Arp-scan

Arp-scan is a command-line tool for system discovery and fingerprinting. It constructs and sends ARP requests to the specified IP addresses, and displays any responses that are received.

arp-scan allows you to:

    • Send ARP packets to any number of destination hosts, using a configurable output bandwidth or packet rate.

      • This is useful for system discovery, where you may need to scan large address spaces.

    • Construct the outgoing ARP packet in a flexible way.

      • arp-scan gives control of all of the fields in the ARP packet and the fields in the Ethernet frame header.

    • Decode and display any returned packets.

      • arp-scan will decode and display any received ARP packets and lookup the vendor using the MAC address.

    • Fingerprint IP hosts using the arp-fingerprint tool.

k0sasp

Instalación

~$ ./configure

make

sudo make install

Uso

~$./arp-scan [options] [hosts...]

Opciones

Note: where an option takes a value, that value is specified as a letter in

angle brackets. The letter indicates the type of data that is expected:

<s> A character string, e.g. --file=hostlist.txt.

<i> An integer, which can be specified as a decimal number or as a hexadecimal

number if preceeded with 0x, e.g. --arppro=2048 or --arpro=0x0800.

<f> A floating point decimal number, e.g. --backoff=1.5.

<m> An Ethernet MAC address, which can be specified either in the format

01:23:45:67:89:ab, or as 01-23-45-67-89-ab. The alphabetic hex characters

may be either upper or lower case. E.g. --arpsha=01:23:45:67:89:ab.

<a> An IPv4 address, e.g. --arpspa=10.0.0.1

<h> Binary data specified as a hexadecimal string, which should not

include a leading 0x. The alphabetic hex characters may be either

upper or lower case. E.g. --padding=aaaaaaaaaaaa

<x> Something else. See the description of the option for details.

--help or -h Display this usage message and exit.

--file=<s> or -f <s> Read hostnames or addresses from the specified file

instead of from the command line. One name or IP

address per line. Use "-" for standard input.

--localnet or -l Generate addresses from network interface configuration.

Use the network interface IP address and network mask

to generate the list of target host addresses.

The list will include the network and broadcast

addresses, so an interface address of 10.0.0.1 with

netmask 255.255.255.0 would generate 256 target

hosts from 10.0.0.0 to 10.0.0.255 inclusive.

If you use this option, you cannot specify the --file

option or specify any target hosts on the command line.

The interface specifications are taken from the

interface that arp-scan will use, which can be

changed with the --interface option.

--retry=<i> or -r <i> Set total number of attempts per host to <i>,

default=2.

--timeout=<i> or -t <i> Set initial per host timeout to <i> ms, default=100.

This timeout is for the first packet sent to each host.

subsequent timeouts are multiplied by the backoff

factor which is set with --backoff.

--interval=<x> or -i <x> Set minimum packet interval to <x>.

This controls the outgoing bandwidth usage by limiting

the rate at which packets can be sent. The packet

interval will be no smaller than this number.

If you want to use up to a given bandwidth, then it is

easier to use the --bandwidth option instead.

The interval specified is in milliseconds by default,

or in microseconds if "u" is appended to the value.

--bandwidth=<x> or -B <x> Set desired outbound bandwidth to <x>, default=256000.

The value is in bits per second by default. If you

append "K" to the value, then the units are kilobits

per sec; and if you append "M" to the value, the

units are megabits per second.

The "K" and "M" suffixes represent the decimal, not

binary, multiples. So 64K is 64000, not 65536.

You cannot specify both --interval and --bandwidth

because they are just different ways to change the

same underlying parameter.

--backoff=<f> or -b <f> Set timeout backoff factor to <f>, default=1.50.

The per-host timeout is multiplied by this factor

after each timeout. So, if the number of retries

is 3, the initial per-host timeout is 500ms and the

backoff factor is 1.5, then the first timeout will be

500ms, the second 750ms and the third 1125ms.

--verbose or -v Display verbose progress messages.

Use more than once for greater effect:

1 - Display the network address and mask used when the

--localnet option is specified, display any

nonzero packet padding, display packets received

from unknown hosts, and show when each pass through

the list completes.

2 - Show each packet sent and received, when entries

are removed from the list, the pcap filter string,

and counts of MAC/Vendor mapping entries.

3 - Display the host list before scanning starts.

--version or -V Display program version and exit.

--random or -R Randomise the host list.

This option randomises the order of the hosts in the

host list, so the ARP packets are sent to the hosts in

a random order. It uses the Knuth shuffle algorithm.

--numeric or -N IP addresses only, no hostnames.

With this option, all hosts must be specified as

IP addresses. Hostnames are not permitted. No DNS

lookups will be performed.

--snap=<i> or -n <i> Set the pcap snap length to <i>. Default=64.

This specifies the frame capture length. This

length includes the data-link header.

The default is normally sufficient.

--interface=<s> or -I <s> Use network interface <s>.

If this option is not specified, arp-scan will search

the system interface list for the lowest numbered,

configured up interface (excluding loopback).

The interface specified must support ARP.

--quiet or -q Only display minimal output.

If this option is specified, then only the minimum

information is displayed. With this option, the

OUI files are not used.

--ignoredups or -g Don't display duplicate packets.

By default, duplicate packets are displayed and are

flagged with "(DUP: n)".

--ouifile=<s> or -O <s> Use OUI file <s>, default=/usr/local/share/arp-scan/ieee-oui.txt

This file provides the IEEE Ethernet OUI to vendor

string mapping.

