Use arp-scan to find hidden devices in your network



The ARP Scan Tool (also called ARP Sweep or MAC Scanner) is a very fast ARP packet scanner that shows every active IPv4 device on your subnet. Because ARP is not routed beyond the local broadcast domain, this type of scanner only works on the local LAN (local subnet or network segment).

The ARP Scan Tool shows all active devices even if they have firewalls. A host must answer ARP requests to communicate on the segment at all, so a host firewall that drops ICMP echo requests hides it from Ping but not from an ARP sweep. To find active IP addresses outside your subnet, use the Ping Scan Tool (a Ping Sweep tool, also known as NetScanner).

Disclaimer – Our tutorials are designed to aid aspiring pen testers and security enthusiasts in learning new skills. We only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to use this to attempt to hack systems that do not belong to them.

Install arp-scan

Binary packages are available for the following operating systems:

  1. Debian Linux: arp-scan is part of the standard Debian distribution on Lenny and later.
  2. Ubuntu Linux: arp-scan is available from gutsy (7.10) in universe.
  3. Fedora: arp-scan is available for Fedora 6 and later
  4. RedHat Enterprise Linux: arp-scan is available for RedHat EL 5 and later
  5. Gentoo Linux
  6. FreeBSD: arp-scan is available from the FreeBSD ports collection
  7. OpenBSD: arp-scan is available as an OpenBSD package

Installation on Debian or Ubuntu-like distributions is usually as simple as one of the following (the package must be installed as root, so use sudo from a normal user account):

# apt-get install arp-scan            (as root)

$ sudo apt-get install arp-scan       (as an unprivileged user)

In the example run, arp-scan scanned the network attached to the wlan0 interface and discovered 29 live hosts apart from the local machine. The --localnet option makes arp-scan derive the target range from that interface's IP address and netmask; because it sends raw Ethernet frames, arp-scan has to be run as root (or with CAP_NET_RAW).


Here is an example showing arp-scan being run against the network

Now I’ve found 31 hosts that responded to this new sweep, so those two are my hidden servers.


arp-scan is a simple tool, yet very powerful. Those of you who are familiar with Cisco routers and switches, Check Point firewalls and F5 BIG-IP know all too well that sometimes the only way to find a device is by its ARP response. Once you’ve found the MAC address, you can learn more about that device by matching the MAC address to its vendor (the OUI prefix). Understanding ARP/MAC responses is important for penetration testers, and ARP is used heavily by arpspoof and in Man-in-the-Middle attacks. It also helps in cases where someone is spoofing an IP address and DoS-ing your server. Note, however, that a MAC address can easily be spoofed to evade tracing.

All in all, it’s a useful tool and you should try the commands shown above. It will help someday when you are scratching your head in the middle of a service outage!

Thanks for reading, do share.
