Discovering live servers over the network

In this recipe, we will learn how to discover live devices/machines on the network using two methods: passive information gathering and active information gathering.

We will begin by examining our environment's network traffic as part of passive information gathering, and then move on to active information gathering, in which we send packets over the network to detect active machines and the services running on them.

Getting ready

To begin with this recipe, we will use a simple ARP sniffing/scanning tool called netdiscover. It is a network discovery tool that can be used for active or passive ARP reconnaissance. Because it relies on ARP, it only discovers hosts on the local layer-2 segment (the same broadcast domain as your interface); hosts on the far side of a router are not visible to it.

How to do it...

Let's start with passive reconnaissance:

  1. To start netdiscover, ensure that you are connected to the target network (wired or Wi-Fi) and have a valid IP address. Open the terminal and enter the following command for passive reconnaissance:
    netdiscover -p
    

    The output will be as shown in the following screenshot:

  2. To perform an active scan over the network to discover live IPs, type the following command in the terminal (replace eth0 with the name of your own interface):
    netdiscover -i eth0
    

    The output will be as shown in the following screenshot:

  3. If you would like to save the output of netdiscover, you can redirect it to a file with the following command. Note that netdiscover's default display redraws the screen, so the saved file may also contain terminal control characters; the -P option prints results in a format suitable for parsing by another program if you need clean output:
    netdiscover -i eth0 > localIPS.txt
    
  4. After a few seconds (for example, 10 seconds), terminate the program with Ctrl + C. The contents of the file will look something like the following:
  5. Another way to perform a quick and effective scan is by using the nmap command. To detect the live systems in a network range via a simple ping scan (host discovery only, with no port scan), use the following command in the terminal:
    nmap -sP 192.168.1.0/24
    

    The output will be as shown in the following screenshot:

  6. You can also save the output of the nmap tool to a file that contains only the live IP addresses. All we have to do is add a short shell pipeline and type the following command in the terminal:
    nmap -sP <IP address range>/<CIDR prefix length> | grep "report for" | cut -d " " -f5 > nmapliveIPs.txt
    

    Let us understand the command: the output of nmap is fed as input to the grep command that follows the first pipe sign. grep keeps only the lines that contain "report for", because nmap prints "Nmap scan report for <host>" only for hosts that responded. Those lines are passed through the second pipe sign to cut, which splits each line on a single space and prints the fifth field, that is, the fifth word, which is the address. One caveat: when reverse DNS resolves a host, nmap prints "Nmap scan report for hostname (192.168.1.10)", so the fifth field is the hostname rather than the IP. Run nmap with -n to disable name resolution if you want the fifth field to always be the IP address.

    The file will then contain only the IP addresses, which we can continue to use for our further assessment:

    This file will be referenced in later recipes to automate a chain of scanning requests, since all the live IPs have been extracted into one file.
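A more robust version of the extraction pipeline from step 6, added here as an example that is not part of the original recipe: the parser copes with the hostname form of nmap's report lines and with the "[host down]" lines that appear in verbose runs, and it is exercised against a constructed sample of nmap -sn output rather than a live scan. The discover_live_hosts function shows how the real invocation would look; the range 192.168.1.0/24 is a placeholder, and nmap is not executed when the script runs as written.

```shell
#!/bin/sh
# Added example (not from the original recipe): extract live IPs from
# nmap -sn normal output, whatever form the "scan report" line takes.

# Constructed sample of nmap -sn -v normal output; not a real capture.
SAMPLE_NMAP_OUTPUT='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.2 [host down]
Nmap scan report for printer.lan (192.168.1.20)
Host is up (0.0040s latency).
Nmap scan report for 192.168.1.55
Host is up (0.0100s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

# extract_live_ips reads nmap normal output on stdin and prints one
# address per line. It takes the last field of each report line, so
# "Nmap scan report for host.lan (192.168.1.20)" yields the address in
# parentheses rather than the hostname, and it skips "[host down]" lines.
extract_live_ips() {
    awk '/^Nmap scan report for/ && !/\[host down\]/ {
        ip = $NF
        gsub(/[()]/, "", ip)
        print ip
    }'
}

# discover_live_hosts runs the real scan against a CIDR range (hypothetical
# target given as $1). -n skips reverse DNS, and -oG - produces grepable
# output in which every live host appears as
#   Host: 192.168.1.1 ()  Status: Up
# so the address is always the second field.
discover_live_hosts() {
    nmap -sn -n -oG - "$1" | awk '/Status: Up/ { print $2 }'
}

# Demonstration on the constructed sample; redirect to nmapliveIPs.txt to
# reproduce step 6 of the recipe.
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | extract_live_ips
```

Running the script prints 192.168.1.1, 192.168.1.20 and 192.168.1.55, one per line; the host reported as down is dropped and the hostname line yields its address. For a live scan, call discover_live_hosts 192.168.1.0/24 (or your own range) and redirect its output to a file.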

How it works...

The tools we have used work as follows:

  • netdiscover: The following switches are used with this command:
    • -p: This switch runs netdiscover in passive mode; it does not send any packets of its own and only listens for ARP traffic on our network interface card
    • -i: This switch is used for specifying which interface to use for detection of live IPs

We also saw how the output can be stored in a file for later reference.

  • nmap: The following switches are used with this command:
    • -sP: This switch is the older name for the -sn switch; both request a ping scan, that is, host discovery with no port scan

We also saved the output of the ping scan to a file using a short shell pipeline.

In this recipe, we have learned how to detect all the live IPs in a network and collect them in a file, scoping them for open-port analysis in the next recipe.

There's more...

There are more options in the netdiscover tool that help to speed up the process. They are as follows:

  • -h: This option prints the help content for using netdiscover
  • -r: This option lets you scan a given range (for example, -r 192.168.1.0/24) rather than the default auto scan of common private address ranges
  • -s: This option sets a sleep time, in milliseconds, between each ARP request
  • -l: This option lets you provide a file containing a list of IP ranges to be scanned
  • -f: This option enables fast mode, which saves a lot of time compared to normal detection
  • -P: This option prints results in a format suitable for parsing by another program, which is the mode to use when redirecting output to a file

The nmap tool also supports many options for live host detection:

  • -sL: This is a list scan; it lists every target (performing reverse-DNS lookups) without sending any probes. To read targets from a file, use -iL <file> instead.
  • -sn: This is a simple ping scan to determine live IPs without scanning ports.
  • -PS/-PA/-PU/-PY[portlist]: These use TCP SYN, TCP ACK, UDP or SCTP probes to the given ports for host discovery, which helps when ICMP is filtered
  • --traceroute: This option traces the hop path to each host

See also

For more information on active and passive scanning and more tools for the same, refer to the following links: