No matter how good our skills are, we need to find systems that we can attack. This is accomplished by probing the network and looking for a response.
One of the most popular tools for this is the excellent open source tool netdiscover.
[#1] With Netdiscover
You can find netdiscover on a Kali Linux machine by opening the applications menu, then Information Gathering, then Route Analysis, about midway down the long list of discovery tools. When you click on netdiscover, it opens a terminal that displays some basic help. Netdiscover is a relatively simple tool, so there are not a lot of options.
To discover the IPs on an internal network, we will usually want to scan a range of IP addresses. In netdiscover, we use the -r switch (for range) and give it, in CIDR notation, the network range we want scanned. Netdiscover finds hosts by sending ARP requests, so it only works against the local broadcast domain (you cannot point it at a remote subnet through a router), but it is very reliable there: a host must answer ARP to communicate at all, so a host-based firewall that silently drops pings does not hide it from netdiscover.
In the command below, we are asking netdiscover to find all the live hosts in 192.168.73.0/24, i.e. with IP addresses from 192.168.73.1 to 192.168.73.254. The -i switch selects the interface to send from and -P prints the results in a plain, parseable format instead of the interactive screen. We do this by typing:
netdiscover -P -i eth0 -r 192.168.73.0/24
Another popular tool, nmap, can also be used to find the live hosts on a network. You can download nmap from www.nmap.org, or use any of the many toolkit distributions (Kali Linux among them) that ship it.
The command below tells nmap to do host discovery only (-sn, no port scan) against 192.168.73.1 to 192.168.73.254. Run as root, nmap sends each address an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and treats any reply as proof the host is up; run unprivileged, it falls back to TCP connect attempts to ports 80 and 443. This is not 100% reliable because modern host-based firewalls drop ping and unsolicited TCP probes; Windows Firewall blocks inbound ping by default.
A host that blocks ping and does not answer on ports 80 or 443 therefore produces no reply, and nmap reports it as down even though it is online. Two things help here. First, on a directly connected Ethernet segment nmap uses ARP requests instead of the probes above, which a host firewall cannot suppress. Second, for remote subnets you can add probes aimed at ports the targets are likely to have open, for example -PS22,445,3389 (TCP SYN) or -PA80 (TCP ACK), so that a host answering any of them is counted as up.
nmap -sn 192.168.73.1-254
Nmap is compatible with every major operating system including Mac OS, Windows, and Linux. We’re going to focus on using nmap to find and list all hosts on a network, and we’re assuming you already have nmap on your Kali Linux machine.
To find active hosts within a network, type the following command in your terminal:
nmap -n -sV 192.168.73.1-254
Here -n skips reverse DNS lookups and -sV scans the 1,000 most common TCP ports on each host, then sends version-detection probes to every port found open. This is the easiest but slowest method, since every address gets a full port scan rather than a single probe. Note that nmap still runs its host discovery phase first and skips any address that fails it; if you want ping-blocking hosts port scanned as well, add -Pn to treat every address as up. Intentionally vulnerable VMs will generally have more open ports than your own attack or desktop machines.
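The two nmap steps above are normally chained: the quick -sn sweep produces a list of live addresses, and only those are fed to the slow -sV scan. The following is an added example, not code from the original article or from the nmap project. It parses nmap's grepable output format (-oG) into a target list, and cross-checks the number of hosts it extracted against the "(N hosts up)" figure nmap prints in its own summary line, so a parsing mistake cannot silently drop targets. The sample output it works on is constructed here for illustration and is not from a real scan; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): turn the grepable output of
# `nmap -sn` into a target list for the slower `nmap -n -sV` step, and
# cross-check the parsed count against nmap's own summary line.

# Constructed sample of `nmap -sn -oG - 192.168.73.1-254` output (NOT a real scan).
# Real output separates the fields with tabs; awk's default field splitting
# treats tabs and spaces alike. nmap only lists "Status: Down" hosts when run
# with -v, so the filter has to cope with both kinds of line.
SAMPLE_GNMAP=$(cat <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -oG - 192.168.73.1-254
Host: 192.168.73.1 ()   Status: Up
Host: 192.168.73.10 (files.example.test)   Status: Up
Host: 192.168.73.23 ()   Status: Down
Host: 192.168.73.101 ()   Status: Up
# Nmap done at Mon Jan  1 12:00:05 2024 -- 254 IP addresses (3 hosts up) scanned in 4.85 seconds
EOF
)

# Read grepable nmap output on stdin; print one IP per line for hosts reported Up.
live_hosts_from_gnmap() {
  awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# Number of live hosts found by live_hosts_from_gnmap (stdin -> integer).
count_live_hosts() {
  live_hosts_from_gnmap | awk 'END { print NR }'
}

# Pull the "(N hosts up)" figure out of nmap's summary line; prints nothing
# if the summary is missing (e.g. the scan was interrupted).
reported_up_count() {
  sed -n 's/.*(\([0-9][0-9]*\) hosts* up).*/\1/p'
}

# Stand-alone demo on the constructed sample.
parsed=$(printf '%s\n' "$SAMPLE_GNMAP" | count_live_hosts)
reported=$(printf '%s\n' "$SAMPLE_GNMAP" | reported_up_count)
printf '%s\n' "$SAMPLE_GNMAP" | live_hosts_from_gnmap > live_hosts.txt
if [ "$parsed" != "$reported" ]; then
  echo "warning: parsed $parsed live hosts but nmap reported $reported" >&2
fi
echo "$parsed live hosts written to live_hosts.txt"

# Against a real network the same functions chain the two scans (not run here):
#   sudo nmap -sn -oG - 192.168.73.1-254 | live_hosts_from_gnmap > live_hosts.txt
#   nmap -n -sV -iL live_hosts.txt
```

Because the discovery sweep is what decides which addresses reach the -sV stage, any host that ignores the -sn probes is missing from live_hosts.txt too; if that matters, run the discovery step with extra -PS/-PA probes or run the second scan with -Pn against the whole range instead of the list.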