Hack Like a Pro: Using Netdiscover & ARP to Find Internal IP and MAC Addresses

Using Netdiscover & ARP to Find Internal IP and MAC Addresses

Welcome back, my fledgling hackers!

A number of you have written me in recent weeks asking how to find IP addresses of a potential target. There are numerous ways to do this, but in this tutorial I will show you how to use a tool built into BackTrack that leverages Address Resolution Protocol or ARP to discover live hosts on the network.

As you know, ARP is used to map MAC addresses to IP addresses on an internal network. The router and switches send out broadcast ARP requests to all the MAC addresses on the network asking them to respond with their IP addresses. Each system will then respond with their IP address and the switch or other device will then create a small database that maps the MAC to the IP address, so that it it knows "who is who".

We can use this same protocol to discover the IP addresses on a corporate, educational, wireless or other network by using Netdiscover. Its a simple tool that simply sends out ARP's—just like a switch or router would—asking for everyone's IP address on the network. In this way, we can gather the IP's we need and then to attack those machines with a MitM attack, Metasploit or other attack.

Before we get started, let's open Wireshark and look at some normal network traffic. As you can see in the screenshot below, once we open Wireshark and just wait a short while, I begin to send ARP requests. Packets 2113 and 2114 show an ARP exchange. If you look at 2113 and then scan across to the info section to the far right, you can see "who has". In the following packet, we see the response " is at xx:xx:xx:xx:xx:xx". That is normal ARP traffic.

We can now create a filter in Wireshark to just look for ARP tarffic by typing "arp" in the filter window at the upper left. Now, all we see is ARP traffic as Wireshark has filtered out everything else.

Now that we see a bit of normal ARP traffic and how it works, let's fire up BackTrack and abuse the ARP protocol to learn the IP and MAC addresses of everyone on the network.

Step 1: Find Netdiscover

We can find netdiscover by going to Backtrack, then Information Gathering, then Network Analysis, then Identify Live Hosts and finally, about midway down the long list of discovery tools we find Netdiscover.

Step 2: Open Netdiscover

When we click on netdiscover, it opens a screen like that below and displays some basic help. Netdiscover is a relatively simple tool, so there are not a lot of options.

Step 3: Netdiscover Command

To discover the IP's on an internal network, we will usually want to scan a range of IP addresses. In netdiscover, we can use the -r switch (for range) and then in CIDR notation provide it the network range we want it to scan. In the command below, we are asking netdiscover to find all the live hosts with IP addresses between to We do this by typing;

  • netdiscover -r

Step 4: Activate Netdiscover

As soon as we enter the command, netdiscover begins sending out ARP requests over the network and then logging the results on our screen. The process is live and interactive, so that as soon as new machines come on the network they pop up on our screen.

Netdiscover is a simple but powerful tool that uses the ARP protocol to discover live network hosts. As long as you are connected to the network and ARP is enabled on the network, you should be able to discover every live host's IP and MAC address. Once you have those, then you can begin your strategy of exploiting those hosts.

Keep coming back, my fledgling hackers for more adventures in Hackerland!

Cover image based on presenting modern technology via Shutterstock


What do you do if all you have is a person's email address and do not know what range their IP address is in or what MAC address it comes under?

How can I make my target connects to my network so that I would know one of the IP addresses given by netdiscover is my target's IP? Do you think chatting him would do?

Bros , using this you can only find those ips which are in your network
Lan to find your victim's ip you can use several methods like ip logging websites etc.

What if I first comprompised one pc in the network?

After that i could run these and see what computers are on the network, i think its possible to make a malicious code paste it in a word document, (don't really paste it but more like make it with a certain program, there is a threat on here about that too,) If some low-life in a HQ opens it then i have gained myself a backdoor, there is this one program wich fixes that for me, then from there i can do multiple things upload a virus, download critical data all that...is this ''legitness'' or nah

There's an app for that: Fing

If There any Softer who create facke location


Yes, there is software to create a fake location such as a honeypot.


where Should i get that.

what if we are running backtrack on vmware and our connection i.e chat or other is on the original OS... will wireshark still be able to get the IP?? or do we need to get a connection through the browser on backtrack?

Hey, I am running a live version of Kali Linux. I have been trying to use NetDiscover, but to no avail. Using both the auto scan and the -r switch, I have been unable to find ANY thing on my network. This includes my phone, wireless card, and other computers in my house. I am sure that I am using the correct ip address, I have checked with ifconfig.

Any help would be appreciated.

What is your IP address and what subnet are you scanning?

My IP address for my router is And the command I am using is netdiscover -r

Still no luck. I am using my my alfa wireless card, and it is not working. Any other tips?

What are trying to scan?

Have you connected to a wireless AP?

Are you using a VM?

I need details to diagnose this.

I am trying to find the MAC addresses of the my internal home network, and my school network. I have connected to the AP. I am not using a VM; I am using a live boot version of Kali Linux.

I have been looking on Wireshark and I can not find any ARP traffic.

Could the error be as simple as netdiscover not using the correct device to send out ARP requests? Or is there another program that is similar that I could try?

Thank you for the help! I will try netdiscover at my school network to see if for some reason it works.

Edit: It is now working after I used the -i switch and specified what device to use.

master otw:

i hv connected with my local network and give the command " netdiscover -r" but it is not displaying any result


i checked my ip and mask by ipconfig/all.....and my ip is not working with nmap either..................while working with xprobe

my ip was

OK. Now are you using a VM, Live CD or Dual boot?

Ok. Try using an -i <interface> in you command.

netdiscover -i etho ???

thnx a lot for ur quick responses master....

Dear OTW,

I was wondering how would I target a specific computer with just one public IP address. My friend is giving me permission to hack one of his computers but multiple computers on his network share the same public ip address, how would I target one of them? Thanks

Dear otw,

Can you teach me how to install netdiscover in my windows 7 home basic. thanks


Netdiscover is a Linux program. It won't install on Windows 7. Install Kali and it is already installed.


i want to know the location of a person via his emails. Can you please guide me.

There are many ways, but since you are new here, I suggest you download email tracker pro. It has its limitations, but for many emails, it does work to at least give you the city.

Is obtaining the IP address from the header the only way?

when i tried this it seems like it is showing other devices that are not live at the moment. like my xbox

are you sure this will only show hosts that are live?
also it only says unknown vendor.
so i cant tell what everything is.

Hi I have the same issues as some users above, When I run the command it goes almost straight to "finished" w/o finding anything. I'm dual booted and invoking my network card like so and still nothing

netdiscover -i eth0 -r (aswell as

Thanks for all the help, I just signed up!

is it active or passive scan?? i hav seen ARP request on wireshark , so i take it as active scan.
do network admin maintains logs of ARP request?
presently i am using wired internet. Is there any way of knowing whether there are any NIDS running by my ISP.

like always , great tutorial

in the subnet command, why do we use 24? i know it means the whole subnet 0-255 , but why do we use exactly 24 not other numbers like 255 or something?

How do I get a public IP from an email o social network page, any good guide for that?

But... CAN you use this to discover by name if a computer is connected in a public wi fi hotspot? Like hoisting...

Can Anybody help me out.How to get ip address of any wifi router without connecting with the wifi

Share Your Thoughts

  • Hot
  • Latest