1. Overview
Scanning IP addresses help us to identify accessible hosts on our network. Scanning the network also helps to maintain good network health and prevent unauthorized users from wasting valuable bandwidth or spying.
In this tutorial, we’ll see three approaches to scanning a LAN to get a list of all IP addresses on a LAN.
2. Subnet
Before we can scan the network, we need to determine the subnet. Subnetting is the process of dividing a large network into smaller networks, known as subnets. A subnet is a network fragment.
2.1. Linux
We use the ifconfig command in Linux:
$ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:0c:29:6f:57:2b txqueuelen 1000 (Ethernet)
RX packets 4116 bytes 256877 (250.8 KiB)
RX errors 4 dropped 0 overruns 0 frame 0
TX packets 162354 bytes 6822026 (6.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0x2000
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.136 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fe6f:5735 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:6f:57:35 txqueuelen 1000 (Ethernet)
RX packets 4944 bytes 411961 (402.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6899 bytes 417025 (407.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16 base 0x2080
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 256 bytes 17984 (17.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 256 bytes 17984 (17.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
On our machine, the network adapter that is connected to the Wi-Fi network is the eth1 adapter.
The output on the eth1 shows us the IP address that has been assigned to our machine, the netmask, and the broadcast IP address on the network. Since we know the netmask, we can then calculate that our subnet is 192.168.1.0/24.
Let’s now find the active IP addresses on our network.
3. Using netdiscover
netdiscover is a network scanning tool that is preinstalled in Kali Linux. It is used to get the IP address and MAC address of live hosts on a network:
$ netdiscover -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 2 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.1 00:50:56:c0:00:01 2 120 VMware, Inc.
192.168.1.254 00:50:56:f6:62:49 2 120 VMware, Inc.
The -r option means range. In this case, we are scanning the whole network for live hosts.
We use netdiscover in both active and passive mode. In active mode, it sends requests to network hosts to get information, while in passive mode, it is silent. It doesn’t send data. It only sniffs the network for ARP requests.
4. Using nmap
nmap is short for Network Mapper. It is a free and open-source software for network discovery and security auditing. Using nmap, we can get a list of all active IP addresses on our LAN. This tool is able to run on Windows, Linux, and macOS:
$ nmap -sP --unprivileged 192.168.1.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2022-06-19 20:47 CAT
Nmap scan report for 192.168.1.1
Host is up (0.079s latency).
Nmap scan report for DESKTOP-17PF619 (192.168.1.198)
Host is up (0.0013s latency).
Nmap scan report for 192.168.1.255
Host is up (0.0025s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 9.93 seconds
The commands only list the IP addresses of active IP addresses without the ports. The –unprivileged option means we are not able to create raw packets. Hence, we are using the TCP connect scan technique. This method is slow relative to a privileged user.
5. Using Angry IP Scanner
Angry IP Scanner is a free tool that can be installed on Windows, Linux, and macOS. It expects a range of IP addresses as parameters to search. It helps to find live hosts, open ports, and other relevant information for every IP address:
Here is what the colored dots next to each IP address mean:
- Green: The IP address is active, and the device on this address is responding to the requests made by the Angry IP Scanner
- Blue: The IP address is either active or busy and not responding to the requests made by the Angry IP Scanner.
- Red: The IP address is inactive, dead, or there is no device connected to this IP address.
6. Conclusion
In this tutorial, we saw how to determine the subnet of our network using ifconfig in Linux. We also learned how to use netdiscover, nmap, and Angry IP Scanner to get a list of all the IP addresses on a LAN.