Sunday, August 11, 2013

Scan ARP MAC addresses of other devices on the LAN

(Disclaimer: this is not IPv6 related. Just plain IPv4)

It can be useful to see which other devices are connected to a LAN, and then check the MAC address to get some kind identification. This way you can see - for example - if a smartphone is there, so thus guess if a certain person is there.

There is an easy tool for that: "arp-scan". It's available on Ubuntu Linux 13.04 after installing it "sudo apt-get install arp-scan". You have to run it as root:

$ sudo arp-scan --localnet --interface=wlan0
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1 64:d1:a3:03:8a:01 Sitecom Europe BV
192.168.0.113 00:06:dc:44:57:f3 Syabas Technology (Amquest)
192.168.0.102 04:46:65:7a:9d:55 (Unknown)
192.168.0.108 00:1f:e1:9f:eb:d2 Hon Hai Precision Ind. Co., Ltd.
192.168.0.109 f0:5a:09:35:ff:42 (Unknown)
192.168.0.102 04:46:65:7a:9d:55 (Unknown) (DUP: 2)
192.168.0.104 00:37:6d:01:ed:9a (Unknown) (DUP: 1)

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.336 seconds (191.62 hosts/sec). 7 responded

It works, but some MAC addresses are unknown. If you want the newer version, get it from http://www.nta-monitor.com/tools-resources/security-tools/arp-scan and compile it. Result:


$ sudo ./arp-scan --localnet --interface=wlan0
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1 64:d1:a3:03:8a:01 Sitecom Europe BV
192.168.0.113 00:06:dc:44:57:f3 Syabas Technology (Amquest)
192.168.0.104 00:37:6d:01:ed:9a Murata Manufacturing Co., Ltd.
192.168.0.109 f0:5a:09:35:ff:42 Samsung Electronics Co.,Ltd
192.168.0.108 00:1f:e1:9f:eb:d2 Hon Hai Precision Ind. Co., Ltd.
192.168.0.102 04:46:65:7a:9d:55 Murata Manufacturing Co., Ltd.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 1.981 seconds (129.23 hosts/sec). 6 responded

So the f0:5a:09:35:ff:42 is my Samsung Android smartphone. That means I'm at home (or I left my phone at home ;-) )

Tip: run arp-scan a few times; sometimes it shows more lines that other times.

2 comments:

Silvester Norman said...

Can it be possible using IPv4 protocol? I have done this with IPv6 and just being curious to know whether the same can be possible with IPv4 protocol...

Regards,
Silvester Norman
Change MAC Address
25 ongiumo

Hugo said...

This is fantastic!