FOSS Security Tools: The arp-scan Package

Free and open source software (FOSS) offers a range of security tools. In this first article in the new series on FOSS security tools, we will explore the arp-scan package.

arp-scan is a command-line utility for discovering IPv4 hosts in the network. It is written by Roy Hills and is available for GNU/Linux, MacOS, BSD and Solaris. It is primarily written in C and released under the GPLv3 licence. You can use it to send ARP (address resolution protocol) packets with configurable options, and customise the fields in the ARP packet. The tool can decode the packets received from the hosts and provide vendor information based on the MAC address. It can also fingerprint the hosts on the local network. You can install the same on Ubuntu using:

$ sudo apt install arp-scan

The version of arp-scan that we will use is 1.9.7 on Ubuntu 22.04.4 LTS:

$ arp-scan --version
arp-scan 1.9.7
Copyright (C) 2005-2019 Roy Hills, NTA Monitor Ltd.
arp-scan comes with NO WARRANTY to the extent permitted by law.
You may redistribute copies of arp-scan under the terms of the GNU
General Public License.
For more information about these matters, see the file named COPYING.
libpcap version 1.10.1 (with TPACKET_V3)

Localnet

The –localnet or -l option generates the addresses from the interface configuration and netmask, and scans them in the local network. For example:

$ sudo arp-scan --localnet


Interface: eth0, type: EN10MB, MAC: d4:ba:ba:af:ff:f1, IPv4: 10.0.0.104
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)

10.0.0.1 2c:54:91:88:c9:e3 (Unknown)
10.0.0.100 8c:1f:64:a2:d0:01 IEEE Registration Authority
10.0.0.103 00:0a:95:9d:68:16 (Unknown: locally administered)
10.0.0.1 2c:54:91:88:c9:e3 (Unknown) (DUP: 2)
10.0.0.1 2c:54:91:88:c9:e3 (Unknown) (DUP: 3)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.957 seconds (130.81 hosts/sec). 5 responded

Verbose

You can increase the verbosity of the output messages by increasing the number of v’s in the option.

$ sudo arp-scan -vv 10.0.0.100
Interface: eth0, type: EN10MB, MAC: d4:ba:ba:af:ff:f1, IPv4: 10.0.0.103
DEBUG: pcap filter string: “ether dst d4:ba:ba:af:ff:f1 and (arp or (ether[14:4]=0xaaaa0300 and ether[20:2]=0x0806) or (ether[12:2]=0x8100 and ether[16:2]=0x0806) or (ether[12:2]=0x8100 and ether[18:4]=0xaaaa0300 and ether[24:2]=0x0806))”

DEBUG: Loaded 30082 IEEE OUI/Vendor entries from ieee-oui.txt.
DEBUG: Loaded 4575 IEEE IAB/Vendor entries from /usr/share/arp-scan/ieee-iab.txt.
DEBUG: Loaded 6 MAC/Vendor entries from /usr/share/arp-scan/mac-vendor.txt.

DEBUG: pkt len=64 bytes, bandwidth=256000 bps, interval=2000 us

Starting arp-scan 1.9.7 with 1 hosts (https://github.com/royhills/arp-scan)

--- Sending packet #1 to host 10.0.0.100 tmo 500000

--- Pass 1 complete

--- Sending packet #2 to host 10.0.0.100 tmo 750000

--- Received packet #1 from 10.0.0.100

10.0.0.100 00:0a:95:9d:68:16 (Unknown: locally administered)

--- Removing host 10.0.0.100 - Received 60 bytes

1 packets received by filter, 0 packets dropped by kernel

Ending arp-scan 1.9.7: 1 hosts scanned in 0.717 seconds (1.39 hosts/sec). 1 responded

$ sudo arp-scan -vvv 10.0.0.100

Interface: eth0, type: EN10MB, MAC: d4:ba:ba:af:ff:f1, IPv4: 10.0.0.103

DEBUG: pcap filter string: “ether dst d4:ba:ba:af:ff:f1 and (arp or (ether[14:4]=0xaaaa0300 and ether[20:2]=0x0806) or (ether[12:2]=0x8100 and ether[16:2]=0x0806) or (ether[12:2]=0x8100 and ether[18:4]=0xaaaa0300 and ether[24:2]=0x0806))”

DEBUG: Loaded 30082 IEEE OUI/Vendor entries from ieee-oui.txt.

