Saturday, January 19, 2008

How to using NetDiscover.

How to using NetDiscover.

Netdiscover is an active/passive address reconnaissance tool, mainly developed for those wireless networks without DHCP server, when you are wardriving. It can be also used on hub/switched networks. (Source NetDiscover )

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP Address' MAC Address' etc. have been munged!

This tool will allow us to quickly gather IP address on a given network and as stated above work great in wireless networks that have no DHCP server.
I am using this tool in BT2 Final. However in BT3 the process is the same.
Ok so to gain access to this tool open a shell and type:
bt ~ # netdiscover -help
This will show us what flags we can use.

Netdiscover 0.3-beta6 [Active/passive arp reconnaissance tool]
Written by: Jaime Penalba

Usage: netdiscover [-i device] [-r range | -p] [-s time] [-n node] [-c count] [-f] [-S]
-i device: your network device
-r range: scan a given range instead of auto scan.,/16,/8
-p passive mode do not send anything, only sniff
-s time: time to sleep between each arp request (miliseconds)
-c count: number of times to send each arp reques (for nets with packet loss)
-n node: last ip octet used for scanning (from 2 to 253)
-S enable sleep time supression betwen each request (hardcore mode)
-f enable fastmode scan, saves a lot of time, recommended for auto

If -p or -r aren't enabled, netdiscover will scan for common lan addresses
Ok so let's look at the flags so that we know what we are dealing with.
"-i" simply put is the network card
"-r" the range to scan that you will insert on the command later
"-p" send no packets out on the network
"-s" time to sleep between the arp requests simply means how long netdiscover should wait.
"-c" count is the number or arp requests to send each time
"-n" node again this is a number you will insert on the command latter.
"-S" this will prevent netdiscover from "sleeping" between arp requests"
"-f" fast as stated above

Ok now in order for netdiscover to work it needs to send out "arp requests" this is the Address Resolution Protocol request. Simply put we are asking the network for a host's address.
For more info about ARP go here

So now if you understand the above we can move on.
What we are doing is asking a host some basic info about the network.
"Who has Tell"
This keeps going until all the nodes or ranges we specify have answered.
When using I used wireshark to help visualize the process however this is not needed.The pictures are located here:

Now we are going to look at an example of netdiscover in action
with no flags set. This will cause ND to scan for common LAN address'
bt ~ # netdiscover
Hit enter and watch
 Currently scanning:   |   Our Mac is: 00:11:22:AA:BB:CC - 0

2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 120
IP At MAC Address Count Len MAC Vendor
----------------------------------------------------------------------------- 00:11:22:AA:BB:CC 01 060 Cisco-Linksys 00:11:22:AA:BB:CC 01 060 Cisco-Linksys
In order to stop the scan you can hit control + c .

We see above that we have found 2 hosts and the IP and MAC address's as well as the Vendor of said MAC's

Ok now we will look at some sample commands
bt ~ # netdiscover -i ath0 -r
The above is Set to scan a class "C" network to see what hosts are alive
bt ~ # netdiscover -i eth0
The above is Set to scan "common networks"
 bt ~ # netdiscover -i ath1 -p
The above is Set to scan passively

This means that it will not send ARP packets out but will wait for them to come from another source.
This is useful when we don't want to make noise and set off the alarms! This will happen on any good network with a decent IDS/IPS in place
because we are sending multiple ARP packets.
Ok so I have provided a few pictures of the tool in action and wireshark showing what is going on.


No comments: