When connecting to a new network, computers use the Address Resolution Protocol (ARP) to discover the MAC addresses of other devices on the same network. A hacker can use ARP messages to quietly discover the MAC and IP addresses of network devices, or to actively probe the network with spoofed ARP requests.
Why do we need ARP, and why does it matter?
For devices to communicate on a network, they need to link two important pieces of information. The first is an IP address, which you can think of as a parking space available on the network. The router checks which spaces are free at any given time and assigns each device that joins the network an IP address that is not already in use.
Your IP address on a network may differ from day to day because different spaces are free at different times. Your IP address will also change each time you join a new Wi-Fi network, because the router behind that network assigns you an address according to how that network has been set up.
The second piece of information needed to deliver data over a network is a MAC address. A MAC address is like a vehicle's license plate and stays with your device. While your IP address changes depending on the network you are connected to, your MAC address remains the same. Like a license plate, a MAC address stays unchanged as the device is assigned different parking spaces on different networks during the day.
In our analogy of a vehicle parked in various lots, we need two pieces of information to locate the vehicle at a given time. The first is a clear description of the vehicle, the license plate or MAC address, so we recognize it when we find it. The second is the parking space, or IP address, to which the vehicle is currently assigned. Together these let us physically locate the vehicle and verify that the right vehicle is in whichever space it occupies.
A device's MAC and IP addresses on the network are linked in a table called the ARP cache, which is used to deliver messages across the network. To populate this cache, computers request the MAC address of whichever device holds a specific IP address by sending an ARP request. All devices on the network receive and process these requests, but only the device with the matching IP address responds with its MAC address.
ARP requests are how computers on a network automatically learn each other's IP and MAC address information. While they are essential for communicating with other devices on a network, they can also be abused, because anyone can send an ARP request, and it can contain false information.
To see why ARP is useful for reconnaissance, we can look at ARP requests in Wireshark. In the following screenshot, I listened to network traffic for about 60 seconds to identify ARP requests from local devices. These requests are incredibly simple, but they provide the background information the network needs to work.
In these requests, we can see the simplified version of the message. Each request asks "Who has this IP address?" and lists an IP address to send the reply to. Whichever device has that IP address responds with its MAC address, so an attacker can sit back and use ARP to determine which device holds a particular IP address. In addition, MAC addresses can be used to look up the device manufacturer, so we can begin to guess what kind of device is behind that IP address.
If you look at the structure of an ARP request in Wireshark, you can see that the target MAC address is set to 00:00:00:00:00:00, since the target's MAC is exactly what is being asked for, even though the sender's IP address is specified. The request is broadcast, meaning all devices on the network receive and process it, but a device only responds if the "target IP address" of 192.168.43.132 matches its own.
We can use ARP in two ways to map a network: active scanning or passive detection.
Active vs. Passive Recon
When a hacker or red team explores a network, active scanning is easy to detect. One of the surest ways to avoid discovery is to not do things that are obviously related to attacks, such as aggressively scanning the network with tools that generate a lot of suspicious traffic. ARP can be a gold mine for avoiding discovery in this way, since it can be used to locate almost every device on a network without running a single scan.
When the risk of detection is not too high, more active ARP manipulation lets a hacker map, reroute, and even disable a network in minutes. In the first phase of such an attack, the hacker sends ARP requests to every IP address on the network. After compiling a list of all devices on the network, the hacker can send ARP replies that trick each device into associating the attacker's MAC address with the router's IP address. This silently diverts traffic meant for the router to the attacker. The hacker can forward the traffic on to the router while observing or modifying the data passing through, or simply drop it. When traffic is dropped, the targeted device is cut off from the network, which lets the hacker selectively sever the connection of any device discovered by sending forged ARP replies.
In this example, we examine two tools for locating devices with ARP, using both active and passive detection.
You also need an Ethernet or Wi-Fi connection to sniff on, and this will not work if you try it in a public place where the router confines you to your own subnet. In that case, the only ARP information you can get from active scanning is the router's MAC address.
You should also note that you need the network's password when using a Wi-Fi connection. You cannot do this from outside a network: to actively scan or passively monitor other traffic, you must be able to send ARP messages on the network.
Once you connect to a wired or wireless network, your computer starts storing ARP information in an ARP cache. It is kept in your computer's memory and updated every time you receive an ARP reply, acting as an address book of which devices are on the network and what their IP and MAC addresses are.
You can view the information your computer has stored about your current network by opening a terminal window and typing arp -a to print your ARP cache.
_gateway (192.168.43.1) at b2:72:bf:ee:15:42 [ether] on wlan0
To start, I see only the MAC and IP address of the default gateway, the router. If you need to find the router quickly, this is a great way.
This already gives us some useful information. The default gateway is 192.168.43.1. To impersonate the router, one could send an ARP reply to every device claiming that our MAC address is at this IP address.
Without running any scans, let's see what we can learn about the network and which IP addresses are in use by opening Wireshark and looking at the ARP requests being sent across the network.
The first step in discovering devices on the same network is simply to listen to the ARP requests that are automatically sent over it. After opening Wireshark, select the network adapter connected to the network you want to monitor, and click the shark fin icon to start capturing.
Under "Capture -> Options", make sure "Enable promiscuous mode on all interfaces" is checked. This lets you receive packets even if they are not addressed to your device. To filter out packets that are not ARP, type arp in the display filter.
So what do we see? The router is asking a range of IP addresses for their MAC addresses to see whether a device is connected. We may not see all the replies, but we can see that our own device responds to the ARP requests by providing its MAC address. We may see some answers, but to take matters into our own hands we can send our own ARP messages.
ARP Scan is an extremely simple tool that lets you craft ARP messages to discover devices on a network. It should be installed by default on Kali, but if you do not have it, you can install it with apt install arp-scan.
In a terminal window, you can run the simplest ARP scan by typing the following command and watching the results in Wireshark. The command arp-scan -l scans the local network, even if the network range is unknown.
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.2     e8:11:32:dc:39:80       Samsung Electronics Co.,Ltd
192.168.0.1     40:70:09:7a:64:97       ARRIS Group, Inc.
192.168.0.5     00:09:1b:0c:62:0f       Digital Generation Inc.
192.168.0.8     d4:95:24:c2:36:27       Clover Network, Inc.
192.168.0.6     10:8e:e0:ef:5d:f2       (Unknown)
192.168.0.11    3c:dc:bc:05:77:d4       (Unknown)

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.859 seconds (89.54 hosts/sec). 6 responded
If we know the network range, we can also use the command arp-scan 192.168.0.0/24 to do the same, or to limit the number of IP addresses scanned.
In Wireshark, we can see the replies that gave us this information.
This is a little obvious, isn't it? These packets are addressed to us, so it is obvious to anyone looking at the packets that we are running an ARP scan to find devices on the network. If this isn't part of our job, this activity could get our MAC address blacklisted.
When we look at the packets we captured, they are addressed to us. So how can we hide that?
By adding the -s flag, we can specify a different source IP address for our ARP scan. That is, we can make it look like someone else is running the ARP scan! Because our real address is not used, the packets we send no longer point back to us as their source.
To try this, we'll blend in with the ARP requests the router keeps sending. Using the router's IP address, 192.168.0.1, we run an ARP scan with the source flag -s, and -v to show more output.
arp-scan -l -s 192.168.0.1 -v
Interface: wlan0, datalink type: EN10MB (Ethernet)
Using 192.168.0.0:255.255.255.0 for localnet
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.2     e8:11:32:dc:39:80       Samsung Electronics Co.,Ltd
192.168.0.5     00:09:1b:0c:62:0f       Digital Generation Inc.
192.168.0.6     10:8e:e0:ef:5d:f2       (Unknown)
---     Pass 1 complete
192.168.0.8     d4:95:24:c2:36:27       Clover Network, Inc.
192.168.0.11    3c:dc:bc:05:77:d4       (Unknown)
192.168.0.7     50:33:8b:68:2d:73       (Unknown)
---     Pass 2 complete

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.551 seconds (100.35 hosts/sec). 6 responded
Awesome! We impersonated the router and discovered other devices on the network by sending ARP requests on its behalf. However, we used our own MAC address instead of the router's MAC address. Does that matter? Let's look at Wireshark.
Wireshark has caught on to what we're doing and given us away! Because our MAC address was seen with a different IP address on the network, Wireshark knows something is off and flags this as suspicious behavior.
Instead, we can use an IP address that is not currently in use to hide this behavior. If we run the same scan with an IP address near the end of the range of possible addresses on the network, Wireshark does not mark the packets as suspicious.
Now that we've tested ARP Scan, let's try another scanning tool that uses ARP. Netdiscover should be installed by default on Kali Linux. If not, you can install it by typing apt install netdiscover in a terminal window.
To begin, let's look at the available options. We can see them by typing netdiscover -help in a new terminal window.
Netdiscover 0.3-pre-beta7 [Active/passive arp reconnaissance tool]
Written by: Jaime Penalba

Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-c]
  -i device: your network device
  -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
  -l file: scan the list of ranges contained into the given file
  -p passive mode: do not send anything, only sniff
  -m file: scan the list of known MACs and host names
  -F filter: customize pcap filter expression (default: "arp")
  -s time: time to sleep between each arp request (milliseconds)
  -n node: last ip octet used for scanning (from 2 to 253)
  -c count: number of times to send each arp request (for nets with packet loss)
  -f enable fastmode scan, saves a lot of time, recommended for auto
  -d ignore home config files for autoscan and fast mode
  -S enable sleep time suppression between each request (hardcore mode)
  -P print results in a format suitable for parsing by another program
  -N Do not print header. Only valid when -P is enabled.
  -L in parsable output mode (-P), continue listening after the active scan is completed

If -r, -l or -p are not enabled, netdiscover will scan for common lan addresses.
To perform the most basic passive search, run Netdiscover in passive mode with the -p flag. Wait for the router and other devices on the network to send and answer ARP requests, and the list will fill in.
Currently scanning: (passive)   |   Screen View: Unique Hosts

 9 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 460
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.7     50:33:8b:68:2d:73      2      84  Texas Instruments
 192.168.0.2     e8:11:32:dc:39:80      1      60  Samsung Electronics Co.,Ltd
 192.168.0.1     40:70:09:7a:64:97      2     112  ARRIS Group, Inc.
 192.168.0.5     00:09:1b:0c:62:0f      1      60  Digital Generation Inc.
 192.168.0.8     d4:95:24:c2:36:27      1      60  Clover Network, Inc.
 192.168.0.6     10:8e:e0:ef:5d:f2      1      42  Samsung Electronics Co.,Ltd
 192.168.0.11    3c:dc:bc:05:77:d4      1      42  Samsung Electronics Co.,Ltd
Although we collect the same information, we do so in a way that is invisible to anyone monitoring network traffic.
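The passive listening described here, and the Wireshark warning seen earlier when our MAC showed up with the router's IP, can both be reproduced from raw ARP frames. The following is an added example, not code from the original article or from netdiscover: it parses a few constructed Ethernet/ARP frames, builds a netdiscover-style host table from the sender fields, and flags any IP address claimed by more than one MAC. The router and phone MACs are the ones in the scan output above; the scanner and probing-host MACs are made-up values.

```python
import struct
from collections import defaultdict

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip4(s): return bytes(int(o) for o in s.split("."))
def arp_frame(op, sha, spa, tha, tpa):
    """Ethernet II + ARP frame (op 1 = request, sent to broadcast; op 2 = reply, sent to the asker)."""
    dst = b"\xff" * 6 if op == 1 else tha
    return dst + sha + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

# Constructed sample traffic, not a real capture. Router and phone MACs are the ones in the
# scan output above; the scanner and probing-host MACs are made up for illustration.
ROUTER, PHONE = mac("40:70:09:7a:64:97"), mac("e8:11:32:dc:39:80")
SCANNER, NEWHOST, ZERO = mac("aa:bb:cc:dd:ee:ff"), mac("02:00:00:00:00:01"), b"\x00" * 6
SAMPLE_FRAMES = [
    arp_frame(1, ROUTER, ip4("192.168.0.1"), ZERO, ip4("192.168.0.2")),   # router: who has .2?
    arp_frame(2, PHONE, ip4("192.168.0.2"), ROUTER, ip4("192.168.0.1")),  # phone answers
    arp_frame(1, NEWHOST, ip4("0.0.0.0"), ZERO, ip4("192.168.0.9")),      # ARP probe, no address yet
    arp_frame(1, SCANNER, ip4("192.168.0.1"), ZERO, ip4("192.168.0.5")),  # scan with -s set to the router's IP
]

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return op, sha, spa

def passive_inventory(frames):
    """Build a netdiscover-style host table from sniffed ARP and flag IPs claimed by two MACs."""
    table, alerts = defaultdict(lambda: {"count": 0, "macs": set()}), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, sha, spa = parsed
        if spa == "0.0.0.0":  # probe from a host still acquiring an address: nothing to inventory
            continue
        entry = table[spa]
        entry["count"] += 1
        if entry["macs"] and sha not in entry["macs"]:
            # Same condition Wireshark flags as a duplicate IP; a DHCP lease change can trigger it too.
            alerts.append(f"{spa} claimed by {sha}, previously {sorted(entry['macs'])}")
        entry["macs"].add(sha)
    return dict(table), alerts
```

On a live interface the same functions can be fed frames from a raw AF_PACKET socket or a pcap reader; the probe with sender IP 0.0.0.0 is skipped so it does not pollute the table.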
If you want to map the network faster, you can also run active scans with Netdiscover. Without a network range specified, Netdiscover will scan virtually all common network ranges, which makes the scan take longer. It is also not always accurate: I noticed that Netdiscover scanned the /24 network I was connected to as a /16, which can take a long time to complete or miss some hosts.
You can also increase the number of ARP requests sent with the -c flag. To run an active scan against the network with 20 ARP requests per IP address, run netdiscover -c 20 in a terminal window.
netdiscover -c 20
Currently scanning: 192.168.34.0/16   |   Screen View: Unique Hosts

 100 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 5528
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.2     e8:11:32:dc:39:80     19    1140  Samsung Electronics Co.,Ltd
 192.168.0.1     40:70:09:7a:64:97     28    1568  ARRIS Group, Inc.
 192.168.0.5     00:09:1b:0c:62:0f     17    1020  Digital Generation Inc.
 192.168.0.11    3c:dc:bc:05:77:d4      6     252  Samsung Electronics Co.,Ltd
 192.168.0.6     10:8e:e0:ef:5d:f2      8     336  Samsung Electronics Co.,Ltd
 192.168.0.8     d4:95:24:c2:36:27     16     960  Clover Network, Inc.
 192.168.0.7     50:33:8b:68:2d:73      6     252  Texas Instruments
When exploring a new network, ARP is the perfect tool for finding out what else is on it. Whether by passively listening to the natural flow of ARP requests or by actively sending forged ARP requests that appear to come from someone else, working with ARP messages avoids obvious or suspicious scans. If you want to learn the IP and MAC addresses of other devices on a network, let the protocol designed for exactly that task do the work for you.
I hope you liked this guide to using ARP to detect devices on a network! If you have questions about this ARP tutorial or have a comment, feel free to contact me on Twitter @KodyKinzie.