Have you ever been in a situation where you want to know whether the local build machine you are working on is up and running? The same could be asked of a DB server, web server, NIS server, etc. Many times we want to know who is connected to the local network but don't have a proper method or tool to find out.
There are some simple solutions, such as pinging the broadcast address of your network and then checking your ARP cache for the entries. This is a two-step process, and we have to check the details manually.
What if we could use an open source tool to do the same, and do it without the other hosts knowing that we are the one talking to them?
Arp-scan is the tool that can do this for us. If you are using a recent Linux distro, the package can be installed with the corresponding package manager; it doesn't come installed by default.
arp-scan allows you to:
- Send ARP packets to any number of destination hosts, using a configurable output bandwidth or packet rate. This is useful for system discovery, where you may need to scan large address spaces.
- Construct the outgoing ARP packet in a flexible way. arp-scan gives control of all of the fields in the ARP packet and the fields in the Ethernet frame header.
- Decode and display any returned packets. arp-scan will decode and display any received ARP packets and lookup the vendor using the MAC address.
- Fingerprint IP hosts using the arp-fingerprint tool.
Installation on Debian and Ubuntu derivatives:
apt-get update && apt-get install arp-scan
If you are using any other distro, use the corresponding package manager to install this package.
Now that we have the package installed on our machine, let's try a scan to find the list of hosts in the network.
The command to do this:
arp-scan -I <interface name> --localnet
Let’s get into more detail on this:
arp-scan is the main command we need to execute.
-I <interface name> — here we give the name of the interface that is connected to the network we want to scan.
Our machines can have many Ethernet interfaces, both PCI devices and USB-to-Ethernet adapters, and the same is true for WLAN interfaces. Please make sure you are using the correct interface name.
--localnet — tells arp-scan that we are scanning the local network, i.e. the subnet configured on that interface.
Now let’s see a sample output of the above command:
In the above command, eno1 is my Ethernet interface, which is connected to the local network (192.168.1.0/24).
With just this simple command we get the hosts that are up and running in the local network. It also gives a clear mapping between IP addresses and MAC addresses. This is very useful when hosts get their IP addresses through DHCP and a host's IP may change over time.
Internally, the command sends an ARP request for every host address in the local network, and the hosts that are up respond with an ARP reply. The payload of the reply carries the MAC address and IP address of the host that is replying.
If we run Wireshark or tcpdump on this interface we will be able to see the transactions discussed above.
This tool discovers all active devices in an IPv4 range (usually a subnet) even if they are protected by software designed to hide the presence of the device: personal firewalls, operating system firewalls or other stealth programs. If you are using IPv4 over Ethernet or WiFi, the devices on your LAN must respond to ARP or they cannot communicate.
Specifying a list of IP addresses
It is possible to specify a list of IP addresses instead of using --localnet:
Specify a list of IP addresses
e.g. arp-scan -I <interface name> 192.168.1.1 192.168.1.2 192.168.1.3
Specify the inclusive address range in <start>-<end> format:
e.g. arp-scan -I <interface name> 192.168.1.3-192.168.1.27
Read the list of IP addresses from a file:
e.g. arp-scan -I <interface name> --file=ip-address-list.txt
If you send the ARP requests to an Ethernet multicast address, they will only be received by the systems that are listening on that multicast address. This can be used to find systems that are running in promiscuous mode, or that listen on particular multicast addresses.
The command below detects systems listening for OSPF packets (01:00:5e:00:00:05 is the Ethernet multicast address for the 224.0.0.5 "all OSPF routers" group):
arp-scan -I <interface name> --destaddr=01:00:5e:00:00:05 <host ip addresses>
With the command discussed in the previous section we can scan locally and get the list of hosts available in the local network. But this tool can do more. What if we don't want the other hosts to know that we are the one talking to them? Technically, how about hiding the MAC address of the host from which we execute the command? That way the other hosts responding to the request won't know whom they are talking to, but our host will still receive their replies.
To do this run the below command:
arp-scan -I <interface name> -g -S <spoofed MAC address> --localnet
Two more options have been added:
-g — suppresses duplicate responses
-S <spoofed MAC address> — we can give any MAC address we want. It is good to give a MAC address of all zeros.
Below is the sample output of the above command:
Now even if the other hosts monitor the network packets, they won't be able to see the MAC address of our machine: the source MAC address in the layer 3 header will be all zeros in the ARP request packet. But the layer 2 header will still carry the actual MAC address of the host from which we execute the above command.
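To make the two headers concrete, here is an added example (not code from the original post or from the arp-scan project) that decodes an ARP-over-Ethernet frame the way a tcpdump or Wireshark capture on the scanned interface would show it, and reports when the Ethernet source address and the ARP sender hardware address disagree, which is the signal a network monitor can use to recognise a scan with a spoofed sender address. The frame, MAC and IP values are constructed for the example.

```python
import struct

# Constructed sample: a 42-byte Ethernet II frame carrying an ARP request,
# with an all-zero ARP sender address but a real Ethernet source address.
ETH_SRC = bytes.fromhex("001122334455")   # hypothetical scanning host MAC
ARP_SHA = bytes.fromhex("000000000000")   # all-zero ARP sender hardware address
FRAME = (
    bytes.fromhex("ffffffffffff") + ETH_SRC + b"\x08\x06"   # dst, src, EtherType=ARP
    + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)              # htype, ptype, hlen, plen, op=request
    + ARP_SHA + bytes([192, 168, 1, 10])                      # sender MAC / sender IP
    + bytes(6) + bytes([192, 168, 1, 1])                      # target MAC (unknown) / target IP
)

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def decode_arp(frame: bytes) -> dict:
    """Decode Ethernet header + ARP body; raise ValueError for anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {
        "eth_src": mac(eth_src), "eth_dst": mac(eth_dst),
        "op": {1: "request", 2: "reply"}.get(op, f"op{op}"),
        "sender_mac": mac(sha), "sender_ip": ip(spa),
        "target_mac": mac(tha), "target_ip": ip(tpa),
    }

def sender_mismatch(frame: bytes) -> bool:
    """True when the ARP sender MAC differs from the Ethernet source MAC.
    A normal host fills both with its own address, so a mismatch is worth logging."""
    d = decode_arp(frame)
    return d["sender_mac"] != d["eth_src"]

if __name__ == "__main__":
    print(decode_arp(FRAME))
    print("sender/source mismatch:", sender_mismatch(FRAME))
```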
Arp-scan can be used on a WLAN interface as well. This is useful for tracking mobile devices, which are predominantly connected through WiFi.
Arp-scan has many more options than the ones shown here; they can be listed with the -h option.
In another blog post let us discuss something similar, but for IPv6 hosts.