Using ARP for Network Reconnaissance

Objective

Learn how to use the Address Resolution Protocol (ARP) and the arp command to map IP addresses to MAC addresses, discover devices on a network, and troubleshoot network issues. This lab also demonstrates how attackers can use ARP spoofing for reconnaissance and potential exploitation.

Prerequisites

Linux or Windows Environment:
- Both Linux and Windows systems come with built-in ARP tools.
Basic Networking Knowledge:
- Familiarity with IP and MAC addresses.
- Understanding the purpose of ARP in resolving IP-to-MAC address mapping.
Local Network Access:
- A testing environment where you have access to the local network.

Step 1: Understanding ARP

What is ARP?
- ARP resolves IP addresses to MAC addresses for communication within a local network.
- Each device maintains an ARP table mapping IPs to MAC addresses.
ARP Table Usage:
- Helps devices identify the physical address associated with an IP address.
Common Use Cases:
- Network troubleshooting.
- Discovering devices on a network.
- Detecting or performing ARP spoofing attacks (in ethical contexts).

Step 2: Viewing the ARP Table

On Linux

Open a terminal and type:
```
arp -n
```
Analyze the output:
- Address: IP address of the device.
- HWaddress: MAC address of the device.
- Iface: Network interface used to communicate with the device.
Example Output:
```
Address               HWaddress           Flags Mask            Iface
192.168.1.1           00:11:22:33:44:55  C                     eth0
```

On Windows

Open Command Prompt and type:
```
arp -a
```

Review the output:

Internet Address: IP address.
Physical Address: MAC address.
Type: Dynamic (learned via ARP) or Static.

Example Output:

Interface: 192.168.1.100 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic

Step 3: Adding a Static ARP Entry

On Linux

Add a static ARP entry:
```
sudo arp -s <ip_address> <mac_address>
```
- Replace <ip_address> with the IP (e.g., 192.168.1.50).
- Replace <mac_address> with the MAC address (e.g., 00:aa:bb:cc:dd:ee).
Verify the entry:
```
arp -n
```

On Windows

Add a static ARP entry:
```
arp -s <ip_address> <mac_address>
```
Verify the entry:
```
arp -a
```

Deleting a Static ARP Entry

On Linux:
```
sudo arp -d <ip_address>
```
On Windows:
```
arp -d <ip_address>
```

Step 4: Using ARP for Network Discovery

Discover Devices:
- Ping all devices in the local subnet:
```
ping -b 192.168.1.255
```
  - Replace 192.168.1.255 with your subnet’s broadcast address.
- View the updated ARP table:
```
arp -n
```
Cross-Verify Results:
- Use tools like nmap to compare discovered devices.

Step 5: Detecting ARP Spoofing

What is ARP Spoofing?
- An attacker sends fake ARP responses to redirect traffic or impersonate devices.
Detect Duplicates:
- Look for duplicate MAC addresses in the ARP table.
Use Detection Tools:
- Tools like arpwatch monitor and alert on suspicious ARP activity.
Installation (Linux):
```
sudo apt install arpwatch
```
Run arpwatch to monitor traffic and log activity.

Step 6: Ethical Considerations

Permission Required:
- Only use ARP commands and tools on networks you own or have explicit permission to test.
Minimize Impact:
- Avoid flooding the network with ARP requests.
Document Findings:
- Record any suspicious activity or misconfigurations.

Additional Tips and Insights

Combine with Other Tools:
- Use tcpdump or Wireshark alongside ARP for packet analysis.
Regular Monitoring:
- Periodically check the ARP table for unauthorized devices.
Automation:
- Write scripts to automate ARP table checks and compare results over time.
Transition to Modern Tools:
- The ip neigh command offers similar functionality with additional features:
```
ip neigh show
```

Key Takeaways

The arp command is a simple but powerful tool for mapping IPs to MAC addresses and detecting anomalies.
Understanding ARP is essential for troubleshooting local network issues.
Use ARP tools responsibly and within authorized environments to ensure network security.