
Thread: Finding hosts on subnet using nmap.

  1. #11
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sorry if we were talking at cross-purposes... my bad...

    I think the best way for the future is to run p0f at certain places on the network to capture live machines passively. But that requires pre-planning and precludes consultants and contractors coming in and doing a thorough and accurate auto-discovery of a network.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #12
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    If you are on the same network you can use the arp scan feature and firewall or not, it'll respond... (-sP -PR)

    If not, rather than not sending a ping (-P0), you can use a common list of ports that you would expect to be open/closed and get a decent idea of whether or not the system is up or a firewall is filtering you out... (-PT 23,25,80,135,139,445 for example to do a TCP ping rather than ICMP, i.e., do a -sP -PT 23,25,80,135,139,445 ; which ports used depends heavily on your environment). The theory is explained in the documents for nmap, so I, like others, would highly recommend you read them closely.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #13
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    I've been using nmap for some time to test LANs, including firewalls. A stealth scan (-sS) will often betray hosts that other options won't find. Particularly Windows XP firewalls. Stealth scans still don't find Windows hosts behind a Norton firewall though. I posted some results on this just last week.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #14
    Junior Member
    Join Date
    Mar 2006
    Posts
    11
    In response to manuals,
    The manual on insecure, nmap's main site, is very thorough and has a wealth of information. I'd definitely recommend reading it in its entirety before any other nmap tuts.
    "The Bun is in your mind."

  5. #15

    Re: Finding hosts on subnet using nmap.

    Originally posted here by rogueactivex
    When I'm at a client's network sometimes I have the task of trying to find active hosts within the network. Lately I've been using the ping sweep command for NMAP and saving my results to a file, like so:

    nmap -oN activehosts.txt -vv -sP 192.168.0.0/24

    However the thought occurred to me "what if a client is blocking ICMP pings"? That might be the case, at which point that client PC would be "hidden" from my sweep. So what's the best most efficient way to hunt for active clients on a network, preferably using nmap?
    How large can these networks typically get?
    What type of information needs to be known about the clients?
    How long do you realistically wish to hunt for clients?
    Does it need to be cmd line based?

    On small networks, I typically use this LAN Scanner. Famatech makes a few free utilities that make small tasks extremely simple.
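As an added example (not code from anyone in this thread), a small Python script that pulls the live hosts out of the -oN files rogueactivex is saving and diffs a plain ICMP sweep against a TCP-ping sweep using nebulus200's -PT port list, so the hosts that only turned up because ICMP was blocked stand out. Both sample outputs are constructed, and the script handles the older "Host X appears to be up." line style as well as the newer "Nmap scan report for" style.

```python
import re

# Constructed sample: normal (-oN) output of the ICMP ping sweep from the thread.
ICMP_SWEEP = """\
# Nmap scan initiated as: nmap -oN activehosts.txt -vv -sP 192.168.0.0/24
Host 192.168.0.1 appears to be up.
Host fileserver (192.168.0.10) appears to be up.
Host 192.168.0.25 appears to be down.
# Nmap run completed -- 256 IP addresses (2 hosts up) scanned
"""

# Constructed sample: same subnet swept with a TCP ping (-sP -PT 23,25,80,135,139,445),
# written in the newer report style so the parser is exercised on both.
TCP_PING_SWEEP = """\
Nmap scan report for 192.168.0.1
Host is up (0.0010s latency).
Nmap scan report for fileserver (192.168.0.10)
Host is up (0.0020s latency).
Nmap scan report for 192.168.0.25
Host is up (0.0031s latency).
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
OLD_UP = re.compile(r"^Host (?:\S+ \()?" + IP + r"\)? appears to be up\.")
NEW_REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?" + IP + r"\)?")


def parse_up_hosts(nmap_output):
    """Return the set of IP addresses that nmap -oN output reports as up."""
    up = set()
    current = None  # host named by the last 'Nmap scan report for' line
    for line in nmap_output.splitlines():
        m = OLD_UP.match(line)
        if m:
            up.add(m.group(1))
            continue
        m = NEW_REPORT.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("Host is up") and current:
            up.add(current)
            current = None
    return up


def hidden_from_icmp(icmp_output, tcp_ping_output):
    """Hosts the TCP ping found that the ICMP-only sweep reported down or missed."""
    return parse_up_hosts(tcp_ping_output) - parse_up_hosts(icmp_output)


if __name__ == "__main__":
    for host in sorted(hidden_from_icmp(ICMP_SWEEP, TCP_PING_SWEEP)):
        print("missed by ICMP sweep:", host)
```

On a real engagement, point the two functions at the saved activehosts.txt files from each run instead of the embedded samples.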
