Using ARP for Network Recon

Special Thanks: This article was made possible by support from Linux Professional Institute

The most obvious thing system administrators and hackers have in common is the need for network reconnaissance (recon). In both cases, such recon needs to be carried out as quickly and with as little impact to users as possible. One such recon technique involves finding every network-connected device on a subnet. You might think that this is an easy task, but it isn’t. The first tool everyone thinks of is ping. However, ping can be, and usually is, blocked from use against important network-connected devices such as routers, firewalls, switches, intrusion detection appliances, intrusion prevention appliances, servers, and even workstations. Ping is not an effective tool for finding every network-connected device. Instead, an effective solution is to use the Address Resolution Protocol (ARP). ARP maps IP addresses to MAC (hardware) addresses.

ARP is effective in finding all network-connected devices, because you cannot block ARP. ARP must be allowed on a network for proper host-to-host communications. It is this feature (or flaw) that makes ARP a valuable reconnaissance tool. Fortunately, some clever programmers developed an easy-to-use, command-line tool, called ARP Scan (arp-scan), that makes quick work of this type of reconnaissance. The only limitation of using ARP in this manner is that its use is confined to a local subnet. In other words, you can scan all devices on the 192.168.1.0/24 subnet, but you cannot scan the 192.168.2.0/24 network unless you scan from one of those 192.168.2.xxx addresses. To put it simply: ARP is non-routable.

ARP Provides a Wealth of Information

Although arp-scan is a very versatile tool, my use of it is usually limited to the following five general usage scenarios:

• Discovery of all IPv4 network-connected devices.
• Quickly identify and map IP addresses to MAC addresses.
• Find duplicate IP addresses.
• Isolate and locate rogue devices.
• Identify devices by NIC vendor.

arp-scan can scan every address in a /22 (1,024 hosts) network and generate a report in under five seconds. Listing 1 shows the partial output of a typical ARP subnet scan, and the results from running arp-scan are displayed in columns: IP address, MAC address, and vendor. (I have obfuscated my actual MAC addresses with xx:xx:xx).

192.168.1.1   3c:0e:23:xx:xx:xx  Cisco Systems, Inc
192.168.1.2   b8:27:eb:xx:xx:xx  Raspberry Pi Foundation
192.168.1.3   0c:c4:7a:xx:xx:xx  Super Micro Computer, Inc.
192.168.1.4   00:15:5d:xx:xx:xx  Microsoft Corporation
192.168.1.5   00:04:ac:xx:xx:xx  IBM Corp
192.168.1.7   00:15:5d:xx:xx:xx  Microsoft Corporation
192.168.1.11  5c:f9:dd:xx:xx:xx  Dell Inc.
192.168.1.12  00:21:9b:xx:xx:xx  Dell Inc.
192.168.1.18  00:21:9b:xx:xx:xx  Dell Inc.
192.168.1.20  00:1e:2a:xx:xx:xx  NETGEAR
192.168.1.26  00:15:17:xx:xx:xx  Intel Corporate

As you can see from the sample arp-scan output in Listing 1, it provides a huge amount of information very quickly. Using this information, you can then perform a DNS lookup scan of all “live” IP addresses giving you enough information to identify every host on a subnet by name, IP address, MAC address, and NIC vendor.

As a system administrator, you can find rogue devices that users or outsiders have connected to your network. By having the MAC address, you can locate the switch port they are connected to and physically locate the device. arp-scan works equally well on wireless networks. It will be more difficult to locate a rogue device on a wireless network, but at least you have a good starting point from which to work. As a hacker, you now have all the information you need to spoof IP and MAC addresses and to exploit any vendor-related vulnerabilities. You also have a list of “live” IP addresses so that you could assign a free one to your rogue device, bypassing any required authentication protocol to obtain one via DHCP. And if your target uses MAC filtering, you can easily spoof one from your list.

What other information can you infer from this list? Using the vendor information, you can take a pretty good guess as to the device’s operating system. This information is handy because a port scan can set off alarms on a well-monitored network. For system administrators who’ve obtained permission to do so, port scanning is not an issue.

At the end of each arp-scan report, the program provides valuable statistics to the user as shown below.

94 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.2: 1024 hosts scanned in 4.759 seconds
(215.17 hosts/sec). 94 responded

This information is valuable because it informs the user of how many devices are alive and connected to this particular subnet. Ninety-four hosts provide a lot of fodder for a hacker looking for vulnerabilities. And remember that hackers don’t just look for vulnerabilities in Windows, Linux, or macOS-based systems. An ARP sweep provides information about printers, network-attached storage devices, phones, postage meters, and any other network-connected device that might provide a vulnerability or an easy way to establish a presence on your network.

Installing arp-scan

Because arp-scan is a command-line only tool, you must either compile it from source or install it as a package using your distribution’s package manager. arp-scan has two dependencies whether you’re installing from source or using a package manager. You will need both automake and autoconf.

If you’re a purist or if your distribution doesn’t provide arp-scan as a package, you’ll need to install from source.

1. Run git clone https://github.com/royhills/arp-scan.git to obtain the project source code.
2. Run cd arp-scan to enter source directory.
3. Run autoreconf --install to generate a viable ./configure file.
4. Run ./configure to generate a makefile for your system.
5. Run make to build the project. (Optionally run make check to verify that everything works as expected.)
6. Run make install to install (you’ll need root or sudo for this part).

