Re: Looking for arp scanner
From: Christopher Black (cblack_at_securecrossing.com)
Date: 06/30/05
- Previous message: fbsd_user: "ipfw2 & flush state table"
- In reply to: Glenn Dawson: "Re: Looking for arp scanner"
- Next in thread: Erik Nørgaard: "Re: Looking for arp scanner"
To: Glenn Dawson <glenn@antimatter.net> Date: Wed, 29 Jun 2005 19:42:28 -0400
On Wed, 2005-06-29 at 16:30 -0700, Glenn Dawson wrote:
> At 03:45 PM 6/29/2005, Vince Hoffman wrote:
>
>
> >On Wed, 29 Jun 2005, Fabian Anklam wrote:
> >
> >>On 6/29/05, Glenn Dawson <glenn@antimatter.net> wrote:
> >>>At 02:18 PM 6/29/2005, Fabian Anklam wrote:
> >>>>Hi there,
> >>>>
> >>>>I've been browsing freshports.org for an arp scanner and found only
> >>>>arpscan, which is marked broken, and knowlan, which hasn't been updated
> >>>>in years. What's the tool of choice to map out IP addresses on a subnet
> >>>>when you know that quite a few hosts are firewalled from ping?
> >>>
> >>>Try nmap. It has a variety of different ways to "look" for systems on a
> >>>given subnet.
> >>Thanks. Tried nmap. As I said, some systems that I want to have in my
> >>output are locally firewalled and I doubt the -sP switch catches
> >>them. Port scans are out of the question.
> >
> >Thinking about it, even if the host blocks ping it will still have to reply
> >to an ARP request. So make a short script to clear the ARP cache ('arp -a
> >-d' as root), then do your nmap -sP xxx.xxx.xxx.xxx/yyy, and then do an 'arp -a',
> >which will list all the entries in your ARP cache (this should be every
> >host that responded to an ARP request when you did the ping scan, but maybe
> >pipe it through grep to only get the entries for IPs in that range).
> >
> >Also, arping may be of use.
>
> I suppose if you need to be totally passive, you could do:
>
> tcpdump -i fxp0 arp
>
> (assuming of course that your network interface is on fxp0)
> and let it run for a bit. Eventually you'll catch all the active hosts on
> the network.
>
> -Glenn
>
>
> >Vince
> >
> >>
> >>>-Glenn
> >>>
> >>>
> >>>>Thanks, Fabian
Try putting this in a file called map.pl, and execute 'perl map.pl >
map.txt'. It'd be better if it were multi-threaded for speed and could
parse a subnet mask, but this is a start. Be sure to edit the path to
arping if need be, change the 'wi0' in the ARPING_ARGS to whatever your
interface is, and set the subnet you want to search. Good luck.
#!/usr/bin/perl -w
use strict;

$| = 1;    # unbuffered STDOUT so each live host is printed as soon as it answers

my $ARPING      = '/usr/local/sbin/arping';   # path to arping (FreeBSD ports location)
my $ARPING_ARGS = '-i wi0 -c 1 -r';           # one request on wi0; -r prints only the replying MAC
my $BASEIP      = '192.168.1';                # first three octets of the /24 to scan

print "Scanning...\n";
for my $i ( 1 .. 255 ) {
    # arping prints the answering MAC address; no reply means empty output,
    # so any output at all marks the host as up
    if ( `$ARPING $ARPING_ARGS $BASEIP.$i` ) {
        print "$BASEIP.$i\n";
    }
}
print "Done.\n";
--
Christopher Black
Chief Security Engineer
Secure Crossing
22750 Woodward Suite 304 - Ferndale, MI 48220
Tel (800) 761-4299 | Direct (248) 658-6120
cblack@securecrossing.com | www.securecrossing.com
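The two improvements the post above asks for, a parsed subnet mask and parallel probing, as an added example that is not part of the original message or its map.pl. It assumes the same arping at /usr/local/sbin/arping with '-c 1 -r' printing only the replying MAC (empty output on no answer), an interface name of wi0, and that the host range is given as CIDR on the command line; Perl's core Socket module does the address arithmetic.

```perl
#!/usr/bin/perl -w
# Added example, not from the original post: CIDR-aware, forking variant of map.pl.
use strict;
use Socket qw(inet_aton inet_ntoa);

my $ARPING   = '/usr/local/sbin/arping';   # assumed path (FreeBSD ports)
my $IFACE    = 'wi0';                      # assumed interface; change to yours
my $PARALLEL = 16;                         # cap on concurrent arping processes

# Expand "a.b.c.d/n" into host addresses, excluding network and broadcast.
# /31 and /32 therefore yield an empty list.
sub cidr_hosts {
    my ($cidr) = @_;
    my ($ip, $bits) = split m{/}, $cidr;
    die "bad CIDR: $cidr\n" unless defined $bits && $bits =~ /^\d+$/ && $bits <= 32;
    defined(my $packed = inet_aton($ip)) or die "bad address: $ip\n";
    my $addr  = unpack('N', $packed);
    my $mask  = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    my $net   = $addr & $mask;
    my $bcast = $net | (~$mask & 0xFFFFFFFF);
    return map { inet_ntoa(pack('N', $_)) } ($net + 1 .. $bcast - 1);
}

# Send one ARP request; returns the MAC that answered, or undef on no reply.
sub arping_host {
    my ($host) = @_;
    my $out = `$ARPING -i $IFACE -c 1 -r $host 2>/dev/null`;
    chomp $out;
    return length $out ? $out : undef;
}

my $cidr = shift @ARGV or die "usage: $0 a.b.c.d/n\n";
$| = 1;
my @hosts = cidr_hosts($cidr);
print "Scanning ", scalar(@hosts), " addresses in $cidr...\n";

my $running = 0;
for my $host (@hosts) {
    if ($running >= $PARALLEL) { wait; $running--; }   # throttle: reap one first
    my $pid = fork;
    die "fork: $!\n" unless defined $pid;
    if ($pid == 0) {                                   # child: probe one host
        my $mac = arping_host($host);
        print "$host\t$mac\n" if defined $mac;
        exit 0;
    }
    $running++;
}
1 while wait != -1;                                    # reap remaining children
print "Done.\n";
```

Run as 'perl map-cidr.pl 192.168.1.0/24 > map.txt'; output order follows reply order, not address order, so sort the file if you need it in sequence.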