Looking for arp scanner
Christopher Black
cblack at securecrossing.com
Wed Jun 29 23:42:25 GMT 2005
On Wed, 2005-06-29 at 16:30 -0700, Glenn Dawson wrote:
> At 03:45 PM 6/29/2005, Vince Hoffman wrote:
>
>
> >On Wed, 29 Jun 2005, Fabian Anklam wrote:
> >
> >>On 6/29/05, Glenn Dawson <glenn at antimatter.net> wrote:
> >>>At 02:18 PM 6/29/2005, Fabian Anklam wrote:
> >>>>Hi there,
> >>>>
> >>>>I've been browsing freshports.org for an arp scanner and found only
> >>>>arpscan, which is marked broken, and knowlan, which hasn't been updated
> >>>>in years. What's the tool of choice to map out IP addresses on a subnet
> >>>>when you know that quite a few hosts are firewalled from ping?
> >>>
> >>>Try nmap. It has a variety of different ways to "look" for systems on a
> >>>given subnet.
> >>Thanks. Tried nmap. As I said, some systems that I want to have in my
> >>output are locally firewalled and I doubt the -sP switch catches
> >>them. Port scans are out of the question.
> >
> >Thinking about it, even if the host blocks ping it will still have to reply
> >to an arp request. So make a short script to clear the arp cache ('arp -a
> >-d' as root), then do your nmap -sP xxx.xxx.xxx.xxx/yyy and do an arp -a,
> >which will list all the arp entries in your arp cache (should be every
> >host that responded to an arp request when you did the ping scan, but maybe
> >pipe it through grep to only get the arps for ips in that range).
> >
> >also arping may be of use.
>
> I suppose if you need to be totally passive, you could do:
>
> tcpdump -i fxp0 arp
>
> (assuming of course that your network interface is on fxp0)
> and let it run for a bit. Eventually you'll catch all the active hosts on
> the network.
>
> -Glenn
>
>
> >Vince
> >
> >>
> >>>-Glenn
> >>>
> >>>
> >>>>Thanks, Fabian
Try putting this in a file called map.pl, and execute 'perl map.pl >
map.txt'. It'd be better if it were multi-threaded for speed and could
parse a subnet mask, but this is a start. Be sure to edit the path to
arping if need be, change the 'wi0' in the ARPING_ARGS to whatever your
interface is, and set the subnet you want to search. Good luck.
#!/usr/bin/perl -w
use strict;

$| = 1;    # flush output as each host is found rather than at exit

# Path to arping and its options: -i <interface>, -c 1 (send one probe),
# -r (raw output: print only the MAC of a responder, so the backticks
# return an empty string for hosts that stay silent).
my $ARPING      = '/usr/local/sbin/arping';
my $ARPING_ARGS = '-i wi0 -c 1 -r';
my $BASEIP      = '192.168.1';    # first three octets of the /24 to walk

print "Scanning...\n";
for my $i ( 1 .. 255 ) {
    # With -r arping prints something only when it gets a reply,
    # so any output at all means the host is up.
    if ( `$ARPING $ARPING_ARGS $BASEIP.$i` ) {
        print "$BASEIP.$i\n";
    }
}
print "Done.\n";
--
Christopher Black
Chief Security Engineer
Secure Crossing
22750 Woodward Suite 304 - Ferndale, MI 48220
Tel (800) 761-4299 | Direct (248) 658-6120
cblack at securecrossing.com | www.securecrossing.com
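The thread leaves two steps as an exercise: Vince's "pipe it through grep to only get the arps for ips in that range" after reading the ARP cache, and the subnet-mask parsing Christopher says his script lacks; Glenn's passive tcpdump approach also needs its output turned into a host list. The following script is an added example and is not code from anyone in this thread. It parses `arp -a` lines and `tcpdump -i fxp0 arp` lines, keeps only addresses inside a CIDR block, and merges both sources into one inventory of hosts that are up even when they drop ping. The filename arp_inventory.py and both output samples are constructed for the example, not captured from a real network.

```python
"""arp_inventory.py (hypothetical filename): build a list of live hosts from
ARP evidence and restrict it to one subnet, so hosts that block ICMP still
appear in the inventory."""
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample of `arp -a` output (FreeBSD-style lines); not a real capture.
ARP_A_SAMPLE = """\
? (192.168.1.1) at 00:0c:29:aa:bb:cc on fxp0 expires in 1195 seconds [ethernet]
? (192.168.1.17) at 00:11:22:33:44:55 on fxp0 expires in 1200 seconds [ethernet]
? (192.168.1.50) at (incomplete) on fxp0 expired [ethernet]
? (10.0.0.5) at 00:de:ad:be:ef:01 on fxp1 expires in 900 seconds [ethernet]
"""

# Constructed sample of `tcpdump -i fxp0 arp` output; also not a real capture.
TCPDUMP_SAMPLE = """\
23:42:25.100000 arp who-has 192.168.1.33 tell 192.168.1.1
23:42:25.100500 arp reply 192.168.1.33 is-at 00:aa:bb:cc:dd:ee
23:42:26.200000 arp who-has 192.168.1.17 tell 192.168.1.33
23:42:27.300000 arp who-has 192.168.1.200 tell 192.168.1.1
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})"

ARP_CACHE_RE = re.compile(r"\(" + IPV4 + r"\) at " + MAC)
ARP_REPLY_RE = re.compile(r"arp reply " + IPV4 + r" is-at " + MAC)
ARP_REQUEST_RE = re.compile(r"arp who-has " + IPV4 + r" tell " + IPV4)

# ip -> MAC, or None when only the IP has been seen
Inventory = Dict[str, Optional[str]]


def parse_arp_cache(text: str) -> Inventory:
    """Parse `arp -a` lines. Entries marked (incomplete) never answered a
    request, so they do not match the MAC pattern and are skipped."""
    hosts: Inventory = {}
    for line in text.splitlines():
        m = ARP_CACHE_RE.search(line)
        if m:
            hosts[m.group(1)] = m.group(2).lower()
    return hosts


def parse_tcpdump_arp(text: str) -> Inventory:
    """Parse passive `tcpdump arp` output.

    A reply proves the sender is up and gives its MAC. A request only proves
    that the host named after 'tell' is up (it sent the frame); the 'who-has'
    target may not exist at all, so it is deliberately not recorded.
    """
    hosts: Inventory = {}
    for line in text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            hosts[m.group(1)] = m.group(2).lower()
            continue
        m = ARP_REQUEST_RE.search(line)
        if m:
            hosts.setdefault(m.group(2), None)  # keep a MAC already learned
    return hosts


def filter_subnet(hosts: Inventory, cidr: str) -> Inventory:
    """Keep only addresses inside the given network, e.g. '192.168.1.0/24'."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {ip: mac for ip, mac in hosts.items() if ipaddress.ip_address(ip) in net}


def merge_inventory(*sources: Inventory) -> Inventory:
    """Union of several sources; a known MAC always wins over None."""
    merged: Inventory = {}
    for src in sources:
        for ip, mac in src.items():
            if mac is not None or ip not in merged:
                merged[ip] = mac
    return merged


if __name__ == "__main__":
    subnet = "192.168.1.0/24"
    active = filter_subnet(parse_arp_cache(ARP_A_SAMPLE), subnet)
    passive = filter_subnet(parse_tcpdump_arp(TCPDUMP_SAMPLE), subnet)
    for ip, mac in sorted(merge_inventory(active, passive).items(),
                          key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:15} {mac or '(MAC not seen)'}")
```

To use it on real output, feed the script the text of `arp -a` taken right after the ping sweep (clearing the cache first, as Vince suggests, so stale entries from earlier sessions are not mistaken for live hosts) and, separately, a saved tcpdump capture; the passive source only ever sees hosts that happened to talk while tcpdump was running, which is why the two are merged rather than used alone.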