For example, to install a distribution package on CentOS/Red Hat, use:

sudo yum -y install arp-scan

To check usage options, use the following:

arp-scan - -help

or

man arp-scan

Using arp-scan on a Subnet

A good place to begin is to run a complete scan of your local network. You must run the arp-scan tool as root.

sudo arp-scan --localnet

If you receive an error at this point, be sure that you are running the arp-scan tool as root. If you are running as root and you receive an interface error, issue the ifconfig command to identify your network devices. For example: eth0, em1, or enp0s3. And use the –I option to specify which network device with which you’re scanning. Remember that you can use any interface for scanning including wireless, such as wlan0.

The command in Listing 2 is equivalent to the one given above but specifies the network interface and the subnet.

sudo arp-scan -I enp0s3 192.168.1.0/24

Interface: enp0s3, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.2 with 256 hosts (http://www.nta-monitor.com/
  tools-resources/security-tools/arp-scan/)

192.168.1.81  10:dd:b1:xx:xx:xx  Apple, Inc.
192.168.1.64  60:30:d4:xx:xx:xx  (Unknown)
192.168.1.69  28:cf:e9:xx:xx:xx  Apple, Inc.
192.168.1.71  dc:68:eb:xx:xx:xx  (Unknown)
192.168.1.72  88:71:e5:xx:xx:xx  (Unknown)
192.168.1.76  8c:70:5a:xx:xx:xx  Intel Corporate
192.168.1.75  84:a9:3e:xx:xx:xx  (Unknown)
192.168.1.79  cc:6d:a0:xx:xx:xx  Roku, Inc.
192.168.1.86  cc:6d:a0:xx:xx:xx  Roku, Inc.

10 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.2: 256 hosts scanned in 1.939 seconds
  (132.03 hosts/sec). 10 responded

Unknown devices are not necessarily rogue; they are simply not in the arp-scan vendor databases. To identify a device, you can use one of the online MAC finder sites. You only need to provide the first three octets. For example, one of Apple, Inc.’s Organizationally Unique Identifiers (OUI) is 10:dd:b1; The unknown OUI 84:a9:3e in Listing 2 is Hewlett Packard. My guess as to why arp-scan didn’t identify this vendor is that the HP printer that I have connected to my network is too new and its OUI is not yet in the arp-scan database.

Alternatively, you can update the arp-scan databases. There are two methods for updating the databases. The first method, is:

cd /usr/share/arp-scan
sudo get-iab -v -u http://standards.ieee.org/develop/regauth/iab/iab.txt
sudo get-oui -v -u http://standards.ieee.org/develop/regauth/oui/oui.txt

This process might fail. If it does, use second method:

cd /usr/share/arp-scan
sudo wget http://standards.ieee.org/develop/regauth/oui/oui.txt
sudo wget http://standards.ieee.org/develop/regauth/iab/iab.txt

The second method is slow, so be patient.

Also, the second method delivers the updates in a format that cannot be used by arp-scan directly. You have to convert it:

sudo get-iab –u
sudo get-oui –u file:///usr/share/arp-scan/oui.txt

These commands convert the raw iab.txt and oui.txt to ieee-iab.txt and ieee-oui.txt. You do not have to convert the files if the first method works for you. The get scripts perform that function.

Now, run the arp-scan command again as shown in Listing 3, which shows that the update has accurately identified all devices on my network.

sudo arp-scan -I enp0s3 192.168.1.0/24
Interface: enp0s3, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.2 with 256 hosts (http://www.nta-monitor.com/
  tools-resources/security-tools/arp-scan/)
192.168.1.81  10:dd:b1:xx:xx:xx  Apple, Inc.
192.168.1.75  84:a9:3e:xx:xx:xx  Hewlett Packard
192.168.1.69  28:cf:e9:xx:xx:xx  Apple, Inc.
192.168.1.76  8c:70:5a:xx:xx:xx  Intel Corporate
192.168.1.79  cc:6d:a0:xx:xx:xx  Roku, Inc.
192.168.1.71  dc:68:eb:xx:xx:xx  Nintendo Co.,Ltd
192.168.1.86  cc:6d:a0:xx:xx:xx  Roku, Inc.
192.168.1.72  88:71:e5:xx:xx:xx  Amazon Technologies Inc.

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.2: 256 hosts scanned in 1.953 seconds 
(131.08 hosts/sec). 9 responded

The final scenario that I use arp-scan for is in finding duplicate IP addresses. This is a great feature for locating a device with a duplicate IP address if you have a mixed static and DHCP network like many of us do. You can easily find duplicates by filtering a scan with:

sudo arp-scan -I enp0s3 192.168.1.0/24 |grep –i dup
192.168.1.81  10:dd:b1:xx:xx:xx  Apple, Inc. (DUP.)
192.168.1.81  84:a9:3e:xx:xx:xx  Hewlett Packard (DUP. 2)

By using the MAC address, you can check your switches to find the device with the duplicate IP address and fix the problem.

This introduction to arp-scan gives you an overview of this tool's power for network device reconnaissance. For me, arp-scan is an essential system administrator tool. If I were a hacker or pen tester, it would also be one of my favorite recon tools to gain as much information as quickly and as stealthily as possible. Please remember to use this and other security tools responsibly and always get permission to run them on your network.