arping – Backtrack 5 – Information Gathering – Network Analysis – Identify Live Hosts – arping
Posted by alex in Security at 4:48 AM
The arping application is a simple command that lets you ping devices by hostname, IP address, or MAC address. The unfortunate part is that most devices will not respond to a ping by MAC address, which arping sends as a directed broadcast ICMP echo request rather than an ARP request, though there are some out there that do. I go into more detail below regarding pinging via MAC address by providing an example of the typical output, example output when a device does respond to the ICMP echo requests, and details about how to configure Linux hosts to respond to these ICMP echo requests. I also show a couple of the switches available with arping and provide examples of using arping to ping devices by IP and hostname.
arping – Backtrack Linux > Information Gathering > Network Analysis > Identify Live Hosts
arping man page
arping(8) arping(8)
NAME
arping - sends arp and/or ip pings to a given host
SYNOPSIS
arping [-abdDeFhpqrRd0uv] [-S host/ip] [-T host/ip] [-s MAC] [-t MAC] [-c count] [-i interface] [ -w us ]
arping --help
DESCRIPTION
The arping utility sends ARP and/or ICMP requests to the specified host and displays the replies. The host may be specified by its hostname, its IP address, or its MAC address.
One request is sent each second.
When pinging an IP an ARP who-has query is sent. When pinging a MAC address a directed broadcast ICMP Echo request is sent. For more technical explanation and an FAQ, see the README file.
Note on timing
ARP packets are usually replied to (on a LAN) so fast that the OS task scheduler can’t keep up to get exact enough timing. On an idle system the roundtrip times will be pretty much accurate, but with more load the timing gets less exact.
To get more exact timing on a non-idle system, re-nice arping to -15 or so.
# nice -n -15 arping foobar
This is not just an issue with arping, it is with normal ping also (at least it is on my system). But it doesn’t show up as much with ping since arping packets (when pinging IP) don’t traverse the IP stack when received and are therefore replied to faster.
OPTIONS
--help Show extended help. Not quite as extensive as this manpage, but more than -h.
-0 Use this option to ping with source IP address 0.0.0.0. Use this when you haven’t configured your interface yet. Note that this may get the MAC-ping unanswered. This is an alias for -S 0.0.0.0.
-a Audible ping.
-A Only count addresses matching requested address (This *WILL* break most things you do. Only useful if you are arpinging many hosts at once. See arping-scan-net.sh for an example).
-b Like -0 but source broadcast source address (255.255.255.255). Note that this may get the arping unanswered since it’s not normal behavior for a host.
-B Use instead of host if you want to address 255.255.255.255.
-c count
Only send count requests.
-d Find duplicate replies. Exit with 1 if there are answers from two different MAC addresses.
-D Display answers as dots and missing packets as exclamation points. Like flood ping on a Cisco.
-e Like -a but beep when there is no reply.
-F Don’t try to be smart about the interface name. Even if this switch is not given, -i disables this smartness.
-h Displays a help message and exits.
-i interface
Don’t guess, use the specified interface.
-p Turn on promiscuous mode on interface, use this if you don’t “own” the MAC address you are using.
-q Does not display messages, except error messages.
-r Raw output: only the MAC/IP address is displayed for each reply.
-R Raw output: Like -r but shows “the other one”, can be combined with -r.
-s MAC Set source MAC address. You may need to use -p with this.
-S IP Like -b and -0 but with set source address. Note that this may get the arping unanswered if the target does not have routing to the IP. If you don’t own the IP you are using, you may need to turn on promiscuous mode on the interface (with -p). With this switch you can find out what IP-address a host has without taking an IP-address yourself.
-t MAC Set target MAC address to use when pinging IP address.
-T IP Use -T as target address when pinging MACs
-u Show index=received/sent instead of just index=received when pinging MACs.
-v Verbose output. Use twice for more messages.
-w Time to wait between pings, in microseconds.
EXAMPLES
# arping -c 3 88.123.180.225
ARPING 88.123.180.225
60 bytes from 00:11:85:4c:01:01 (88.123.180.225): index=0 time=13.910 msec
60 bytes from 00:11:85:4c:01:01 (88.123.180.225): index=1 time=13.935 msec
60 bytes from 00:11:85:4c:01:01 (88.123.180.225): index=2 time=13.944 msec
--- 88.123.180.225 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered
# arping -c 3 00:11:85:4c:01:01
ARPING 00:11:85:4c:01:01
60 bytes from 88.123.180.225 (00:11:85:4c:01:01): icmp_seq=0 time=13.367 msec
60 bytes from 88.123.180.225 (00:11:85:4c:01:01): icmp_seq=1 time=13.929 msec
60 bytes from 88.123.180.225 (00:11:85:4c:01:01): icmp_seq=2 time=13.929 msec
--- 00:11:85:4c:01:01 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered
BUGS
You have to use -B instead of arpinging 255.255.255.255, and -b instead of -S 255.255.255.255. This is libnets fault.
SEE ALSO
ping(8), arp(8), rarp(8)
AUTHOR
Arping was written by Thomas Habets <thomas@habets.pp.se>.
http://www.habets.pp.se/synscan/
git clone http://github.com/ThomasHabets/arping.git
arping 21st June, 2003 arping(8)
arping Functionality – Ping Host By IP
root@bt:~# arping -c 3 192.168.44.210
ARPING 192.168.44.210
60 bytes from 00:25:90:77:aa:a3 (192.168.44.210): index=0 time=306.129 usec
60 bytes from 00:25:90:77:aa:a3 (192.168.44.210): index=1 time=303.984 usec
60 bytes from 00:25:90:77:aa:a3 (192.168.44.210): index=2 time=434.875 usec
--- 192.168.44.210 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
root@bt:~#
The arping command sends ARP who-has queries, instead of the ICMP echo requests that ping sends. Notice how the responses are reported in usec (microseconds), which provides a more granular view of the response time from a device. Because ARP is a layer 2 protocol, arping is for hosts on the local LAN and does not work across routed WAN links. Also notice the -c switch, which tells arping to send a count of three packets.
arping Functionality – Ping Host By Hostname
root@bt:~# arping -c 3 ubuntu.example.com
ARPING 192.168.44.210
60 bytes from 00:25:90:77:aa:a3 (192.168.44.210): index=0 time=313.997 usec
60 bytes from 00:25:90:77:aa:a3 (192.168.44.210): index=1 time=437.021 usec
60 bytes from 00:25:90:77:aa:a3 (192.168.44.210): index=2 time=311.136 usec
--- 192.168.44.210 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
root@bt:~#
As you can see above, the responses from arping when pinging a hostname are the same as when pinging an IP address, since the hostname is simply resolved to its IP address first. Again the -c switch was used to send only three packets.
arping Functionality – Ping Host By MAC Address
root@bt:~# arping -c 3 00:25:90:aa:42:dd
ARPING 00:25:90:aa:42:dd
--- 00:25:90:7c:42:8f statistics ---
3 packets transmitted, 0 packets received, 100% unanswered (0 extra)
root@bt:~#
The above output is what you would typically see when pinging a MAC address using arping. Most devices ignore the ICMP echo requests that arping sends to a MAC address, though I have found some devices that do respond, such as Apple TVs and other Apple devices. It is also easy to modify a couple of settings on Linux servers to allow them to respond to these ICMP echo requests as well. The author of arping discusses re-nicing arping with the “nice” command to get more accurate timings from the OS task scheduler; however I have yet to see any different results using it, so I left it out of the examples until I understand more about it. Below we demonstrate an Apple TV responding to arping’s ICMP echo requests, describe the Linux server settings modification, and display the before/after output of arping sending ICMP echo requests to a Backtrack Linux server.
arping Functionality – Ping Apple TV By MAC Address
root@bt:~# arping -c 3 98:d6:bb:00:66:af
ARPING 98:d6:bb:00:d7:af
60 bytes from 192.168.33.222 (98:d6:bb:00:66:af): icmp_seq=0 time=830.889 usec
60 bytes from 192.168.33.222 (98:d6:bb:00:66:af): icmp_seq=1 time=1.681 msec
60 bytes from 192.168.33.222 (98:d6:bb:00:66:af): icmp_seq=2 time=717.163 usec
--- 98:d6:bb:00:d7:af statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
root@bt:~#
Pretty slick! I have seen various feedback provided to the author of arping calling the tool useless; however I would strongly disagree. It would appear to me that these people attempted to use the tool once against a default Windows host or similar and then started complaining. With a little exploring I could see this tool coming in handy on large flat networks, where layer two connectivity is not locked down, as an entry point for info gathering.
arping – Modify Linux Host To Respond To ICMP Echo Requests
root@bt:~# echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
root@bt:~# echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
After the above changes are made to that specific Backtrack Linux server it will respond to ICMP echo requests; however once it is rebooted it will go back to ignoring those same requests as before. If you want to make the changes permanent, set the same two keys in /etc/sysctl.conf (net.ipv4.icmp_echo_ignore_broadcasts = 0 and net.ipv4.icmp_echo_ignore_all = 0). Keep in mind that icmp_echo_ignore_broadcasts defaults to 1 because a host that answers broadcast echo requests can be abused as a traffic amplifier, so only relax it on hosts where that exposure is acceptable. Below are the results of arping against the same Backtrack Linux server that was used above when 0 responses were received.
arping Functionality – Ping Host By MAC Address After Modifications
root@bt:~# arping -c 3 00:25:90:dd:a9:aa
ARPING 00:25:90:dd:a9:aa
60 bytes from 192.168.44.210 (00:25:90:dd:a9:aa): icmp_seq=0 time=628.948 usec
60 bytes from 192.168.44.210 (00:25:90:dd:a9:aa): icmp_seq=1 time=319.004 usec
60 bytes from 192.168.44.210 (00:25:90:dd:a9:aa): icmp_seq=2 time=319.004 usec
--- 00:25:90:7c:a9:a3 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
root@bt:~#
To round out this post I wanted to provide a couple more examples using different switches so you get an idea of other arping capabilities. Keep in mind that by reading the man page provided above you can obtain most of this information, and you should always read a command’s man page in detail before using the command or asking any questions!
arping – Verbose Output Switch Addition
root@bt:~# arping -c 3 -vv 00:25:90:dd:a9:aa
libnet_init(<null>)
libnet_init(<null>)
libnet_init(eth0)
pcap_get_selectable(): 6
This box: Interface: eth0 IP: 192.168.44.7 MAC address: 00:26:b9:33:42:33
ARPING 00:25:90:dd:a9:aa
arping: sending packet at time 1360148998 853165
60 bytes from 192.168.44.210 (00:25:90:dd:a9:aa): icmp_seq=0 time=492.096 usec
arping: sending packet at time 1360148999 853767
60 bytes from 192.168.44.210 (00:25:90:dd:a9:aa): icmp_seq=1 time=334.024 usec
arping: sending packet at time 1360149000 854182
60 bytes from 192.168.44.210 (00:25:90:dd:a9:aa): icmp_seq=2 time=307.083 usec
--- 00:25:90:7c:a9:a3 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
root@bt:~#
Notice there is more informational output about the command before the ICMP echo requests are sent. This assists in troubleshooting and/or understanding how arping functions.
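The reply lines in the outputs above come in two shapes: IP and hostname pings print "MAC (IP): index=N", while MAC pings print "IP (MAC): icmp_seq=N", and times switch between usec and msec. The following Python is an added example written for this post (it is not part of arping or of the original article): it parses both shapes, skips the -vv chatter, normalises every RTT to microseconds, and reports when replies came from more than one MAC, which is the condition the -d switch exits 1 on. The sample output it runs on is constructed, with made-up addresses.

```python
import re
# Both reply shapes arping prints: IP/hostname pings use index= and show "MAC (IP)",
# MAC pings use icmp_seq= and show "IP (MAC)". Other lines (verbose chatter, stats) are skipped.
REPLY_RE = re.compile(
    r"^\d+ bytes from (?P<a>\S+) \((?P<b>[^)]+)\): "
    r"(?:index|icmp_seq)=(?P<seq>\d+) time=(?P<t>[\d.]+) (?P<unit>usec|msec|sec)$")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
STATS_RE = re.compile(r"^(?P<sent>\d+) packets transmitted, (?P<recv>\d+) packets received")
TO_USEC = {"usec": 1.0, "msec": 1000.0, "sec": 1_000_000.0}

def parse_reply(line):
    """Return {"mac", "ip", "seq", "rtt_usec"} for a reply line, or None for anything else."""
    m = REPLY_RE.match(line.strip())
    if not m:
        return None
    a, b = m.group("a"), m.group("b")
    mac, ip = (a, b) if MAC_RE.match(a) else (b, a)       # whichever side is the MAC
    rtt = float(m.group("t")) * TO_USEC[m.group("unit")]  # normalise to microseconds
    return {"mac": mac.lower(), "ip": ip, "seq": int(m.group("seq")), "rtt_usec": rtt}

def summarize(output):
    """Digest one run: replies, counts per MAC, average RTT, and whether >1 MAC answered (what -d flags)."""
    lines = output.splitlines()
    replies = [r for r in map(parse_reply, lines) if r is not None]
    sent = received = None
    for line in lines:
        m = STATS_RE.match(line.strip())
        if m:
            sent, received = int(m.group("sent")), int(m.group("recv"))
    per_mac = {}
    for r in replies:
        per_mac[r["mac"]] = per_mac.get(r["mac"], 0) + 1
    avg = sum(r["rtt_usec"] for r in replies) / len(replies) if replies else None
    return {"replies": replies, "sent": sent, "received": received, "per_mac": per_mac,
            "duplicate_macs": len(per_mac) > 1, "avg_rtt_usec": avg}

# Constructed sample of a verbose (-vv) run in which a second MAC also answers index=1;
# the addresses are made up and not captured from the page's network.
SAMPLE = """\
libnet_init(eth0)
ARPING 192.168.44.210
arping: sending packet at time 1360148998 853165
60 bytes from 00:25:90:77:aa:a3 (192.168.44.210): index=0 time=306.129 usec
60 bytes from 00:25:90:77:aa:a3 (192.168.44.210): index=1 time=320.500 usec
60 bytes from 00:25:90:dd:a9:aa (192.168.44.210): index=1 time=1.681 msec
60 bytes from 00:25:90:77:aa:a3 (192.168.44.210): index=2 time=434.875 usec
--- 192.168.44.210 statistics ---
3 packets transmitted, 4 packets received, 0% unanswered (1 extra)
"""
```

Feed it the text of a real run (for example `summarize(open("arping.log").read())`) and a `duplicate_macs` of True on a LAN where one IP should belong to one host is worth a closer look.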
There are a bunch of other switches that can be used, including the -a switch to beep on every successful reply, -i to set the interface to send from, -b to set the source address to the broadcast address, and many more. Overall, while arping is a fairly basic application it does provide a good amount of functionality, and I read the author is potentially looking to provide DoS functionality in the future. If anyone else has devices that respond to ICMP echo requests without modifications I would be interested in hearing about those in the comments!
Bro, where are all the new articles? How am I supposed to learn with you not posting, son!
Dear sir:
How are you? I want to ask about something please. I want to do something on Backtrack but they ask for an interface; can you tell me what the interface is please.
Thank you
Best regards