#1. What is arp-scan
A command that lists the IP and MAC addresses in use on the same network segment.
A MAC address is a 48-bit (6-octet) address whose upper 3 octets form the OUI (Organizationally Unique Identifier), a vendor-specific identifier. arp-scan prints the vendor name for each responding host, so there is no need to look the OUI up separately in a vendor-code list, which is convenient.
#2. Installing arp-scan
[root@osc01 ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@osc01 ~]# yum install -y git automake autoconf libpcap-devel gcc
[root@osc01 ~]# git clone https://github.com/royhills/arp-scan.git
[root@osc01 ~]# cd arp-scan/
[root@osc01 arp-scan]# ls
acinclude.m4 ChangeLog error.c get-oui.1 mac-vendor.txt pkt-custom-request-vlan.dat pkt-trailer-response.pcap strlcpy.c
arp-fingerprint check-decode get-iab ieee-iab.txt Makefile.am pkt-custom-request-vlan-llc.dat pkt-vlan-llc-response.pcap TODO
arp-fingerprint.1 check-host-list get-iab.1 ieee-oui.txt mt19937ar.c pkt-llc-response.pcap pkt-vlan-response.pcap utils.c
arp-scan.1 check-packet getopt1.c link-bpf.c NEWS pkt-net1921681-response.pcap pre-release-testing.txt wrappers.c
arp-scan.c check-run1 getopt.c link-dlpi.c pkt-custom-request.dat pkt-padding-response.pcap README
arp-scan.h configure.ac getopt.h link-packet-socket.c pkt-custom-request-llc.dat pkt-simple-request.dat README.md
AUTHORS COPYING get-oui mac-vendor.5 pkt-custom-request-padding.dat pkt-simple-response.pcap strlcat.c
[root@osc01 arp-scan]# autoreconf --install
[root@osc01 arp-scan]# ./configure
[root@osc01 arp-scan]# make
[root@osc01 arp-scan]# make check
make check-run1 check-packet check-decode check-host-list
make[1]: Entering directory `/root/arp-scan'
make[1]: Nothing to be done for `check-run1'.
make[1]: Nothing to be done for `check-packet'.
make[1]: Nothing to be done for `check-decode'.
make[1]: Nothing to be done for `check-host-list'.
make[1]: Leaving directory `/root/arp-scan'
make check-TESTS
make[1]: Entering directory `/root/arp-scan'
make[2]: Entering directory `/root/arp-scan'
PASS: check-run1
PASS: check-packet
PASS: check-decode
PASS: check-host-list
make[3]: Entering directory `/root/arp-scan'
make all-am
make[4]: Entering directory `/root/arp-scan'
make[4]: Leaving directory `/root/arp-scan'
make[3]: Leaving directory `/root/arp-scan'
============================================================================
Testsuite summary for arp-scan 1.9.5
============================================================================
# TOTAL: 4
# PASS: 4
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[2]: Leaving directory `/root/arp-scan'
make[1]: Leaving directory `/root/arp-scan'
[root@osc01 arp-scan]# make install
make[1]: Entering directory `/root/arp-scan'
/usr/bin/mkdir -p '/usr/local/bin'
/usr/bin/install -c arp-scan '/usr/local/bin'
/usr/bin/mkdir -p '/usr/local/bin'
/usr/bin/install -c get-oui get-iab arp-fingerprint '/usr/local/bin'
/usr/bin/mkdir -p '/usr/local/share/arp-scan'
/usr/bin/install -c -m 644 ieee-oui.txt ieee-iab.txt mac-vendor.txt '/usr/local/share/arp-scan'
/usr/bin/mkdir -p '/usr/local/share/man/man1'
/usr/bin/install -c -m 644 arp-scan.1 get-oui.1 get-iab.1 arp-fingerprint.1 '/usr/local/share/man/man1'
/usr/bin/mkdir -p '/usr/local/share/man/man5'
/usr/bin/install -c -m 644 mac-vendor.5 '/usr/local/share/man/man5'
make[1]: Leaving directory `/root/arp-scan'
#3. Using arp-scan
Use -I to specify the interface to scan from. By default, the lowest-numbered interface that is up, excluding the loopback interface (e.g. eth0 if eth0/eth1/eth2 exist), is used. To avoid any ambiguity about which interface the scan is running on, it seems better to specify it explicitly.
