
Thread: Arp Hunting For Unknown Ip And Mac Addresses

  1. #1
    Senior Member
    Join Date
    Mar 2005

    Arp Hunting For Unknown Ip And Mac Addresses


    The job:

    You are hired to make changes to a client's network: making changes to routing, promoting a router, or changing a combo router/switch's internal webserver settings to the appropriate information. You ping IPs on a network inventory scan but only 8 of the 9 routers or router/switches respond. You port scan the local subnet but again only 8 of 9 respond.
    (For our purposes, consider this a single physical subnetted network.)

    Although everything is working fine (before the changes) you cannot get that 9th router to respond to your queries. It simply refuses all attempts to divulge its IP or ports, even though it seems to work well.

    What to do?

    Replace it, sure if you have a replacement in your back pocket and computerMart has it in stock.

    Or consider this?

    1) We need a tool that has XRay vision, returning both a MAC address with an IP address.
    2) We need a tool that is immovable, cannot be redirected by routers causing confusion and mistakes.
    3) We need a tool that is faster than pinging, faster than portmapping, faster than...
    4) We need a tool that is fearless, not depending on the vagaries of the TCP/IP stack.
    5) We need a tool without which basic hardware communications cannot exist.
    6) We need a tool ... (insert: leap tall buildings with single bound?) ahh...not just right yet.

    That tool is the ARP protocol (and its lesser-known cousins InARP or RARP).

    It qualifies for at least 5 of the 6 requests above.

    ARP was not originally designed as an IP-only protocol although today it is primarily used to map IP addresses to MAC addresses. ARP can be used to resolve MAC to many different Layer 3 protocols. ARP has also been adapted to resolve other kinds of Layer 2 addresses; for example, ATMARP is used to resolve ATM NSAP addresses in the Classical IP over ATM protocol. Source: Wikipedia

    An ARP scanner (called ARP Viewer) uses connectionless packets at the data link level (MAC) and so it's quite fast. It doesn't wait for connections, doesn't burden us with options but speeds through to do its job. If two pieces of Ethernet-capable equipment must communicate, the most basic level communication protocol that allows that communication and subsequent higher level TCP/IP operation is ARP.
    Sounds like the tool for the job.

    To call upon an ARP scanner (ARP Viewer, in our case) to accomplish this job, we must use it to find the unknown.

    First we decide the scope of the reach we want ARP Viewer to search, both in IP and in Subnet mask.
    The IP of the network wire to which we are attached, in this case, is with a subnet mask of

    Let's limit the scope of this simple search from to, for our first go-round. Since the first two IP address octets stayed the same, our subnet mask is

    To perform this, set your laptop/computer to an IP of and set your subnet mask to (even if you are on a subnet network), and reboot if you must.
    (Don't worry if you cannot ping the local network or communicate with the internet at this time, it's supposed to be this way, we are now stealth to the local subnet).
    Ensure your network settings reflect this IP change by opening a command line and typing "ipconfig /all"

    Next, connect your laptop/computer to the router or combo router/switch on the LAN side, do not connect to the WAN port. It's probably firewalled. Now power up the router.

    Here we open up ARP Viewer and set the start IP to (use tab to enter next box) and set the end IP to Notice there is no subnet mask option, as ARP Viewer is going to use your laptop/computer subnet mask entry. Be fearless and simply click on the Discover button.

    ARP Viewer will now check all addresses, inside and outside your local wired subnet for devices and will present both the IP and MAC addresses of any equipment able to respond to basic communication. As a bonus feature, ARP Viewer will provide the NBT device name. If you need to stop the scan, click "Stop Discovery" and it immediately stops.

    [Potential miss scans]
    If the program's taskbar does not show how many computers are being scanned, then you might have allowed too many numbers in each IP input box. Clear them out and start over.

    If you get no response, although it scanned, either the equipment is so broken it cannot communicate at a basic level (in which case it would not work) or your scanned IP range needs modification.

    Here are a few large private ranges of IP and subnet combinations to scan for devices:

    IP Range -------------------------------Laptop IP---------------Laptop Subnet Mask------------ARP Viewer Start IP

    (Realize that breaking these suggested ranges into more manageable scans will speed the discovery)

    This method of discovery saves time by scanning inside and outside your wired subnet, based on your applied subnet mask values.

    {Author reserves right to make grammatical and spelling mistakes, your reading mileage may vary}
    Beta tester of "0"s and "1"s"

  2. #2
    Elite Hacker
    Join Date
    Mar 2003
    I just wanted to ask something real quick about the tutorial. Are you sure ARP uses UDP? Is UDP also a generic term for things that don't use tcp/ip? From what I understand UDP requires an IP header and is connectionless. I believe ARP doesn't have an IP header. Just an Ethernet or whatever header and the ARP header.

    Other than that, great tutorial. Sounds like a really good way to find hosts on a network.

    Also, you may find this interesting:

    How does the new ARP scan work?

    Fyodor: Well, Nmap has traditionally performed host discovery by spewing IP packets throughout the target networks and listening for replies. Obviously many firewalls block ICMP ping packets and other packet types. Nmap gets around this by sending a user-specified combination of IP packets in the hope that at least one will get through and elicit a response. Nmap can send TCP SYN or ACK packets to a list of ports, UDP packets to arbitrary ports, and ICMP netmask and timestamp request queries.

    But on local Ethernet networks, which is one of the most common Nmap usage scenarios, there is a better solution. When Nmap tries to send a raw IP packet such as an ICMP echo request, the operating system must determine the destination hardware (MAC) address corresponding to the target IP so that it can properly address the Ethernet frame. This is often slow and problematic, since operating systems weren't written with the expectation that they would need to do millions of ARP requests against unavailable hosts in a short time period. Nmap now takes over this role. And when it receives an ARP response back, it knows the host is up so it doesn't even need to bother sending the IP packets. The net effect is that scanning your local network is now much faster and more accurate. Nmap automatically detects when conditions are proper for doing this, so you don't even need to remember an extra flag.
    source: http://www.securityfocus.com/columnists/384

    I read that a while back and was thinking about it while reading your tutorial.
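    As an added illustration (not code from either poster or from ARP Viewer) of what the tutorial's scanner does on the wire and of the header question raised in the reply: the ARP request and reply are built and parsed directly on top of the Ethernet header (EtherType 0x0806), with no IP or UDP header at all. The MAC and IP values below are constructed sample data, and the "capture" is a list of frames built in the script rather than read from a network interface.

```python
import struct

ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800          # hardware type 1 = Ethernet, protocol = IPv4
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def arp_frame(op, src_mac, src_ip, dst_mac, dst_ip):
    """Ethernet header (14 bytes) + ARP body (28 bytes). No IP header is
    involved: the ARP body follows the Ethernet header directly."""
    eth_dst = BROADCAST if op == OP_REQUEST else mac_bytes(dst_mac)
    eth = eth_dst + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, op)
    arp += mac_bytes(src_mac) + ip_bytes(src_ip)          # sender hardware/protocol address
    target_hw = b"\x00" * 6 if op == OP_REQUEST else mac_bytes(dst_mac)
    return eth + arp + target_hw + ip_bytes(dst_ip)       # target hardware/protocol address

def parse_arp_reply(frame):
    """Return (mac, ip) of the answering device, or None for anything that is
    not a well-formed Ethernet/IPv4 ARP reply (too short, other EtherType, a request)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen, op) != (HW_ETHERNET, PROTO_IPV4, 6, 4, OP_REPLY):
        return None
    return mac_str(frame[22:28]), ip_str(frame[28:32])

def inventory(frames):
    """Collect IP -> MAC from a list of frames: the table an ARP scanner shows."""
    found = {}
    for f in frames:
        hit = parse_arp_reply(f)
        if hit:
            found[hit[1]] = hit[0]
    return found

# Constructed sample traffic: the scanning laptop asks who has 10.0.0.1, the
# device answers, and an unrelated IPv4 frame is present and must be ignored.
SCANNER_MAC, SCANNER_IP = "02:00:00:00:00:50", "10.0.0.50"
REQUEST = arp_frame(OP_REQUEST, SCANNER_MAC, SCANNER_IP, None, "10.0.0.1")
REPLY = arp_frame(OP_REPLY, "02:00:00:00:00:01", "10.0.0.1", SCANNER_MAC, SCANNER_IP)
NOISE = mac_bytes(SCANNER_MAC) * 2 + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 27

if __name__ == "__main__":
    print(inventory([REQUEST, REPLY, NOISE]))   # {'10.0.0.1': '02:00:00:00:00:01'}
```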

  3. #3
    Senior Member
    Join Date
    Mar 2005
    I corrected that to Data Link level MAC.
    I need a proofreader.
    Beta tester of "0"s and "1"s"
