One of the first phases of a network security assessment is network mapping, which identifies the devices on the network. In this Lab, we will use a variety of tools in Kali Linux to map out a local network and identify targets by discovering the hosts on it. We will understand how these tools scan local networks differently from remote networks, and how easily each approach can be detected.
Upon completion of this Lab you will be able to:
- Scan for active network devices using the following tools:
  - The ARP Scanner (command line tool)
  - Nmap (command line tool)
  - Zenmap (graphical user interface)
- Understand the approaches taken for scanning local networks versus remote networks, including the types of request packets used
Network Mapping Using The ARP Scan Tool
The Lab host includes a Kali Linux virtual machine. Kali Linux is an advanced penetration testing Linux distribution used for penetration testing, ethical hacking and network security assessments. Kali Linux includes several network scanning tools. In this Lab Step, we will focus on the ARP scanner, arp-scan.
arp-scan uses Address Resolution Protocol (ARP) packets to discover all active IPv4 devices on a local network. Devices must respond to ARP requests or else they cannot communicate on the network. This holds true for both Ethernet (wired) and Wi-Fi connected devices. This makes arp-scan an effective tool for discovering devices even when they are protected by a firewall designed to hide their presence.
1. At the prompt, type the following command and press Enter to issue it:
After a couple of seconds, arp-scan completes scanning the local network (IPv4 addresses in the range 192.168.0.0 – 192.168.0.255). The IPv4 address followed by the MAC address of each device is displayed in the output table. The network gateway with IP address 192.168.0.1 is discovered along with the network interfaces of two other virtual machines.
2. Display the manual for arp-scan to see where you can learn more:
In this Lab Step, we used arp-scan to discover all devices on the local network. arp-scan can effectively discover all active IPv4 devices because it uses ARP packets, which devices must respond to in order to communicate over the network. ARP is not routable, so ARP-based scanning is restricted to the local network.
Network Mapping Using Nmap
Nmap is a well-known network scanning tool. It can be used for a multitude of security purposes. This Lab Step focuses on using nmap to discover hosts on the local network. When used to discover hosts on a local network, nmap uses ARP because it is more efficient than IP packets for discovery. When used to discover hosts outside of the local network, nmap uses IP-based requests including ICMP (ping requests) and TCP. This makes nmap a more versatile tool than arp-scan for discovering hosts. nmap is also compatible with IPv6.
1. In your Kali Linux terminal, enter the following command to discover hosts on the local network:
nmap -sn 192.168.0.0/24
192.168.0.0/24 is the CIDR notation for the local network IPv4 address range. The output summary shows that 4 hosts are up. nmap includes the Kali Linux host you are currently using (kali.ca.labs) with IPv4 address 192.168.0.100. Besides that, nmap discovers the same hosts that arp-scan did.
2. Open a second terminal window by clicking File > New Window:
3. In the new terminal window, issue the following command:
tcpdump -i eth0 arp
The tcpdump command outputs any ARP traffic on the eth0 network interface (the interface used to communicate on the network). This will give you insight into what nmap is doing to discover hosts.
4. In the first terminal window, re-issue the following command:
nmap -sn 192.168.0.0/24
We can see that nmap is indeed using ARP packets to discover hosts when scanning the local network. The output shows nmap sequentially sending an ARP request to each IP address on the local network to perform the host discovery.
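The sequential ARP sweep just observed in tcpdump is also the pattern a defender can look for. As an added example (not part of the lab), this Python script parses tcpdump's ARP request lines and flags any host that asks "who-has" for many distinct addresses within a short window. The sample lines are constructed and assume numeric addresses as tcpdump -n prints them; the thresholds, window size and function names are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches tcpdump's ARP request line (assumed numeric output, as with -n), e.g.
# "12:00:01.000100 ARP, Request who-has 192.168.0.1 tell 192.168.0.100, length 28"
ARP_REQ = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, Request who-has (?P<target>[\d.]+)"
    r"(?: \([^)]*\))? tell (?P<src>[\d.]+)"
)

def parse_requests(lines):
    """Yield (timestamp, requester, probed ip) for every ARP request line."""
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
            yield ts, m.group("src"), m.group("target")

def detect_arp_sweeps(lines, min_targets=8, window_seconds=5.0):
    """Return {requester: distinct targets} for every source that probed at
    least min_targets distinct IPs inside some window_seconds span."""
    by_src = defaultdict(list)
    for ts, src, target in parse_requests(lines):
        by_src[src].append((ts, target))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {t for _, t in events[start:end + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = max(len(distinct), flagged.get(src, 0))
    return flagged

# Constructed sample: one host walking 192.168.0.1-10 (what "nmap -sn" on a
# local subnet looks like on the wire) plus one ordinary lookup by the gateway.
SAMPLE = [
    f"12:00:01.{i:06d} ARP, Request who-has 192.168.0.{i} tell 192.168.0.100, length 28"
    for i in range(1, 11)
] + [
    "12:00:01.000150 ARP, Reply 192.168.0.1 is-at 00:0c:29:aa:bb:01, length 28",
    "12:00:03.500000 ARP, Request who-has 192.168.0.100 tell 192.168.0.1, length 28",
]

if __name__ == "__main__":
    for src, count in detect_arp_sweeps(SAMPLE).items():
        print(f"possible ARP sweep from {src}: {count} distinct targets probed")
```

Feeding it live data is a matter of piping `tcpdump -n -i eth0 arp` output into `detect_arp_sweeps`.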
In this Lab Step, we used nmap to discover hosts on the local network. Similar to arp-scan, nmap uses ARP to discover hosts on the local network because it is more efficient and effective. However, when discovering hosts outside of the local network, nmap is able to use other types of requests, making it more versatile than arp-scan.
Network Mapping Using Zenmap
Zenmap is the official cross-platform graphical user interface (GUI) for Nmap. Zenmap makes it easier to begin using Nmap while also providing features useful for advanced users. It offers a variety of convenient features, including:
- Save frequently used scans
- Interactive command creator
- Save scan results for later viewing
- Compare two scan results by highlighting their differences
- Recent scan results are indexed in a searchable database
In this Lab Step, we will familiarize ourselves with Zenmap and use it to discover hosts on the local network.
1. Click the eye icon in the left toolbar to open Zenmap:
Alternatively, you can open Zenmap from the terminal by entering
The Zenmap GUI appears:
The GUI includes elements for constructing and issuing nmap commands at the top, including:
- Target: The target specification to scan, such as the local subnet 192.168.0.0/24
- Profile: A list of saved commands to choose from
- Command: The command to run. This can be generated using a profile or manually entered.
- Scan: Issue the command to begin the scan
- Cancel: Cancel a running command
The lower portion of the GUI is for presenting scan results.
2. Select Ping Scan from the Profile drop-down menu:
Notice the Command changed to nmap -sn. This is the same command we used to scan the local network. When targeting a local network, ARP packets are used instead of ICMP (ping) packets.
3. Click Scan to run the command:
The Nmap Output tab displays the command that was issued in a drop-down menu with the command output below it. You can use the drop-down menu to select previously issued commands and view their output at your convenience. The output indicates that No targets were specified, so 0 hosts were scanned. Zenmap will not try to infer a target or use a default when one is not provided.
4. Enter 192.168.0.0/24 in the Target field and click Scan:
Notice the Target is automatically appended on the end of the Command. The output is updated:
The left panel lists the hosts that were discovered. The ARP scan doesn't include any information to identify the operating system (OS), so a question mark icon is shown in that column.
5. Click the Topology tab to view a network topology and then click one of the green nodes to draw the topology in a more readable format:
Zenmap draws a topology from the information available in the scan output. Each ring represents a hop in the network.
6. Click the black node representing localhost:
Based on the scan results, Zenmap knows that all of the discovered hosts are one hop away from the host running the scan.
In this Lab Step, we learned how to use Zenmap, the official GUI for nmap, and how to interpret its results.