Date:      Wed, 29 Jun 2005 19:42:28 -0400
From:      Christopher Black <cblack@securecrossing.com>
To:        Glenn Dawson <glenn@antimatter.net>
Cc:        Fabian Anklam <greatnorthern@gmail.com>, Vince Hoffman <jhary@unsane.co.uk>, freebsd-questions@freebsd.org
Subject:   Re: Looking for arp scanner
Message-ID:  <1120088548.920.13.camel@localhost>
In-Reply-To: <6.1.0.6.2.20050629162738.0b118eb0@cobalt.antimatter.net>
References:  <467b1e7a050629141856d72f91@mail.gmail.com> <6.1.0.6.2.20050629143657.083d5050@cobalt.antimatter.net> <467b1e7a05062914585928de07@mail.gmail.com> <20050629232054.J8551@unsane.co.uk> <6.1.0.6.2.20050629162738.0b118eb0@cobalt.antimatter.net>

On Wed, 2005-06-29 at 16:30 -0700, Glenn Dawson wrote:
> At 03:45 PM 6/29/2005, Vince Hoffman wrote:
>
>
> >On Wed, 29 Jun 2005, Fabian Anklam wrote:
> >
> >>On 6/29/05, Glenn Dawson <glenn@antimatter.net> wrote:
> >>>At 02:18 PM 6/29/2005, Fabian Anklam wrote:
> >>>>Hi there,
> >>>>
> >>>>I've been browsing freshports.org for an arp scanner and found only
> >>>>arpscan, which is marked broken and knowlan, which hasn't been updated
> >>>>in years. What's the tool of choice to map out IP addresses on a subnet
> >>>>when you know that quite a few hosts are firewalled from ping?
> >>>
> >>>Try nmap.  It has a variety of different ways to "look" for systems on a
> >>>given subnet.
> >>Thanks. Tried nmap. As I said, some systems that I want to have in my
> >>output are locally firewalled and I doubt the -sP switch catches
> >>them. Port scans are out of the question.
> >
> >Thinking about it, even if the host blocks ping then it will have to reply
> >to an arp request. So make a short script to clear the arp cache ('arp -a
> >-d' as root), then do your nmap -sP xxx.xxx.xxx.xxx/yyy and do an arp -a
> >which will list all the arp entries in your arp cache (should be every
> >host that responded to an arp request when you did the ping scan, but maybe
> >pipe it through grep to only get the arps for ips in that range)
> >
> >also arping may be of use.
>
> I suppose if you need to be totally passive, you could do:
>
> tcpdump -i fxp0 arp
>
> (assuming of course that your network interface is on fxp0)
> and let it run for a bit.  Eventually you'll catch all the active hosts on
> the network.
>
> -Glenn
>
>
> >Vince
> >
> >>
> >>>-Glenn
> >>>
> >>>
> >>>>Thanks, Fabian

Try putting this in a file called map.pl, and execute 'perl map.pl >
map.txt'.  It'd be better if it were multi-threaded for speed and could
parse a subnet mask, but this is a start.  Be sure to edit the path to
arping if need be, change the 'wi0' in the ARPING_ARGS to whatever your
interface is, and set the subnet you want to search.  Good luck.

#!/usr/bin/perl -w
use strict;
$|=1;                                          # unbuffered: print each host as it answers

my $ARPING      = '/usr/local/sbin/arping';    # edit if arping lives elsewhere
my $ARPING_ARGS = '-i wi0 -c 1 -r';            # wi0 = your interface, -c 1 = one probe, -r = raw output
my $BASEIP      = '192.168.1';                 # the /24 to search

print "Scanning...\n";
my $i;
for( $i=1; $i < 256; $i++ ){
        # arping -r prints the answering address; no output means no reply
        if( `$ARPING $ARPING_ARGS $BASEIP\.$i` ){
                print "$BASEIP.$i\n";
        }
}
print "Done.\n";

-- 
Christopher Black
Chief Security Engineer
Secure Crossing
22750 Woodward Suite 304 - Ferndale, MI 48220
Tel (800) 761-4299 | Direct (248) 658-6120
cblack@securecrossing.com | www.securecrossing.com
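The thread gives two ways to turn ARP evidence into a host list for a subnet: sweep and then read the ARP cache back with `arp -a` (Vince), or watch ARP traffic passively with `tcpdump` (Glenn); Christopher's map.pl also notes that it cannot parse a subnet mask. The Python script below is an added example, not code from the thread or from any of the posters. It expands a CIDR prefix into the addresses a sweep should probe, then parses sample lines written in the style of FreeBSD's `arp -a` and of `tcpdump -n arp` output into an IP-to-MAC inventory restricted to that prefix. The sample lines, the prefix and the regular expressions' assumptions about those output formats are all constructed for this example; `(incomplete)` cache entries and the targets of unanswered requests are deliberately left out, since neither proves a live host.

```python
#!/usr/bin/env python3
"""Turn ARP evidence into a host inventory for one subnet.

Added example, not code from the thread.  It handles the two sources the
thread mentions: the ARP cache read back after a sweep (`arp -a`) and the
ARP traffic seen passively (`tcpdump -n arp`).  All sample lines below are
constructed in the style of those tools' output, not captured anywhere.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

IPV4 = r"\d+(?:\.\d+){3}"

# FreeBSD `arp -a` entry (assumed format), e.g.
#   ? (192.168.1.1) at 00:11:22:33:44:55 on fxp0 [ethernet]
#   ? (192.168.1.9) at (incomplete) on fxp0 [ethernet]
ARP_A_RE = re.compile(rf"\((?P<ip>{IPV4})\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\))")

# tcpdump arp lines: the sender of a request ("tell X") and the replier
# ("X is-at MAC") both prove a live host.  Accepts both the older
# "arp who-has/reply" and the newer "ARP, Request/Reply" wording.
TCPDUMP_RE = re.compile(
    rf"who-has \S+ tell (?P<req>{IPV4})"
    rf"|[Rr]eply (?P<rep>{IPV4}) is-at (?P<mac>[0-9a-fA-F:]+)"
)


def hosts_in(cidr: str) -> List[str]:
    """Expand a CIDR prefix (the subnet mask map.pl cannot parse) into the
    host addresses a sweep should probe, excluding network and broadcast."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def inventory_from_arp_a(lines: Iterable[str], cidr: str) -> Dict[str, str]:
    """IP -> MAC for complete cache entries inside `cidr`.  '(incomplete)'
    entries were asked for but never answered, so they are skipped."""
    net = ipaddress.ip_network(cidr, strict=False)
    found: Dict[str, str] = {}
    for line in lines:
        m = ARP_A_RE.search(line)
        if not m or m.group("mac") == "(incomplete)":
            continue
        if ipaddress.ip_address(m.group("ip")) in net:
            found[m.group("ip")] = m.group("mac").lower()
    return found


def inventory_from_tcpdump(lines: Iterable[str], cidr: str) -> Dict[str, Optional[str]]:
    """Passive variant: IP -> MAC for hosts inside `cidr` that sent ARP
    traffic (MAC is None when the host was only seen asking, never replying).
    The target of an unanswered request is not counted: nothing proves it exists."""
    net = ipaddress.ip_network(cidr, strict=False)
    found: Dict[str, Optional[str]] = {}
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        ip = m.group("req") or m.group("rep")
        if ipaddress.ip_address(ip) not in net:
            continue
        mac = m.group("mac")
        if mac or ip not in found:            # a later reply upgrades a MAC-less entry
            found[ip] = mac.lower() if mac else None
    return found


# Constructed sample output, in the style of the two tools.
ARP_A_SAMPLE = """\
? (192.168.1.1) at 00:11:22:33:44:55 on fxp0 [ethernet]
? (192.168.1.9) at (incomplete) on fxp0 [ethernet]
gw.example (192.168.1.254) at 00:aa:bb:cc:dd:ee on fxp0 [ethernet]
? (10.0.0.7) at 00:de:ad:be:ef:01 on fxp1 [ethernet]
"""

TCPDUMP_SAMPLE = """\
19:42:28.100001 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 46
19:42:28.100400 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
19:42:30.200000 ARP, Request who-has 192.168.1.77 tell 192.168.1.254, length 46
19:42:31.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 46
"""

if __name__ == "__main__":
    subnet = "192.168.1.0/24"                  # constructed, same /24 as map.pl
    by_addr = lambda kv: ipaddress.ip_address(kv[0])
    print(f"{len(hosts_in(subnet))} addresses to sweep in {subnet}")
    print("after sweep (arp -a):")
    for ip, mac in sorted(inventory_from_arp_a(ARP_A_SAMPLE.splitlines(), subnet).items(), key=by_addr):
        print(f"  {ip:<16} {mac}")
    print("seen passively (tcpdump arp):")
    for ip, mac in sorted(inventory_from_tcpdump(TCPDUMP_SAMPLE.splitlines(), subnet).items(), key=by_addr):
        print(f"  {ip:<16} {mac or '(no reply seen yet)'}")
```

On a real box the two functions would be fed `arp -a` and `tcpdump -n arp` output via a pipe instead of the constructed samples; the passive list grows only as hosts talk, which is why Glenn suggests letting tcpdump run for a while, while the cache-based list is complete as soon as the sweep finishes but only covers addresses the sweep actually asked for.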

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1120088548.920.13.camel>