Home arrow Security arrow Page 2 - LAN Reconnaissance

4.1 Mapping the LAN - Security

If you're trying to keep your LAN secure, sometimes it helps to think like a cracker. This article shows you how to scout out a LAN, and how malicious hackers get around security. It is excerpted from chapter four of Security Power Tools, written by Bryan Burns et. al. (O'Reilly, 2007; ISBN: 0596009631). Copyright 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

  1. LAN Reconnaissance
  2. 4.1 Mapping the LAN
  3. 4.2 Using ettercap and arpspoof on a Switched Network
  4. 4.3 Dealing with Static ARP Tables
  5. 4.4 Getting Information from the LAN
  6. 4.5 Manipulating Packet Data
By: O'Reilly Media
Rating: starstarstarstarstar / 5
November 13, 2008

print this article



The first part of reconnaissance is finding hosts on the LAN. Assuming you are on a machine that is connected to the LAN and it has a working network interface, the most direct method is to ping every IP address and see who responds. Unfortunately, not every ping is created equal. The version that ships with Windows is pretty limited and does not support pinging a broadcast address. The ping that comes with most BSD systems sometimes supports pinging an entire subnet and sometimes it does not. The ping that comes with the Linux netkit typically supports the boption, which allows pinging a broadcast address.

Since pinging a broadcast address is such an uncertain event, its not worth even investigating the possibility. Instead, if doing reconnaissance on, for example, a class C-sized network from a Unix system, its more productive to do a bash one-liner at the command line:

  [lou@duodenum] x=1; while [ $x lt "255" ]; do ping c 1 10.150.9.$x | grep "bytes
  from" | awk '{print $4 " up"}'; let x++; done up up up up up up up up up up

If this takes a long time on your network, you can speed things up by using a shorter timeout. Most Unix versions of ping support thet(timeout) option. If the LAN is fast, a 300-millisecond timeout should be very safe.

If you suspect the network is prone to losing packets, use two pings to deal with the possibility of packet loss and then filter the results with sort and uniq. Here is an example of running the same ping-sweep with a 300-millisecond timeout on a fast and lossy network:

  [lou@duodenum] x=<low_ip>; while [ $x lt "<high_ip>" ]; do ping t 0.3 c 2
  <network>$x | grep "bytes from" | awk '{print $4 " up"}' | sort | uniq; let x++;

This is hardly the optimal way to map out a LAN, but unlike more esoteric tools, you can count on bash, ping, grep, awk, sort, and uniq to be on just about every modern Unix-flavored machine you work with. As complicated as the command looks in print, it is easy to remember the concepts.

On a Microsoft Windows machine, things are a bit different. Again, even though it is not the optimal way of doing a ping-sweep, it is pretty easy to perform in a CMD window to see what hosts are available:

  C:\Documents and Settings\lou> for /L %H in (1,1,254) DO ping w 30 n1 10.150.9.%H |
  find "Reply" >> hostlist.txt

  C:\Documents and Settings\lou> more hostlist.txt
Reply from bytes=32 time<1ms TTL=128
  Reply from bytes=32 time<1ms TTL=64
  Reply from bytes=32 time<1ms TTL=64

For a smaller LAN, or if you are working with a smaller subnet of a large LAN, this works pretty well to give you an idea of what hosts are up and responding to ICMP.

One big problem with using these one liners is that you will get noticed. Sending a lot of ICMP messages to every host in sequential order is very noisy and exactly the kind of behavior a decent IDS system detects. Also, this method assumes that your machine is already connected to the LAN with correct TCP/IP settings. It also assumes that all the machines you are trying to map are responding to ICMP Echo packets. (Plenty of boxes are running host-based firewalls these days, and it is entirely conceivable that someone has disabled ICMP replies in their security policy.)

There are other ways to find out who and what is on a LAN. Most of the methods illustrated in the following sections revolve around investigating the Layer 2 (a.k.a. the Link Layer) aspects of a LAN.

Although there are Windows versions of the tools covered here, the functionality of the Win32 versions may be limited. It is better to acquire a version of Linux running on a laptop so you can get the most functionality out of these programs. I am a big fan of the Knoppix Security Tools Distribution Live CD. This CD-ROM allows you to boot into a complete Linux environment without having to install anything permanently to your hard drive. Unfortunately, as I write this, the current version of Knoppix-STD runs the older 0.6.b version of ettercap, whereas the examples in this chapter use version 0.7.3.

I do not have any formal connection to the Knoppix-STD projector to any of the tools I cover here for that matter. I just like the whole security package provided on one disc.

>>> More Security Articles          >>> More By O'Reilly Media

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- Whats behind the curtain? Part II

Developer Shed Affiliates


Dev Shed Tutorial Topics: