Using Backtrack: Network Mapping: Identify Live Hosts: arping

arping

Purpose:

To find hosts using the Address Resolution Protocol (ARP), which probes at layer 2, rather than ICMP, a layer 3 protocol that is usually filtered at routers and host firewalls these days. Because ARP is not routed, arping only reaches hosts in the same broadcast domain (LAN segment) as the probing interface; it cannot discover hosts behind a router. Initially arping was solely a utility for making sure an IP address wasn't already taken before you assigned it.

Discussion:

The ability to work at the MAC level (layer 2) and detect hosts that are addressable by IP, including hosts that drop ICMP echo requests: a host that wants to receive any IP traffic at all must answer ARP requests for its own address, so there is no equivalent of "blocking ping" for ARP short of cutting the host off the network.

Be very careful with online man pages for arping: there are multiple implementations with wildly different options. The examples and usage text on this page are from the iputils arping (see Home Page below); Thomas Habets' arping, which also ships on many distributions, uses different flags (for instance -i, not -I, for the interface) and different output, so check which one is installed before copying options. A few examples:

Can I reach an IP address (a host) on the local segment even if I don't have an IP of my own on it yet? (Without -s, iputils takes the source address from the routing table; in -D mode it sends from 0.0.0.0.)

[root@bt4]# arping -I eth0 -c 2 192.168.1.13
ARPING 192.168.1.13 from 192.168.1.254 eth0
Unicast reply from 192.168.1.13 [00:8F:C8:E8:4F:8E] 3.519ms
Unicast reply from 192.168.1.13 [00:8F:C8:E8:4F:8E] 2.596ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)

A duplicate address probe: Is the address in use?

[root@bt4]# arping -D -q -I eth0 -c 2 192.168.1.3
[root@bt4]# echo $?
1
[root@bt4]# arping -D -q -I eth0 -c 2 192.168.1.4
[root@bt4]# echo $?
0

In the first test above the answer is yes: something replied, so 192.168.1.3 is taken. In the second the answer is no, meaning I can take 192.168.1.4. Note that with -D the answer is in the exit status, not the output: 0 means no reply was received (the address is free), 1 means a reply arrived (in use). With -q there is no output at all, so the exit status is the only thing to look at.
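As an added example (not from the original page and not part of iputils), here is a small POSIX shell wrapper around the two uses shown above: a one-host-at-a-time ARP sweep of a range that turns the "Unicast reply" lines into IP/MAC pairs, and the -D duplicate-address check turned into a plain yes/no from the exit status. The interface name, the address range and the -c/-w values are assumptions; sending real probes needs root and an interface on the target segment, while the parsing and exit-status handling can be read without either.

```shell
#!/bin/sh
# Added example wrapping iputils arping (not part of the original page).
# Two jobs: sweep a range for live layer-2 hosts, and ask whether one
# address is already claimed before assigning it.
# Assumptions: iputils arping is on PATH, we run as root, and the
# interface/range given on the command line exist on this segment.

# Turn iputils arping output (stdin) into "ip mac" lines, one per host.
# Only "Unicast reply from A.B.C.D [MAC] ..." lines carry a MAC.
parse_arping_replies() {
    sed -n 's/^Unicast reply from \([0-9.][0-9.]*\) \[\([0-9A-Fa-f:]*\)].*/\1 \2/p' | sort -u
}

# Map the -D exit status to words. iputils returns 0 from DAD only when
# nobody answered (address free) and 1 when a reply came back (in use).
dad_status() {
    case "$1" in
        0) echo free ;;
        1) echo in-use ;;
        *) echo error ;;
    esac
}

# ip_in_use DEV IP: is IP already claimed on the segment behind DEV?
# -q keeps arping silent, so the exit status is the whole answer.
ip_in_use() {
    if arping -D -q -c 2 -w 2 -I "$1" "$2" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    dad_status "$rc"
}

# arp_sweep DEV PREFIX FIRST LAST: probe PREFIX.FIRST .. PREFIX.LAST one
# host at a time (e.g. eth0 192.168.1 1 254) and print responders.
# -f stops at the first reply, -w 1 gives a silent host one second.
arp_sweep() {
    dev=$1; prefix=$2; i=$3; last=$4
    while [ "$i" -le "$last" ]; do
        arping -f -c 1 -w 1 -I "$dev" "$prefix.$i" 2>/dev/null || :
        i=$((i + 1))
    done | parse_arping_replies
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
    sweep) shift; arp_sweep "$@" ;;
    free)  shift; ip_in_use "$@" ;;
esac
```

Usage: `sh arp_sweep.sh sweep eth0 192.168.1 1 254` lists the hosts that answered with their MACs; `sh arp_sweep.sh free eth0 192.168.1.4` prints "free" or "in-use". The sweep is deliberately sequential, so with -w 1 a mostly empty /24 takes a few minutes; that is the price of using the stock binary instead of a dedicated scanner.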

How about an "unsolicited ARP," which I blissfully expect my fellow network cards to accept:

[root@bt4]# arping -U -I {Interface-Name} {IP-Address}
[root@bt4]# arping -U -I eth1 10.2.12.2


  • -U : Unsolicited ARP update of neighbors’ ARP caches. No reply is expected.
  • -I eth1 : Name of network device to which ARP REQUEST packets will be sent. Required.
  • 10.2.12.2 : The IP address I’m taking.

Or a "gratuitous reply" to a question that was never asked, which does the same as the above to update my neighbours' ARP caches. Both -U and -A overwrite whatever the neighbours had cached for that address, which is exactly what the IP takeover attack linked under Tutorial below relies on:

[root@bt4]# arping -A -c 3 -I eth0 192.168.1.14

See the tutorial links below for more examples.

Opening Instructions:

Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
-f : quit on first reply
-q : be quiet
-b : keep broadcasting, don’t go unicast
-D : duplicate address detection mode
-U : Unsolicited ARP mode, update your neighbours
-A : ARP answer mode, update your neighbours
-V : print version and exit
-c count : how many packets to send
-w timeout : how long to wait for a reply
-I device : which ethernet device to use (eth0)
-s source : source ip address
destination : ask for what ip address

Stage:

Information gathering, network mapping

Home Page:

http://www.skbuff.net/iputils/

Tutorial:

A very simple one at http://linux-ip.net/html/tools-arping.html

Get the interesting PDF discussion of ARP at http://www.habets.pp.se/synscan/docs.php.

Consider the details of cache updating: http://www.cyberciti.biz/faq/update-arp-cache-for-ip-address/.

Exploit: IP takeover attack: http://hack2live.blogspot.com/2008/07/ip-takeover-attack-with-arping.html.