arp-scan | Kali Linux Tools (2024)

arp-scan Usage Examples

Scan the local network, using the information from the primary network interface:

root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
172.16.193.1    00:50:56:c0:00:08       VMware, Inc.
172.16.193.2    00:50:56:f1:18:a8       VMware, Inc.
172.16.193.254  00:50:56:e5:7b:87       VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.327 seconds (110.01 hosts/sec). 3 responded

Scan a subnet, specifying the interface to use and a custom source MAC address:

root@kali:~# arp-scan -I eth0 --srcaddr=DE:AD:BE:EF:CA:FE 192.168.86.0/24
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.86.1    70:3a:cb:68:51:4c       (Unknown)
192.168.86.3    00:08:9b:f6:f6:2f       ICP Electronics Inc.
192.168.86.2    84:1b:5e:e5:66:af       NETGEAR
192.168.86.4    00:11:32:4b:04:8a       Synology Incorporated
192.168.86.7    b8:27:eb:89:ac:c3       Raspberry Pi Foundation
[...]

arp-scan

arp-scan is a command-line tool that uses the ARP protocol to discover and fingerprint IP hosts on the local network. It is available for Linux and BSD under the GPL licence.

Installed size: 1.53 MB
How to install: sudo apt install arp-scan

Dependencies:
  • libc6
  • libcap2
  • libpcap0.8

arp-fingerprint

Fingerprint a system using ARP

root@kali:~# arp-fingerprint -h
Usage: arp-fingerprint [options] <target>
Fingerprint the target system using arp-scan.

'options' is one or more of:
        -h Display this usage message.
        -v Give verbose progress messages.
        -o <option-string> Pass specified options to arp-scan
        -l Fingerprint all targets in the local net.

arp-scan

Send ARP requests to target hosts and display responses

root@kali:~# arp-scan -h
Usage: arp-scan [options] [hosts...]

Target hosts must be specified on the command line unless the --file or
--localnet option is used.

arp-scan uses raw sockets, which requires privileges on some systems:

Linux with POSIX.1e capabilities support using libcap:
        arp-scan is capabilities aware. It requires CAP_NET_RAW in the
        permitted set and only enables that capability for the required
        functions.
BSD and macOS:
        You need read/write access to /dev/bpf*
Any operating system:
        Running as root or SUID root will work on any OS but other methods
        are preferable where possible.

Targets can be IPv4 addresses or hostnames. You can also use CIDR notation
(10.0.0.0/24) (network and broadcast included), ranges (10.0.0.1-10.0.0.10),
and network:mask (10.0.0.0:255.255.255.0).

Options:

The data type for option arguments is shown by a letter in angle brackets:

<s> Character string.
<i> Decimal integer, or hex if preceeded by 0x e.g. 2048 or 0x800.
<f> Floating point decimal number.
<m> MAC address, e.g. 01:23:45:67:89:ab or 01-23-45-67-89-ab (case insensitive)
<a> IPv4 address e.g. 10.0.0.1
<h> Hex encoded binary data. No leading 0x. (case insensitive).
<x> Something else - see option description.

General Options:

--help or -h
        Display this usage message and exit.

--verbose or -v
        Display verbose progress messages.
        Can be used than once to increase verbosity. Max=3.

--version or -V
        Display program version details and exit.
        Shows the version, license details, libpcap version,
        and whether POSIX.1e capability support is included.

--interface=<s> or -I <s>
        Use network interface <s>.
        If this option is not specified, arp-scan will search
        the system interface list for the lowest numbered,
        configured up interface (excluding loopback).

Host Selection:

--file=<s> or -f <s>
        Read hostnames or addresses from the specified file
        One name or address pattern per line. Use "-" for stdin.

--localnet or -l
        Generate addresses from interface configuration.
        Generates list from interface address and netmask
        (network and broadcast included). You cannot use the
        --file option or give targets on the command line.
        Use --interface to specify the interface.

MAC/Vendor Mapping Files:

--ouifile=<s> or -O <s>
        Use IEEE registry vendor mapping file <s>.
        Default is ieee-oui.txt in the current directory. If
        that is not found /usr/share/arp-scan/ieee-oui.txt
        is used.

--macfile=<s> or -m <s>
        Use custom vendor mapping file <s>.
        Default is mac-vendor.txt in the current directory.
        If that is not found
        /etc/arp-scan/mac-vendor.txt is used.

Output Format Control:

--quiet or -q
        Display minimal output for each responding host.
        Only the IP address and MAC address are displayed.
        Reduces memory usage by about 5MB because the
        vendor mapping files are not used. Only the ${ip}
        and ${mac} fields are available for the --format
        option if --quiet is specified.

--plain or -x
        Supress header and footer text.
        Only display the responding host details. Useful if
        the output will be parsed by a script.

--ignoredups or -g
        Don't display duplicate packets.
        By default duplicate packets are flagged with
        "(DUP: n)" where n is the number of times this
        host has responded.

--rtt or -D
        Calculate and display the packet round-trip time.
        The time is displayed in milliseconds and fractional
        microseconds. Makes the ${rtt} field available for
        --format.

--format=<s> or -F <s>
        Specify the output format string.
        The format is a string that will be output for each
        responding host. Host details can be included by
        inserting references to fields using the syntax
        "${field[;width]}". Fields are displayed right-aligned
        unless the width is negative in which case
        left alignment will be used. The following
        case-insensitive field names are recognised:

        IP       Host IPv4 address in dotted quad format
        Name     Host name if --resolve option given
        MAC      Host MAC address xx:xx:xx:xx:xx:xx
        HdrMAC   Ethernet source addr if different
        Vendor   Vendor details string
        Padding  Padding after ARP packet in hex if nonzero
        Framing  Framing type if not Ethernet_II
        VLAN     802.1Q VLAD ID if present
        Proto    ARP protocol if not 0x0800
        DUP      Packet number for duplicate packets (>1)
        RTT      Round trip time if --rtt option given

        Only the "ip" and "mac" fields are available if the
        --quiet option is specified.

        Any characters that are not fields are output
        verbatim. "\" introduces escapes:

        \n newline
        \r carriage return
        \t tab
        \ suppress special meaning for following character

        You should enclose the --format argument in 'single
        quotes' to protect special characters from the shell.

        Example: --format='${ip}\t${mac}\t${vendor}'

Host List Randomisation:

--random or -R
        Randomise the target host list.

--randomseed=<i>
        Seed the pseudo random number generator.
        Useful if you want a reproducible --random order.

Output Timing and Retry:

--retry=<i> or -r <i>
        Set total number of attempts per host to <i>,
        default=2.

--backoff=<f> or -b <f>
        Set backoff factor to <f>, default=1.50.
        Multiplies timeout by <f> for each pass.

--timeout=<i> or -t <i>
        Set initial per host timeout to <i> ms, default=500.
        This timeout is for the first packet sent to each host.
        subsequent timeouts are multiplied by the backoff
        factor which is set with --backoff.

--interval=<x> or -i <x>
        Set minimum packet interval to <x>.
        This controls the outgoing bandwidth usage by limiting
        the packet rate. If you want to use up to a given
        bandwidth it is easier to use the --bandwidth option
        instead. The interval is in milliseconds, or
        microseconds if "u" is appended.

--bandwidth=<x> or -B <x>
        Set outbound bandwidth to <x>, default=256000.
        The value is in bits per second. Append K for
        kilobits or M for megabits (decimal multiples). You
        cannot specify both --interval and --bandwidth.

DNS Resolution:

--numeric or -N
        Targets must be IP addresses, not hostnames.
        Can reduce startup time for large target lists.

--resolve or -d
        Resolve responding addresses to hostnames.
        The default output format will display the hostname
        instead of the IPv4 address. This option makes the
        ${name} field available for the --format option.

Output ARP Packet:

--arpsha=<m> or -u <m>
        Set the ARP source Ethernet address.
        Sets the 48-bit ar$sha field but does not change the
        hardware address in the frame header, see --srcaddr
        for how to change that address. Default is the
        Ethernet address of the outgoing interface.

--arptha=<m> or -w <m>
        Set the ARP target Ethernet address.
        Sets the 48-bit ar$tha field. The default is zero
        because this field is not used for ARP request packets.

--arphrd=<i> or -H <i>
        Set the ARP hardware type, default=1.
        Sets the 16-bit ar$hrd field. The default is 1
        (ARPHRD_ETHER). Many operating systems also respond to
        6 (ARPHRD_IEEE802)

--arppro=<i> or -p <i>
        Set the ARP protocol type, default=0x0800.
        Sets the 16-bit ar$pro field. Most operating systems
        only respond to 0x0800 (IPv4).

--arphln=<i> or -a <i>
        Set the hardware address length, default=6.
        Sets the 8-bit ar$hln field. The lengths of the
        ar$sha and ar$tha fields are not changed by this
        option; it only changes the ar$hln field.

--arppln=<i> or -P <i>
        Set the protocol address length, default=4.
        Sets the 8-bit ar$pln field. The lengths of the ar$spa
        and ar$tpa fields are not changed by this option;
        it only changes the ar$pln field.

--arpop=<i> or -o <i>
        Specify the ARP operation, default=1.
        Sets the 16-bit ar$op field. Most operating systems
        only respond to the value 1 (ARPOP_REQUEST).

--arpspa=<a> or -s <a>
        Set the source IPv4 address.
        The address should be in dotted quad format, or the
        string "dest", which sets the source address to
        the target host address. The default is the outgoing
        interface address. Sets the 32-bit ar$spa field. Some
        operating systems only respond if the source address
        is within the network of the receiving interface.
        Setting ar$spa to the destination IP address can cause
        some operating systems to report an address clash.

Output Ethernet Header:

--srcaddr=<m> or -S <m>
        Set the source Ethernet MAC address.
        Default is the interface MAC address. This sets the
        address in the Ethernet header. It does not change the
        address in the ARP packet: use --arpsha to change
        that address.

--destaddr=<m> or -T <m>
        Set the destination MAC address.
        Sets the destination address in the Ethernet
        header. Default is ff:ff:ff:ff:ff:ff (broadcast)
        Hosts also respond if the request is sent to their
        unicast address, or to a multicast address they
        are listening on.

--prototype=<i> or -y <i>
        Sets the Ethernet protocol type, default=0x0806.
        This sets the protocol type field in the Ethernet
        header.

--llc or -L
        Use RFC 1042 LLC/SNAP encapsulation for 802.2 networks.
        arp-scan will decode and display ARP responses in both
        Ethernet-II and IEEE 802.2 formats irrespective of
        this option.

--vlan=<i> or -Q <i>
        Use 802.1Q tagging with VLAN id <i>.
        The id should be in the range 0 to 4095. arp-scan will
        decode and display ARP responses in 802.1Q format
        irrespective of this option.

Misc Options:

--limit=<i> or -M <i>
        Exit after the specified number of hosts have responded.
        arp-scan will exit with status 1 if the number of
        responding hosts is less than the limit. Can be used
        in scripts to check if fewer hosts respond without
        having to parse the output.

--pcapsavefile=<s> or -W <s>
        Write received packets to pcap savefile <s>.
        ARP responses will be written to the specified file
        as well as being decoded and displayed.

--snap=<i> or -n <i>
        Set the pcap snap length to <i>. Default=64.
        Specifies the frame capture length, including the
        Ethernet header. The default is normally sufficient.

--retry-send=<i> or -Y <i>
        Set number of send attempts, default=20.

--retry-send-interval=<i> or -E <i>
        Set interval between send attempts.
        Interval is in milliseconds or microseconds if "u"
        is appended. default=5.

--padding=<h> or -A <h>
        Specify padding after packet data.
        Set padding after the ARP request to hex value <h>.

Report bugs or send suggestions at https://github.com/royhills/arp-scan
See the arp-scan homepage at https://github.com/royhills/arp-scan

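Added example (not part of the original page or of the arp-scan project): a Python parser for scan output produced with --plain and the format string from the help text's own example, --format='${ip}\t${mac}\t${vendor}'. It reports any IP address answered by more than one MAC and any binding that differs from an expected inventory. The KNOWN inventory, the function names and the last sample line are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")
# Constructed sample of: arp-scan --plain --format='${ip}\t${mac}\t${vendor}'
# run without --ignoredups. Hosts 1-4 are from the page's example scan; the
# last line is a constructed second answer for 192.168.86.1 from another MAC.
SAMPLE = (
    "192.168.86.1\t70:3a:cb:68:51:4c\t(Unknown)\n"
    "192.168.86.3\t00:08:9b:f6:f6:2f\tICP Electronics Inc.\n"
    "192.168.86.2\t84:1b:5e:e5:66:af\tNETGEAR\n"
    "192.168.86.4\t00:11:32:4b:04:8a\tSynology Incorporated\n"
    "192.168.86.1\t02:00:00:aa:bb:cc\t(Unknown)\n"
)
# Hypothetical inventory of expected IP -> MAC bindings.
KNOWN = {"192.168.86.1": "70:3a:cb:68:51:4c",
         "192.168.86.2": "84:1b:5e:e5:66:af",
         "192.168.86.3": "00:08:9b:f6:f6:2f"}

def parse_scan(text):
    """Return {ip: set_of_macs}; lines that are not IP<TAB>MAC[...] are skipped."""
    seen = defaultdict(set)
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 2 or not MAC_RE.fullmatch(fields[1].strip().lower()):
            continue
        try:
            ip = str(ipaddress.IPv4Address(fields[0].strip()))
        except ValueError:
            continue
        seen[ip].add(fields[1].strip().lower())
    return dict(seen)

def audit(seen, known):
    """Return (ip, finding, macs) for every binding that disagrees with `known`."""
    findings = []
    for ip in sorted(seen, key=ipaddress.IPv4Address):
        macs = sorted(seen[ip])
        if len(macs) > 1:                      # one IP answered by several MACs
            findings.append((ip, "conflict", macs))
        elif ip not in known:                  # host missing from the inventory
            findings.append((ip, "unknown-host", macs))
        elif known[ip].lower() != macs[0]:     # inventoried IP, different MAC
            findings.append((ip, "mac-changed", macs))
    return findings

if __name__ == "__main__":
    for ip, finding, macs in audit(parse_scan(SAMPLE), KNOWN):
        print(ip, finding, ",".join(macs), sep="\t")
```
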
get-iab
get-oui

Fetch the arp-scan OUI file from the ieee-data package

root@kali:~# get-oui --help
/usr/sbin/get-oui version [unknown] calling Getopt::Std::getopts (version 1.13 [paranoid]),
running under Perl version 5.38.2.

Usage: get-oui [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...]

The following single-character options are accepted:
        With arguments: -f -u
        Boolean (without arguments): -h -v

Options may be merged together. -- stops processing of options.
Space is not required between options and their arguments.
  [Now continuing due to backward compatibility and excessive paranoia.
   See 'perldoc Getopt::Std' about $Getopt::Std::STANDARD_HELP_VERSION.]

Updated on: 2024-Mar-11
