$ sudo arp-scan 172.16.10.10 -I br_public
We also need to tell arp-scan which network interface to send
packets on, as there are a few network interfaces in Kali. To achieve
this, we use the -I argument. The br_public interface
corresponds to the 172.16.10.0/24 network in the lab.
To scan entire networks, you can pass arp-scan a CIDR
range, such as /24. For example, the following command scans all IP
addresses between 172.16.10.1 and 172.16.10.254:
$ sudo arp-scan 172.16.10.0/24 -I br_public
Lastly, you can use the hosts file you created in
“Generating a List of Consecutive IP Addresses” on page XX as
input to arp-scan:
$ sudo arp-scan -f 172-16-10-hosts.txt -I br_public
The output generated by arp-scan should look like the
following:
172.16.10.10 02:42:ac:10:0a:0a (Unknown: locally administered)
172.16.10.11 02:42:ac:10:0a:0b (Unknown: locally administered)
172.16.10.12 02:42:ac:10:0a:0c (Unknown: locally administered)
172.16.10.13 02:42:ac:10:0a:0d (Unknown: locally administered)
Each line consists of three fields: the IP address, the MAC address, and
vendor details, which are identified by the first three octets of the MAC
address. In this scan, the tool identified four hosts on the network
that responded to ARP packets.
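As an added example (not code from the book), the following script parses output in this three-field format into clean records, skipping the banner and summary lines that surround the host rows, and reports whether each MAC address has the locally administered bit set, which is why no vendor is shown for the lab hosts. The sample input is constructed: the banner, the duplicate reply, the 172.16.10.20 row and the summary line are assumptions for illustration, as are the function names.

```shell
#!/bin/bash
# Added example, not code from the book: parse arp-scan output into records.

# Constructed sample input. The first four host rows are the ones shown above;
# the banner, duplicate reply, 172.16.10.20 row and summary line are made up
# to resemble what arp-scan prints around and between host rows.
SAMPLE_OUTPUT='Interface: br_public, type: EN10MB, MAC: 02:42:0a:00:00:01, IPv4: 172.16.10.1
172.16.10.10 02:42:ac:10:0a:0a (Unknown: locally administered)
172.16.10.11 02:42:ac:10:0a:0b (Unknown: locally administered)
172.16.10.12 02:42:ac:10:0a:0c (Unknown: locally administered)
172.16.10.13 02:42:ac:10:0a:0d (Unknown: locally administered)
172.16.10.13 02:42:ac:10:0a:0d (Unknown: locally administered) (DUP: 2)
172.16.10.20 00:11:22:33:44:55 (Constructed Vendor)
5 packets received by filter, 0 packets dropped by kernel'

# Keep only rows that begin with an IPv4 address followed by a MAC address.
# A looser filter such as "starts with a digit" would also keep the summary
# line. MACs are lower-cased and repeated replies from one IP are dropped.
parse_hosts() {
  tr 'A-F' 'a-f' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]+([0-9a-f]{2}:){5}[0-9a-f]{2}([[:space:]]|$)' |
    awk '!seen[$1]++ { print $1, $2 }'
}

# Succeeds when the 0x02 bit of the first octet is set, meaning the address
# was assigned by software (for example a container bridge), not by a vendor.
is_locally_administered() {
  local first_octet=${1%%:*}
  [ $(( 0x$first_octet & 2 )) -ne 0 ]
}

# Emit "IP MAC local|universal" for every parsed host.
classify_hosts() {
  parse_hosts | while read -r ip mac; do
    if is_locally_administered "$mac"; then kind=local; else kind=universal; fi
    printf '%s %s %s\n' "$ip" "$mac" "$kind"
  done
}

printf '%s\n' "$SAMPLE_OUTPUT" | classify_hosts
```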
Exercise 3: Receiving Notifications When New Hosts Are Detected
Imagine that you want to be notified whenever a new host
appears on the network. For example, maybe you want to know
when new laptops or IT assets have connected. This could be useful
if you’re testing a target in a different time zone, where device users
might not be online when you are.
We can use bash to send ourselves an email whenever our script
discovers new assets. Listing 4-9 runs a continuous scan to identify
new online hosts, adds these to the 172-16-10-hosts.txt file we
created in “Generating a List of Consecutive IP Addresses” on page
XX, and notifies us of the discovery. We’ll walk through this code,
then discuss ways in which you can improve it.
#!/bin/bash
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks