Broadcast pings send ICMP echo requests to the local broadcast address, and even if they do not work all the time, they are a nice way of discovering hosts in a network without sending probes to the other hsts.
This recipe describes how to discover new hosts with a broadcast ping using Nmap NSE.
Open your terminal and type the following command:
# nmap --script broadcast-ping
You should see the list of hosts that responded to the broadcast ping:
Pre-scan script results: | broadcast-ping: | IP: 192.168.1.105 MAC: 08:00:27:16:4f:71 | IP: 192.168.1.106 MAC: 40:25:c2:3f:c7:24 |_ Use --script-args=newtargets to add the results as targets WARNING: No targets were specified, so 0 hosts scanned. Nmap done: 0 IP addresses (0 hosts up) scanned in 3.25 seconds
A broadcast ping works by sending an ICMP echo request to the local broadcast address 255.255.255.255, and then waiting for hosts to reply with an ICMP echo reply. It produce output similar to the following:.
# nmap --script broadcast-ping --packet-trace NSOCK (0.1000s) PCAP requested on device 'wlan2' with berkeley filter 'dst host 192.168.1.102 and icmp[icmptype]==icmp-echoreply' (promisc=0 snaplen=104 to_ms=200) (IOD #1) NSOCK (0.1000s) PCAP created successfully on device 'wlan2' (pcap_desc=4 bsd_hack=0 to_valid=1 l3_offset=14) (IOD #1) NSOCK (0.1000s) Pcap read request from IOD #1 EID 13 NSOCK (0.1820s) Callback: READ-PCAP SUCCESS for EID 13 NSOCK (0.1820s) Pcap read request from IOD #1 EID 21 NSOCK (0.1850s) Callback: READ-PCAP SUCCESS for EID 21 NSOCK (0.1850s) Pcap read request from IOD #1 EID 29 NSOCK (3.1850s) Callback: READ-PCAP TIMEOUT for EID 29 NSE: > | CLOSE Pre-scan script results: | broadcast-ping: | IP: 192.168.1.105 MAC: 08:00:27:16:4f:71 | IP: 192.168.1.106 MAC: 40:25:c2:3f:c7:24 |_ Use --script-args=newtargets to add the results as targets WARNING: No targets were specified, so 0 hosts scanned. Nmap done: 0 IP addresses (0 hosts up) scanned in 3.27 seconds
To increase the number of ICMP echo requests, use the script argument broadcast-ping.num_probes:
# nmap --script broadcast-ping --script-args broadcast-ping.num_probes=5
When scanning large networks, it might be useful to increase the timeout limit, by using --script-args broadcast-ping.timeout=<time in ms>, to avoid missing hosts with bad latency.
# nmap --script broadcast-ping --script-args broadcast-ping.timeout=10000
You can specify the network interface by using broadcast-ping.interface. If you don't specify an interface, broadcast-ping will send probes using all of the interfaces with an IPv4 address.
# nmap --script broadcast-ping --script-args broadcast-ping.interface=wlan3
The argument --script-args=newtargets forces Nmap to use these new-found hosts as targets:
# nmap --script broadcast-ping --script-args newtargets Pre-scan script results: | broadcast-ping: | IP: 192.168.1.105 MAC: 08:00:27:16:4f:71 |_ IP: 192.168.1.106 MAC: 40:25:c2:3f:c7:24 Nmap scan report for 192.168.1.105 Host is up (0.00022s latency). Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind MAC Address: 08:00:27:16:4F:71 (Cadmus Computer Systems) Nmap scan report for 192.168.1.106 Host is up (0.49s latency). Not shown: 999 closed ports PORT STATE SERVICE 80/tcp open http MAC Address: 40:25:C2:3F:C7:24 (Intel Corporate) Nmap done: 2 IP addresses (2 hosts up) scanned in 7.25 seconds
Note that we did not specify a target, but the newtargets argument still added the IPs 192.168.1.106 and 192.168.1.105 to the scanning queue anyway.
The argument max-newtargets sets the maximum number of hosts to be added to the scanning queue:
# nmap --script broadcast-ping --script-args max-newtargets=3
- The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
- The Discovering hosts with TCP SYN ping scans recipe
- The Discovering hosts with TCP ACK ping scans recipe
- The Discovering hosts with UDP ping scans recipe
- The Discovering hosts with ICMP ping scans recipe
- The Discovering hosts with IP protocol ping scans recipe
- The Discovering hosts with ARP ping scans recipe
- The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information