Network Scanner.

Information gathering is one of the most important stage of hacking or penetration testing, you can’t gain access to any system if you don’t have enough information about the system.

If you happen to be on a network and your target is also connected to that same network, you need to be able to discover all the clients connected to the network, get their MAC and IP addresses, then you can get on to gathering more information or running some attacks, in other to gain access to your target. Nmap and netdiscover will be able to do this really well for you (I use this tools in the scanning and enumeration section of the Ethical hacking and Pen testing category), but we’re going to build our own scanner from scratch, to have a deeper understanding on how network scanners work and how networks work in general.

We are going to build a network scanner similar to netdiscover, it’s an in-built Kali network scanning tool, I recommend checking it out and see how it works.

So, because I’m certain not everyone has a wireless adapter to run the scans and attacks with the tools we’ll be building, I recommend downloading an installing a virtual windows machine to run theses scan and attacks against. You can chose to run these attacks against any machine but I recommend using virtual machines, it’s safer for beginners in case you break something and they are easy to fix. Windows is a common OS, that’s why I picked windows for the target machine.

Here’s a link to free Windows virtual machines that you can install, make sure you select the right host OS, and the right virtual machine image. Once downloaded, unzip and import to virtual machine, you can modify the machine to your taste (you don’t need much space on it).

If a pass word is required, the password is Passw0rd!

The easiest way to discover clients on the same network, is to replicate what a device would do to discover another device on the same network. Don’t forget that for devices to communicate within a network they make use of their MAC address and not IP address. To get the MAC address of a device whose IP address is already know, you use a protocol called ARP (Address Resolution Protocol),it’s a protocol that allows the linking of IP addresses to MAC addresses

The ARP send a request to a specific MAC address in the whole network (known as the broadcast MAC address), and all clients on the network receives the packet sent from the request to the broadcast MAC address, which basically asks all the devices, who has the IP address of the machine you’re looking for and the machine with the MAC address will respond, it’s called the ARP response and the MAC is shown in the response.

I’m going to show you a simple but terrible way to implement the ARP into a script, then we’ll begin building and making the script better. We’re going to use a module called Scapy. here’s the scapy documentation.

Here is how to import scapy according to the documentation. The ‘as scapy’ is just me telling it that when I call a function in the module, I’ll be using scapy, because it’s shorter, than scapy.all.

I created a function called scan, because it scans (obviously) and it takes an IP address as it’s variable, then I use a simple scapy module function, giving the IP to the function. Next I call the function and provide the IP I want to scan. Very simple like I promised.

I’m going to provide my router IP and use it for the scan, To get your router IP use this command in your terminal: ‘route -n’. Don’t forget you need root privileges for this, so add the sudo before the command, if you’re not already on root.

Now, here’s an advance script for network scanning but in order to do this without getting confused, we divide this problem into smaller problems, and solve the smaller ones one at a time, till everything is solved as a whole, by defining our own functions. Our goal is to discover clients on network (big problem), so here are the smaller problems:
• Create arp request directed to broadcast MAC asking for IP.
• Send packets and receive response.
• Parse the response
• Print the result.

Using Scapy to create ARP requests.

arp_request is a variable, that hold and arp packet. Scapy is the module that lets us create and arp packet object. The scapy.ARP class allows us to print a summary of the object created (scapy.ARP)

This works, but we need to have a variable to store the user input, because this script has a fixed IP. So we need to modify the object and set the value to any IP the user provides, to do this we’ll use another scapy function, the ls function. This would give us a list of all the fields that we can set, a description of what each field means, and the default value.

Next we need to make sure that the packet destination MAC is the broadcast MAC, so that all the clients on the network gets it. In order to do this we need an Ethernet frame, like I said, packets in network are sent using the MAC not the IP address, the MAC is the physical address and it’s set in the Ethernet part. Therefore, we need to create an Ethernet frame and append the arp_requests to it later. Creating this is very similar to how we created the arp_request.

NB: Don’t forget that you can call the variables whatever you like, just make sure they’re meaningful names.

The point of using ether is to make sure that the packet will be sent to the broadcast MAC address and not to only one device, for this, we need to set the MAC address to that of the broadcast. Just like we did for the IP, we’re going to use the scapy.ls function and use the name of the class we’re trying to get the information about, like this:

As you can see, it gave us the list of all the fields that can be set and their description. In our case the broadcast MAC address is virtual but even at that, when you send out a packet, all clients on the same network will receive it.

