Nmap 6: Network exploration and security auditing Cookbook

Discovering hosts with ARP ping scans

Ping scans are used by penetration testers and system administrators to determine if hosts are online. ARP ping scans are the most effective way of detecting hosts in LAN networks.

Nmap really shines by using its own algorithm to optimize this scanning technique. The following recipe goes through the process of launching an ARP ping scan and its available options.

How to do it...

Open your favorite terminal and enter the following command:

# nmap -sP -PR 192.168.1.1/24 

You should see the list of hosts that responded to the ARP requests:

# nmap -sP -PR 192.168.1.1/24 


Nmap scan report for 192.168.1.102 
Host is up. 
Nmap scan report for 192.168.1.103 
Host is up (0.0066s latency). 
MAC Address: 00:16:6F:7E:E0:B6 (Intel) 
Nmap scan report for 192.168.1.254 
Host is up (0.0039s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 
Nmap done: 256 IP addresses (3 hosts up) scanned in 14.94 seconds 

How it works...

The arguments -sP -PR 192.168.1.1/24 make Nmap initiate an ARP ping scan of all of the 256 IPs (CIDR /24) in this private network.

ARP ping scanning works in a pretty simple way:

  • ARP requests are sent to the target
  • If the host responds with an ARP reply, it is pretty clear it's online

To send an ARP request and watch the exchange, the following command is used:

# nmap -sP -PR --packet-trace 192.168.1.254 

The result of this command would be as follows:

SENT (0.0734s) ARP who-has 192.168.1.254 tell 192.168.1.102 
RCVD (0.0842s) ARP reply 192.168.1.254 is-at 5C:4C:A9:F2:DC:7C 
NSOCK (0.1120s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8 
NSOCK (0.1120s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 18 
NSOCK (0.1120s) Write request for 44 bytes to IOD #1 EID 27 [192.168.1.254:53]: .............254.1.168.192.in-addr.arpa..... 
NSOCK (0.1120s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.254:53] 
NSOCK (0.1120s) Callback: WRITE SUCCESS for EID 27 [192.168.1.254:53] 
NSOCK (0.2030s) Callback: READ SUCCESS for EID 18 [192.168.1.254:53] (44 bytes): .............254.1.168.192.in-addr.arpa..... 
NSOCK (0.2030s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 34 
Nmap scan report for 192.168.1.254 
Host is up (0.011s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds 

Note the ARP requests at the beginning of the scan output:

SENT (0.0734s) ARP who-has 192.168.1.254 tell 192.168.1.102 
RCVD (0.0842s) ARP reply 192.168.1.254 is-at 5C:4C:A9:F2:DC:7C 

The ARP reply reveals that host 192.168.1.254 is online and has the MAC address 5C:4C:A9:F2:DC:7C.
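The following is an added example, not code from the book: it parses the ARP lines of the --packet-trace output shown above into a host-to-MAC map, and, from the defender's side, flags a sender that asks for many distinct addresses within a short window, which is what an ARP ping sweep of a /24 looks like on the wire. The sample lines are constructed: two are copied from the trace above, the rest are a synthetic sweep.

```python
import re
from collections import defaultdict

# Patterns for the two ARP line shapes Nmap prints with --packet-trace (see the trace above).
ARP_REQ = re.compile(r"^SENT \((?P<t>[\d.]+)s\) ARP who-has (?P<target>\S+) tell (?P<src>\S+)")
ARP_REPLY = re.compile(r"^RCVD \((?P<t>[\d.]+)s\) ARP reply (?P<host>\S+) is-at (?P<mac>[0-9A-Fa-f:]{17})")


def parse_arp_trace(lines):
    """Return (requests, replies): requests as (time, sender, target) tuples,
    replies as {ip: mac}. NSOCK and report lines are ignored."""
    requests = []
    replies = {}
    for line in lines:
        m = ARP_REQ.match(line)
        if m:
            requests.append((float(m["t"]), m["src"], m["target"]))
            continue
        m = ARP_REPLY.match(line)
        if m:
            replies[m["host"]] = m["mac"].upper()
    return requests, replies


def detect_arp_sweep(requests, window=1.0, threshold=16):
    """Flag senders that ask who-has for at least `threshold` distinct targets
    inside any `window`-second span. Returns {sender: max distinct targets seen}.
    Thresholds are assumptions; tune them to the size and churn of your LAN."""
    by_sender = defaultdict(list)
    for t, src, target in requests:
        by_sender[src].append((t, target))
    flagged = {}
    for src, reqs in by_sender.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # slide the window forward
                start += 1
            distinct = {tgt for _, tgt in reqs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


# Constructed sample: the two ARP lines from the page, one NSOCK line that must be
# ignored, and a synthetic sweep of .1 through .32 sent by 192.168.1.102.
SAMPLE = [
    "SENT (0.0734s) ARP who-has 192.168.1.254 tell 192.168.1.102",
    "RCVD (0.0842s) ARP reply 192.168.1.254 is-at 5C:4C:A9:F2:DC:7C",
    "NSOCK (0.1120s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8",
] + [f"SENT ({0.2 + i * 0.01:.4f}s) ARP who-has 192.168.1.{i} tell 192.168.1.102" for i in range(1, 33)]
```

Running parse_arp_trace(SAMPLE) yields one reply mapping 192.168.1.254 to 5C:4C:A9:F2:DC:7C, and detect_arp_sweep on the requests flags 192.168.1.102 with 33 distinct targets inside one second.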

There's more...

Every time Nmap scans a private address on the local network, an ARP request is unavoidable, because the target's hardware (MAC) address is needed as the frame's destination before any probe can be sent. Since the ARP reply already reveals that the host is online, no further testing actually needs to be done after this step. This is the reason why Nmap automatically uses this technique every time you perform a ping scan in a private LAN network, no matter what arguments were passed:

# nmap -sP -PS --packet-trace 192.168.1.254 

SENT (0.0609s) ARP who-has 192.168.1.254 tell 192.168.1.102 
RCVD (0.0628s) ARP reply 192.168.1.254 is-at 5C:4C:A9:F2:DC:7C 
NSOCK (0.1370s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8 
NSOCK (0.1370s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 18 
NSOCK (0.1370s) Write request for 44 bytes to IOD #1 EID 27 [192.168.1.254:53]: 1............254.1.168.192.in-addr.arpa..... 
NSOCK (0.1370s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.254:53] 
NSOCK (0.1370s) Callback: WRITE SUCCESS for EID 27 [192.168.1.254:53] 
NSOCK (0.1630s) Callback: READ SUCCESS for EID 18 [192.168.1.254:53] (44 bytes): 1............254.1.168.192.in-addr.arpa..... 
NSOCK (0.1630s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 34 
Nmap scan report for 192.168.1.254 
Host is up (0.0019s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds 

To force Nmap not to perform an ARP ping scan when scanning a private address, use the option --send-ip. Nmap then sends the requested probe (here a TCP SYN to port 80) as an IP packet instead, which produces output similar to the following:

# nmap -sP -PS --packet-trace --send-ip 192.168.1.254 

SENT (0.0574s) TCP 192.168.1.102:63897 > 192.168.1.254:80 S ttl=53 id=435 iplen=44 seq=128225976 win=1024 <mss 1460> 
RCVD (0.0592s) TCP 192.168.1.254:80 > 192.168.1.102:63897 SA ttl=254 id=3229 iplen=44 seq=4067819520 win=1536 <mss 768> 
NSOCK (0.1360s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8 
NSOCK (0.1360s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 18 
NSOCK (0.1360s) Write request for 44 bytes to IOD #1 EID 27 [192.168.1.254:53]: d~...........254.1.168.192.in-addr.arpa..... 
NSOCK (0.1360s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.254:53] 
NSOCK (0.1360s) Callback: WRITE SUCCESS for EID 27 [192.168.1.254:53] 
NSOCK (0.1610s) Callback: READ SUCCESS for EID 18 [192.168.1.254:53] (44 bytes): d~...........254.1.168.192.in-addr.arpa..... 
NSOCK (0.1610s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 34 
Nmap scan report for 192.168.1.254 
Host is up (0.0019s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds 

MAC address spoofing

It is possible to spoof your MAC address while performing an ARP ping scan. Use --spoof-mac to set a new MAC address:

# nmap -sP -PR --spoof-mac 5C:4C:A9:F2:DC:7C

See also

  • The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
  • The Discovering hosts with TCP SYN ping scans recipe
  • The Discovering hosts with TCP ACK ping scans recipe
  • The Discovering hosts with UDP ping scans recipe
  • The Discovering hosts with ICMP ping scans recipe
  • The Discovering hosts with IP protocol ping scans recipe
  • The Discovering hosts using broadcast pings recipe
  • The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information