NetDiscover is a very neat tool for finding hosts on either wireless or switched networks. It can be used in either active or passive mode.

ARP stands for Address Resolution Protocol; it is how hosts discover which host has which MAC address. The MAC address is the physical address of the host's network card.

NetDiscover comes preinstalled with Kali Linux and is quite easy to use. In passive mode, the tool is silent: it doesn't send any data at all, it simply sniffs the network for ARP requests.

On my Kali Linux virtual host, I can simply ask NetDiscover to run in passive mode by entering the following command:
> netdiscover -i eth0 -p
It's important to know that ARP requests are not routed, so if you're using Kali Linux as a virtual machine with NAT, it might not work as expected. Your virtual machine's network should be in bridged mode to sniff ARP requests on the network you are connected to.

Also, when running in passive mode, hosts will appear over time as their ARP requests are picked up by NetDiscover.
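To show what passive mode is actually doing under the hood, here is an added example (my own illustration, not NetDiscover's code or part of the original post): a small Python parser that decodes raw Ethernet/ARP frames and builds the same IP-to-MAC host table from the sender fields of each ARP packet. The frames, MAC addresses and IPs below are constructed samples; non-ARP and truncated frames are skipped the way a passive sniffer would skip them.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def parse_arp_frame(frame):
    """Return (sender_ip, sender_mac, opcode) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size or ETH_HDR.unpack_from(frame, 0)[2] != ETHERTYPE_ARP:
        return None  # truncated, or not an ARP frame at all
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP; the address fields would be misparsed
    return ip_str(spa), mac_str(sha), op

def build_host_table(frames):
    """Passive discovery: the sender fields of every ARP packet reveal which IP uses which MAC."""
    hosts = {}  # ip -> {"macs": [distinct MACs seen for that IP], "count": frames seen}
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None:
            continue
        ip, mac, _op = parsed
        entry = hosts.setdefault(ip, {"macs": [], "count": 0})
        if mac not in entry["macs"]:
            entry["macs"].append(mac)
        entry["count"] += 1
    return hosts

def arp_request(sender_mac, sender_ip, target_ip):
    """Build a constructed sample frame: broadcast 'who has target_ip? tell sender_ip'."""
    eth = ETH_HDR.pack(b"\xff" * 6, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, 1, sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return eth + arp

# Constructed sample capture: two hosts on 192.168.8.0/24 plus one non-ARP (IPv4) frame.
GW_MAC, PC_MAC = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")
SAMPLE_FRAMES = [
    arp_request(GW_MAC, bytes([192, 168, 8, 1]), bytes([192, 168, 8, 10])),
    arp_request(PC_MAC, bytes([192, 168, 8, 10]), bytes([192, 168, 8, 1])),
    arp_request(GW_MAC, bytes([192, 168, 8, 1]), bytes([192, 168, 8, 20])),
    ETH_HDR.pack(b"\xff" * 6, PC_MAC, 0x0800) + b"\x45" + b"\x00" * 27,
]
```

Calling build_host_table(SAMPLE_FRAMES) yields 192.168.8.1 (seen twice) and 192.168.8.10 (seen once) with their MACs, while the IPv4 frame is ignored; an IP that shows up with more than one MAC in the table is worth a second look.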
If you run NetDiscover in active mode, it can discover every host on a network by sending ARP requests. This is more efficient than using ICMP (ping packets), because ICMP can be filtered by a host's local firewall, while ARP requests simply can't be blocked. If ARP were blocked, the host would not be able to communicate on an Ethernet network at all. Using ARP is a very neat way of finding all online hosts on a network.

To run NetDiscover in active mode, remove the -p flag. There are a few options for active scanning. If you are unsure of what network you are on, you can test several networks to see if there's any traffic:
- The -r flag allows you to specify this, as an example -r 192.168.0.0/24.
- If you do not specify this, NetDiscover will use the auto scan feature to scan the most common internal networks.
- If you're using the auto scan feature, you should probably also use the -f flag (fast). This tells NetDiscover not to try every IP on every network specified, but only a few of them.
- Once you see ARP requests for a particular network, you can run NetDiscover again for that network without the -f flag, using the -r flag to specify which network you want to scan every IP of.
Here's an example of running NetDiscover in active mode:
> netdiscover -i eth0 -r 192.168.8.0/24 -f
The man page is available via man netdiscover, and the NetDiscover web page can be found at http://nixgeneration.com/~jaime/netdiscover/