ARP scanning is a fundamental technique employed by penetration testers to gather information about devices connected to a local network.
Understanding ARP:
Address Resolution Protocol (ARP) is a communication protocol that resides on Layer 2 of the OSI model and is used in computer networks to map an IP address to a corresponding MAC (Media Access Control) address. It enables devices within the same network to communicate with each other using MAC addresses, which are unique identifiers assigned to network interface cards (NICs).
Using ARP:
When a device needs to send data to another device on the network, it uses ARP to determine the MAC address of the destination device. The process involves the following steps:
ARP Scanning:
ARP scanning leverages this protocol to discover devices on a local network: by sending an ARP request for every possible IP address on the network, it is possible to identify all live devices.
A computer cannot refuse to answer an ARP request because ARP operates at the data link layer of the network protocol stack (OSI Layer 2), which is a low-level layer responsible for the transmission and reception of data packets. At this layer, there is no mechanism for a device to refuse or ignore ARP requests. When an ARP request is broadcast on the network, all devices within the same network segment receive it.
Refusing to respond to ARP requests would hinder the normal functioning of the network, potentially causing communication issues or disrupting connectivity between devices. Therefore, it is not a feature or capability of the ARP protocol for a computer to selectively ignore or refuse ARP requests.
It should be noted that, because ARP relies on broadcast packets, ARP traffic cannot be forwarded beyond the local network and is typically blocked by routers.
To conduct an ARP scan, you can use a tool such as “arp-scan”, a simple command line tool that is used as follows (the first form scans a given range on an interface, the second uses -l to scan the interface's local network):
arp-scan <IP/CIDR> -I <interface>
arp-scan -I <interface> -l
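As an added example that is not part of the original article or of the arp-scan tool, the following Python script shows the other side of the scan described above: it parses raw Ethernet/ARP frames and reports any sender that has asked for the MAC addresses of many distinct IPs, which is how a defender would spot an ARP sweep in a capture of the local segment. The MAC addresses, IP range and threshold are constructed sample values; build_arp_request exists only to generate that sample traffic.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp(frame: bytes):
    """Parse an Ethernet II frame; return the ARP fields, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": sha.hex(":"), "spa": str(IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(IPv4Address(tpa))}

def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast 'who-has' ARP request; used here only to construct sample traffic."""
    eth = struct.pack("!6s6sH", BROADCAST_MAC, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST, sender_mac,
                      IPv4Address(sender_ip).packed, b"\x00" * 6, IPv4Address(target_ip).packed)
    return eth + arp

def detect_arp_sweeps(frames, threshold: int = 16):
    """Map sender MAC -> number of distinct IPs it requested, for senders at or above the threshold."""
    asked = defaultdict(set)
    for frame in frames:
        p = parse_arp(frame)
        if p and p["oper"] == ARP_REQUEST:
            asked[p["sha"]].add(p["tpa"])
    return {mac: len(ips) for mac, ips in asked.items() if len(ips) >= threshold}

def sample_capture():
    """Constructed traffic: one host sweeping 192.168.1.1-50, one host resolving just two addresses."""
    scanner = bytes.fromhex("0242ac110002")  # constructed MAC of the sweeping host
    normal = bytes.fromhex("0242ac110003")   # constructed MAC of an ordinary host
    frames = [build_arp_request(scanner, "192.168.1.2", f"192.168.1.{i}") for i in range(1, 51)]
    frames += [build_arp_request(normal, "192.168.1.3", ip) for ip in ("192.168.1.1", "192.168.1.20")]
    frames.append(b"\x00" * 60)  # non-ARP padding frame that the parser must ignore
    return frames

if __name__ == "__main__":
    for mac, count in detect_arp_sweeps(sample_capture()).items():
        print(f"possible ARP sweep from {mac}: {count} distinct targets requested")
```

On a real segment, feed the detector frames read from a capture file or a raw socket instead of sample_capture(); the threshold should be set above the number of neighbours a legitimate host resolves in the same window.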