Using ARP for Network Recon
Network Sleuth
When it comes to network recon, arp-scan allows you to collect device intel quickly and stealthily.
The most obvious thing system administrators and hackers have in common is the need for network reconnaissance (recon). In both cases, such recon needs to be carried out as quickly and with as little impact to users as possible. One such recon technique involves finding every network-connected device on a subnet. You might think that this is an easy task, but it isn't. The first tool everyone thinks of is ping. However, ping can be, and usually is, blocked from use against important network-connected devices such as routers, firewalls, switches, intrusion detection appliances, intrusion prevention appliances, servers, and even workstations. Ping is not an effective tool for finding every network-connected device. Instead, an effective solution is to use the Address Resolution Protocol (ARP). ARP maps IP addresses to MAC (hardware) addresses.
ARP is effective in finding all network-connected devices, because you cannot block ARP. ARP must be allowed on a network for proper host-to-host communications. It is this feature (or flaw) that makes ARP a valuable reconnaissance tool. Fortunately, some clever programmers developed an easy-to-use, command-line tool, called ARP Scan (arp-scan
), that makes quick work of this type of reconnaissance. The only limitation of using ARP in this manner is that its use is confined to a local subnet. In other words, you can scan all devices on the 192.168.1.0/24 subnet, but you cannot scan the 192.168.2.0/24 network unless you scan from one of those 192.168.2.xxx addresses. To put it simply: ARP is non-routable.
ARP Provides a Wealth of Information
Although arp-scan
is a very versatile tool, my use of it is usually limited to the following five general usage scenarios:
- Discovery of all IPv4 network-connected devices.
- Quickly identify and map IP addresses to MAC addresses.
- Find duplicate IP addresses.
- Isolate and locate rogue devices.
- Identify devices by NIC vendor.
arp-scan
can scan every address in a /22 (1,024 hosts) network and generate a report in under five seconds. Listing 1 shows the partial output of a typical ARP subnet scan, and the results from running arp-scan
are displayed in columns: IP address, MAC address, and vendor. (I have obfuscated my actual MAC addresses with xx:xx:xx
).
Listing 1
Partial Output of ARP Subnet Scan
As you can see from the sample arp-scan
output in Listing 1, it provides a huge amount of information very quickly. Using this information, you can then perform a DNS lookup scan of all "live" IP addresses giving you enough information to identify every host on a subnet by name, IP address, MAC address, and NIC vendor.
As a system administrator, you can find rogue devices that users or outsiders have connected to your network. By having the MAC address, you can locate the switch port they are connected to and physically locate the device. arp-scan
works equally well on wireless networks. It will be more difficult to locate a rogue device on a wireless network, but at least you have a good starting point from which to work. As a hacker, you now have all the information you need to spoof IP and MAC addresses and to exploit any vendor-related vulnerabilities. You also have a list of "live" IP addresses so that you could assign a free one to your rogue device, bypassing any required authentication protocol to obtain one via DHCP. And if your target uses MAC filtering, you can easily spoof one from your list.
What other information can you infer from this list? Using the vendor information, you can take a pretty good guess as to the device's operating system. This information is handy because a port scan can set off alarms on a well-monitored network. For system administrators who've obtained permission to do so, port scanning is not an issue.
At the end of each arp-scan
report, the program provides valuable statistics to the user as shown below.
94 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.9.2: 1024 hosts scanned in 4.759 seconds (215.17 hosts/sec). 94 responded
This information is valuable because it informs the user of how many devices are alive and connected to this particular subnet. Ninety-four hosts provide a lot of fodder for a hacker looking for vulnerabilities. And remember that hackers don't just look for vulnerabilities in Windows, Linux, or macOS-based systems. An ARP sweep provides information about printers, network-attached storage devices, phones, postage meters, and any other network-connected device that might provide a vulnerability or an easy way to establish a presence on your network.
Installing arp-scan
Because arp-scan
is a command-line only tool, you must either compile it from source or install it as a package using your distribution's package manager. arp-scan
has two dependencies whether you're installing from source or using a package manager. You will need both automake
and autoconf
.
If you're a purist or if your distribution doesn't provide arp-scan
as a package, you'll need to install from source.
