The ARP Scan Tool (also called ARP Sweep or MAC Scanner) is a very fast ARP packet scanner that shows every active IPv4 device on your Subnet. Since ARP is non-routable, this type of scanner only works on the local LAN (local subnet or network segment).
The ARP Scan Tool shows all active devices even if they have firewalls. Devices cannot hide from ARP packets like they can hide from Ping. To find active IP addresses outside your subnet, use the Ping Scan Tool (a Ping Sweep tool AKA NetScanner).
Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you
Binary packages are available for the following operating systems:
- Debian Linux:
arp-scanis part of the standard Debian distribution on Lenny and later.
- Ubuntu Linux:
arp-scanis available from gutsy (7.10) in universe.
arp-scanis available for Fedora 6 and later
- RedHat Enterprise Linux:
arp-scanis available for RedHat EL 5 and later
- Gentoo Linux
arp-scanis available from the FreeBSD ports collection
arp-scanis available as an OpenBSD package
Installation is usually as simple as shown below for Debian or Ubuntu like distributions:
root@debian:~# apt-get install arp-scan (or)
user@ubuntu:~$ apt-get install arp-scan
So in the above example
arp-scan was used to scan the network of the device
wlan0, and it discovered 29 alive nodes apart from localhost machine. The option
arp-scan scan the local network.
Here is an example showing
arp-scan being run against the network 10.0.1.0/24:
Now I’ve found 31 hosts that responded to this new sweep, so those two are my hidden servers.
arp-scan is a simple tool yet very powerful. Those of you who are familiar with Cisco Routers and switches, CheckPoint Firewall and Big-IP F5, you know it too well that sometimes the only way to find a device is by using a arp response. Once you’ve found the MAC address, you can find more info about that device by matching that MAC address to it’s vendor. It is importing to understand ARP/MAC responses for penetration tester and it is used heavily for arpspoof and Man-In-The-Middle Attack. It also helps in cases when someone is spoofing IP address and DoS-ing your server. You can however spoof MAC address easily to evade trace.
All in all, it’s a useful tool and you should try the commands shown above. It will help someday when you are scratching you head in the middle of a service outage!
Thanks for reading, do share.