Discovering hosts with ARP ping scans
Ping scans are used by penetration testers and system administrators to determine whether hosts are online. ARP ping scans are the most effective way of detecting hosts on a LAN, because every host on the local segment must answer ARP requests to be reachable at all.
Nmap really shines by using its own algorithm to optimize this scanning technique. The following recipe goes through the process of launching an ARP ping scan and its available options.
How to do it...
Open your favorite terminal and enter the following command:
# nmap -sP -PR 192.168.1.1/24
You should see the list of hosts that responded to the ARP requests:
# nmap -sP -PR 192.168.1.1/24
Nmap scan report for 192.168.1.102
Host is up.
Nmap scan report for 192.168.1.103
Host is up (0.0066s latency).
MAC Address: 00:16:6F:7E:E0:B6 (Intel)
Nmap scan report for 192.168.1.254
Host is up (0.0039s latency).
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
Nmap done: 256 IP addresses (3 hosts up) scanned in 14.94 seconds
How it works...
The arguments -sP -PR 192.168.1.1/24 make Nmap initiate an ARP ping scan of all 256 IPs (CIDR /24) in this private network.
ARP ping scanning works in a pretty simple way:
- ARP requests are sent to the target
- If the host responds with an ARP reply, it is pretty clear it's online
To send an ARP request and watch the packets Nmap exchanges, the following command is used:
# nmap -sP -PR --packet-trace 192.168.1.254
The result of this command would be as follows:
SENT (0.0734s) ARP who-has 192.168.1.254 tell 192.168.1.102
RCVD (0.0842s) ARP reply 192.168.1.254 is-at 5C:4C:A9:F2:DC:7C
NSOCK (0.1120s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8
NSOCK (0.1120s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 18
NSOCK (0.1120s) Write request for 44 bytes to IOD #1 EID 27 [192.168.1.254:53]: .............254.1.168.192.in-addr.arpa.....
NSOCK (0.1120s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.254:53]
NSOCK (0.1120s) Callback: WRITE SUCCESS for EID 27 [192.168.1.254:53]
NSOCK (0.2030s) Callback: READ SUCCESS for EID 18 [192.168.1.254:53] (44 bytes): .............254.1.168.192.in-addr.arpa.....
NSOCK (0.2030s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 34
Nmap scan report for 192.168.1.254
Host is up (0.011s latency).
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
Note the ARP requests at the beginning of the scan output:
SENT (0.0734s) ARP who-has 192.168.1.254 tell 192.168.1.102
RCVD (0.0842s) ARP reply 192.168.1.254 is-at 5C:4C:A9:F2:DC:7C
The ARP reply reveals that host 192.168.1.254 is online and has the MAC address 5C:4C:A9:F2:DC:7C. The NSOCK lines that follow are Nmap's reverse DNS lookup (the in-addr.arpa query to port 53) for that address, not part of the host discovery itself.
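The trace and report lines above are easy to turn into a host inventory. The following parser is an added example written for this recipe, not code from the Nmap project; the sample trace is constructed from the output shown here, and 192.168.1.102 is assumed to be the scanning host itself because it is the address in the who-has "tell" field.

```python
import re

# Constructed sample: the trace and report lines shown in this recipe.
SAMPLE_TRACE = """\
SENT (0.0734s) ARP who-has 192.168.1.254 tell 192.168.1.102
RCVD (0.0842s) ARP reply 192.168.1.254 is-at 5C:4C:A9:F2:DC:7C
SENT (0.0735s) ARP who-has 192.168.1.103 tell 192.168.1.102
RCVD (0.0851s) ARP reply 192.168.1.103 is-at 00:16:6F:7E:E0:B6
Nmap scan report for 192.168.1.102
Host is up.
Nmap scan report for 192.168.1.103
Host is up (0.0066s latency).
MAC Address: 00:16:6F:7E:E0:B6 (Intel)
Nmap scan report for 192.168.1.254
Host is up (0.0039s latency).
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
"""

ARP_REPLY = re.compile(r"^RCVD \([\d.]+s\) ARP reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9A-Fa-f:]{17})")
REPORT = re.compile(r"^Nmap scan report for (?P<ip>[\d.]+)")
MAC_LINE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17}) \((?P<vendor>[^)]*)\)")


def parse_arp_trace(text):
    """Map each host to the MACs seen for it and whether an ARP reply was traced."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := ARP_REPLY.match(line):           # 'is-at' reply: host is online
            entry = hosts.setdefault(m["ip"], {"arp_reply": False, "macs": set()})
            entry["arp_reply"] = True
            entry["macs"].add(m["mac"].upper())
        elif m := REPORT.match(line):            # start of a per-host report block
            current = hosts.setdefault(m["ip"], {"arp_reply": False, "macs": set()})
        elif (m := MAC_LINE.match(line)) and current is not None:
            current["vendor"] = m["vendor"]       # vendor from Nmap's OUI lookup
            current["macs"].add(m["mac"].upper())
    return hosts


def hosts_up_without_arp_reply(hosts):
    """Hosts reported up with no 'is-at' reply: the scanner itself (192.168.1.102,
    the 'tell' address) or hosts found by IP probes when --send-ip is used."""
    return sorted(ip for ip, h in hosts.items() if not h["arp_reply"])


def conflicting_macs(hosts):
    """IPs that answered with more than one MAC; a clean ARP inventory has one."""
    return {ip: sorted(h["macs"]) for ip, h in hosts.items() if len(h["macs"]) > 1}
```

Feed it the saved output of an nmap -sP -PR --packet-trace run; an IP listed by conflicting_macs is worth a second look, since one IP should map to exactly one hardware address on a healthy segment.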
There's more...
Every time Nmap scans a private address on the local network, an ARP request has to be made anyway, because Nmap needs the target's hardware (MAC) address before it can send any IP probes. Since the ARP reply already reveals that the host is online, no further testing needs to be done after this step. This is why Nmap automatically uses this technique whenever you perform a ping scan in a private LAN, no matter what probe arguments were passed; here -PS (TCP SYN ping) was requested, yet only ARP traffic is sent:
# nmap -sP -PS --packet-trace 192.168.1.254
SENT (0.0609s) ARP who-has 192.168.1.254 tell 192.168.1.102
RCVD (0.0628s) ARP reply 192.168.1.254 is-at 5C:4C:A9:F2:DC:7C
NSOCK (0.1370s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8
NSOCK (0.1370s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 18
NSOCK (0.1370s) Write request for 44 bytes to IOD #1 EID 27 [192.168.1.254:53]: 1............254.1.168.192.in-addr.arpa.....
NSOCK (0.1370s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.254:53]
NSOCK (0.1370s) Callback: WRITE SUCCESS for EID 27 [192.168.1.254:53]
NSOCK (0.1630s) Callback: READ SUCCESS for EID 18 [192.168.1.254:53] (44 bytes): 1............254.1.168.192.in-addr.arpa.....
NSOCK (0.1630s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 34
Nmap scan report for 192.168.1.254
Host is up (0.0019s latency).
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
To force Nmap not to perform an ARP ping scan when scanning a private address, use the option --send-ip. This will produce output similar to the following; note that the probe is now the TCP SYN to port 80 that -PS requested, and the host is reported up because it answered with a SYN/ACK:
# nmap -sP -PS --packet-trace --send-ip 192.168.1.254
SENT (0.0574s) TCP 192.168.1.102:63897 > 192.168.1.254:80 S ttl=53 id=435 iplen=44 seq=128225976 win=1024 <mss 1460>
RCVD (0.0592s) TCP 192.168.1.254:80 > 192.168.1.102:63897 SA ttl=254 id=3229 iplen=44 seq=4067819520 win=1536 <mss 768>
NSOCK (0.1360s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8
NSOCK (0.1360s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 18
NSOCK (0.1360s) Write request for 44 bytes to IOD #1 EID 27 [192.168.1.254:53]: d~...........254.1.168.192.in-addr.arpa.....
NSOCK (0.1360s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.254:53]
NSOCK (0.1360s) Callback: WRITE SUCCESS for EID 27 [192.168.1.254:53]
NSOCK (0.1610s) Callback: READ SUCCESS for EID 18 [192.168.1.254:53] (44 bytes): d~...........254.1.168.192.in-addr.arpa.....
NSOCK (0.1610s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 34
Nmap scan report for 192.168.1.254
Host is up (0.0019s latency).
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
See also
- The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
- The Discovering hosts with TCP SYN ping scans recipe
- The Discovering hosts with TCP ACK ping scans recipe
- The Discovering hosts with UDP ping scans recipe
- The Discovering hosts with ICMP ping scans recipe
- The Discovering hosts with IP protocol ping scans recipe
- The Discovering hosts using broadcast pings recipe
- The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information