Penetration Testing mailing list archives

Re: [PEN-TEST] subnet discovery


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () DELOITTE CO ZA>
Date: Mon, 19 Mar 2001 13:27:13 +0200

You could use nmap for this.

nmap -sP -PI -n -vv range | grep subnet | cut -f2 -d'(' | cut -f1 -d')'

Will give you a list of network broadcast addresses. Of course, if there are
no computers in the subnet (apart from the router), you will get no extra
responses, and nmap will not be able to detect this.

As in:

[root@neo /root]# nmap -sP -PI -vv -n 192.168.0.0-5

Starting nmap V. 2.54BETA1 by fyodor () insecure org ( www.insecure.org/nmap/ )
Host   (192.168.0.0) seems to be a subnet broadcast address (returned 2
extra pings).  Skipping host.
Host  (192.168.0.1) appears to be up.
Host  (192.168.0.2) appears to be down.
Host  (192.168.0.3) appears to be down.
Host  (192.168.0.4) appears to be down.
Host  (192.168.0.5) appears to be down.
Nmap run completed -- 6 IP addresses (1 host up) scanned in 3 seconds

There exists an ICMP netmask message, which might also work. Have a look at
hping2.
http://www.kyuzz.org/antirez/hping.html

Actually, looking at the source, it doesn't support ICMP_ADDRESS requests.
Maybe you can hack it. Also have a look at hping3, linked from the same
site, although there doesn't seem to be much code yet.

Linux also doesn't support ICMP_ADDRESS, it seems, from "man icmp", so Linux
2.2+ machines probably won't answer this type of ICMP message.

Rogan



-----Original Message-----
From: Jason Ellison [mailto:infotek () DATASYNC COM]
Sent: 18 March 2001 10:15
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] subnet discovery


Has anyone seen a tool that does ping sweeps and detects DUP packets,
outputting results into a nice parsable format?

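As an added example (not part of the thread and not nmap's own code), here is a small Python parser that turns the nmap 2.54 "-sP -vv" output quoted above into the "nice parsable format" the original question asked for, separating the broadcast-address lines (and their "extra pings" count) from hosts reported up or down. The sample output is constructed from the post's transcript, with the broadcast line re-wrapped the way the mailer wrapped it, so the parser also re-joins wrapped lines; the record format it assumes is exactly the one shown in the post and may differ in other nmap versions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the nmap 2.54BETA1 "-sP -PI -vv -n" run from the post,
# with the broadcast line wrapped across two lines as the mail client did.
SAMPLE_OUTPUT = """\
Starting nmap V. 2.54BETA1 by fyodor () insecure org ( www.insecure.org/nmap/ )
Host   (192.168.0.0) seems to be a subnet broadcast address (returned 2
extra pings).  Skipping host.
Host  (192.168.0.1) appears to be up.
Host  (192.168.0.2) appears to be down.
Host  (192.168.0.3) appears to be down.
Host  (192.168.0.4) appears to be down.
Host  (192.168.0.5) appears to be down.
Nmap run completed -- 6 IP addresses (1 host up) scanned in 3 seconds
"""

# "Host [name] (ip) rest" -- the name is absent when nmap runs with -n.
HOST_RE = re.compile(r"^Host\s+(?:(?P<name>\S+)\s+)?\((?P<ip>[\d.]+)\)\s+(?P<rest>.*)$")
BCAST_RE = re.compile(r"subnet broadcast address \(returned (?P<extra>\d+) extra pings?\)")


@dataclass
class SweepResult:
    up: List[str] = field(default_factory=list)
    down: List[str] = field(default_factory=list)
    broadcast: Dict[str, int] = field(default_factory=dict)  # ip -> extra replies


def _unwrap(text):
    """Re-join lines a mail client wrapped: any line that does not start a new
    nmap record is appended to the previous record."""
    records = []
    for line in text.splitlines():
        if line.startswith(("Host", "Starting", "Nmap")) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_ping_sweep(text):
    """Parse nmap -sP -vv output into up/down hosts and broadcast addresses."""
    result = SweepResult()
    for line in _unwrap(text):
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, rest = m.group("ip"), m.group("rest")
        b = BCAST_RE.search(rest)
        if b:
            # Several replies to one echo request: nmap flags a broadcast address.
            result.broadcast[ip] = int(b.group("extra"))
        elif "appears to be up" in rest:
            result.up.append(ip)
        elif "appears to be down" in rest:
            result.down.append(ip)
    return result


def to_csv(result):
    """Emit one 'ip,state,extra_replies' line per address, sorted numerically."""
    rows = [(ip, "broadcast", n) for ip, n in result.broadcast.items()]
    rows += [(ip, "up", 0) for ip in result.up]
    rows += [(ip, "down", 0) for ip in result.down]
    rows.sort(key=lambda r: tuple(int(o) for o in r[0].split(".")))
    return ["%s,%s,%d" % r for r in rows]


if __name__ == "__main__":
    print("\n".join(to_csv(parse_ping_sweep(SAMPLE_OUTPUT))))
```

Feed it the saved output of the nmap command from the post (or pipe nmap into it) to get one CSV row per address; the broadcast rows carry the number of extra replies nmap saw. As the post notes, the method only works when hosts on the segment answer echo requests sent to the broadcast address, so on a network where Linux hosts have net.ipv4.icmp_echo_ignore_broadcasts set to 1 (the default on modern kernels) the broadcast line will not appear and the subnet boundary stays undetected.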