Überhacker II, Chapter 9: Ethernet Exploration, continued...

How to Uncover the Identities of Computers on a LAN

Our first task is to learn how to discover almost all addresses on any LAN where you have a shell account, and how to identify every piece of Ethernet hardware on it. I say "almost," because if serious security gurus run the LAN you are exploring, they may hide some hardware. Switched Ethernet (if properly implemented - more on that later, muhahaha!) is one of these techniques.

Let's presume that your target domain won't let you do zone transfers (the host -l or nslookup ls commands). However, for many LANs, the following trick will reveal all.

Note - in exploring Ethernets, the commands we use are almost the same for both Unix-type operating systems and Windows 95/98/ME/NT/2000/XP/2003 (from the MS-DOS or cmd.exe prompt).

First we must figure out the broadcast address for the LAN you wish to explore. A broadcast address is one that will send a message out simultaneously addressed to everything on its network. In the case of a network with no subnet masks that uses Internet Protocol (IP) addresses, this is done by setting the last one (or two, or three) octets of the IP address to 255. For example, if you have a private Class C network (254 usable addresses, with no direct access to the Internet), your broadcast number might look something like

In general, the broadcast address is the highest address on a LAN given its netmask. For example, Vincent Larsen points out that a netmask of will create a subnet of which the highest IP address is So in this case the broadcast address is The network will send anything between and to the router, if it exists.

How does this work? We get to learn about netmasks now! Each of the 255s in the netmask keeps the NICs on that subnet from looking at that part of the IP address, so they only look at the last segment of the address. There, they subtract 192 from 255 to get 63, so the NICs on that network only look at 63 and below.

Joe Klemencic explains,

"This math equation assumes you will be operating on the network. You can easily be in the network range and still have a netmask. It all has to do with the binary bit boundaries for a netmask. Basically, the binary equivalent of the IP address is MASKed with the binary equivalent of the netmask. Networks are all binary zeros while broadcasts are all binary ones. Hosts are a combination of binary ones and zeros in between.

For example:
IP: = 11000000 10101000 01100100 00000000
Mask: = 11111111 11111111 11111111 11000000

While looking at the netmask, the rightmost bit that is set determines how many hosts can be on each network defined by the netmask. In this case, 11000000, the bits are set in the 128 and 64 fields:

Binary Values: 128  64  32  16   8   4   2   1
Netmask:         1   1   0   0   0   0   0   0
In this case, the rightmost bit is in the Binary Value 64, so only 64 hosts (including the network number and the broadcast address) can be contained within a network. Now, to find the broadcast address for the network:

Since we now know that only 64 hosts (including the network number and the broadcast address) can be on a network with the mask, you can create a table of available networks: - - -

Now, see where the last octet of your IP address fits into this table. If your IP address is, you will be in the - range, with being the network number and being the broadcast address. If you are unsure if you calculated it correctly, remember that the network number is always an EVEN number, while the broadcast number is always an ODD number.
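The netmask arithmetic Joe walks through above, carried out with plain bitwise operations so each step (network number = IP AND mask, broadcast = network OR NOT mask, the host count from the rightmost mask bit, and the table of blocks inside one class C) can be checked by hand. This is an added example, not code from the book; the sample addresses are constructed, and the 192.168.100.0 / 255.255.255.192 case is chosen to match the binary IP and mask shown above.

```python
# Added example, not from the Uberhacker text: the netmask arithmetic the
# quoted passage walks through, done with plain bitwise operations so each
# step can be checked by hand. Sample addresses are constructed; the
# 192.168.100.0 / 255.255.255.192 case mirrors the binary IP and mask above.

def ip_to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(dotted: str) -> str:
    """Four 8-bit groups, laid out the way the text shows IP and mask."""
    return " ".join(f"{(ip_to_int(dotted) >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def prefix_length(mask: str) -> int:
    """Count the mask's one bits after checking they are contiguous."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones

def subnet_info(ip: str, mask: str) -> dict:
    """Network number = IP AND mask; broadcast = network OR (NOT mask)."""
    bits = prefix_length(mask)
    network = ip_to_int(ip) & ip_to_int(mask)
    broadcast = network | (~ip_to_int(mask) & 0xFFFFFFFF)
    return {"network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
            # counted as in the text: includes network number and broadcast
            "hosts": 2 ** (32 - bits)}

def subnet_table(ip: str, mask: str) -> list:
    """Split the class C (/24) containing ip into the blocks the mask allows."""
    block = 2 ** (32 - prefix_length(mask))
    if block > 256:
        raise ValueError("mask shorter than /24: table would span several class Cs")
    base = ip_to_int(ip) & 0xFFFFFF00
    return [(int_to_ip(base + i), int_to_ip(base + i + block - 1))
            for i in range(0, 256, block)]

if __name__ == "__main__":
    print(to_binary("192.168.100.0"), "|", to_binary("255.255.255.192"))
    print(subnet_info("192.168.100.130", "255.255.255.192"))
    for net, bcast in subnet_table("192.168.100.130", "255.255.255.192"):
        print(f"{net} - {bcast}")
```

Feeding it a host in the 128 block returns network 192.168.100.128 and broadcast 192.168.100.191 (64 addresses), and the even/odd rule from the text holds for every mask shorter than /32.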

So how do you find out for sure what the netmask and broadcast address are on the LAN you are exploring? If you (as a lowly user) have permission to use the ifconfig command on a box on that LAN, you are in luck. Here's what SuSE Linux tells us:

~> ifconfig
eth0 Link encap:Ethernet HWaddr 00:C0:F0:37:56:6A
inet addr: Bcast: Mask:

In Windows, you can use:

C:\>ipconfig /all

In Windows 95/98/ME, you can also get your MAC address at the DOS prompt with the command winipcfg.

If you can't use these commands, just guess. If your target network has computers that all start with 10.2.2., the broadcast address will probably be or, or (if you get really lucky) But be prepared for one heck of a bunch of return pings, including from your own computer.

Normally you can only broadcast within an Ethernet. Most routers block broadcast transmissions from leaving the LAN. So if you try to ping, you will not broadcast a ping to every address on the Internet.


© 2013 Happy Hacker All rights reserved.