Network reconnaissance with arp-scan

Jun 5, 2022 by Thibault Debatty | 4428 views

Offensive Security

https://cylab.be/blog/220/network-reconnaissance-with-arp-scan

arp-scan is a simple tool that can be used list the IP addresses (and devices) used in a network. It works by sender ARP 'who-has' requests for every IP address of the subnet. If the IP address is used by a device, it will reply with an ARP 'reply' packet.

Installation

arp-scan is available in the repositories of most distributions:

sudo apt install arp-scan

Usage

You can run a scan from the command line. The only caveat is that you should indicate the network interface on which arp-scan must send the ARP requests:

sudo arp-scan -I <interface> <subnet>

For example:

sudo arp-scan -I wlp0s20f3 192.168.178.0/24

To list devices, arp-scan will send a series of ARP request packets.

arpscan-wireshark.png

The result will show the MAC address and manufacturer of each device, like on the screenshot below:

arpscan-01.png

Database update

As you may know, the 3 first Bytes of a MAC address allow to find the vendor of a network interface (unless the administrator has manually changed the MAC address of the device). This block of 3 Bytes is called the Organizationally Unique Identifier (OUI). arp-scan uses a database to find the manufacturer of each device. You can update this database by downloading the latest version directly from the GitHub repository of the project:

cd /usr/share/arp-scan/
sudo rm ieee-iab.txt
sudo wget -q https://github.com/royhills/arp-scan/raw/master/ieee-iab.txt

sudo rm ieee-oui.txt
sudo wget -w https://github.com/royhills/arp-scan/raw/master/ieee-oui.txt

arpscan-update.png

This time, you should get more information about the different vendors:

arpscan-02.png

Individual Address Block (IAB)

As you may have noticed, we downloaded 2 files to update the arp-scan database: the OUI and the IAB. The IAB is a legacy system, similar to the OUI, but where each manufacturer receives a block of only 12 bits. Hence a single IAB allows to assign a unique MAC address to maximum 4096 (2^12) network interfaces.

This blog post is licensed under CC BY-SA 4.0

How to detect filtered (and opened) outgoing ports on a network?
Sometimes you want to access services running on unusual ports, like a SSH server running on port 2222 for example. If connection fails, how can we detect the outgoing ports that are filtered or open on the network?
May 16, 2023 | 1108 views
Adv-Bot: Realistic Adversarial Botnet Attacks against Network Intrusion Detection Systems
Due to the numerous advantages of machine learning (ML) algorithms, many applications now incorporate them. However, many studies in the field of image classification have shown that MLs can be fooled by a variety of adversarial attacks. This raises many questions in the cybersecurity field, where a growing number of researchers are recently investigating the feasibility of such attacks against machine learning-based security systems, such as intrusion detection systems.
Mar 28, 2023 | 918 views
SQLMap : additional techniques
In a previous blog post, we have explained what SQL injection is, and how to exploit it using sqlmap. In this blog post, we will show some additional techniques: how to exploit web applications that use clean URLs, how to exploit a POSTed form, how to hide traces etc.
Mar 21, 2023 | 1477 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept