1
00:00:00,790 --> 00:00:07,450
Before talking about using ARP tables for passive scanning, let's talk a little bit about the ARP protocol

2
00:00:07,450 --> 00:00:08,800
and mechanism first.

3
00:00:09,520 --> 00:00:17,440
So Address Resolution Protocol, ARP, is a network layer protocol used for mapping a network address such

4
00:00:17,440 --> 00:00:22,090
as an IPv4 address to a physical address such as a MAC address.

5
00:00:23,100 --> 00:00:30,660
To simulate how the ARP mechanism works, we have a small network in the slide, a switch on top and

6
00:00:30,750 --> 00:00:32,340
three computers connected to it.

7
00:00:32,890 --> 00:00:35,100
Computer A wants to talk to computer C.

8
00:00:36,710 --> 00:00:42,650
It puts an ARP request onto the wire, which happens to be a broadcast. Essentially what it's saying

9
00:00:42,650 --> 00:00:45,890
is "who has computer C's MAC address?"

10
00:00:47,080 --> 00:00:51,280
Of course, because it's a broadcast, every system on the network hears it.

11
00:00:52,250 --> 00:00:58,790
Does everybody respond? Well, what happens is that B hears that A is looking for the MAC address of

12
00:00:58,790 --> 00:00:59,690
computer C.

13
00:01:01,010 --> 00:01:06,710
B knows that it's not computer C and therefore does not respond to the broadcast.

14
00:01:07,790 --> 00:01:15,410
The broadcast, the ARP request, goes out to every system, but the only system that will reply is computer

15
00:01:15,410 --> 00:01:17,450
C, with an ARP reply.

16
00:01:18,470 --> 00:01:24,680
In other words, computer A says, "who has the MAC address of computer C?" and although all the workstations

17
00:01:24,680 --> 00:01:31,580
hear the question, only C replies and says, "I've got the MAC address of computer C and this is what

18
00:01:31,580 --> 00:01:32,050
it is."

19
00:01:32,750 --> 00:01:36,380
So the ARP reply sends back the MAC address to computer A.

20
00:01:37,240 --> 00:01:41,150
And each of these machines starts building an ARP table.
21
00:01:41,650 --> 00:01:43,090
So what is the ARP table?

22
00:01:44,220 --> 00:01:49,020
Since computers cannot send broadcast messages every time they need to connect with another network

23
00:01:49,020 --> 00:01:54,810
device, they store the IP addresses and the corresponding MAC addresses of systems they frequently

24
00:01:54,810 --> 00:01:58,100
communicate with in a table called the ARP table.

25
00:01:58,470 --> 00:02:00,810
All the systems in the LAN maintain this table.

26
00:02:01,880 --> 00:02:07,370
The entries in the ARP table are generally short lived and are updated every 15 to 20 minutes.

27
00:02:08,060 --> 00:02:09,220
Now, let's get back to our topic.

28
00:02:09,500 --> 00:02:15,680
Can we say that one of the passive scan methods is just looking into the ARP table of a system which

29
00:02:15,680 --> 00:02:17,230
is in the network that we are scanning?

30
00:02:17,630 --> 00:02:17,990
Wow.

31
00:02:18,140 --> 00:02:18,770
Sure we can.

32
00:02:19,550 --> 00:02:26,360
Inside an ARP table, we see the IP addresses of some of the systems of the network and their corresponding

33
00:02:26,360 --> 00:02:27,290
MAC addresses.

34
00:02:28,070 --> 00:02:34,790
Let's see the ARP tables in three different platforms: Mac OS, Windows and Debian Linux.

35
00:02:35,720 --> 00:02:37,580
We are in the Mac OS operating system.

36
00:02:37,580 --> 00:02:44,990
First open the terminal: type terminal in the search box of the applications window, which brings

37
00:02:44,990 --> 00:02:46,250
you the terminal application.

38
00:02:46,700 --> 00:02:51,920
Typing arp and hitting enter shows a small help for the arp command.

