LAN Reconnaissance
By: O'Reilly Media
    2008-11-13


    Table of Contents:
  • LAN Reconnaissance
  • 4.1 Mapping the LAN
  • 4.2 Using ettercap and arpspoof on a Switched Network
  • 4.3 Dealing with Static ARP Tables
  • 4.4 Getting Information from the LAN
  • 4.5 Manipulating Packet Data

    LAN Reconnaissance - 4.1 Mapping the LAN
    ( Page 2 of 6 )

    The first part of reconnaissance is finding hosts on the LAN. Assuming you are on a machine that is connected to the LAN and it has a working network interface, the most direct method is to ping every IP address and see who responds. Unfortunately, not every ping is created equal. The version that ships with Windows is pretty limited and does not support pinging a broadcast address. The ping that comes with most BSD systems sometimes supports pinging an entire subnet and sometimes it does not. The ping that comes with the Linux netkit typically supports the -b option, which allows pinging a broadcast address.

    Since pinging a broadcast address is such an uncertain event, it’s not worth investigating the possibility. Instead, if doing reconnaissance on, for example, a class C-sized network from a Unix system, it’s more productive to use a bash one-liner at the command line:

      [lou@duodenum] x=1; while [ $x -lt "255" ]; do ping -c 1 10.150.9.$x | grep "bytes from" | awk '{print $4 " up"}'; let x++; done

      10.150.9.15: up
      10.150.9.16: up
      10.150.9.22: up
      10.150.9.23: up
      10.150.9.24: up
      10.150.9.45: up
      10.150.9.46: up
      10.150.9.81: up
      10.150.9.82: up
      10.150.9.86: up

    If this takes a long time on your network, you can speed things up by using a shorter timeout. Most Unix versions of ping support the -t (timeout) option. If the LAN is fast, a 300-millisecond timeout should be very safe. (On Linux, iputils ping uses -t for the TTL instead; its per-reply wait is -W, which takes seconds.)

    If you suspect the network is prone to losing packets, use two pings to deal with the possibility of packet loss and then filter the results with sort and uniq. Here is an example of running the same ping-sweep with a 300-millisecond timeout on a fast and lossy network:

      [lou@duodenum] x=<low_ip>; while [ $x -lt "<high_ip>" ]; do ping -t 0.3 -c 2 <network>$x | grep "bytes from" | awk '{print $4 " up"}' | sort | uniq; let x++; done

    This is hardly the optimal way to map out a LAN, but unlike more esoteric tools, you can count on bash, ping, grep, awk, sort, and uniq to be on just about every modern Unix-flavored machine you work with. As complicated as the command looks in print, it is easy to remember the concepts.
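    The same ping-based host discovery, split into functions so that the parsing step can be checked against captured ping output without touching the network. This is an added example, not code from the chapter or from O'Reilly; it assumes iputils ping on Linux or BSD ping elsewhere (the timeout flag differs between the two), and the prefix, range and sample output below are constructed.

```shell
#!/bin/sh
# Added example (not from the original chapter): host discovery with ping,
# with the parsing step separated so it can be tested on captured output.
# Assumptions: iputils ping on Linux (-W wait), BSD ping elsewhere (-t wait).

# Constructed sample: ping -n -c 2 output for two hosts, the second lossy.
SAMPLE_PING_OUTPUT='PING 10.150.9.15 (10.150.9.15) 56(84) bytes of data.
64 bytes from 10.150.9.15: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 10.150.9.15: icmp_seq=2 ttl=64 time=0.398 ms
--- 10.150.9.15 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
PING 10.150.9.16 (10.150.9.16) 56(84) bytes of data.
64 bytes from 10.150.9.16: icmp_seq=2 ttl=128 time=1.20 ms
--- 10.150.9.16 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1002ms'

# hosts_from_ping < ping-output
# Reply lines look like "64 bytes from 10.150.9.15: icmp_seq=1 ...", so the
# address is field 4 (ping must run with -n, otherwise field 4 is a hostname).
# The trailing colon is stripped and duplicate replies (from -c 2 on a lossy
# link) collapse to one line via sort -u, giving "ADDRESS: up" per host.
hosts_from_ping() {
    awk '/bytes from/ { sub(/:$/, "", $4); print $4 ": up" }' | sort -u
}

# ping_timeout_flag: per-reply wait of one second in the local ping dialect.
ping_timeout_flag() {
    case "$(uname -s)" in
        Linux) printf '%s' '-W 1' ;;
        *)     printf '%s' '-t 1' ;;
    esac
}

# sweep_lan PREFIX [FIRST] [LAST], e.g. sweep_lan 10.150.9 1 254
# Sends two echo requests per address and prints the deduplicated up-list.
sweep_lan() {
    prefix="$1"; first="${2:-1}"; last="${3:-254}"
    flag="$(ping_timeout_flag)"
    x="$first"
    while [ "$x" -le "$last" ]; do
        # $flag is deliberately unquoted so "-W 1" splits into two arguments
        ping -n -c 2 $flag "$prefix.$x" 2>/dev/null
        x=$((x + 1))
    done | hosts_from_ping
}

# Entry point: "--sweep PREFIX [FIRST] [LAST]" runs a real sweep; with no
# arguments the parser is exercised on the constructed sample only.
if [ "${1:-}" = "--sweep" ]; then
    sweep_lan "$2" "$3" "$4"
else
    printf '%s\n' "$SAMPLE_PING_OUTPUT" | hosts_from_ping
fi
```

Run without arguments to see the parser turn the sample into two "up" lines; `./sweep.sh --sweep 10.150.9 1 254` performs the sweep against a segment you administer. Keeping the parser in its own function is what makes the lossy-link case (one reply out of two) easy to verify.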

    On a Microsoft Windows machine, things are a bit different. Again, even though it is not the optimal way of doing a ping-sweep, it is pretty easy to perform in a CMD window to see what hosts are available:

      C:\Documents and Settings\lou> for /L %H in (1,1,254) DO ping -w 30 -n 1 10.150.9.%H | find "Reply" >> hostlist.txt

      C:\Documents and Settings\lou> more hostlist.txt

      Reply from 10.150.9.81: bytes=32 time<1ms TTL=128
      Reply from 10.150.9.82: bytes=32 time<1ms TTL=64
      Reply from 10.150.9.86: bytes=32 time<1ms TTL=64

    For a smaller LAN, or if you are working with a smaller subnet of a large LAN, this works pretty well to give you an idea of which hosts are up and responding to ICMP. Note that for addresses that never answer ARP, Windows prints "Reply from <your own address>: Destination host unreachable.", and those lines pass the find "Reply" filter too; filtering on find "TTL=" instead keeps only genuine echo replies. Inside a batch file the loop variable is written %%H rather than %H.

    One big problem with using these one-liners is that you will get noticed. Sending a lot of ICMP messages to every host in sequential order is very noisy and exactly the kind of behavior a decent IDS detects. This method also assumes that your machine is already connected to the LAN with correct TCP/IP settings, and that all the machines you are trying to map respond to ICMP Echo Request packets. (Plenty of boxes are running host-based firewalls these days, and it is entirely conceivable that someone has disabled ICMP replies in their security policy.)
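    What "getting noticed" looks like from the defender's side: a sweep like the ones above leaves one source sending echo requests to many distinct addresses, usually in ascending order. The following is an added example, not from the chapter, that flags that pattern in firewall logs with awk. The log lines are constructed in the style of iptables LOG output (SRC=, DST=, PROTO=ICMP, TYPE=8 is an echo request); the field names are an assumption about your logging format.

```shell
#!/bin/sh
# Added example, not part of the original chapter: spot an ICMP echo sweep in
# firewall logs. SAMPLE_LOG is constructed, iptables-LOG style. One scanner
# (10.150.9.200) walks .1 through .12; 10.150.9.15 pings the gateway twice;
# an echo reply (TYPE=0) and a TCP line are present and must be ignored.
SAMPLE_LOG='Nov 13 10:00:01 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.1 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:01 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.2 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:01 fw kernel: IN=eth0 SRC=10.150.9.1 DST=10.150.9.200 PROTO=ICMP TYPE=0 CODE=0
Nov 13 10:00:01 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.3 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:01 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.4 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:01 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.5 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:01 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.6 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:02 fw kernel: IN=eth0 SRC=10.150.9.15 DST=10.150.9.1 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:02 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.7 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:02 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.8 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:02 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.9 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:02 fw kernel: IN=eth0 SRC=10.150.9.15 DST=10.150.9.1 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:02 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.10 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:02 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.11 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:03 fw kernel: IN=eth0 SRC=10.150.9.200 DST=10.150.9.12 PROTO=ICMP TYPE=8 CODE=0
Nov 13 10:00:03 fw kernel: IN=eth0 SRC=10.150.9.15 DST=10.150.9.1 PROTO=TCP SPT=40000 DPT=80'

# detect_icmp_sweep THRESHOLD < logfile
# Prints "SOURCE DISTINCT_TARGETS SEQUENTIAL_STEPS" for every source that sent
# echo requests to at least THRESHOLD distinct destinations. Retries to the
# same destination count once; SEQUENTIAL_STEPS counts how often the last
# octet was exactly one higher than the previous new target, which is the
# signature of the sequential one-liners above.
detect_icmp_sweep() {
    threshold="${1:-10}"
    awk -v th="$threshold" '
    {
        src = ""; dst = ""; icmp = 0; echoreq = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "PROTO=ICMP")    icmp = 1
            else if ($i == "TYPE=8")   echoreq = 1
            else if ($i ~ /^SRC=/)     src = substr($i, 5)
            else if ($i ~ /^DST=/)     dst = substr($i, 5)
        }
        if (!icmp || !echoreq || src == "" || dst == "") next
        if (!seen[src, dst]++) {            # first time this pair is seen
            targets[src]++
            n = split(dst, o, ".")
            if (n == 4) {
                if ((src in last) && o[4] + 0 == last[src] + 1) sequential[src]++
                last[src] = o[4] + 0
            }
        }
    }
    END {
        for (s in targets)
            if (targets[s] >= th) print s, targets[s], sequential[s] + 0
    }' | sort
}

# With the default threshold only the scanner is reported: "10.150.9.200 12 11"
printf '%s\n' "$SAMPLE_LOG" | detect_icmp_sweep 10
```

Feed a real log with `detect_icmp_sweep 10 < /var/log/kern.log` (path is an assumption). A dozen distinct targets with eleven consecutive steps from one source is the fingerprint of a scripted sweep, while the host that pinged its gateway three times scores one target and zero steps and is only listed when the threshold drops to 1.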

    There are other ways to find out who and what is on a LAN. Most of the methods illustrated in the following sections revolve around investigating the Layer 2 (a.k.a. the Link Layer) aspects of a LAN.

    Although there are Windows versions of the tools covered here, the functionality of the Win32 versions may be limited. It is better to acquire a version of Linux running on a laptop so you can get the most functionality out of these programs. I am a big fan of the Knoppix Security Tools Distribution Live CD. This CD-ROM allows you to boot into a complete Linux environment without having to install anything permanently to your hard drive. Unfortunately, as I write this, the current version of Knoppix-STD runs the older 0.6.b version of ettercap, whereas the examples in this chapter use version 0.7.3.

    I do not have any formal connection to the Knoppix-STD project—or to any of the tools I cover here for that matter. I just like the whole security package provided on one disc.

    © 2003-2009 by Developer Shed. All rights reserved. DS Cluster 4 Hosted by Hostway