -p
    • passive mode i.e. do not send anything, only sniff.
  • -m file
    • scan a list of known MACs and host names.
  • -F filter
    • customize pcap filter expression (default: “arp”).
  • -s time
    • time to sleep between each ARP request (milliseconds).
  • -c count
    • number of times to send each ARP request (for nets with packet loss).
  • -n node
    • last source IP octet used for scanning (from 2 to 253).
  • -d
    • ignore home config files for autoscan and fast mode.
  • -f
    • enable fast mode scan, saves a lot of time, recommended for auto.
  • -P
    • print results in a format suitable for parsing by another program and stop after active scan.
  • -L
    • similar to -P but continue listening after the active scan is completed.
  • -N
    • do not print header. Only valid when -P or -L is enabled.
  • -S
    • enable sleep time suppression between each request (hardcore mode).

Test Environment

For the purposes of this article we will be using Netdiscover v0.7 installed on a Kali Linux 2021.2 virtual machine (IP = 10.0.2.15) running within VirtualBox 6.1. The target machines are being run as virtual machines on the same NAT Network:

  • Metasploitable 2:
    • IP = 10.0.2.4
    • MAC = 08:00:27:e9:d3:d7
  • Ubuntu 21.04:
    • IP = 10.0.2.5
    • MAC = 08:00:27:cd:fe:4b
  • Windows 10:
    • IP = 10.0.2.6
    • MAC = 08:00:27:42:90:70

Demonstrations

1) Scan common LAN addresses on eth0

Perform a scan of the common private LAN address ranges using the wired network adapter. This type of scan can take a long time to run because of the large number of addresses in those ranges, and since ARP only reaches the local broadcast domain, every address outside the segment eth0 is attached to is probed for nothing. The command is as follows:

netdiscover -i eth0

The results of this scan were:

2) Fast scan common LAN addresses on wlan0

Perform a fast scan of the common LAN address ranges using the wireless network adapter. Fast mode is quicker than example #1 because it does not probe every address: it only sends requests to a handful of host addresses in each /24 that gateways commonly use (such as .1 and .254). The command is as follows:

netdiscover -i wlan0 -f

The results of this scan were:

Although fast mode is intended to find gateways, it also detected some media streaming devices. This is to be expected: fast mode does not identify gateways, it simply probes a few fixed addresses per /24, so any device that happens to hold one of those addresses will answer.

3) Scan a fixed range of IP Addresses on eth0

Perform a scan of LAN IP addresses within a fixed range, given in CIDR notation, using the wired network adapter. The command is as follows:

netdiscover -i eth0 -r 10.0.0.0/16

The results of this scan were:

4) Scan a fixed range of IP Addresses on wlan0

Perform a scan of LAN IP addresses within a fixed range using the wireless network adapter. The command is as follows:

netdiscover -i wlan0 -r 192.168.0.0/16

The results of this scan were:

5) Fast scan a fixed range of IP Addresses on eth0 with sleep time

Perform a fast scan of LAN IP addresses within a fixed range using the wired network adapter, with a sleep time of 0.5 instead of the default of 1. Note that -s is measured in milliseconds and read as an integer, so a fractional value such as 0.5 does not give half a millisecond; to slow the scan down on a lossy network use whole values such as -s 5, and to remove the delay entirely use -S. The command is as follows:

netdiscover -i eth0 -r 10.0.0.0/8 -f -s 0.5

The results of this scan were:

6) Sniff for ARP traffic on eth0

Sniff for ARP traffic using the wired network adapter. Passive mode sends nothing and only listens, so it is unlikely to trigger network-based detection; the trade-off is that it only learns about hosts whose ARP traffic reaches the interface. ARP requests are broadcast, so any host resolving an address on the segment is recorded, but unicast replies exchanged between other hosts on a switched network are not seen, and a host that stays quiet is never discovered. The command is as follows:

netdiscover -i eth0 -p

The results of this scan were:

7) Scan for common LAN addresses on eth0 using old hardcore mode

Perform a scan of the common LAN address ranges in 'old hardcore mode' (-S, which suppresses the sleep between requests) using the wired network adapter. This is much faster but should be avoided on networks with a poor connection, since replies to a burst of requests are more likely to be lost; -c can be used to repeat each request if hosts are being missed. The command is as follows:

netdiscover -i eth0 -S

The results of this scan were:
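The interactive screen shown in the demonstrations above is awkward to automate. The following script, added here as an example and not taken from the article or from the netdiscover project, runs the tool with -P -N (parsable output, no header, exit after the active scan) and compares the MAC addresses it finds against a small allowlist of known devices, which turns an ARP sweep into a quick check for unexpected hosts on the segment. The sample scan output embedded in the script is constructed to resemble -P -N output for the three test-environment hosts plus one extra, unlisted host; the allowlist format is the script's own and is unrelated to the -m file option. Running the script with three arguments (interface, range, allowlist file) invokes netdiscover for real, which requires root.

```shell
#!/bin/sh
# Added example, not part of the original article or the netdiscover project.
# Parses `netdiscover -P -N` output (one host per line, IP in the first column,
# MAC in the second) and flags any MAC that is not on an allowlist of known
# devices, so new or rogue hosts on the segment stand out.
#
# Assumptions: the allowlist format ("mac  description" per line, '#' starts
# a comment) is this script's own, not netdiscover's -m file format. The
# sample scan output below is CONSTRUCTED to look like -P -N output for the
# test-environment hosts plus one host (10.0.2.7) that is not on the list.

# Constructed sample of `netdiscover -i eth0 -r 10.0.2.0/24 -P -N`. The last
# line imitates the summary printed after an active scan; the parser must skip it.
SAMPLE_SCAN=' 10.0.2.4        08:00:27:e9:d3:d7      1      60  PCS Systemtechnik GmbH
 10.0.2.5        08:00:27:cd:fe:4b      1      60  PCS Systemtechnik GmbH
 10.0.2.6        08:00:27:42:90:70      1      60  PCS Systemtechnik GmbH
 10.0.2.7        08:00:27:aa:bb:cc      2     120  PCS Systemtechnik GmbH
-- Active scan completed, 4 Hosts found.'

# Known devices, written to a temp file in this script's own allowlist format.
# One entry is upper-case on purpose to show that comparison is case-insensitive.
ALLOWLIST=$(mktemp)
trap 'rm -f "$ALLOWLIST"' EXIT
cat >"$ALLOWLIST" <<'EOF'
# mac                description
08:00:27:e9:d3:d7    metasploitable2
08:00:27:CD:FE:4B    ubuntu-21.04
08:00:27:42:90:70    windows10
EOF

# parse_scan: stdin = netdiscover -P -N output, stdout = "ip,mac" per host.
# Only lines whose first field is a dotted quad and whose second field is a
# six-octet MAC are kept, so vendor strings containing spaces and the summary
# line are ignored. MACs are lower-cased for comparison.
parse_scan() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
         $2 ~ /^([0-9a-fA-F][0-9a-fA-F]:)+[0-9a-fA-F][0-9a-fA-F]$/ &&
         length($2) == 17 { print $1 "," tolower($2) }'
}

# find_unknown ALLOWLIST: stdin = parse_scan output, stdout = "ip,mac" for
# every host whose MAC is not in the allowlist. The allowlist is read first
# (NR == FNR) into an array keyed by lower-cased MAC; "-" then reads stdin.
find_unknown() {
    awk -F '[ ,]+' '
        NR == FNR { if ($1 != "" && $1 !~ /^#/) known[tolower($1)] = 1; next }
        !(tolower($2) in known) { print $1 "," $2 }
    ' "$1" -
}

# live_scan IFACE RANGE ALLOWLIST: the same pipeline over a real scan.
# -P (rather than -L) makes netdiscover exit once the sweep is done. Needs root.
live_scan() {
    netdiscover -i "$1" -r "$2" -P -N | parse_scan | find_unknown "$3"
}

# unknown_hosts: the pipeline over the constructed sample.
unknown_hosts() {
    printf '%s\n' "$SAMPLE_SCAN" | parse_scan | find_unknown "$ALLOWLIST"
}

if [ "$#" -eq 3 ]; then
    live_scan "$1" "$2" "$3"
else
    echo "Hosts seen in the sample scan:"
    printf '%s\n' "$SAMPLE_SCAN" | parse_scan
    echo "Not on the allowlist:"
    unknown_hosts      # prints 10.0.2.7,08:00:27:aa:bb:cc
fi
```

Because only the first two columns are used, the filter is insensitive to the width of the vendor column and to the summary line netdiscover prints at the end of an active scan. Run from cron and alerting on non-empty output, it gives a cheap layer-2 inventory check; remember that it only covers the segment the interface is on, and that a host can trivially spoof a MAC that is on the list.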
