Using ARP for Network Recon

Network Sleuth

© Lead Image © Andrea De Martin,

© Lead Image © Andrea De Martin,

Article from Issue 226/2019

When it comes to network recon, arp-scan allows you to collect device intel quickly and stealthily.

The most obvious thing system administrators and hackers have in common is the need for network reconnaissance (recon). In both cases, such recon needs to be carried out as quickly and with as little impact to users as possible. One such recon technique involves finding every network-connected device on a subnet. You might think that this is an easy task, but it isn't. The first tool everyone thinks of is ping. However, ping can be, and usually is, blocked from use against important network-connected devices such as routers, firewalls, switches, intrusion detection appliances, intrusion prevention appliances, servers, and even workstations. Ping is not an effective tool for finding every network-connected device. Instead, an effective solution is to use the Address Resolution Protocol (ARP). ARP maps IP addresses to MAC (hardware) addresses.

ARP is effective in finding all network-connected devices, because you cannot block ARP. ARP must be allowed on a network for proper host-to-host communications. It is this feature (or flaw) that makes ARP a valuable reconnaissance tool. Fortunately, some clever programmers developed an easy-to-use, command-line tool, called ARP Scan (arp-scan), that makes quick work of this type of reconnaissance. The only limitation of using ARP in this manner is that its use is confined to a local subnet. In other words, you can scan all devices on the subnet, but you cannot scan the network unless you scan from one of those addresses. To put it simply: ARP is non-routable.

ARP Provides a Wealth of Information

Although arp-scan is a very versatile tool, my use of it is usually limited to the following five general usage scenarios:

  • Discovery of all IPv4 network-connected devices.
  • Quickly identify and map IP addresses to MAC addresses.
  • Find duplicate IP addresses.
  • Isolate and locate rogue devices.
  • Identify devices by NIC vendor.

arp-scan can scan every address in a /22 (1,024 hosts) network and generate a report in under five seconds. Listing 1 shows the partial output of a typical ARP subnet scan, and the results from running arp-scan are displayed in columns: IP address, MAC address, and vendor. (I have obfuscated my actual MAC addresses with xx:xx:xx).

Listing 1

Partial Output of ARP Subnet Scan


As you can see from the sample arp-scan output in Listing 1, it provides a huge amount of information very quickly. Using this information, you can then perform a DNS lookup scan of all "live" IP addresses giving you enough information to identify every host on a subnet by name, IP address, MAC address, and NIC vendor.

As a system administrator, you can find rogue devices that users or outsiders have connected to your network. By having the MAC address, you can locate the switch port they are connected to and physically locate the device. arp-scan works equally well on wireless networks. It will be more difficult to locate a rogue device on a wireless network, but at least you have a good starting point from which to work. As a hacker, you now have all the information you need to spoof IP and MAC addresses and to exploit any vendor-related vulnerabilities. You also have a list of "live" IP addresses so that you could assign a free one to your rogue device, bypassing any required authentication protocol to obtain one via DHCP. And if your target uses MAC filtering, you can easily spoof one from your list.

What other information can you infer from this list? Using the vendor information, you can take a pretty good guess as to the device's operating system. This information is handy because a port scan can set off alarms on a well-monitored network. For system administrators who've obtained permission to do so, port scanning is not an issue.

At the end of each arp-scan report, the program provides valuable statistics to the user as shown below.

94 packets received by filter,
0 packets dropped by kernel
Ending arp-scan 1.9.2:
1024 hosts scanned in 4.759 seconds
(215.17 hosts/sec). 94 responded

This information is valuable because it informs the user of how many devices are alive and connected to this particular subnet. Ninety-four hosts provide a lot of fodder for a hacker looking for vulnerabilities. And remember that hackers don't just look for vulnerabilities in Windows, Linux, or macOS-based systems. An ARP sweep provides information about printers, network-attached storage devices, phones, postage meters, and any other network-connected device that might provide a vulnerability or an easy way to establish a presence on your network.

Installing arp-scan

Because arp-scan is a command-line only tool, you must either compile it from source or install it as a package using your distribution's package manager. arp-scan has two dependencies whether you're installing from source or using a package manager. You will need both automake and autoconf.

If you're a purist or if your distribution doesn't provide arp-scan as a package, you'll need to install from source.

