
Linux network commands

To find all devices on the network, use the nmap command. The utility is installed with

sudo apt-get install nmap -y

Scan the network (ping sweep; -sP is the older name of -sn, see below) with

nmap -sP 192.168.1.*

The operating systems running on the devices and their MAC addresses can be found with

sudo nmap -sT -O 192.168.1.*

To find a device's MAC address, first ping it with ping, then request the list of connected devices with arp.

arp will slowly return you a list of active MAC addresses and IPs or their hostnames if they have one. If you want it to go faster, you can use arp -n which should skip the DNS lookups. If you need to parse it into something arp -an will skip the fixed width columns.

arp -n (IP only, no DNS)

The -a option uses an alternate BSD-style output and prints all known IP addresses found on your LAN.
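Since the text recommends arp -an when the output has to be parsed, here is an added example (not from the original page) of doing exactly that: it turns arp -an lines into structured entries, separates resolved neighbours from <incomplete> ones, and flags MACs that are not in a constructed allowlist of expected devices. The sample output, the addresses and the allowlist are all made up for the example.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `arp -an` output (Linux net-tools, BSD-style listing,
# no DNS lookups). Addresses and MACs are made up for this example.
SAMPLE_ARP_AN = """\
? (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.23) at aa:bb:cc:dd:ee:17 [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0
? (192.168.1.99) at DE:AD:BE:EF:00:01 [ether] on eth0
"""

# Constructed allowlist of devices expected on this LAN; in practice this
# would come from DHCP reservations or an asset inventory.
KNOWN_MACS: Dict[str, str] = {
    "aa:bb:cc:dd:ee:01": "router",
    "aa:bb:cc:dd:ee:17": "printer",
}


class ArpEntry(NamedTuple):
    ip: str
    mac: str    # "" when the kernel has no resolved address (<incomplete>)
    iface: str


# One `arp -an` line: "<host> (<ip>) at <mac or <incomplete>> [<hwtype>] on <iface>"
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}|<incomplete>)"
    r"(?: \[(?P<hw>\w+)\])? on (?P<iface>\S+)"
)


def parse_arp_an(text: str) -> List[ArpEntry]:
    """Parse `arp -an` output into structured entries, skipping lines that do not match."""
    entries: List[ArpEntry] = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        mac = "" if m["mac"] == "<incomplete>" else m["mac"].lower()
        entries.append(ArpEntry(m["ip"], mac, m["iface"]))
    return entries


def unknown_devices(entries: List[ArpEntry], known: Dict[str, str]) -> Dict[str, str]:
    """Map IP -> MAC for resolved entries whose MAC is not in the allowlist."""
    return {e.ip: e.mac for e in entries if e.mac and e.mac not in known}


def unresolved_ips(entries: List[ArpEntry]) -> List[str]:
    """IPs the kernel tried to reach but got no ARP reply for (<incomplete>)."""
    return [e.ip for e in entries if not e.mac]


if __name__ == "__main__":
    parsed = parse_arp_an(SAMPLE_ARP_AN)
    for e in parsed:
        print(f"{e.ip:<16} {e.mac or '<incomplete>':<18} {e.iface}")
    print("unknown:", unknown_devices(parsed, KNOWN_MACS))
    print("unresolved:", unresolved_ips(parsed))
```

Two caveats worth keeping in mind: the ARP cache only contains neighbours the kernel has recently exchanged traffic with, which is why the page says to ping first, and a MAC allowlist catches misconfigured or forgotten devices but not a host that deliberately spoofs a known MAC.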

MAC addresses can be pinged with the arping utility. It is installed with

sudo apt install arping

Ping with

arping aa:bb:cc:dd:ee:ff

arp-scan has a more convenient output. Installation:

sudo apt-get install arp-scan

Scan the local network:

sudo arp-scan -l

In principle, this command outputs everything that is needed.

Useful information

To find the network ID and subnet mask, use the command ip a

Excerpt from the nmap manual

nmap -sn (No port scan)

This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by a list scan of every single IP address and host name.

Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.

The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local Ethernet network, ARP requests are used unless --send-ip was specified. The -sn option can be combined with any of the discovery probe types (the -P* options, excluding -Pn) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.

In previous releases of Nmap, -sn was known as -sP. (Skip port scan)
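The manual excerpt above describes -sn as a ping sweep that administrators use to count available machines or monitor server availability, and the top of the page uses the same scan to find all devices on the network. The following added example (mine, not nmap's code or anything from the original page) shows the monitoring side of that: it parses nmap's grepable output (-oG) from two sweeps and reports which hosts appeared and which stopped answering. The two sweep outputs, the addresses and the hostnames are constructed for the example; the sweep_command helper is an assumption about how one would invoke the scan.

```python
import re
from typing import Dict, List

# Constructed grepable output of two successive `nmap -sn -oG - 192.168.1.0/24`
# sweeps (hostnames and addresses are made up). In -oG format nmap prints one
# "Host:" line per host; with -sn only the discovery status is reported.
SWEEP_PREVIOUS = """\
# Nmap 7.80 scan initiated Mon Jan  1 08:00:00 2024 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.10 (fileserver.lan)\tStatus: Up
Host: 192.168.1.23 ()\tStatus: Up
# Nmap done at Mon Jan  1 08:00:03 2024 -- 256 IP addresses (3 hosts up) scanned in 2.51 seconds
"""

SWEEP_CURRENT = """\
# Nmap 7.80 scan initiated Tue Jan  2 08:00:00 2024 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.99 ()\tStatus: Up
# Nmap done at Tue Jan  2 08:00:03 2024 -- 256 IP addresses (3 hosts up) scanned in 2.48 seconds
"""

# "Host: <ip> (<name or empty>)<tab>Status: <Up|Down>"
HOST_LINE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\s+Status: (?P<status>\w+)")


def sweep_command(network: str) -> List[str]:
    """argv for a host-discovery sweep written in grepable format to stdout.
    Assumed invocation; run as root on the local segment so nmap uses ARP
    (see the manual excerpt above)."""
    return ["nmap", "-sn", "-oG", "-", network]


def hosts_up(grepable: str) -> Dict[str, str]:
    """Return {ip: hostname-or-empty} for each host nmap reported as Up."""
    up: Dict[str, str] = {}
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m and m["status"] == "Up":
            up[m["ip"]] = m["name"]
    return up


def sweep_diff(previous: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Hosts that appeared since the last sweep and hosts that stopped answering."""
    return {
        "appeared": sorted(set(current) - set(previous)),
        "disappeared": sorted(set(previous) - set(current)),
    }


if __name__ == "__main__":
    before, after = hosts_up(SWEEP_PREVIOUS), hosts_up(SWEEP_CURRENT)
    print(f"{len(before)} hosts up in the previous sweep, {len(after)} now")
    print(sweep_diff(before, after))
    # Against a real segment (needs nmap installed; root for ARP discovery):
    # import subprocess
    # out = subprocess.run(sweep_command("192.168.1.0/24"),
    #                      capture_output=True, text=True).stdout
    # print(sweep_diff(before, hosts_up(out)))
```

A host listed under "disappeared" is not necessarily down: as the manual notes, a firewall between the scanner and the target can drop the default probes or their replies, so a persistent disappearance is worth confirming with a different probe type (the -P* options) before raising an alert.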

-PE; -PP; -PM (ICMP Ping Types). In addition to the unusual TCP, UDP and SCTP host discovery types discussed previously, Nmap can send the standard packets sent by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts. Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by RFC 1122[2]. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators monitoring an internal network, they can be a practical and efficient approach. Use the -PE option to enable this echo request behavior.

-A (Aggressive scan options). This option enables additional advanced and aggressive options.

21,23,80,3389 - ports to scan through (given to the nmap -p option)

192.168.1.* - range of IPs, replace with yours