DEBUG: Loaded 4575 IEEE IAB/Vendor entries from /usr/share/arp-scan/ieee-iab.txt.

DEBUG: Loaded 6 MAC/Vendor entries from /usr/share/arp-scan/mac-vendor.txt.

DEBUG: pkt len=64 bytes, bandwidth=256000 bps, interval=2000 us

Starting arp-scan 1.9.7 with 1 hosts (https://github.com/royhills/arp-scan)

Host List:

Entry IP Address

1 10.0.0.100

Total of 1 host entries.

--- Sending packet #1 to host 10.0.0.100 tmo 500000

--- Received packet #1 from 10.0.0.100

10.0.0.100 00:0a:95:9d:68:16 (Unknown: locally administered)

--- Removing host 10.0.0.100 - Received 60 bytes

1 packets received by filter, 0 packets dropped by kernel

Ending arp-scan 1.9.7: 1 hosts scanned in 0.320 seconds (3.12 hosts/sec). 1 responded

The maximum number of v’s allowed are three.

Interface

You can explicitly specify the network interface to scan using the -I option. For example:

$ sudo arp-scan --localnet -I wlan0
Interface: wlan0, type: EN10MB, MAC: 58:6c:25:ed:5d:d7, IPv4: 10.0.0.105
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)

10.0.0.1 2c:54:91:88:c9:e3 (Unknown)
10.0.0.100 8c:1f:64:a2:d0:01 IEEE Registration Authority

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.959 seconds (130.68 hosts/sec). 2 responded

Netmask

arp-scan scans all the possible hosts available in the network. In the above example, it searched for 256 hosts. You can explicitly specify a netmask to limit the range as indicated below:

$ sudo arp-scan 10.0.0.103/28
Interface: eth0, type: EN10MB, MAC: d4:ba:ba:af:ff:f1, IPv4: 10.0.0.104
WARNING: host part of 10.0.0.103/28 is non-zero
Starting arp-scan 1.9.7 with 16 hosts (https://github.com/royhills/arp-scan)
10.0.0.100 8c:1f:64:a2:d0:01 IEEE Registration Authority
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 16 hosts scanned in 1.466 seconds (10.91 hosts/sec). 1 responded

Hosts

You can also explicitly list the hosts that you want to scan with the arp-scan command. For example:

$ sudo arp-scan --interface=eth0 10.0.0.1 10.0.0.100 10.0.0.103
Interface: eth0, type: EN10MB, MAC: d4:ba:ba:af:ff:f1, IPv4: 10.0.0.104
Starting arp-scan 1.9.7 with 3 hosts (https://github.com/royhills/arp-scan)
10.0.0.1 2c:54:91:88:c9:e3 (Unknown)
10.0.0.100 8c:1f:64:a2:d0:01 IEEE Registration Authority
10.0.0.103 00:0a:95:9d:68:16 (Unknown: locally administered)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 3 hosts scanned in 0.734 seconds (4.09 hosts/sec). 3 responded

Options

The following options can be used for the outgoing ARP packets:

An example for the hardware address length option is shown below:

$ sudo arp-scan --arphln=6 -l
Interface: eth0, type: EN10MB, MAC: d4:ba:ba:af:ff:f1, IPv4: 10.0.0.103
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)

10.0.0.1 2c:54:91:88:c9:e3 (Unknown)
10.0.0.102 8c:1f:64:a2:d0:01 IEEE Registration Authority

