Network Sleuth
Using ARP for Network Recon
When it comes to network recon, arp-scan allows you to collect device intel quickly and stealthily.
Special Thanks: This article was made possible by support from Linux Professional Institute
The most obvious thing system administrators and hackers have in common is the need for network reconnaissance (recon). In both cases, such recon needs to be carried out as quickly and with as little impact to users as possible. One such recon technique involves finding every network-connected device on a subnet. You might think that this is an easy task, but it isn’t. The first tool everyone thinks of is ping. However, ping can be, and usually is, blocked from use against important network-connected devices such as routers, firewalls, switches, intrusion detection appliances, intrusion prevention appliances, servers, and even workstations. Ping is not an effective tool for finding every network-connected device. Instead, an effective solution is to use the Address Resolution Protocol (ARP). ARP maps IP addresses to MAC (hardware) addresses.
ARP is effective in finding all network-connected devices, because you cannot block ARP. ARP must be allowed on a network for proper host-to-host communications. It is this feature (or flaw) that makes ARP a valuable reconnaissance tool. Fortunately, some clever programmers developed an easy-to-use, command-line tool, called ARP Scan (arp-scan), that makes quick work of this type of reconnaissance. The only limitation of using ARP in this manner is that its use is confined to a local subnet. In other words, you can scan all devices on the 192.168.1.0/24 subnet, but you cannot scan the 192.168.2.0/24 network unless you scan from one of those 192.168.2.xxx addresses. To put it simply: ARP is non-routable.
ARP Provides a Wealth of Information
Although arp-scan is a very versatile tool, my use of it is usually limited to the following five general usage scenarios:
- Discovery of all IPv4 network-connected devices.
- Quickly identify and map IP addresses to MAC addresses.
- Find duplicate IP addresses.
- Isolate and locate rogue devices.
- Identify devices by NIC vendor.
arp-scan can scan every address in a /22 (1,024 hosts) network and generate a report in under five seconds. Listing 1 shows the partial output of a typical ARP subnet scan, and the results from running arp-scan are displayed in columns: IP address, MAC address, and vendor. (I have obfuscated my actual MAC addresses with xx:xx:xx).
Listing 1
Partial Output of typical ARP Subnet Scan
192.168.1.1     3c:0e:23:xx:xx:xx   Cisco Systems, Inc
192.168.1.2     b8:27:eb:xx:xx:xx   Raspberry Pi Foundation
192.168.1.3     0c:c4:7a:xx:xx:xx   Super Micro Computer, Inc.
192.168.1.4     00:15:5d:xx:xx:xx   Microsoft Corporation
192.168.1.5     00:04:ac:xx:xx:xx   IBM Corp
192.168.1.7     00:15:5d:xx:xx:xx   Microsoft Corporation
192.168.1.11    5c:f9:dd:xx:xx:xx   Dell Inc.
192.168.1.12    00:21:9b:xx:xx:xx   Dell Inc.
192.168.1.18    00:21:9b:xx:xx:xx   Dell Inc.
192.168.1.20    00:1e:2a:xx:xx:xx   NETGEAR
192.168.1.26    00:15:17:xx:xx:xx   Intel Corporate
As you can see from the sample arp-scan output in Listing 1, it provides a huge amount of information very quickly. Using this information, you can then perform a DNS lookup scan of all “live” IP addresses giving you enough information to identify every host on a subnet by name, IP address, MAC address, and NIC vendor.
As a system administrator, you can find rogue devices that users or outsiders have connected to your network. By having the MAC address, you can locate the switch port they are connected to and physically locate the device. arp-scan works equally well on wireless networks. It will be more difficult to locate a rogue device on a wireless network, but at least you have a good starting point from which to work. As a hacker, you now have all the information you need to spoof IP and MAC addresses and to exploit any vendor-related vulnerabilities. You also have a list of “live” IP addresses so that you could assign a free one to your rogue device, bypassing any required authentication protocol to obtain one via DHCP. And if your target uses MAC filtering, you can easily spoof one from your list.
What other information can you infer from this list? Using the vendor information, you can take a pretty good guess as to the device’s operating system. This information is handy because a port scan can set off alarms on a well-monitored network. For system administrators who’ve obtained permission to do so, port scanning is not an issue.
At the end of each arp-scan report, the program provides valuable statistics to the user as shown below.
94 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.2: 1024 hosts scanned in 4.759 seconds (215.17 hosts/sec). 94 responded
This information is valuable because it informs the user of how many devices are alive and connected to this particular subnet. Ninety-four hosts provide a lot of fodder for a hacker looking for vulnerabilities. And remember that hackers don’t just look for vulnerabilities in Windows, Linux, or macOS-based systems. An ARP sweep provides information about printers, network-attached storage devices, phones, postage meters, and any other network-connected device that might provide a vulnerability or an easy way to establish a presence on your network.
Installing arp-scan
Because arp-scan is a command-line only tool, you must either compile it from source or install it as a package using your distribution’s package manager. arp-scan has two dependencies whether you’re installing from source or using a package manager. You will need both automake and autoconf.
If you’re a purist or if your distribution doesn’t provide arp-scan as a package, you’ll need to install from source.
- Run git clone https://github.com/royhills/arp-scan.git to obtain the project source code.
- Run cd arp-scan to enter the source directory.
- Run autoreconf --install to generate a working ./configure script.
- Run ./configure to generate a makefile for your system.
- Run make to build the project. (Optionally run make check to verify that everything works as expected.)
- Run make install to install (you’ll need root or sudo for this part).
For example, to install a distribution package on CentOS/Red Hat, use:
sudo yum -y install arp-scan
To check usage options, use the following:
arp-scan --help
or
man arp-scan
Using arp-scan on a Subnet
A good place to begin is to run a complete scan of your local network. You must run the arp-scan tool as root.
sudo arp-scan --localnet
If you receive an error at this point, be sure that you are running the arp-scan tool as root. If you are running as root and you still receive an interface error, issue the ifconfig command to identify your network interfaces (for example, eth0, em1, or enp0s3) and use the -I option to specify the interface to scan from. Remember that you can use any interface for scanning, including a wireless one such as wlan0.
The command in Listing 2 is equivalent to the one given above but specifies the network interface and the subnet.
Listing 2
Running a Network Interface and Subnet Scan
sudo arp-scan -I enp0s3 192.168.1.0/24
Interface: enp0s3, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.2 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
192.168.1.81    10:dd:b1:xx:xx:xx   Apple, Inc.
192.168.1.64    60:30:d4:xx:xx:xx   (Unknown)
192.168.1.69    28:cf:e9:xx:xx:xx   Apple, Inc.
192.168.1.71    dc:68:eb:xx:xx:xx   (Unknown)
192.168.1.72    88:71:e5:xx:xx:xx   (Unknown)
192.168.1.76    8c:70:5a:xx:xx:xx   Intel Corporate
192.168.1.75    84:a9:3e:xx:xx:xx   (Unknown)
192.168.1.79    cc:6d:a0:xx:xx:xx   Roku, Inc.
192.168.1.86    cc:6d:a0:xx:xx:xx   Roku, Inc.

10 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.2: 256 hosts scanned in 1.939 seconds (132.03 hosts/sec). 10 responded
Unknown devices are not necessarily rogue; they are simply not in the arp-scan vendor databases. To identify a device, you can use one of the online MAC finder sites. You only need to provide the first three octets. For example, one of Apple, Inc.’s Organizationally Unique Identifiers (OUI) is 10:dd:b1. The unknown OUI 84:a9:3e in Listing 2 is Hewlett Packard. My guess as to why arp-scan didn’t identify this vendor is that the HP printer that I have connected to my network is too new and its OUI is not yet in the arp-scan database.
Alternatively, you can update the arp-scan databases. There are two methods for updating the databases. The first method is:
cd /usr/share/arp-scan
sudo get-iab -v -u http://standards.ieee.org/develop/regauth/iab/iab.txt
sudo get-oui -v -u http://standards.ieee.org/develop/regauth/oui/oui.txt
This process might fail. If it does, use the second method:
cd /usr/share/arp-scan
sudo wget http://standards.ieee.org/develop/regauth/oui/oui.txt
sudo wget http://standards.ieee.org/develop/regauth/iab/iab.txt
The second method is slow, so be patient.
Also, the second method delivers the updates in a format that cannot be used by arp-scan directly. You have to convert it:
sudo get-iab -u
sudo get-oui -u file:///usr/share/arp-scan/oui.txt
These commands convert the raw iab.txt and oui.txt to ieee-iab.txt and ieee-oui.txt. You do not have to convert the files if the first method works for you. The get scripts perform that function.
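To make the vendor lookup concrete, here is an added example (it is not the article's code and not part of the arp-scan project) that parses an excerpt in the IEEE oui.txt layout into an OUI-to-vendor table and resolves a MAC address against it, returning "(Unknown)" exactly as arp-scan does when the prefix is missing. The registry excerpt is constructed, and the tab-separated output layout is an assumption about what ieee-oui.txt looks like; check it against the real file before replacing one.

```python
"""Build a vendor lookup table from the IEEE OUI registry text format.

Added example, not code from the article or from the arp-scan project.
The registry excerpt below is constructed in the layout of the IEEE
oui.txt file (one "(hex)" line per assignment followed by address lines).
The "OUI<TAB>Vendor" output layout is an assumption about arp-scan's
ieee-oui.txt and should be verified against the real file.
"""
import re

# Constructed excerpt mimicking the IEEE oui.txt layout.
SAMPLE_OUI_TXT = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

10-DD-B1   (hex)\t\tApple, Inc.
10DDB1     (base 16)\t\tApple, Inc.
\t\t\t\t1 Infinite Loop
\t\t\t\tCupertino  CA  95014
\t\t\t\tUS

84-A9-3E   (hex)\t\tHewlett Packard
84A93E     (base 16)\t\tHewlett Packard
\t\t\t\t11445 Compaq Center Drive
\t\t\t\tHouston  TX  77070
\t\t\t\tUS
"""

# Only the "(hex)" line of each record carries the assignment we need.
HEX_LINE_RE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$"
)


def parse_oui_registry(text):
    """Map a 6-hex-digit OUI (upper case, no separators) to its organization."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE_RE.match(line)
        if m:
            table["".join(m.group(1, 2, 3))] = m.group(4)
    return table


def to_ieee_oui_lines(table):
    """Render the table as 'OUI<TAB>Vendor' lines (assumed arp-scan layout)."""
    return [f"{oui}\t{vendor}" for oui, vendor in sorted(table.items())]


def normalize_oui(mac):
    """Accept aa:bb:cc:..., AA-BB-CC-... or aabbcc...; return the first 24 bits.

    Non-hex characters are dropped, so the article's obfuscated
    '84:a9:3e:xx:xx:xx' form still resolves on its first three octets.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) < 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits[:6].upper()


def lookup_vendor(table, mac):
    """Return the vendor string, or '(Unknown)' as arp-scan prints it."""
    return table.get(normalize_oui(mac), "(Unknown)")


if __name__ == "__main__":
    table = parse_oui_registry(SAMPLE_OUI_TXT)
    print("\n".join(to_ieee_oui_lines(table)))
    for mac in ("84:a9:3e:xx:xx:xx", "10-DD-B1-00-00-00", "dc:68:eb:00:00:00"):
        print(mac, "->", lookup_vendor(table, mac))
```

A device that resolves to "(Unknown)" after an update is worth a second look, but as the article notes that alone does not make it rogue; the lookup only tells you who made the NIC.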
Now, run the arp-scan command again as shown in Listing 3, which shows that the update has accurately identified all devices on my network.
Listing 3
Accurately Identifying All Devices on a Network
sudo arp-scan -I enp0s3 192.168.1.0/24
Interface: enp0s3, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.2 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
192.168.1.81    10:dd:b1:xx:xx:xx   Apple, Inc.
192.168.1.75    84:a9:3e:xx:xx:xx   Hewlett Packard
192.168.1.69    28:cf:e9:xx:xx:xx   Apple, Inc.
192.168.1.76    8c:70:5a:xx:xx:xx   Intel Corporate
192.168.1.79    cc:6d:a0:xx:xx:xx   Roku, Inc.
192.168.1.71    dc:68:eb:xx:xx:xx   Nintendo Co.,Ltd
192.168.1.86    cc:6d:a0:xx:xx:xx   Roku, Inc.
192.168.1.72    88:71:e5:xx:xx:xx   Amazon Technologies Inc.

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.2: 256 hosts scanned in 1.953 seconds (131.08 hosts/sec). 9 responded
The final scenario that I use arp-scan for is in finding duplicate IP addresses. This is a great feature for locating a device with a duplicate IP address if you have a mixed static and DHCP network like many of us do. You can easily find duplicates by filtering a scan with:
sudo arp-scan -I enp0s3 192.168.1.0/24 | grep -i dup
192.168.1.81    10:dd:b1:xx:xx:xx   Apple, Inc. (DUP.)
192.168.1.81    84:a9:3e:xx:xx:xx   Hewlett Packard (DUP. 2)
By using the MAC address, you can check your switches to find the device with the duplicate IP address and fix the problem.
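The five scenarios listed earlier (inventory, IP-to-MAC mapping, duplicate IPs, rogue devices, vendor identification) and the duplicate-IP check just shown all reduce to post-processing the three-column arp-scan output. The following added example (not the article's code and not part of the arp-scan project) parses saved arp-scan output, rebuilds the duplicate-IP detection from the data itself so it also works on a report captured earlier, lists unknown vendors, and diffs the responders against an administrator's inventory of known MAC addresses. The sample output and the inventory are constructed; the MAC suffixes are made up in place of the article's obfuscated xx:xx:xx values.

```python
"""Post-process arp-scan output into an inventory and flag anomalies.

Added example, not code from the article or from the arp-scan project.
SAMPLE_OUTPUT and KNOWN_MACS are constructed test data.
"""
import re
from collections import defaultdict

# Constructed sample in the three-column layout arp-scan prints
# (IP, MAC, vendor), including the "(DUP. n)" marker arp-scan appends
# when a second reply arrives for an IP it has already listed.
SAMPLE_OUTPUT = """\
Interface: enp0s3, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.2 with 256 hosts
192.168.1.81\t10:dd:b1:00:00:01\tApple, Inc.
192.168.1.64\t60:30:d4:00:00:02\t(Unknown)
192.168.1.75\t84:a9:3e:00:00:03\tHewlett Packard
192.168.1.79\tcc:6d:a0:00:00:04\tRoku, Inc.
192.168.1.81\t84:a9:3e:00:00:05\tHewlett Packard (DUP. 2)
192.168.1.99\tb8:27:eb:00:00:06\tRaspberry Pi Foundation

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.2: 256 hosts scanned in 1.939 seconds (132.03 hosts/sec). 6 responded
"""

# Constructed administrator inventory: MACs that are expected on this subnet.
KNOWN_MACS = [
    "10:dd:b1:00:00:01",
    "60:30:d4:00:00:02",
    "84:a9:3e:00:00:03",
    "cc:6d:a0:00:00:04",
]

# Host lines start with an IPv4 address, then a colon-separated MAC, then the
# vendor string, optionally followed by arp-scan's duplicate marker.
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<vendor>.*?)(?:\s+(?P<dup>\(DUP\.(?:\s*\d+)?\)))?$",
    re.IGNORECASE,
)


def parse_arp_scan(text):
    """Return one dict per host line; banner and summary lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hosts.append({
            "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
            "vendor": m.group("vendor"),
            "dup": m.group("dup") is not None,
        })
    return hosts


def duplicate_ips(hosts):
    """IPs answered by more than one MAC, computed from the data rather than
    from arp-scan's marker, so it also works on output saved without it."""
    macs_by_ip = defaultdict(set)
    for h in hosts:
        macs_by_ip[h["ip"]].add(h["mac"])
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def unknown_vendors(hosts):
    """Responders whose OUI is not in the arp-scan vendor database."""
    return [h for h in hosts if h["vendor"] == "(Unknown)"]


def rogue_candidates(hosts, known_macs):
    """Responders whose MAC is absent from the inventory; candidates for a
    switch-port lookup, not proof of a rogue device."""
    known = {m.lower() for m in known_macs}
    return [h for h in hosts if h["mac"] not in known]


def vendor_summary(hosts):
    """Count responders per vendor string."""
    counts = defaultdict(int)
    for h in hosts:
        counts[h["vendor"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hosts = parse_arp_scan(SAMPLE_OUTPUT)
    print(f"{len(hosts)} responses parsed")
    for ip, macs in duplicate_ips(hosts).items():
        print(f"DUPLICATE IP {ip}: {', '.join(macs)}")
    for h in unknown_vendors(hosts):
        print(f"UNKNOWN VENDOR {h['ip']} {h['mac']} (look up OUI {h['mac'][:8]})")
    for h in rogue_candidates(hosts, KNOWN_MACS):
        print(f"NOT IN INVENTORY {h['ip']} {h['mac']} {h['vendor']}")
    for vendor, n in sorted(vendor_summary(hosts).items()):
        print(f"{n:3d}  {vendor}")
```

Run it against a saved report with `sudo arp-scan -I enp0s3 192.168.1.0/24 > scan.txt` and feed the file contents to parse_arp_scan in place of SAMPLE_OUTPUT; keeping a dated copy of each scan lets the inventory diff show what appeared since the last run.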
This introduction to arp-scan gives you an overview of this tool's power for network device reconnaissance. For me, arp-scan is an essential system administrator tool. If I were a hacker or pen tester, it would also be one of my favorite recon tools to gain as much information as quickly and as stealthily as possible. Please remember to use this and other security tools responsibly and always get permission to run them on your network.