Command overview
└─$ man -k netdiscover
netdiscover (8) - active/passive ARP reconnaissance tool
Command in practice
└─$ sudo netdiscover
Currently scanning: 192.168.3.0/16 | Screen View: Unique Hosts
65 Captured ARP Req/Rep packets, from 34 hosts. Total size: 3900
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.5.207.54 00:03:1a:0c:1f:36 3 180 Beijing Broad Telecom Ltd., China
10.5.207.40 00:04:16:0f:25:2d 2 120 Parks S/A Comunicacoes Digitais
10.1.208.41 22:59:37:33:e5:2a 3 180 Unknown vendor
10.1.208.13 22:59:37:33:d3:fb 3 180 Unknown vendor
10.5.100.124 00:50:56:b1:62:a6 3 180 VMware, Inc.
10.1.208.52 f6:69:3b:ae:09:48 1 60 Unknown vendor
10.1.208.24 22:59:37:33:e5:0c 3 180 Unknown vendor
10.1.208.21 22:59:37:33:db:cf 2 120 Unknown vendor
10.5.200.107 00:50:cc:7b:a7:84 1 60 Seagate Cloud Systems Inc
10.1.208.22 22:59:37:33:db:9a 3 180 Unknown vendor
10.1.208.31 22:59:37:33:dd:0f 1 60 Unknown vendor
10.5.207.44 00:03:1a:10:25:07 3 180 Beijing Broad Telecom Ltd., China
10.1.208.14 22:59:37:33:d3:b1 2 120 Unknown vendor
10.5.207.31 00:0e:c6:59:48:5d 1 60 ASIX ELECTRONICS CORP.
10.5.207.37 00:03:1a:12:22:31 3 180 Beijing Broad Telecom Ltd., China
10.1.208.33 22:59:37:33:d6:a5 2 120 Unknown vendor
Command help
└─$ man netdiscover >a.txt
┌──(libit㉿kali)-[~]
└─$ cat a.txt
netdiscover(8) active/passive ARP reconnaissance tool netdiscover(8)
NAME
netdiscover - active/passive ARP reconnaissance tool
SYNOPSIS
netdiscover [-i device] [-r range | -l file | -p] [-m file] [-F filter]
[-s time] [-c count] [-n node] [-dfPLNS]
DESCRIPTION
netdiscover is an active/passive ARP reconnaissance tool, initially developed to
gain information about wireless networks without DHCP servers in wardriving
scenarios. It can also be used on switched networks. Built on top of libnet and
libpcap, it can passively detect online hosts or search for them by sending ARP
requests.
Furthermore, it can be used to inspect your network's ARP traffic, or find
network addresses using auto scan mode, which will scan for common local networks.
OPTIONS
-i device
The network interface to sniff and inject packets. If no interface is
specified, first available will be used.
-r range
Scan a given range instead of auto scan. Valid range values are for
example: 192.168.0.0/24, 192.168.0.0/16 or 192.168.0.0/8. Currently,
acceptable ranges are /8, /16 and /24 only.
-l file
Scan ranges contained on the given file. It must contain only one range
per line.
-p Enable passive mode. In passive mode, netdiscover does not send anything,
but does only sniff.
-m file
Scan a list of known MACs and host names.
-F filter
Customize pcap filter expression (default: "arp").
-s time
Sleep given time in milliseconds between each ARP request injection.
(default 1)
-c count
Number of times to send each ARP request. Useful for networks with packet
loss, so it will scan given times for each host. (default 1)
-n node
Last IP octet of the source IP used for scanning. You can change it if
the default host (x.x.x.67) is already used. (allowed range is 2 to 253,
default 67)
-d Ignore configuration files at home dir (for autoscan and fast mode only).
This will use default ranges and IPs for autoscan and fast mode. See
below for information about configuration files.
-f Enable fast mode scan. This will only scan for .1, .100 and .254 on each
network. This mode is useful while searching for ranges being used. After
you found such range you can make a specific range scan to find online
boxes.
-P Produces an output suitable to be redirected into a file or to be parsed
by another program, instead of using interactive mode. Enabling this
option, netdiscover will stop after scanning given ranges.
-L Similar to -P but continue program execution to capture ARP packets
passively after the active scan phase.
-N Do not print header. Only valid when -P or -L is enabled.
-S (DEPRECATED) Enable sleep time suppression between each request. If set,
netdiscover will sleep after having scanned 255 hosts instead of sleeping
after each one. This mode was used in netdiscover 0.3 beta4 and before.
Avoid this option in networks with packet loss, or in wireless networks
with low signal level. (also called hardcore mode)
USAGE
If passive mode (-p), scan list (-l) or scan range (-r) options aren't enabled,
netdiscover will scan for common LAN addresses (192.168.0.0/16, 172.16.0.0/12
and 10.0.0.0/8).
Screen control keys:
h Show help screen.
j Scroll down (or down arrow).
k Scroll up (or up arrow).
. Scroll page up.
, Scroll page down.
q Close help screen or end application.
Screen views:
a Show ARP replies list.
r Show ARP requests list.
u Show unique hosts detected.
CONFIG FILES
There are 2 configuration files that netdiscover will look for, each time it is
executed. If files don't exist, netdiscover will use default values. You can
use the -d switch to disable reading and loading configuration files.
~/.netdiscover/ranges
This file contains a list of ranges (one per line) used for auto scan
mode instead of default ranges. By default netdiscover will use a list of
common ranges used on local networks.
Example:
192.168.21.0/24
172.26.0.0/16
10.0.0.0/8
~/.netdiscover/fastips
List containing the last octet of the IPs to be scanned on each subnet,
when using fast mode (-f), by default (1,100,154). You must put a number
per line.
USAGE EXAMPLES
Scan common LAN addresses on eth0:
# netdiscover -i eth0
Fast scan common LAN addresses on eth0 (search only for gateways):
# netdiscover -i eth0 -f
Scan some fixed ranges:
# netdiscover -i eth0 -r 172.26.0.0/24
# netdiscover -r 192.168.0.0/16
# netdiscover -r 10.0.0.0/8
Scan common LAN addresses with sleep time 0.5 milliseconds instead of default 1:
# netdiscover -s 0.5
Scan fixed range on fast mode with sleep time 0.5 milliseconds instead of
default 1:
# netdiscover -r 192.168.0.0/16 -f -s 0.5
Scan a range using 101 as last octet for SOURCE IP
# netdiscover -r 10.1.0.0/16 -n 101
Only sniff for ARP traffic, don't send nothing:
# netdiscover -p
AUTHOR
netdiscover was written by Jaime Penalba Estebanez <jpenalbae@gmail.com>.
This manual page was originally written by Nicolas Weyland, for the Debian
project. This man page has been merged into netdiscover project and modified
from the original by Jaime Penalba and Joao Eriberto Mota Filho.
netdiscover-0.8.1 01 Nov 2021 netdiscover(8)
Common usage
sudo netdiscover
If the machine has several network interfaces, you can specify a particular one. If none is specified, the first one is used by default.
┌──(libit㉿kali)-[~]
└─$ nmcli connection show
NAME UUID TYPE DEVICE
eth0 9a204893-b8ae-46e4-9962-1053aa2a43a4 ethernet eth0
┌──(libit㉿kali)-[~]
└─$ sudo netdiscover -i eth0
You can scan a specified subnet.
┌──(libit㉿kali)-[~]
└─$ sudo netdiscover -r 192.168.240.1/24
Use passive mode, which only listens and does not actively scan.
┌──(libit㉿kali)-[~]
└─$ sudo netdiscover -p
Save the scan results to a file; once the scan of the given ranges finishes, the program exits. The output has to be redirected into a file.
┌──(libit㉿kali)-[~]
└─$ sudo netdiscover -P >a1.txt
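The -P output saved above (and the Unique Hosts table shown earlier) has a fixed column layout, which makes it easy to feed into a script. The following is an added example, not code from the original post or from the netdiscover project: it parses that table into host records, then checks them against a hypothetical asset inventory (MAC to expected IP), reporting MACs that are not in the inventory, known MACs that moved to a different IP, and IPs answered by more than one MAC (a duplicate address or an ARP spoofing indicator). The sample output is constructed to match the netdiscover table format; the MAC/IP pairs in it and in the inventory are assumptions for the demonstration.

```python
"""Parse `netdiscover -P` output and check it against an asset inventory.

Added example, not part of the original post or of netdiscover itself.
SAMPLE_OUTPUT is constructed in the layout netdiscover prints; KNOWN_HOSTS
is a hypothetical inventory.
"""
import re
from collections import defaultdict

# One table row: IP, MAC, packet count, total bytes, vendor/hostname.
ROW_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<count>\d+)\s+(?P<len>\d+)\s+(?P<vendor>.*?)\s*$",
    re.IGNORECASE,
)

# Constructed sample, as if produced by `sudo netdiscover -P -r 10.1.208.0/24 > a1.txt`.
SAMPLE_OUTPUT = """\
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.208.1      22:59:37:33:e5:2a      3     180  Unknown vendor
 10.1.208.13     22:59:37:33:d3:fb      3     180  Unknown vendor
 10.1.208.52     f6:69:3b:ae:09:48      1      60  Unknown vendor
 10.1.208.1      f6:69:3b:ae:09:48      2     120  Unknown vendor

-- Active scan completed, 4 Hosts found.
"""

# Hypothetical inventory: MAC -> IP it is expected to hold.
KNOWN_HOSTS = {
    "22:59:37:33:e5:2a": "10.1.208.1",
    "22:59:37:33:d3:fb": "10.1.208.13",
}


def parse_netdiscover(text):
    """Return one dict per host row; header, separator and footer lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        hosts.append({
            "ip": m["ip"],
            "mac": m["mac"].lower(),
            "count": int(m["count"]),
            "len": int(m["len"]),
            "vendor": m["vendor"],
        })
    return hosts


def audit(hosts, known):
    """Return (finding, ip, detail) tuples for hosts that deviate from the inventory."""
    findings = []
    macs_per_ip = defaultdict(set)
    for h in hosts:
        macs_per_ip[h["ip"]].add(h["mac"])
        if h["mac"] not in known:
            findings.append(("unknown-mac", h["ip"], h["mac"]))
        elif known[h["mac"]] != h["ip"]:
            findings.append(("ip-changed", h["ip"], h["mac"]))
    for ip, macs in macs_per_ip.items():
        if len(macs) > 1:
            # Two MACs answering for one IP: duplicate address or ARP spoofing.
            findings.append(("ip-conflict", ip, ",".join(sorted(macs))))
    return findings


if __name__ == "__main__":
    rows = parse_netdiscover(SAMPLE_OUTPUT)
    for finding in audit(rows, KNOWN_HOSTS):
        print(*finding)
```

To run it against a real capture, replace SAMPLE_OUTPUT with the contents of the file written by `sudo netdiscover -P > a1.txt`; the same regex also matches the rows of the interactive Unique Hosts screen, so a pasted screen capture works too.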