10.0.0.1 2c:54:91:88:c9:e3 (Unknown) (DUP: 2)
10.0.0.1 2c:54:91:88:c9:e3 (Unknown) (DUP: 3)
10.0.0.1 2c:54:91:88:c9:e3 (Unknown) (DUP: 4)
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.973 seconds (129.75 hosts/sec). 5 responded

The Ethernet frame options include:

Format

The header and footer text in the output can be suppressed by using the –plain option as shown below:

sudo arp-scan -l --plain
10.0.0.1 2c:54:91:88:c9:e3 (Unknown)
10.0.0.100 8c:1f:64:a2:d0:01 IEEE Registration Authority

In the arp-scan 1.10.0 version, you have the –format option for the output:

$ sudo arp-scan --plain --format=’${ip},${mac},”${vendor}”’ -
10.0.122.1,52:54:00:37:45:95,”QEMU”

PCAP

The responses from arp-scan can be saved to a .pcap file using the –pcapcsavefile option. Here’s an example:

$ sudo arp-scan -I eth0 --pcapsavefile=arp.pcap 10.0.0.100
Interface: eth0, type: EN10MB, MAC: d4:ba:ba:af:ff:f1, IPv4: 10.0.0.104
Starting arp-scan 1.9.7 with 1 hosts (https://github.com/royhills/arp-scan)
10.0.0.100 8c:1f:64:a2:d0:01 IEEE Registration Authority
1 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 1 hosts scanned in 0.173 seconds (5.78 hosts/sec). 1 responded

You can view the contents of the .pcap file using tcpdump as follows:

$ tcpdump -n -r arp.pcap
reading from file arp.pcap, link-type EN10MB (Ethernet), snapshot length 64
20:40:04.125747 ARP, Reply 10.0.0.100 is-at 8c:1f:64:a2:d0:01, length 46

arp-fingerprint

The arp-fingerprint command can be used to fingerprint a specific host. You cannot provide multiple networks, or hosts as input. It uses arp-scan to send and receive the ARP requests. An example is shown below:

$ sudo arp-fingerprint -o “--interface=eth0 --numeric” 10.0.0.100
10.0.0.100 01010100000 Linux 2.2, 2.4, 2.6, 3.2, 3.8, 4.0, 4.6, Vista, 2008, Windows7, Windows8, Windows10

$ sudo arp-fingerprint -o “--interface=wlan0 --numeric” 10.0.1.15
10.0.1.15 11110000000 Linux 2.0, MacOS 10.4, IPSO 3.2.1, Minix 3, Cisco VPN Concentrator 4.7, Catalyst 1900, BeOS, WIZnet W5100

get-oui

The get-oui utility is used to obtain the arp-scan OUI (organizationally unique identifier) file from the IEEE website. It is written in Perl, obtains the latest MAC/vendor data from the IEEE website, and stores it in an ieee-oui.txt file.

$ get-oui -v
Fetching OUI data from file://var/lib/ieee-data/oui.txt
Fetched 4626538 bytes
Opening output file ieee-oui.txt
30082 OUI entries written to file ieee-oui.txt

Each line in the ieee-oui.txt file contains the following mapping:

<OUI><TAB><Vendor>

The <OUI> represents the first three bytes of the MAC address, and <Vendor> is the name of the vendor.

The lines beginning with ‘#’ and empty lines are ignored.

A sample list of entries from the file is given below:

002272 American Micro-Fuel Device Corp.
00D0EF IGT
086195 Rockwell Automation
F4BD9E Cisco Systems, Inc
5885E9 Realme Chongqing MobileTelecommunications Corp Ltd
BC2392 BYD Precision Manufacture Company Ltd.
405582 Nokia

You are encouraged to read the arp-scan, arp-fingerprint, and get-oui manual pages to learn more. In the next article in the series, we will discuss another FOSS security tool that you can try out. Till then, happy learning.