Network reconnaissance with arp-scan

Jun 5, 2022 by Thibault Debatty | 331 views

Offensive Security

https://cylab.be/blog/220/network-reconnaissance-with-arp-scan

arp-scan is a simple tool that can be used list the IP addresses (and devices) used in a network. It works by sender ARP 'who-has' requests for every IP address of the subnet. If the IP address is used by a device, it will reply with an ARP 'reply' packet.

Installation

arp-scan is available in the repositories of most distributions:

sudo apt install arp-scan

Usage

You can run a scan from the command line. The only caveat is that you should indicate the network interface on which arp-scan must send the ARP requests:

sudo arp-scan -I <interface> <subnet>

For example:

sudo arp-scan -I wlp0s20f3 192.168.178.0/24

To list devices, arp-scan will send a series of ARP request packets.

arpscan-wireshark.png

The result will show the MAC address and manufacturer of each device, like on the screenshot below:

arpscan-01.png

Database update

As you may know, the 3 first Bytes of a MAC address allow to find the vendor of a network interface (unless the administrator has manually changed the MAC address of the device). This block of 3 Bytes is called the Organizationally Unique Identifier (OUI). arp-scan uses a database to find the manufacturer of each device. You can update this database by downloading the latest version directly from the GitHub repository of the project:

cd /usr/share/arp-scan/
sudo rm ieee-iab.txt
sudo wget -q https://github.com/royhills/arp-scan/raw/master/ieee-iab.txt

sudo rm ieee-oui.txt
sudo wget -w https://github.com/royhills/arp-scan/raw/master/ieee-oui.txt

arpscan-update.png

This time, you should get more information about the different vendors:

arpscan-02.png

Individual Address Block (IAB)

As you may have noticed, we downloaded 2 files to update the arp-scan database: the OUI and the IAB. The IAB is a legacy system, similar to the OUI, but where each manufacturer receives a block of only 12 bits. Hence a single IAB allows to assign a unique MAC address to maximum 4096 (2^12) network interfaces.

Orchestration script to simulate user activity on multiple machines thanks to the GHOSTS framework
The GHOSTS Framework is an open-source project created by Dustin Updyke, a cybersecurity researcher from the Carnegie Mellon University. It's a framework which offers a way to simulate user activity, usually for cyber awareness trainings or research in the field of cyber defense.
MITRE ATT&CK and the ATT&CK Matrix
Defining cyber attacks is a difficult task. They vary in origins, goals and, at first glance, the techniques used might seem very different. Luckily a popular model was defined by Lockheed Martin, still used to this day, which illustrates very well the lifecycle of a typical cyber attack. The Cyber Kill Chain, popular but controversial, defines the 7 principal steps of an attack. There have been many advances, since its original conception, one of which is the wildly acclaimed ATT&CK Matrix for Enterprise.
Kali Linux and Parrot Sec OS, Penetration Environment Comparison
For years, hackers have been the main characters of movies, books and generally have captured the imagination of regular folks. When we see these hackers use the tools of their trade, we usually see a black screen with green text flashing as fast as possible on the screen, lost in commands and bright flashing lights. This can't be any further from reality, as most hackers will spend hours and days on end to accomplish their tasks, usually staring at a screen, using their programs of choice.