Hidden device with arp-scan

ARP (Address Resolution Protocol) maps an IP network address to a hardware address. Each ARP message carries a single request or a single reply. Its common use is mapping a network address such as an IPv4 address to a physical address such as a MAC (Ethernet) address. ARP works with IPv4; in IPv6 the same function is provided by NDP (Neighbor Discovery Protocol). The size of an ARP message depends on the upper-layer and lower-layer address sizes, and the ARP payload carries four address fields: the hardware address and the protocol address of the sender host, and the hardware address and the protocol address of the receiver host.



To work with ARP we use arp-scan, an open source and very efficient tool that sends ARP requests and lists every active IPv4 device on your subnet. A device cannot hide from ARP even if it runs a firewall (unlike ping). ARP only works on the local subnet; to scan devices outside your subnet you need a ping scan (Nmap, Ping Sweep, NetScanner or similar). arp-scan supports Linux, Unix and other platforms.

Install arp-scan in Linux (Ubuntu, Debian or other)

apt-get install arp-scan

In Kali Linux arp-scan comes pre-installed.

Use arp-scan to find hidden devices

arp-scan works with Ethernet (802.3) and wireless (802.11) networks, and it should also work with Token Ring and FDDI (not tested). It does not currently support PPP or SLIP (serial links), because ARP is not used on those links.

Discovering all hosts on the local network

sudo arp-scan --interface=eth0 --localnet

--interface=eth0 defines the interface used for scanning
--localnet scans every IP address in the network attached to that interface

Interface names vary between operating systems: for example, eth0 usually denotes an Ethernet interface and wlan0 a wireless interface.


vipin@kali:~# arp-scan --interface=wlan0 --localnet
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts
0c:1a:a0:c2:94:c0    Dell Inc
0b:0c:29:34:f9:6a    VMware, Inc.
d4:85:64:63:b7:48    Hewlett-Packard Company
0b:0c:29:6d:92:b5    VMware, Inc.
c2:e9:84:0e:c1:12    (Unknown)
23:80:23:ac:dd:c2    (Unknown)
0b:50:56:b1:80:db    VMware, Inc.
0b:50:56:b1:dc:a7    VMware, Inc.
19:a9:05:4b:61:58    Hewlett-Packard Company
ab:95:9a:69:f7:6c    (Unknown)
1e:a8:82:10:66:4a    (Unknown)
0b:50:56:b1:fd:63    VMware, Inc.
0b:50:56:b1:2b:18    VMware, Inc. (DUP: 2)
0b:50:56:b1:f3:b4    VMware, Inc. (DUP: 3)
0b:50:56:b1:f3:2c    VMware, Inc. (DUP: 4)
0b:50:56:b1:8f:5b    VMware, Inc. (DUP: 5)
0b:22:55:cb:59:85    CISCO SYSTEMS, INC.
3c:a8:2a:0f:d3:d2    (Unknown)
0b:25:84:69:6f:c1    CISCO SYSTEMS, INC.
3c:a8:2a:0e:c5:78    (Unknown)
0b:0c:29:4e:54:33    VMware, Inc.
0b:1b:54:97:68:8c    CISCO SYSTEMS, INC.
0b:21:d8:70:e4:4b    CISCO SYSTEMS, INC.
0b:19:55:9d:60:c1    CISCO SYSTEMS, INC.
bc:ea:fa:6f:ec:d2    (Unknown)
98:fc:11:ab:65:b9    Cisco-Linksys, LLC
48:5a:3f:12:d9:df    WISOL
f0:25:b7:3e:a1:b1    (Unknown)
60:57:18:71:c5:a5    Intel Corporate

29 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.259 seconds (113.32 hosts/sec). 29 responded

In the result above, arp-scan discovered 29 live hosts apart from the local machine.

arp-scan with a custom IP range

Instead of --localnet, give the target range on the command line. arp-scan accepts CIDR notation (192.168.1.0/24) or an explicit range (192.168.1.1-192.168.1.254); 192.168.1.0/24 below is a placeholder, replace it with your own subnet.

root@kali:~# arp-scan --interface=wlan0 192.168.1.0/24
vipin@ubuntu:~$ sudo arp-scan --interface=wlan0 192.168.1.0/24

ARP provides no authentication of replies: a host trusts whatever answer it receives, so an ARP reply may come from a system other than the one that actually holds the requested layer 2 address, and the scanning host has no way to tell the two apart.
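As an added example (not part of the original post), the following Python parses arp-scan's tab-separated output and applies two checks a defender would want on a scan like the one above: it flags IPs that answered from more than one MAC (the "(DUP: n)" entries, which may be an address conflict or a forged reply that ARP cannot authenticate), and it lists MACs that are not in a known-device inventory. The sample output and the inventory list are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in arp-scan's tab-separated output format (not taken from
# the page). The last two host lines show one IP answering from two different
# MACs; arp-scan tags every response after the first for an IP with "(DUP: n)".
SAMPLE_OUTPUT = """\
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts
192.168.1.1\t0b:22:55:cb:59:85\tCISCO SYSTEMS, INC.
192.168.1.20\t0c:1a:a0:c2:94:c0\tDell Inc
192.168.1.50\t0b:0c:29:34:f9:6a\tVMware, Inc.
192.168.1.50\t1e:a8:82:10:66:4a\t(Unknown) (DUP: 2)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.259 seconds (113.32 hosts/sec). 3 responded
"""

# One host line: IP <tab> MAC <tab> vendor, optionally followed by " (DUP: n)".
HOST_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\t"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\t"
    r"(?P<vendor>.*?)(?: \(DUP: (?P<dup>\d+)\))?$",
    re.IGNORECASE,
)

def parse_arp_scan(text):
    """Return (ip, mac, vendor, dup) tuples; header and summary lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            dup = int(m.group("dup")) if m.group("dup") else 0
            hosts.append((m.group("ip"), m.group("mac").lower(), m.group("vendor"), dup))
    return hosts

def conflicting_ips(hosts):
    """IPs that replied from more than one MAC: an address conflict or a forged reply."""
    macs = defaultdict(set)
    for ip, mac, _vendor, _dup in hosts:
        macs[ip].add(mac)
    return sorted(ip for ip, seen in macs.items() if len(seen) > 1)

def unknown_devices(hosts, known_macs):
    """MACs that answered but are absent from the defender's inventory (constructed list)."""
    return sorted({mac for _ip, mac, _vendor, _dup in hosts} - set(known_macs))
```

Run it against a real capture with `parse_arp_scan(open("scan.txt").read())`; any IP returned by conflicting_ips deserves a manual check of which MAC legitimately owns it.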