- Run
git clone https://github.com/royhills/arp-scan.git
to obtain the project source code. - Run
cd arp-scan
to enter source directory. - Run
autoreconf --install
to generate a viable./configure
file. - Run
./configure
to generate amakefile
for your system. - Run
make
to build the project. (Optionally runmake check
to verify that everything works as expected.) - Run
make install
to install (you'll need root or sudo for this part).
For example, to install a distribution package on CentOS/Red Hat, use:
sudo yum -y install arp-scan
To check usage options, use the following:
arp-scan --help
or
man arp-scan
Using arp-scan on a Subnet
A good place to begin is to run a complete scan of your local network. You must run the arp-scan
tool as root.
sudo arp-scan --localnet
If you receive an error at this point, be sure that you are running the arp-scan tool as root. If you are running as root and you receive an interface error, issue the ifconfig
command to identify your network devices. For example: eth0
, em1
, or enp0s3
. And use the --I
option to specify which network device with which you're scanning. Remember that you can use any interface for scanning including wireless, such as wlan0
.
The command in Listing 2 is equivalent to the one given above but specifies the network interface and the subnet.
Listing 2
Network Interface and Subnet Scan
Unknown devices are not necessarily rogue; they are simply not in the arp-scan
vendor databases. To identify a device, you can use one of the online MAC finder sites. You only need to provide the first three octets. For example, one of Apple, Inc.'s Organizationally Unique Identifiers (OUI) is 10:dd:b1
; The unknown OUI 84:a9:3e
in Listing 2 is Hewlett Packard. My guess as to why arp-scan
didn't identify this vendor is that the HP printer that I have connected to my network is too new and its OUI is not yet in the arp-scan
database.
Alternatively, you can update the arp-scan
databases. There are two methods for updating the databases. The first method, is:
cd /usr/share/arp-scan sudo get-iab -v -u http://standards.ieee.org/develop/regauth/iab/iab.txt sudo get-oui -v -u http://standards.ieee.org/develop/regauth/oui/oui.txt
This process might fail. If it does, use the second method:
cd /usr/share/arp-scan sudo wget http://standards.ieee.org/develop/regauth/oui/oui.txt sudo wget http://standards.ieee.org/develop/regauth/iab/iab.txt
The second method is slow, so be patient.
Also, the second method delivers the updates in a format that cannot be used by arp-scan directly. You have to convert it:
sudo get-iab --u sudo get-oui --u file:///usr/share/arp-scan/oui.txt
These commands convert the raw iab.txt
and oui.txt
to ieee-iab.txt
and ieee-oui.txt
. You do not have to convert the files if the first method works for you. The get
scripts perform that function.
Now, run the arp-scan
command again as shown in Listing 3, which shows that the update has accurately identified all devices on my network.
Listing 3
Identifying Network Devices
The final scenario that I use arp-scan
for is in finding duplicate IP addresses. This is a great feature for locating a device with a duplicate IP address if you have a mixed static and DHCP network like many of us do. You can easily find duplicates by filtering a scan as in Listing 4.
Listing 4
Finding Duplicate IP Addresses
By using the MAC address, you can check your switches to find the device with the duplicate IP address and fix the problem.
This introduction to arp-scan
gives you an overview of this tool's power for network device reconnaissance. For me, arp-scan
is an essential system administrator tool. If I were a hacker or pen tester, it would also be one of my favorite recon tools to gain as much information as quickly and as stealthily as possible. Please remember to use this and other security tools responsibly and always get permission to run them on your network.
Special Thanks
This article was made possible by support from Linux Professional Institute.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.
-
AlmaLinux OS Kitten 10 Gives Power Users a Sneak Preview
If you're looking to kick the tires of AlmaLinux's upstream version, the developers have a purrfect solution.
-
Gnome 47.1 Released with a Few Fixes
The latest release of the Gnome desktop is all about fixing a few nagging issues and not about bringing new features into the mix.
-
System76 Unveils an Ampere-Powered Thelio Desktop
If you're looking for a new desktop system for developing autonomous driving and software-defined vehicle solutions. System76 has you covered.
-
VirtualBox 7.1.4 Includes Initial Support for Linux kernel 6.12
The latest version of VirtualBox has arrived and it not only adds initial support for kernel 6.12 but another feature that will make using the virtual machine tool much easier.
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.