From the above, the result tells us that the packet will be sent from the IP address, which is my Kali machine, to the MAC address of the broadcast. We already have the arp_request variable, using the arp object from scapy, to ask who has the target IP and we’ve also set the destination MAC to the broadcast. Which is the first and second part of our small problem.
Now we have to combine this two packets into one and our first small problem is solved, to do this in scapy, we’ll use the forward slash (/), which appends the arp to the broadcast.

You can see that the result, shows an Ether part and an ARP part, We can print out more details about the contents of the packet sent, like this, you can use the show method on all the other packets.

This is the .show combination of the two (objects we created), the Ether and ARP packet, which contains two (2) parts. The Ethernet part, which makes sure that the packet is directed to the broadcast MAC and the ARP part asks who has the IP that is passed in the function.

Sending & Receiving Packets.

The first step of our algorithm is done, now we have to try to send the created packet into the network and wait to get response. We’ll use a scapy function for this, called srp. Scapy has a function called sr, which means send an receive but we’ll be using a different version of this function called srp and the difference is that the srp allows the sending of packets with custom Ether part. So, because the Ether we’re using is custom, we’re using the srp function, which will send the packet we give and receive the response but we’ll need to capture the returned function in a variable. It returns more than one (1) value, it’ll capture two (2) values, one for the answered packets and the other the unanswered packets.

I added a timeout, so the program when run, waits for the specified time and if there’s no response, it moves on, instead of waiting forever.

The second small problem is solved.

Parse The Response.

The response that we get is stored in a variable called answered, it makes the result easier for us to read but what if it was being used by a different user? And the user wants to use the MAC address returned, to carry out further attacks. Then we need to be able to extract the MAC address on its own, we just have to print out only the MAC & IP addresses and we need to parse the response to extract the useful information from it.

If you did read through the scapy documentation, you hopefully saw that it tells us the send and response function, returns back to the list, one for the answered and the other for the unanswered.
Here’s an overview of lists, this is also included in the Ethical hacking category in the Python basics section, you should definitely check it out.

In other languages, they are called arrays, but in Python arrays are referred to as lists. Lists are a list of elements/values, stored in one variable. Lists are made using square brackets [], and for every value in the list, the indexing starts from zero (0) and to access any element from a list, you use the variable name and the index of the element within square brackets [].

Highly recommend reading up on lists, to get a broader understanding of them, as we’ll be using them a lot in this course and they’re quite powerful too.

The for loop is to iterate the answered list, so for each element in the answered list, it prints the element.

From the result, you can see that the MAC address needed is the element of one(1), so we’ll add [1] after our print element. To print the IP address sending the packet and the MAC address receiving the packet.

This is the end of step three (3), parsing the captured values, in the answered list, we used loops to iterate through the list

Print Result, Nicely.

This is the last step, which we kinda already achieved in the previous step, but in a case where the user has multiple IP addresses to iterate through, we need to make sure that the print out is nice and easy to read

So we basically want our result to be printed out like the Kali tool netdiscover, which allows us to list all the IP addresses and their associated MAC addresses in the current network. Similar to what our program already prints out but way nicer and arranged.

We have come to the end of our small problems.

I’m leaving the user input for the IP address to you. You can check the MAC changing post or just google it.

As usual, we’re going to clean up our code, our result will still be the same, I promise, but I like to have functions in my programs to do specific things, which makes it cleaner and easier for others to read, understand and use.
For this, I’ll b e using a dictionary, which is a better implementation and a good way of introducing you to dictionaries.

You can think of dictionaries as lists, they are similar because they have a variable that corresponds to a number of elements and use keys to access the elements, instead of indexes.
In lists, elements are accessed based on their location, but in dictionaries, a key is defined for each element and the elements are accessed based on the keys, and dictionaries use curly brackets {}.

This is a list of dictionaries, where each index has a list of values and each value has a key. So from our print out, we get the IP and MAC addresses. IP and MAC will be keys for their respective values and the combination of these values and their individual keys, have their own index. I know, very confusing but here’s what that looks like:

As you can see from the result, we have a big list that starts and ends with the square brackets, inside it are the dictionaries, with their keys (ip & mac). Now that we’ve created our list of dictionaries and have the data stored, lets iterate through the data and print the useful information.

For anyone who doesn’t know how to get user input, using the argparse which is the newer version of the deprecated optparse module. Here’s the code for it.

Here’s the finished program.

We have finally come to the end off building a network scanner. Next, we’ll be building an ARP Spoofer.

Don’t be shy, leave a comment or ask a question, if you’ve got one or more.

As always, Until next time, Keep learning. Keep hacking. And don’t forget to breathe!