January 21, 2020

Discover Network Hosts with NetDiscover

Johan Grotherus
Share
Discover Network Hosts with NetDiscover - Cybrary

NetDiscover is a very neat tool for finding hosts on either wireless or switched networks. It can be used both in active or in passive mode.ARP stands for Address Resolution Protocol and it allows the discovery of which host has which MAC address. The MAC address is the physical address of the hosts network card.NetDiscover comes preinstalled with Kali Linux and is quite easy to use. In passive mode, the tool is silent. It doesn't send any data at all - it simply sniffs the network for ARP requests.On my Kali Linux virtual host, I can simply ask NetDiscover to run in passive mode by entering the following command:

> netdiscover -i eth0 -p

It's important to know that ARP requests are not routed on a network, so if you're sing Kali Linux as a virtual machine with NAT, it might not work as expected. You should have your network in bridged mode to sniff ARP requests on the network you are connected to.Also, when running in passive mode, hosts will appear over time as their ARP requests are picked up by NetDiscover.

If you run Netdiscover in active mode, it can discover every host on a network by sending ARP requests. This is more efficient than using ICMP (Ping packets), as ICMP can be filtered by a host's local firewall, while ARP requests simply cant be blocked.If ARP were to be blocked, the host would not be able to communicate on an Ethernet network at all. Using ARP is a very neat way of finding all online hosts on a network.To run NetDiscover in active mode, remove the -p flag; there are a few options for active scanning. If you are unsure of what network you are on, you can test several networks to see if there's any traffic.

  • The -r flag allows you to specify this, as an example -r 192.168.0.0/24.
  • If you do not specify this, NetDiscover will use the auto scan feature to scan the most common internal networks.
  • If you're using the auto scan feature, you should also probably use the -f flag for fast. This tells NetDiscover not to try every IP on every network specified but instead try a few ones.
  • Once you see ARP requests for a particular network, you can run NetDiscover again for that particular network without the -f flag and use the -r flag to specify which particular network you want to scan every IP for.

Here's an example of running Netdiscover in active mode:

> netdiscover -i eth0 -r 192.168.8.0/24 -f

The manpage is available at man netdiscover and the webpage for NetDiscover can be found at http://nixgeneration.com/~jaime/netdiscover/

Start learning with Cybrary

Create a free account

Related Posts

All Blogs
Building a Security Team
June 27, 2023

Digital Forensics and Incident Response: What It Is, When You Need It, and How to Implement It

A quick guide to digital forensics and incident response (DFIR): what it is, when it’s needed, how to implement a cutting-edge program, and how to develop DFIR skills on your team.

Read More
Building a Security Team
June 28, 2023

How to Build a Red Team

An overview of what a red team is (and isn’t), and practical tips on how to build a Red Team and develop offensive security skills in your team.

Read More
Tools & Applications
June 7, 2023

How to Make the Most of Blending Learning with Cybrary Live

Learn how to get the most from your cybersecurity training platform by blending on-demand learning with virtual, live courses led by industry experts.

Read More
News & Events
June 7, 2023

Introducing the New Cybrary Learner Experience

Cybrary is launching a key update to the Cybrary Learner experience to elevate hands-on learning and measurement as guiding tenets of Cybrary’s mission.

Read More