--iabfile=<s> or -F <s> Use IAB file <s>, default=/usr/local/share/arp-scan/ieee-iab.txt

This file provides the IEEE Ethernet IAB to vendor

string mapping.

--macfile=<s> or -m <s> Use MAC/Vendor file <s>, default=/usr/local/share/arp-scan/mac-vendor.txt

This file provides the custom Ethernet MAC to vendor

string mapping.

--srcaddr=<m> or -S <m> Set the source Ethernet MAC address to <m>.

This sets the 48-bit hardware address in the Ethernet

frame header for outgoing ARP packets. It does not

change the hardware address in the ARP packet, see

--arpsha for details on how to change that address.

The default is the Ethernet address of the outgoing

interface.

--destaddr=<m> or -T <m> Send the packets to Ethernet MAC address <m>

This sets the 48-bit destination address in the

Ethernet frame header.

The default is the broadcast address ff:ff:ff:ff:ff:ff.

Most operating systems will also respond if the ARP

request is sent to their MAC address, or to a

multicast address that they are listening on.

--arpsha=<m> or -u <m> Use <m> as the ARP source Ethernet address

This sets the 48-bit ar$sha field in the ARP packet

It does not change the hardware address in the frame

header, see --srcaddr for details on how to change

that address. The default is the Ethernet address of

the outgoing interface.

--arptha=<m> or -w <m> Use <m> as the ARP target Ethernet address

This sets the 48-bit ar$tha field in the ARP packet

The default is zero, because this field is not used

for ARP request packets.

--prototype=<i> or -y <i> Set the Ethernet protocol type to <i>, default=0x0806.

This sets the 16-bit protocol type field in the

Ethernet frame header.

Setting this to a non-default value will result in the

packet being ignored by the target, or sent to the

wrong protocol stack.

--arphrd=<i> or -H <i> Use <i> for the ARP hardware type, default=1.

This sets the 16-bit ar$hrd field in the ARP packet.

The normal value is 1 (ARPHRD_ETHER). Most, but not

all, operating systems will also respond to 6

(ARPHRD_IEEE802). A few systems respond to any value.

--arppro=<i> or -p <i> Use <i> for the ARP protocol type, default=0x0800.

This sets the 16-bit ar$pro field in the ARP packet.

Most operating systems only respond to 0x0800 (IPv4)

but some will respond to other values as well.

--arphln=<i> or -a <i> Set the hardware address length to <i>, default=6.

This sets the 8-bit ar$hln field in the ARP packet.

It sets the claimed length of the hardware address

in the ARP packet. Setting it to any value other than

the default will make the packet non RFC compliant.

Some operating systems may still respond to it though.

Note that the actual lengths of the ar$sha and ar$tha

fields in the ARP packet are not changed by this

option; it only changes the ar$hln field.

--arppln=<i> or -P <i> Set the protocol address length to <i>, default=4.

This sets the 8-bit ar$pln field in the ARP packet.

It sets the claimed length of the protocol address

in the ARP packet. Setting it to any value other than

the default will make the packet non RFC compliant.

Some operating systems may still respond to it though.

Note that the actual lengths of the ar$spa and ar$tpa

fields in the ARP packet are not changed by this

option; it only changes the ar$pln field.

--arpop=<i> or -o <i> Use <i> for the ARP operation, default=1.

This sets the 16-bit ar$op field in the ARP packet.

Most operating systems will only respond to the value 1

(ARPOP_REQUEST). However, some systems will respond

to other values as well.

--arpspa=<a> or -s <a> Use <a> as the source IP address.

The address should be specified in dotted quad format;

or the literal string "dest", which sets the source

address to be the same as the target host address.

This sets the 32-bit ar$spa field in the ARP packet.

Some operating systems check this, and will only

respond if the source address is within the network

of the receiving interface. Others don't care, and

will respond to any source address.

By default, the outgoing interface address is used.

WARNING: Setting ar$spa to the destination IP address

can disrupt some operating systems, as they assume

there is an IP address clash if they receive an ARP

request for their own address.

--padding=<h> or -A <h> Specify padding after packet data.

Set the padding data to hex value <h>. This data is

appended to the end of the ARP packet, after the data.

Most, if not all, operating systems will ignore any

padding. The default is no padding, although the

Ethernet driver on the sending system may pad the

packet to the minimum Ethernet frame length.

--llc or -L Use RFC 1042 LLC framing with SNAP.

This option causes the outgoing ARP packets to use

IEEE 802.2 framing with a SNAP header as described

in RFC 1042. The default is to use Ethernet-II

framing.

arp-scan will decode and display received ARP packets

in either Ethernet-II or IEEE 802.2 formats

irrespective of this option.

--vlan=<i> or -Q <i> Use 802.1Q tagging with VLAN id <i>.

This option causes the outgoing ARP packets to use

802.1Q VLAN tagging with a VLAN ID of <i>, which should

be in the range 0 to 4095 inclusive.

arp-scan will always decode and display received ARP

packets in 802.1Q format irrespective of this option.

--pcapsavefile=<s> or -W <s> Write received packets to pcap savefile <s>.

This option causes received ARP responses to be written

to the specified pcap savefile as well as being decoded

and displayed. This savefile can be analysed with

programs that understand the pcap file format, such as

"tcpdump" and "wireshark".

Referencias

    • http://www.nta-monitor.com/

    • http://www.nta-monitor.com/wiki/index.php/Arp-scan_Documentation