39
00:02:53,140 --> 00:03:00,670
If you want to see detailed help about the arp command, you can use the man command. Type man arp and

40
00:03:00,670 --> 00:03:02,620
hit enter, you'll get detailed help.
41
00:03:04,170 --> 00:03:11,730
The -a parameter is used to display all current ARP table entries, but hold on, it says -a is used to delete

42
00:03:11,760 --> 00:03:12,960
all entries as well.

43
00:03:13,200 --> 00:03:14,170
How can that be?

44
00:03:14,790 --> 00:03:19,530
Well, to delete an ARP table entry, you use the -d parameter.

45
00:03:20,280 --> 00:03:27,480
If you use this parameter with the -a parameter, you are able to delete all entries of the ARP table. The -i parameter

46
00:03:27,480 --> 00:03:31,590
is used to see the entries of a single interface. By default,

47
00:03:32,130 --> 00:03:36,090
the arp command tries to display addresses symbolically.

48
00:03:37,060 --> 00:03:42,990
To see the IP addresses instead of display names of the systems, you have to use the -n parameter,

49
00:03:44,060 --> 00:03:46,460
which means do not resolve names.

50
00:03:47,600 --> 00:03:55,760
OK, press Q to quit the man page of the arp command. Now type arp -an to see all the entries

51
00:03:55,760 --> 00:03:56,540
of the ARP table.

52
00:03:57,580 --> 00:04:04,150
Since Mac OS is a BSD based operating system, the result of the command is displayed in BSD style.

53
00:04:05,190 --> 00:04:08,070
The second machine is a Microsoft Windows 8.

54
00:04:09,070 --> 00:04:14,530
Let's open a command prompt first. I have a shortcut on my status bar, so I click it to start a command

55
00:04:14,530 --> 00:04:14,950
prompt.

56
00:04:15,920 --> 00:04:22,670
Alternatively, press the Windows plus R buttons to open the Run dialog box, run the command and hit enter.

57
00:04:23,840 --> 00:04:28,370
If you type arp on a Windows system, the help page of the arp command is displayed.

58
00:04:29,570 --> 00:04:37,400
Type arp -a to see the entries of the ARP table. In my opinion, this display is more, I don't

59
00:04:37,400 --> 00:04:40,490
know, human readable than BSD style.
60
00:04:41,410 --> 00:04:45,550
Now, although we're not interested in these at the moment, I would like to talk a little about the

61
00:04:45,550 --> 00:04:50,020
IP addresses that start with 224 to calm your curiosity.

62
00:04:51,200 --> 00:04:59,120
224.0.0.2 is the multicast address for Internet Group Management Protocol.

63
00:04:59,120 --> 00:05:07,250
224.0.0.252 is used by recent versions of Windows for Link-Local Multicast Name

64
00:05:07,250 --> 00:05:12,920
Resolution, LLMNR, searching for local network computers.

65
00:05:13,820 --> 00:05:18,650
The third machine is our Kali, which is a Debian based Linux operating system.

66
00:05:19,440 --> 00:05:25,640
Open the terminal window. If you type arp and hit enter, the ARP table

67
00:05:25,640 --> 00:05:29,150
entries are displayed in a human readable format.

68
00:05:29,840 --> 00:05:38,720
As you see, systems are listed with a known domain name, such as would always be wacom, by default.

69
00:05:39,600 --> 00:05:48,750
arp -h brings you a small help page. If you want a detailed help page, type man arp.

70
00:05:51,300 --> 00:05:58,410
In a Debian based Linux system, the -a parameter of the arp command is used to see the entries in BSD

71
00:05:58,410 --> 00:06:04,650
format, which we saw in Mac OS. -i is again to see the entries of a single interface.

72
00:06:05,340 --> 00:06:15,060
OK, press Q to quit the man page. arp -a displays ARP table entries in BSD format, and use the -n

73
00:06:15,060 --> 00:06:19,260
parameter to see the IP addresses instead of domain names of the systems.