I've been wondering if there's a possibility to find the IP addresses of all the nodes connected to a particular LAN without assigning your NIC an IP address, taking into consideration that some nodes are on different IP subnets.
I'm aware of tools such as angryipscanner, nmap, arp-scan, etc., but they all need an IP address assigned to your NIC in order to use them.
I was thinking there might be a way to use libpcap or another tool in order to forge an ARP-request frame and make all the nodes within the LAN answer to the broadcast address (so you could sniff it) or to the port my NIC is connected to.
Best Answer
It doesn't have to be that complicated.
As long as your switch isn't using a feature similar to Dynamic ARP Inspection, the simple way to detect addresses is to use arping ... you can find this in most linux distributions (although CLI options sometimes vary depending on what arping build you have). You can write a script to cycle through as many addresses as you like; usually it's a good idea to sniff with wireshark and see what subnets could be used in that vlan (i.e. by looking at the source address in ARP requests).
Dynamic ARP Inspection
If you are running Dynamic ARP Inspection (DAI), you can't detect addresses like this as long as DAI checks IP address validity... I tested this on a Cisco 2960 running this configuration:
When I used arping as shown above, the switch noticed the invalid 0.0.0.0 source IP address in the ARP frame, and dropped it:
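As an added illustration (not part of the question or the answer above), here is what the frame the question wants to forge looks like in Python: an ARP request whose sender IP is 0.0.0.0, which is what an unaddressed NIC has to put there and exactly the field a DAI-style validity check inspects. The MAC address, interface name and target address are constructed placeholders, and `dai_would_drop` is a hypothetical model of that check, not switch code.

```python
import socket
import struct

# Constructed sample values: a locally administered MAC and a documentation-range target.
SRC_MAC = "02:00:00:00:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_request(src_mac, target_ip, sender_ip="0.0.0.0"):
    """Ethernet II + ARP 'who-has' frame (42 bytes). A NIC with no address can
    only fill the sender protocol address with 0.0.0.0."""
    eth = mac_bytes(BROADCAST) + mac_bytes(src_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # hw=Ethernet, proto=IPv4, op=request
    arp += mac_bytes(src_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes("00:00:00:00:00:00") + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = socket.inet_ntoa(frame[28:32])
    target_ip = socket.inet_ntoa(frame[38:42])
    return op, sender_mac, sender_ip, target_ip


def dai_would_drop(frame):
    """Hypothetical model of the IP-validity check the answer describes:
    a sender IP of 0.0.0.0 is treated as invalid and the frame is dropped."""
    parsed = parse_arp(frame)
    return parsed is None or parsed[2] == "0.0.0.0"


def send_probe(iface, frame):
    """Put the frame on the wire. Linux only (AF_PACKET) and needs CAP_NET_RAW;
    deliberately not called at import time."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    probe = build_arp_request(SRC_MAC, "192.0.2.10")
    print(parse_arp(probe), "dropped by DAI:", dai_would_drop(probe))
```

Replies that come back are ARP opcode 2 frames addressed to SRC_MAC, so the same `parse_arp` reads them off a capture.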