|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + ARP (the Address Resolution Protocol) is a companion protocol to IPv4. |
| 4 | + Its purpose is to resolve internet layer addresses (as IPv4) of stations |
| 5 | + on the local network to their corresponding link layer addresses |
| 6 | + (for example, Ethernet). |
| 7 | + |
| 8 | + (As a side note, in IPv6 this task is assolved by the Neighbour Discovery |
| 9 | + protocol.) |
| 10 | + |
| 11 | + The discovery is limited to the broadcast domain of the local network; |
| 12 | + so you cannot discover hosts that aren't directly connected to your LAN. |
| 13 | + |
| 14 | +## Target Devices |
| 15 | + |
| 16 | + All the devices on a network should reply to ARP requests for communication |
| 17 | + and duplicate address detection, so usually every device should be |
| 18 | + discoverable. |
| 19 | + |
| 20 | +## Verification Steps |
| 21 | + |
| 22 | + Here we suppose the local network is 192.168.0.0/24: |
| 23 | + |
| 24 | + 1. Start msfconsole |
| 25 | + 2. Do `use auxiliary/scanner/discovery/arp_sweep` |
| 26 | + 3. Set the RHOSTS according to your local network. For example, on a |
| 27 | + 192.168.0.0/24 network: |
| 28 | + `set rhosts 192.168.0.0/24` |
| 29 | + 4. Do `run` |
| 30 | + |
| 31 | +## Scenarios |
| 32 | + |
| 33 | + An example output on a home network: |
| 34 | + |
| 35 | + ``` |
| 36 | + msf > use auxiliary/scanner/discovery/arp_sweep |
| 37 | + msf auxiliary(arp_sweep) > set RHOSTS 192.168.0.0/24 |
| 38 | + RHOSTS => 192.168.0.0/24 |
| 39 | + msf auxiliary(arp_sweep) > run |
| 40 | + |
| 41 | + [*] 192.168.0.1 appears to be up (D-Link International). |
| 42 | + [*] 192.168.0.2 appears to be up (UNKNOWN). |
| 43 | + [*] 192.168.0.4 appears to be up (ASUSTek COMPUTER INC.). |
| 44 | + [*] Scanned 256 of 256 hosts (100% complete) |
| 45 | + [*] Auxiliary module execution completed |
| 46 | + ``` |
| 47 | + |
| 48 | +## Confirming using NMAP |
| 49 | + |
| 50 | +The `-PR` flags are utilized to perform ARP/Neighbor Discovery scans. |
| 51 | + |
| 52 | + ``` |
| 53 | + nmap -n -sn -PR 192.168.0.0/24 |
| 54 | +
|
| 55 | + Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 00:33 CEST |
| 56 | + Nmap scan report for 192.168.0.1 |
| 57 | + Host is up (0.041s latency). |
| 58 | + MAC Address: CC:B2:55:14:CO:FE (D-Link International) |
| 59 | + Nmap scan report for 192.168.0.4 |
| 60 | + Host is up (0.076s latency). |
| 61 | + MAC Address: C8:85:50:4C:BE:EF (ASUSTek COMPUTER INC.) |
| 62 | + Host is up (0.052s latency). |
| 63 | + Nmap done: 256 IP addresses (2 hosts up) scanned in 2.76 seconds |
| 64 | + ``` |
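Review bot: the Nmap transcript in the "Confirming using NMAP" block is internally inconsistent: it contains three `Host is up` lines but the summary reads `Nmap done: 256 IP addresses (2 hosts up)`, and the third `Host is up (0.052s latency).` has no preceding `Nmap scan report for ...` line (Nmap prints that line for the scanning host itself, without a MAC address), so either restore the dropped report line or trim the output to the two hosts the summary counts. The MAC `CC:B2:55:14:CO:FE` also contains the letter O rather than the digit 0 and is therefore not valid hex; if the addresses were altered on purpose, use valid hex or an obvious placeholder. Smaller points: "assolved" in the IPv6 side note should be "handled" (or "performed"); "The `-PR` flags are utilized" should be singular, since `-PR` is a single flag; "NMAP" in the heading should be "Nmap"; and since the section exists to confirm the module's results, it is worth one sentence noting that the Nmap sweep did not list 192.168.0.2, which the arp_sweep run reported as up, rather than leaving the reader to spot the difference.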