From: Christopher Black
To: Glenn Dawson
Cc: Fabian Anklam, Vince Hoffman, freebsd-questions@freebsd.org
Subject: Re: Looking for arp scanner
Date: Wed, 29 Jun 2005 19:42:28 -0400
Organization: Secure Crossing

On Wed, 2005-06-29 at 16:30 -0700, Glenn Dawson wrote:
> At 03:45 PM 6/29/2005, Vince Hoffman wrote:
>
>
> >On Wed, 29 Jun 2005, Fabian Anklam wrote:
> >
> >>On 6/29/05, Glenn Dawson wrote:
> >>>At 02:18 PM 6/29/2005, Fabian Anklam wrote:
> >>>>Hi there,
> >>>>
> >>>>I've been browsing freshports.org for an arp scanner and found only
> >>>>arpscan, which is marked broken and knowlan, which hasn't been updated
> >>>>in years. What's the tool of choice to map out IP addresses on a subnet
> >>>>when you know that quite a few hosts are firewalled from ping?
> >>>
> >>>Try nmap.  It has a variety of different ways to "look" for systems on a
> >>>given subnet.
> >>Thanks. Tried nmap. As I said, some systems that I want to have in my
> >>output are locally firewalled and I doubt the -sP switch catches
> >>them. Port scans are out of the question.
> >
> >Thinking about it, even if the host blocks ping then it will have to reply
> >to an arp request. So make a short script to clear the arp cache ('arp -a
> >-d' as root) then do your nmap -sP xxx.xxx.xxx.xxx/yyy and do an arp -a
> >which will list all the arp entries in your arp cache (should be every
> >host that responded to an arp request when you did the ping scan but maybe
> >pipe it through grep to only get the arps for IPs in that range)
> >
> >Also arping may be of use.
>
> I suppose if you need to be totally passive, you could do:
>
> tcpdump -i fxp0 arp
>
> (assuming of course that your network interface is on fxp0)
> and let it run for a bit.  Eventually you'll catch all the active hosts on
> the network.
>
> -Glenn
>
>
> >Vince
> >
> >>
> >>>-Glenn
> >>>
> >>>
> >>>>Thanks, Fabian

Try putting this in a file called map.pl, and execute 'perl map.pl >
map.txt'. It'd be better if it were multi-threaded for speed and could
parse a subnet mask, but this is a start. Be sure to edit the path to
arping if need be, change the 'wi0' in the ARPING_ARGS to whatever your
interface is, and set the subnet you want to search. Good luck.

#!/usr/bin/perl -w
use strict;

$| = 1;    # unbuffered output, so hits appear as they are found

my $ARPING      = '/usr/local/sbin/arping';   # path to the arping binary
my $ARPING_ARGS = '-i wi0 -c 1 -r';           # interface, one request, raw output
my $BASEIP      = '192.168.1';                # first three octets of the subnet

print "Scanning...\n";
my $i;
for( $i = 1; $i < 256; $i++ ){
    # arping prints something only when a host answers the ARP request
    if( `$ARPING $ARPING_ARGS $BASEIP\.$i` ){
        print "$BASEIP.$i\n";
    }
}
print "Done.\n";

--
Christopher Black
Chief Security Engineer
Secure Crossing
22750 Woodward Suite 304 - Ferndale, MI 48220
Tel (800) 761-4299 | Direct (248) 658-6120
cblack@securecrossing.com | www.securecrossing.com
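
The "arp -a, then keep only the entries in that range" step suggested earlier in the thread, taken one step further to accept a CIDR mask (which map.pl does not parse), as an added example that is not part of the original messages. The function name, the sample lines and the MAC addresses are constructed, and the line layout assumed is FreeBSD's "name (ip) at mac on iface".

```python
import ipaddress
import re

# Matches FreeBSD-style `arp -a` lines: "name (ip) at mac on iface ...".
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>\S+)"
    r" on (?P<iface>\S+)(?P<rest>.*)$"
)
MAC = re.compile(r"^(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$", re.I)

# Constructed sample output, not captured from a real network.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:0d:b9:01:02:03 on wi0 [ethernet]
? (192.168.1.23) at 00:11:24:aa:bb:cc on wi0 [ethernet]
? (192.168.1.40) at (incomplete) on wi0 [ethernet]
? (192.168.1.5) at 00:a0:c9:0a:0b:0c on wi0 permanent [ethernet]
? (10.0.0.7) at 00:50:56:11:22:33 on fxp0 [ethernet]
"""


def hosts_in_subnet(arp_output, cidr, iface=None):
    """Return [(ip, mac)] for resolved, non-permanent entries inside cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    found = {}
    for line in arp_output.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # blank line or a format this parser does not know
        if not MAC.match(m["mac"]):
            continue  # "(incomplete)": a request went out, nobody answered
        if "permanent" in m["rest"].split():
            continue  # static entry, e.g. the scanning host's own address
        if iface and m["iface"] != iface:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address such as an octet above 255
        if ip in net:
            found[ip] = m["mac"].lower()
    # Sort by address value, so .9 comes before .100
    return [(str(ip), mac) for ip, mac in sorted(found.items())]


if __name__ == "__main__":
    for ip, mac in hosts_in_subnet(SAMPLE_ARP, "192.168.1.0/24"):
        print(f"{ip}\t{mac}")
```

On a live host, pass it the text of `arp -a` taken right after the ping sweep, with the same CIDR that was given to nmap.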