Using ARP for Network Recon

Network Sleuth

© Lead Image © Andrea De Martin,


Article from Issue 226/2019

When it comes to network recon, arp-scan allows you to collect device intel quickly and stealthily.

The most obvious thing system administrators and hackers have in common is the need for network reconnaissance (recon). In both cases, such recon needs to be carried out as quickly and with as little impact on users as possible. One such recon technique involves finding every network-connected device on a subnet. You might think that this is an easy task, but it isn't. The first tool everyone thinks of is ping. However, ping can be, and usually is, blocked from use against important network-connected devices such as routers, firewalls, switches, intrusion detection appliances, intrusion prevention appliances, servers, and even workstations. Ping is therefore not an effective tool for finding every network-connected device. Instead, an effective solution is to use the Address Resolution Protocol (ARP), which maps IP addresses to MAC (hardware) addresses.

ARP is effective in finding all network-connected devices, because you cannot block ARP: it must be allowed on a network for proper host-to-host communications. It is this feature (or flaw) that makes ARP a valuable reconnaissance tool. Fortunately, some clever programmers developed an easy-to-use command-line tool, called ARP Scan (arp-scan), that makes quick work of this type of reconnaissance. The only limitation of using ARP in this manner is that its use is confined to a local subnet. In other words, you can scan all devices on the subnet you are attached to, but you cannot scan another subnet unless you run the scan from a host on that subnet. To put it simply: ARP is non-routable.
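An administrator who runs arp-scan regularly will usually want to compare each run against the devices expected on the subnet. The following added example (not code from the article or from the arp-scan project) parses arp-scan's tab-separated "IP, MAC, vendor" result lines, ignores the banner and summary lines and the "(DUP: n)" marker arp-scan adds for repeated replies, and reports hosts that are new, have a changed MAC, or have gone silent. The scan output and the baseline are constructed sample data with made-up addresses.

```python
import re

# Constructed sample in the style of arp-scan's default output (assumption:
# one "IP<TAB>MAC<TAB>vendor" line per reply; a repeated reply from the same
# host is flagged "(DUP: n)" in the vendor column). Addresses are made up.
SAMPLE_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: 02:00:00:00:00:01, IPv4: 192.0.2.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.0.2.1\t02:00:00:00:aa:01\tExample Router Co
192.0.2.20\t02:00:00:00:bb:02\tExample Laptop Ltd
192.0.2.20\t02:00:00:00:bb:02\tExample Laptop Ltd (DUP: 2)
192.0.2.77\t02:00:00:00:cc:03\t(Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.023 seconds (126.55 hosts/sec). 3 responded
"""

# Hypothetical baseline: the IP-to-MAC pairs an administrator expects to see.
BASELINE = {
    "192.0.2.1": "02:00:00:00:aa:01",
    "192.0.2.20": "02:00:00:00:bb:99",   # differs from what the scan saw
    "192.0.2.50": "02:00:00:00:dd:04",   # did not answer this scan
}

# Only result lines start with an IPv4 address, a tab, and a MAC address.
LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9a-f]{2}(?::[0-9a-f]{2}){5})\t(.*)$", re.I)

def parse_arp_scan(text):
    """Return {ip: mac} from arp-scan output; banner and summary lines are
    skipped and duplicate replies collapse onto one entry per IP."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hosts[m.group(1)] = m.group(2).lower()
    return hosts

def diff_against_baseline(seen, baseline):
    """Classify hosts as new (unknown device), changed (the IP now answers
    with a different MAC, worth a closer look) or missing (expected but silent)."""
    new = {ip: mac for ip, mac in seen.items() if ip not in baseline}
    changed = {ip: (baseline[ip], mac) for ip, mac in seen.items()
               if ip in baseline and baseline[ip] != mac}
    missing = {ip: mac for ip, mac in baseline.items() if ip not in seen}
    return new, changed, missing

if __name__ == "__main__":
    new, changed, missing = diff_against_baseline(parse_arp_scan(SAMPLE_OUTPUT), BASELINE)
    for label, group in (("new", new), ("changed", changed), ("missing", missing)):
        for ip, value in sorted(group.items()):
            print(f"{label:8} {ip:15} {value}")
```

In practice you would feed the script the saved output of a real `arp-scan --localnet` run and keep the baseline in a file under version control.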

ARP Provides a Wealth of Information

Although arp-scan is a very versatile tool, my use of it is usually limited to the following five general usage scenarios:


