Nmap 6:Network exploration and security auditing Cookbook

Discovering hosts using broadcast pings

Broadcast pings send ICMP echo requests to the local broadcast address, and even if they do not work all the time, they are a nice way of discovering hosts in a network without sending probes to the other hosts.

This recipe describes how to discover new hosts with a broadcast ping using Nmap NSE.

How to do it...

Open your terminal and type the following command:

# nmap --script broadcast-ping 

You should see the list of hosts that responded to the broadcast ping:

Pre-scan script results: 
| broadcast-ping: 
| IP: 192.168.1.105 MAC: 08:00:27:16:4f:71 
| IP: 192.168.1.106 MAC: 40:25:c2:3f:c7:24 
|_ Use --script-args=newtargets to add the results as targets 
WARNING: No targets were specified, so 0 hosts scanned. 
Nmap done: 0 IP addresses (0 hosts up) scanned in 3.25 seconds 

How it works...

A broadcast ping works by sending an ICMP echo request to the local broadcast address 255.255.255.255, and then waiting for hosts to reply with an ICMP echo reply. It produces output similar to the following:

# nmap --script broadcast-ping --packet-trace 
NSOCK (0.1000s) PCAP requested on device 'wlan2' with berkeley filter 'dst host 192.168.1.102 and icmp[icmptype]==icmp-echoreply' (promisc=0 snaplen=104 to_ms=200) (IOD #1) 
NSOCK (0.1000s) PCAP created successfully on device 'wlan2' (pcap_desc=4 bsd_hack=0 to_valid=1 l3_offset=14) (IOD #1) 
NSOCK (0.1000s) Pcap read request from IOD #1 EID 13 
NSOCK (0.1820s) Callback: READ-PCAP SUCCESS for EID 13 
NSOCK (0.1820s) Pcap read request from IOD #1 EID 21 
NSOCK (0.1850s) Callback: READ-PCAP SUCCESS for EID 21 
NSOCK (0.1850s) Pcap read request from IOD #1 EID 29 
NSOCK (3.1850s) Callback: READ-PCAP TIMEOUT for EID 29 
NSE: > | CLOSE 
Pre-scan script results: 
| broadcast-ping: 
| IP: 192.168.1.105 MAC: 08:00:27:16:4f:71 
| IP: 192.168.1.106 MAC: 40:25:c2:3f:c7:24 
|_ Use --script-args=newtargets to add the results as targets 
WARNING: No targets were specified, so 0 hosts scanned. 
Nmap done: 0 IP addresses (0 hosts up) scanned in 3.27 seconds 

There's more...

To increase the number of ICMP echo requests, use the script argument broadcast-ping.num_probes:

# nmap --script broadcast-ping --script-args broadcast-ping.num_probes=5

When scanning large networks, it might be useful to increase the timeout limit by using --script-args broadcast-ping.timeout=<time in ms>, to avoid missing hosts with high latency.

# nmap --script broadcast-ping --script-args broadcast-ping.timeout=10000

You can specify the network interface by using broadcast-ping.interface. If you don't specify an interface, broadcast-ping will send probes using all of the interfaces with an IPv4 address.

# nmap --script broadcast-ping --script-args broadcast-ping.interface=wlan3

Target library

The argument --script-args=newtargets forces Nmap to use these newly found hosts as targets:

# nmap --script broadcast-ping --script-args newtargets 
Pre-scan script results: 
| broadcast-ping: 
| IP: 192.168.1.105 MAC: 08:00:27:16:4f:71 
|_ IP: 192.168.1.106 MAC: 40:25:c2:3f:c7:24 
Nmap scan report for 192.168.1.105 
Host is up (0.00022s latency). 
Not shown: 997 closed ports 
PORT STATE SERVICE 
22/tcp open ssh 
80/tcp open http 
111/tcp open rpcbind 
MAC Address: 08:00:27:16:4F:71 (Cadmus Computer Systems) 

Nmap scan report for 192.168.1.106 
Host is up (0.49s latency). 
Not shown: 999 closed ports 
PORT STATE SERVICE 
80/tcp open http 
MAC Address: 40:25:C2:3F:C7:24 (Intel Corporate) 

Nmap done: 2 IP addresses (2 hosts up) scanned in 7.25 seconds 

Note that we did not specify a target, but the newtargets argument still added the IPs 192.168.1.106 and 192.168.1.105 to the scanning queue.

The argument max-newtargets sets the maximum number of hosts to be added to the scanning queue:

# nmap --script broadcast-ping --script-args max-newtargets=3

See also

  • The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
  • The Discovering hosts with TCP SYN ping scans recipe
  • The Discovering hosts with TCP ACK ping scans recipe
  • The Discovering hosts with UDP ping scans recipe
  • The Discovering hosts with ICMP ping scans recipe
  • The Discovering hosts with IP protocol ping scans recipe
  • The Discovering hosts with ARP ping scans recipe
  • The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information