  1. Run git clone to obtain the project source code.
  2. Run cd arp-scan to enter source directory.
  3. Run autoreconf --install to generate a viable ./configure file.
  4. Run ./configure to generate a makefile for your system.
  5. Run make to build the project. (Optionally run make check to verify that everything works as expected.)
  6. Run make install to install (you'll need root or sudo for this part).

For example, to install a distribution package on CentOS/Red Hat, use:

sudo yum -y install arp-scan

To check usage options, use the following:

arp-scan --help


man arp-scan

Using arp-scan on a Subnet

A good place to begin is to run a complete scan of your local network. You must run the arp-scan tool as root.

sudo arp-scan --localnet

If you receive an error at this point, be sure that you are running the arp-scan tool as root. If you are running as root and you receive an interface error, issue the ifconfig command to identify your network devices. For example: eth0, em1, or enp0s3. And use the --I option to specify which network device with which you're scanning. Remember that you can use any interface for scanning including wireless, such as wlan0.

The command in Listing 2 is equivalent to the one given above but specifies the network interface and the subnet.

Listing 2

Network Interface and Subnet Scan


Unknown devices are not necessarily rogue; they are simply not in the arp-scan vendor databases. To identify a device, you can use one of the online MAC finder sites. You only need to provide the first three octets. For example, one of Apple, Inc.'s Organizationally Unique Identifiers (OUI) is 10:dd:b1; The unknown OUI 84:a9:3e in Listing 2 is Hewlett Packard. My guess as to why arp-scan didn't identify this vendor is that the HP printer that I have connected to my network is too new and its OUI is not yet in the arp-scan database.

Alternatively, you can update the arp-scan databases. There are two methods for updating the databases. The first method, is:

cd /usr/share/arp-scan
sudo get-iab -v -u
sudo get-oui -v -u

This process might fail. If it does, use the second method:

cd /usr/share/arp-scan
sudo wget
sudo wget

The second method is slow, so be patient.

Also, the second method delivers the updates in a format that cannot be used by arp-scan directly. You have to convert it:

sudo get-iab --u
sudo get-oui --u file:///usr/share/arp-scan/oui.txt

These commands convert the raw iab.txt and oui.txt to ieee-iab.txt and ieee-oui.txt. You do not have to convert the files if the first method works for you. The get scripts perform that function.

Now, run the arp-scan command again as shown in Listing 3, which shows that the update has accurately identified all devices on my network.

Listing 3

Identifying Network Devices


The final scenario that I use arp-scan for is in finding duplicate IP addresses. This is a great feature for locating a device with a duplicate IP address if you have a mixed static and DHCP network like many of us do. You can easily find duplicates by filtering a scan as in Listing 4.

Listing 4

Finding Duplicate IP Addresses


By using the MAC address, you can check your switches to find the device with the duplicate IP address and fix the problem.

This introduction to arp-scan gives you an overview of this tool's power for network device reconnaissance. For me, arp-scan is an essential system administrator tool. If I were a hacker or pen tester, it would also be one of my favorite recon tools to gain as much information as quickly and as stealthily as possible. Please remember to use this and other security tools responsibly and always get permission to run them on your network.

Special Thanks

This article was made possible by support from Linux Professional Institute.

The Author

Ken Hess is a freelance technical writer and journalist. He covers a variety of open source topics, including Linux databases, and virtualization. You can reach him via his website at [].

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Using ARP for Network Recon

    When it comes to network recon, arp-scan allows you to collect device intel quickly and stealthily.

  • Scanning with Zenmap

    Discover your network with the user-friendly Zenmap network scanner.

  • Nmap Methods

    How does the popular Nmap scanner identify holes in network security? In this article, we examine some Nmap analysis techniques.

  • Dr. Portscan

    Regularly scanning the ports on your own network prevents intruders from sneaking in, but if you have dozens or hundreds of servers, you'll need professional help: Dr. Portscan to the rescue.

  • News

    Fedora Project announces Fedora 30; the Apache Software Foundation completes migration to GitHub; Canonical combines its services in a single package; Black Hole Image has an open source connection; Ubuntu 19.04 released; Linux Mint founder calls for better developer support; and VMware patches critical vulnerabilities.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95