Note:
To use Scapy to perform ARP discovery, you will need to have at least one system on the Local Area Network (LAN) that will respond to ARP requests.
To understand how ARP Scanning works, we will start by using Scapy to craft custom packets that will allow us to identify hosts on the LAN using ARP. To begin using Scapy in Kali Linux, enter the scapy command from the terminal. You can then use the display() function to see the default configurations for any ARP object created in Scapy in the following manner:

Have a look at the following commands:
>>> arp_request=ARP()
>>> arp_request.pdst="172.16.36.135" #Destination address
>>> response=sr1(arp_request, timeout=1)
The sr1() function sends the request over the wire and returns the first response. The timeout argument specifies the number of seconds to wait for an incoming response before giving up; if nothing arrives in that time, sr1() returns None.
>>> print response
hwsrc=00:0c:29:3d:84:32 psrc=172.16.36.135 hwdst=00:0c:29:65:fc:d2 pdst=172.16.36.132 |>
>>> response.display()

Notice that a response is returned, indicating that the IP address 172.16.36.135 is at the MAC address 00:0C:29:3D:84:32. If you perform the same task but assign a destination IP address that does not correspond to a live host on your lab network, you will not receive any response: without a timeout the function will continue to analyze the incoming traffic on the local interface indefinitely, and with timeout=1 it gives up after one second and returns None.
In short, if you receive a reply the host is alive; if you receive no reply, the host is not alive (or at least is not answering ARP).
Scapy can also be used as a library within the Python scripting language, which makes it easy to automate repetitive tasks that would otherwise be typed into the Scapy shell one at a time. Python and Scapy can be used to loop through each of the possible host addresses within the local subnet in sequence and send an ARP request to each one.
#!/usr/bin/env python3
import logging
import sys

# Silence Scapy's runtime warnings (e.g. "No route found for IPv6") before importing it
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import ARP, sr1, get_if_addr

if len(sys.argv) != 2:
    print("Usage - ./arp_disc.py [interface]")
    print("Example - ./arp_disc.py eth0")
    print("Example will perform an ARP scan of the local subnet to which eth0 is assigned")
    sys.exit()

interface = str(sys.argv[1])
# IPv4 address assigned to the interface. The original shelled out to
# "ifconfig <iface> | grep 'inet addr'", which no longer matches the output of
# current ifconfig builds; Scapy's get_if_addr() reads it directly.
ip = get_if_addr(interface)
# Assumes a /24 subnet: keep the first three octets and iterate over the last one
prefix = '.'.join(ip.split('.')[:3]) + '.'

for addr in range(1, 255):
    # sr1() returns the first reply, or None once the one-second timeout expires
    answer = sr1(ARP(pdst=prefix + str(addr)), iface=interface, timeout=1, verbose=0)
    if answer is not None:
        print(prefix + str(addr))
Have a look at the following commands used to make the script executable and run it (running it without an argument prints the usage message):
chmod +x ./arp_disc.py
./arp_disc.py
./arp_disc.py eth0
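To make the two pieces above concrete, here is an added example (not code from the original post or from Scapy) that models, without any dependency on Scapy, what the interactive ARP() request and the arp_disc.py loop actually put on the wire: it packs the raw Ethernet/ARP request frame with the same fields ARP().display() lists, decodes the raw reply a live host sends back, enumerates the subnet's host addresses with the ipaddress module instead of string-splitting the interface IP, and runs the same "reply means alive" loop against a constructed stand-in for the LAN. The MAC/IP pairs reuse the values from the session above; the fake LAN and the sr1-style callable are assumptions made so the code runs offline. Because ARP replies are unauthenticated, the scan only records a reply that actually answers the address it asked about, which is the one check the original loop does not perform.

```python
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # hwtype, ptype, hwlen, plen, op, hwsrc, psrc, hwdst, pdst
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, hwsrc, psrc, hwdst, pdst):
    """Ethernet II header + ARP body; the field names match Scapy's ARP() object."""
    eth_dst = BROADCAST if op == ARP_REQUEST else hwdst   # requests are broadcast
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(hwsrc) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,          # Ethernet / IPv4
                      mac_to_bytes(hwsrc), ipaddress.IPv4Address(psrc).packed,
                      mac_to_bytes(hwdst), ipaddress.IPv4Address(pdst).packed)
    return eth + arp


def parse_arp(frame):
    """Decode a raw frame into a dict keyed like Scapy's ARP fields; None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hwtype, ptype, hwlen, plen, op, hwsrc, psrc, hwdst, pdst = struct.unpack(ARP_FMT, frame[14:42])
    if (hwtype, ptype, hwlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "hwsrc": bytes_to_mac(hwsrc), "psrc": str(ipaddress.IPv4Address(psrc)),
            "hwdst": bytes_to_mac(hwdst), "pdst": str(ipaddress.IPv4Address(pdst))}


def subnet_hosts(ip, netmask="255.255.255.0"):
    """Host addresses of the interface's subnet (network and broadcast excluded)."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return [str(h) for h in net.hosts()]


def arp_scan(my_mac, my_ip, hosts, sr1):
    """Same loop as arp_disc.py: one request per host, a valid reply means 'alive'.

    `sr1` is any callable (assumption) taking a request frame and returning the
    first reply frame, or None on timeout. Only an ARP reply whose psrc is the
    address we asked about is recorded; anything else is dropped, not trusted.
    """
    alive = {}
    for pdst in hosts:
        reply = sr1(build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, pdst))
        fields = parse_arp(reply) if reply else None
        if fields and fields["op"] == ARP_REPLY and fields["psrc"] == pdst:
            alive[pdst] = fields["hwsrc"]
    return alive


def make_fake_lan(table):
    """Constructed stand-in for the wire: hosts in `table` (ip -> mac) answer, others time out."""
    def sr1(frame):
        req = parse_arp(frame)
        if req is None or req["op"] != ARP_REQUEST or req["pdst"] not in table:
            return None
        return build_arp(ARP_REPLY, table[req["pdst"]], req["pdst"], req["hwsrc"], req["psrc"])
    return sr1


if __name__ == "__main__":
    # Sample LAN with the single responder seen in the interactive session above
    lan = make_fake_lan({"172.16.36.135": "00:0c:29:3d:84:32"})
    found = arp_scan("00:0c:29:65:fc:d2", "172.16.36.132", subnet_hosts("172.16.36.132"), lan)
    for ip, mac in found.items():
        print(f"{ip} is at {mac}")
```

On a real interface the `sr1` callable would be replaced by Scapy's sr1()/srp(), but the frame layout, the subnet enumeration and the reply check are the same; the psrc comparison is also the property a defender's ARP monitor looks at, since a reply claiming an address nobody asked about is exactly what spoofing looks like.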