Hi there!
I hope this is the right forum... (if not... please, don't kill me, i'm not a native English speaker).
I'm currently working on a simple gui for sslstrip, but i need advice on how to retrieve via bash all the "live" hosts without knowing the netmask of an interface.
An example...
I wanna scan my network over eth0 and the only thing that i "know" atm is the current ip and the interface that i wanna use.
Is there a way to scan my network with only these parameters, or should i work hard on the netmask? (if it's 255.255.255.0 it's quite simple...).
Any idea?
Many thanks!
You can always narrow down your netmask by sliding Msb to the right.
Scientia ac Labore
Here's what's in my script - hope it's helpful.
There are a couple of ways for everything,
and for the victims you will need to install arpscan.
Code:
# Interface facing the network you want to spoof (must be set before lanip uses it)
interface="$(route | grep -v Gateway | head -n 5 | tail -n -1 | awk -F " " '{print $8}')"
lanip="$(ifconfig $interface | awk '/inet addr/ {split ($2,A,":"); print A[2]}')"   # LAN IP address
ip_address="$(ifconfig | grep "Bcast" | awk '{print $2}' | cut -c6-)"                # IP address
router="$(ip route | grep default | awk '{ print $3}')"                              # Gateway IP address
netmask="$(ifconfig | grep Mask | awk '{print $4}' | cut -c6-55)"                    # Dotted-decimal netmask
# Network route in CIDR form (e.g. 192.168.1.0/24); skips the "default via ..." line,
# which comes first on some systems
subnet="$(ip route | awk '$1 ~ /\// {print $1; exit}')"
wanip="$(wget www.whatismyip.com/automation/n09230945.asp -O - -o /dev/null)"       # WAN IP address
apt-get install arp-scan
use
Code:
arp-scan $router/24 -I $interface
or
arp-scan $subnet -I $interface
Last edited by Scamentology; 06-01-2011 at 05:57 AM.
"Never do anything against conscience -- even if the state demands it."
-- Albert Einstein
Thanks to all.
Hey scamentology, this "arp-scan $router/24 -I $interface" only scans within 255.255.255.0, or am i wrong? (if i've a different subnet, should i use arp-scan $subnet -I $interface, or am i wrong?)
I'll try these solutions asap!
You can take a look at my script too http://www.backtrack-linux.org/forum...g-traffic.html, it's very well commented, so you shouldn't have any problem understanding.
As for only mapping: nmap -sn gatewayip/24, or /16 if you want to map more. What's your subnet?
Running both KDE and GNOME BT5 flawlessly. Thank you !
Yes, but if you do that on a network using multiple netmasks you could make a mess out of the network and piss off the admin. Unless you are just using this to spy on your neighbor, in which case you're no better than someone who looks into someone's window at night. It's creepy.
That being the case, I would stick to the netmask assigned to you and move around accordingly. Have whatever scan you use just output the data but not act on it until you are ready.
"Never do anything against conscience -- even if the state demands it."
-- Albert Einstein
I see what you're getting at, but it might just be that his network is not of the most common "private" type, which is C. If he has a B type subnet for instance, his question is justified.
Anyway, what michelinok should do is read about subnets and netmasks and adapt according to his case.
Running both KDE and GNOME BT5 flawlessly. Thank you !
Use the following subnet masks: /25 = 2^1 subnets * (2^7-2) hosts, /26 = 2^2 subnets * (2^6-2) hosts, and so on.
You can also, instead of CIDR notation, simply write subnet masks in dotted-decimal notation:
/25 = 255.255.255.128, /26 = 255.255.255.192.
Scientia ac Labore
you got it at 99.5%
what i really wanna do is "automated" detection of the subnet, nothing else.
i know that in 98% of the cases it'll be 255.255.255.0, but if not? i don't want the user to be forced to type his subnet.
sorry for my english... i hope you've understood now (or "understand now"?)
If you did glance at my script you'd have found what you're looking for ^^
I wrote #store gateway/24 because that's what it is in 98% of the cases. But if it changes, the var will change too, accordingly.
Code:
# Store the network route (gateway/24 on most networks, but whatever prefix the
# interface actually has) for whole-network mapping. Matches the first route that
# carries a "/" so a leading "default via ..." line is skipped.
search=$(ip route show | awk '$1 ~ /\// { print $1; exit }')
# We put it here in the middle, because it could be used two times, but the gateway
# shouldn't change, so there is no need to do it twice.
Then nmap -sn $search
Last edited by comaX; 06-02-2011 at 12:50 PM.
Running both KDE and GNOME BT5 flawlessly. Thank you !
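The automated subnet detection the thread is after, as an added example (not code from any poster's script): read the address and prefix of the interface from `ip -o -4 addr show` and compute the network CIDR with shell arithmetic, so a /16 or /25 is handled exactly like a /24 and the result can be passed straight to nmap -sn or arp-scan. The interface name is the only input; the functions it builds on take plain strings and need no network access.

```shell
#!/bin/sh
# Added example for this thread (not any poster's script): derive an
# interface's network CIDR from its address and prefix instead of assuming /24.

# Dotted-decimal netmask (e.g. 255.255.255.128) -> prefix length (25).
# Counts set bits; assumes a contiguous mask, as all valid netmasks are.
mask_to_prefix() {
    n=0; oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        while [ "$octet" -gt 0 ]; do
            n=$((n + (octet & 1))); octet=$((octet >> 1))
        done
    done
    echo "$n"
}

# "addr/prefix" (as printed by `ip -4 addr`) -> "network/prefix".
cidr_network() {
    addr=${1%/*}; prefix=${1#*/}
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    ipn=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( prefix == 0 ? 0 : (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( ipn & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Usable host count for a prefix (valid for /0 .. /30): 2^(32-prefix) - 2.
cidr_hosts() { echo $(( (1 << (32 - $1)) - 2 )); }

# First IPv4 address on an interface -> its network CIDR, ready for
# `nmap -sn` or `arp-scan`. Field 4 of `ip -o -4 addr show` is "addr/prefix".
iface_subnet() {
    cidr=$(ip -o -4 addr show dev "$1" | awk 'NR == 1 { print $4 }')
    [ -n "$cidr" ] || { echo "no IPv4 address on $1" >&2; return 1; }
    cidr_network "$cidr"
}

# Usage: ./subnet.sh eth0  ->  e.g. 192.168.1.0/24 (or /16, /25 ... as configured)
if [ -n "${1:-}" ]; then iface_subnet "$1"; fi
```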