WEBVTT

0
00:02.590 --> 00:10.000
In this lecture I'll show you how to scan your LAN using a technique called ARP scanning. To understand

1
00:10.030 --> 00:11.810
how this scan works

2
00:11.830 --> 00:14.970
you have to deeply understand the ARP protocol.

3
00:15.010 --> 00:22.380
I'd recommend that you watch the video again where I've explained in detail what the ARP protocol is and how

4
00:22.380 --> 00:23.530
it works.

5
00:23.750 --> 00:30.370
ARP Scanning is especially useful if there are hosts on the network that want to remain hidden or

6
00:30.430 --> 00:36.610
stealthy and they do not respond to any requests like ping, TCP or UDP scans.

7
00:37.640 --> 00:46.160
There are a lot of firewalls that block any incoming packets except ARP. Since ARP is not routable,

8
00:46.160 --> 00:50.340
this type of scanning works only on your local LAN.

9
00:50.420 --> 00:55.540
You can find wired or wireless hosts connected to the same LAN.

10
00:55.760 --> 00:59.800
The first tool I'm going to show you is called arp-scan.

11
00:59.900 --> 01:06.500
If it's not already installed on your system you can install it using apt or the package manager of

12
01:06.500 --> 01:11.200
your Linux distribution. To check if arp-scan is installed

13
01:11.210 --> 01:15.320
you can simply execute the arp-scan command as root.

14
01:15.590 --> 01:27.650
First I am becoming root. All of these are root commands and I am executing the command. I can install

15
01:27.730 --> 01:34.910
it by executing apt install arp-scan

16
01:35.050 --> 01:43.450
Let's see the help of the command.

17
01:43.530 --> 01:52.250
It has a lot of options but one of the most useful is -l or --localnet.

18
01:52.260 --> 01:53.580
It will deduce the network

19
01:53.580 --> 01:59.180
address of its own interface and scan the entire LAN.

20
01:59.250 --> 02:05.670
You don’t have to worry about subnetting or getting the LAN address from the IP address and its network

21
02:05.670 --> 02:06.950
mask.

22
02:06.990 --> 02:10.290
Let's start an ARP scan. As root

23
02:10.300 --> 02:16.710
I'm executing arp-scan; -I, an uppercase I; the name of the interface.

24
02:16.710 --> 02:18.780
Let's check the interface.

25
02:18.810 --> 02:22.860
Its name is enp0s3.

26
02:22.920 --> 02:25.650
In your case it can have another name.

27
02:25.830 --> 02:28.200
so arp-scan

28
02:28.290 --> 02:34.600
-I enp0s3 and -I.

29
02:34.900 --> 02:40.660
Take care that the option for the interface is -I in uppercase

30
02:40.710 --> 02:43.390
or you can use --interface instead.

31
02:44.910 --> 02:49.760
It has scanned the network and this is the output.

32
02:49.830 --> 02:56.130
These are the hosts on my LAN; if you don't specify the interface, arp-scan

33
02:56.170 --> 03:03.940
will search the system interface list for the lowest numbered, configured up interface, excluding

34
03:04.000 --> 03:13.060
loopback. The output looks great. arp-scan is very noisy and the admin or an intrusion detection

35
03:13.060 --> 03:17.740
system could find out very quickly that a scan is running.

36
03:18.040 --> 03:23.020
If you want to be stealthier you could use another tool called netdiscover.

37
03:26.120 --> 03:30.800
This is both an active and passive ARP reconnaissance tool.

38
03:30.960 --> 03:35.460
We'll discuss the active and passive modes of operation in a minute.

39
03:36.530 --> 03:38.050
Let's install netdiscover

40
03:38.050 --> 03:40.720
if you don't have it already.

41
03:40.840 --> 03:49.450
It's not installed. apt update &&& apt install netdiscover

42
03:54.390 --> 03:57.310
Sorry, only two & signs.

43
04:05.160 --> 04:05.780
Okay.

44
04:05.810 --> 04:07.580
It was installed.

45
04:07.760 --> 04:19.160
Now you can start an ARP scan simply by executing netdiscover as root: netdiscover.

46
04:19.340 --> 04:26.510
This is the active mode of operation where netdiscover is actively sending ARP request packets

47
04:26.750 --> 04:31.080
in order to discover the other hosts on the network.

48
04:31.160 --> 04:39.190
We've already noticed some hosts; it's running continuously until you stop it by pressing Q or Ctrl

49
04:39.190 --> 04:50.460
+C. I'm stopping it. Other useful options are -i and the name of the interface to sniff packets

50
04:51.000 --> 04:56.460
and if no interface is specified the first one available will be used.

51
05:07.800 --> 05:17.790
Another useful option is -r. It's used to scan a given range instead of auto scan; for example let's

52
05:17.790 --> 05:25.560
scan the entire subnetwork 192.168.0.0

53
05:25.620 --> 05:26.810
/24

54
05:29.990 --> 05:39.460
It is scanning the entire subnet. Okay, let's try a passive scan! If you want to run it in passive mode

55
05:39.730 --> 05:49.300
you just use the -p option, like this; if you enable the passive mode like shown in the example you

56
05:49.300 --> 05:54.190
are seeing right now netdiscover does not send anything,

57
05:54.190 --> 05:56.070
it only sniffs the traffic.

58
05:59.840 --> 06:07.440
In fact it monitors ARP requests sent by the other hosts on the network, without sending anything.

59
06:07.700 --> 06:14.870
Remember that ARP request packets are sent to the broadcast address so each host on the LAN receives

60
06:14.990 --> 06:16.200
these packets.

61
06:16.310 --> 06:21.780
This technique is really stealthy and prevents you from being noticed by someone.

62
06:21.860 --> 06:27.200
It's common practice to change your own MAC address before launching a passive scan.