
If you want to discover the live hosts on your subnetwork how can you exploit the ARP protocol in order to scan stealthily?

Would an arp scan be picked up as suspicious activity?

Could you spoof the source address of ARP requests to remain stealthy?

ellefc
  • A good resource: [CERT Traffic Wireshark](http://www-users.cselabs.umn.edu/classes/Fall-2014/csci4211/reflib/wireshark/cert_trafficwireshark.pdf) Read over to page 12/13 where you can find good information regarding the subject you are asking. – Joao Miesler Apr 12 '16 at 11:06

2 Answers

3

No, if you wanted to scan a whole subnet your computer is basically sending out packets saying

  • Who has 192.168.1.0?
  • Who has 192.168.1.1?
  • Who has 192.168.1.2?
  • Who has 192.168.1.3?

and this might be noticed should sufficient monitoring be in place.

A way to circumvent this is to run a passive scan using something like netdiscover. This can listen for ARP packets and output a list of all IPs encountered.

SilverlightFox
2

The definition of stealthy is bounded to who is monitoring the network.

In general, you can use ARP ping using some automated tool like nmap. It's faster and more reliable than a normal IP ping scan.

> can you exploit the ARP protocol in order to scan stealthily?

Normally, ARP activity on LAN is legit, but if you were intense and aggressive in your scan, you might be noticed.

> Would an arp scan be picked up as suspicious activity?

No, but as I said, only if the admin hasn't noticed. For example, if you want to stay stealthy, try to automate the scan with long time periods.

> Could you spoof the source address of ARP requests to remain stealthy?

If you spoofed the MAC to some random one, you might be stealthy, but the scan activity will still be noticeable, and you may raise suspicion.

In the end, my only advice is to stay stealthy by lowering time spaces between ARP pings.

Eibo
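Both answers turn on the same point: a burst of "Who has X?" requests from one sender is what a monitor would notice. The following is an added example, not code from either answer or from any tool they name: a sliding-window detector over constructed ARP request records (timestamp, sender MAC, target IP) that flags a sender asking for many distinct targets within a short span. The window and threshold values are assumed tuning numbers.

```python
# Added example: a simple ARP sweep detector over constructed ARP request records.
# Each record is (timestamp_seconds, sender_mac, target_ip). All values below are
# made up for illustration; the window and threshold are assumed tuning numbers.
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # sliding window length (assumed)
DISTINCT_TARGETS = 20   # distinct targets per sender within one window to call it a sweep (assumed)


def detect_arp_sweeps(requests, window=WINDOW_SECONDS, threshold=DISTINCT_TARGETS):
    """Return {sender_mac: timestamp_first_flagged} for every sender that asked
    'Who has X?' for at least `threshold` distinct X within any `window` seconds."""
    recent = defaultdict(deque)                    # sender -> (ts, target) in time order
    counts = defaultdict(lambda: defaultdict(int))  # sender -> target -> hits still in window
    flagged = {}
    for ts, mac, target in sorted(requests):
        q, c = recent[mac], counts[mac]
        # Evict this sender's requests that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _, old_target = q.popleft()
            c[old_target] -= 1
            if c[old_target] == 0:
                del c[old_target]
        q.append((ts, target))
        c[target] += 1
        # Key on distinct targets, not request count: a host re-resolving its
        # gateway a hundred times is noisy but is not enumerating the subnet.
        if len(c) >= threshold and mac not in flagged:
            flagged[mac] = ts
    return flagged


# Constructed sample: one host asks for 24 consecutive addresses in 3 seconds,
# another re-resolves only its gateway and a printer every 5 seconds.
SWEEP = [(1000.0 + i * 0.125, "aa:bb:cc:00:00:01", f"192.168.1.{i}") for i in range(24)]
NORMAL = [(1000.0 + i * 5.0, "aa:bb:cc:00:00:02",
           "192.168.1.1" if i % 2 else "192.168.1.50") for i in range(24)]
SAMPLE = SWEEP + NORMAL

# The same 24 targets spread 10 seconds apart: never 20 distinct targets in one window.
SLOW_SWEEP = [(1000.0 + i * 10.0, "aa:bb:cc:00:00:03", f"192.168.1.{i}") for i in range(24)]

if __name__ == "__main__":
    for mac, ts in detect_arp_sweeps(SAMPLE).items():
        print(f"possible ARP sweep from {mac}, first flagged at t={ts}")
    print("slow sweep flagged:", detect_arp_sweeps(SLOW_SWEEP))
```

As the second answer implies, the same requests spread over long intervals stay below a window-based threshold, so the window and threshold have to be tuned against the LAN's baseline ARP traffic rather than picked once.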