How to list hosts on the current network without knowing the subnet in advance?

The following 2 questions have been useful for finding hosts on a target network:

- http://superuser.com/q/311019/45927
- http://security.stackexchange.com/q/36198/35859

However, answers in both questions assume I know the network address and mask (subnet, I guess?) in advance (192.168.0.0/24, 172.18.72.0/24, etc).

How can I find hosts on any/all connected networks without specifying the subnet in advance? I know I can list the network devices using ip address show (Arch Linux), ifconfig (*nix, OS X), or ipconfig (Windows) depending on the operating system.

Furthermore, is there a reliable way to do it across operating systems? From Linux to OS X to Windows?

Ehtesh Choudhury

Posted 2013-12-18T02:18:19.810

Reputation: 1 330

You listed all the tools you need already. ifconfig/ipconfig would be the way to get the IP/subnet mask across all networks, and you can filter it down with batch/bash, but you'd likely need something like python or perl to manage the return strings and run them through nmap. The basic answer is to use a scripting language. – MaQleod – 2013-12-18T03:06:01.363

Drat, I was hoping to take the easy way out and find an already finished implementation. I also didn't think it was normal for parsing ifconfig/ipconfig input. I was hoping to drive something like netsh on Windows. – Ehtesh Choudhury – 2013-12-18T03:17:02.093

Answers

For a cross-platform solution that will work on any system that Nmap works on, use Nmap's --iflist argument:

./nmap --iflist

Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-12-18 04:55 UTC
************************INTERFACES************************
DEV     (SHORT)   IP/MASK                TYPE     UP   MTU   MAC
eth0    (eth0)    192.0.2.5/24           ethernet up   1500  F2:3C:DE:AD:BE:B8
eth0    (eth0)    2001:db8::dead:beef/64 ethernet up   1500  F2:3C:91:AE:FC:B8
eth0    (eth0)    fe80::dead:beef/64     ethernet up   1500  F2:3C:91:AE:FC:B8
lo      (lo)      127.0.0.1/8            loopback up   65536
lo      (lo)      ::1/128                loopback up   65536

**************************ROUTES**************************
DST/MASK                DEV  METRIC GATEWAY
192.0.2.0/24            eth0 0
0.0.0.0/0               eth0 100    192.0.2.1
::1/128                 lo   0
2001:db8::dead:beef/128 lo   0
fe80::dead:beef/128     lo   0
2001:db8::/64           eth0 256
fe80::/64               eth0 256
ff00::/8                eth0 256
::/0                    eth0 1024   fe80::1

At this point, it becomes a matter of parsing out the info you want. Probably you are looking for something under ROUTES, but be sure you don't scan localhost!

bonsaiviking

Posted 2013-12-18T02:18:19.810

Reputation: 1 563

--iflist is cool, I didn't notice that option. – Ehtesh Choudhury – 2013-12-18T17:35:22.287
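An added example, not part of the original answer: a Python 3 script that does the parsing step the answer leaves to the reader. It reads the INTERFACES and ROUTES tables printed by nmap --iflist, keeps only routes that are directly attached (no GATEWAY column), are not on a loopback interface and are not the default, link-local, multicast or single-host entries, and prints the nmap command that would sweep the remaining networks. The sample output is the one shown in the answer above, embedded so the script runs offline; when nmap is on PATH it runs nmap --iflist itself. Function names (parse_iflist, local_targets, nmap_command) are my own, not Nmap's.

```python
import ipaddress
import subprocess

# Constructed sample: the `nmap --iflist` output quoted in the answer above,
# used when nmap is not installed so the script can be run offline.
SAMPLE_IFLIST = """\
Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-12-18 04:55 UTC
************************INTERFACES************************
DEV     (SHORT)   IP/MASK                TYPE     UP   MTU   MAC
eth0    (eth0)    192.0.2.5/24           ethernet up   1500  F2:3C:DE:AD:BE:B8
eth0    (eth0)    2001:db8::dead:beef/64 ethernet up   1500  F2:3C:91:AE:FC:B8
eth0    (eth0)    fe80::dead:beef/64     ethernet up   1500  F2:3C:91:AE:FC:B8
lo      (lo)      127.0.0.1/8            loopback up   65536
lo      (lo)      ::1/128                loopback up   65536

**************************ROUTES**************************
DST/MASK                DEV  METRIC GATEWAY
192.0.2.0/24            eth0 0
0.0.0.0/0               eth0 100    192.0.2.1
::1/128                 lo   0
2001:db8::dead:beef/128 lo   0
fe80::dead:beef/128     lo   0
2001:db8::/64           eth0 256
fe80::/64               eth0 256
ff00::/8                eth0 256
::/0                    eth0 1024   fe80::1
"""


def parse_iflist(text):
    """Parse `nmap --iflist` output into (interfaces, routes).

    Each interface is {"dev", "addr" (ip_interface), "type", "up"}; each route
    is {"dst" (ip_network), "dev", "metric", "gateway" (str or None)}.
    Extra trailing columns (MAC, Windows' WINDEVICE) are ignored.
    """
    interfaces, routes = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("*"):  # banner line names the table that follows
            section = "if" if "INTERFACES" in line else "rt" if "ROUTES" in line else None
            continue
        cols = line.split()
        if section == "if" and cols[0] != "DEV":
            dev, _short, cidr, typ, up = cols[:5]
            interfaces.append({"dev": dev, "addr": ipaddress.ip_interface(cidr),
                               "type": typ, "up": up == "up"})
        elif section == "rt" and cols[0] != "DST/MASK":
            dst, dev, metric = cols[:3]
            gateway = cols[3] if len(cols) > 3 else None  # absent => directly attached
            routes.append({"dst": ipaddress.ip_network(dst, strict=False), "dev": dev,
                           "metric": int(metric), "gateway": gateway})
    return interfaces, routes


def local_targets(interfaces, routes, version=4):
    """Return sorted CIDR strings for directly attached networks worth sweeping.

    Drops routes via a gateway (not on-link), anything on a loopback interface,
    and the default, loopback, link-local, multicast and single-host entries.
    """
    loopback_devs = {i["dev"] for i in interfaces if i["type"] == "loopback"}
    nets = set()
    for r in routes:
        net = r["dst"]
        if net.version != version or r["gateway"] is not None:
            continue
        if r["dev"] in loopback_devs or net.is_loopback or net.is_link_local or net.is_multicast:
            continue
        if net.prefixlen == 0 or net.prefixlen == net.max_prefixlen:
            continue  # default route or host route to one of our own addresses
        nets.add(net)
    return sorted(str(n) for n in nets)


def nmap_command(targets, version=4, extra=("-sn",)):
    """Build the argv for an nmap host-discovery sweep of the given targets."""
    cmd = ["nmap", *extra]
    if version == 6:
        cmd.append("-6")
    return cmd + list(targets)


def get_iflist_text():
    """Run `nmap --iflist` if nmap is available; otherwise use the embedded sample."""
    try:
        return subprocess.run(["nmap", "--iflist"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_IFLIST


if __name__ == "__main__":
    ifs, rts = parse_iflist(get_iflist_text())
    for ver in (4, 6):
        targets = local_targets(ifs, rts, ver)
        if targets:
            print(" ".join(nmap_command(targets, ver)))
```

On the sample above this prints `nmap -sn 192.0.2.0/24` and `nmap -sn -6 2001:db8::/64`. The script only prints the command rather than running it on purpose: an IPv6 /64 is far too large to sweep address by address, so the IPv6 line is a starting point for techniques such as multicast or neighbour-cache discovery, not something to feed straight to nmap. On a host with several interfaces (VPN, Docker bridge, second NIC) you will get one target per attached network, which is exactly the "any/all connected networks" the question asks for.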