[root@osc01 arp-scan]# arp-scan -I eth0 10.132.75.0/24
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
10.132.75.65 00:00:0c:9f:f0:01 Cisco Systems, Inc
10.132.75.66 e4:c7:22:61:7a:41 Cisco Systems, Inc
10.132.75.67 e4:c7:22:63:c2:c1 Cisco Systems, Inc
(output omitted)
12 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.958 seconds (130.75 hosts/sec). 12 responded
With -l, the target network is generated automatically from the IP address and subnet mask of the network interface, so the network address and subnet mask do not have to be specified.
[root@osc01 arp-scan]# arp-scan -I eth1 -l
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 32 hosts (https://github.com/royhills/arp-scan)
161.202.86.1 00:00:0c:9f:f0:01 Cisco Systems, Inc
161.202.86.4 06:cd:a1:96:1a:d9 (Unknown)
161.202.86.2 e4:c7:22:63:c1:c1 Cisco Systems, Inc
161.202.86.3 e4:c7:22:61:83:41 Cisco Systems, Inc
(output omitted)
9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 32 hosts scanned in 1.525 seconds (20.98 hosts/sec). 9 responded
Repeating -v (-v -v -v) prints detailed debug output.
[root@osc01 arp-scan]# arp-scan -v -v -v -I eth0 10.132.75.65/29
Interface: eth0, datalink type: EN10MB (Ethernet)
DEBUG: pcap filter string: "ether dst 06:09:40:ca:64:fd and (arp or (ether[14:4]=0xaaaa0300 and ether[20:2]=0x0806) or (ether[12:2]=0x8100 and ether[16:2]=0x0806) or (ether[12:2]=0x8100 and ether[18:4]=0xaaaa0300 and ether[24:2]=0x0806))"
DEBUG: Loaded 22487 IEEE OUI/Vendor entries from ieee-oui.txt.
DEBUG: Loaded 4575 IEEE IAB/Vendor entries from ieee-iab.txt.
DEBUG: Loaded 6 MAC/Vendor entries from mac-vendor.txt.
WARNING: host part of 10.132.75.65/29 is non-zero
DEBUG: pkt len=64 bytes, bandwidth=256000 bps, interval=2000 us
Starting arp-scan 1.9.5 with 8 hosts (https://github.com/royhills/arp-scan)
Host List:
Entry IP Address
1 10.132.75.64
2 10.132.75.65
3 10.132.75.66
4 10.132.75.67
5 10.132.75.68
6 10.132.75.69
7 10.132.75.70
8 10.132.75.71
Total of 8 host entries.
--- Sending packet #1 to host 10.132.75.64 tmo 500000
--- Sending packet #1 to host 10.132.75.65 tmo 500000
--- Sending packet #1 to host 10.132.75.66 tmo 500000
--- Sending packet #1 to host 10.132.75.67 tmo 500000
--- Received packet #1 from 10.132.75.65
10.132.75.65 00:00:0c:9f:f0:01 Cisco Systems, Inc
--- Removing host 10.132.75.65 - Received 60 bytes
--- Sending packet #1 to host 10.132.75.68 tmo 500000
--- Received packet #1 from 10.132.75.66
10.132.75.66 e4:c7:22:61:7a:41 Cisco Systems, Inc
--- Removing host 10.132.75.66 - Received 60 bytes
--- Sending packet #1 to host 10.132.75.69 tmo 500000
--- Received packet #1 from 10.132.75.67
10.132.75.67 e4:c7:22:63:c2:c1 Cisco Systems, Inc
--- Removing host 10.132.75.67 - Received 60 bytes
--- Sending packet #1 to host 10.132.75.70 tmo 500000
--- Sending packet #1 to host 10.132.75.71 tmo 500000
--- Pass 1 complete
--- Sending packet #2 to host 10.132.75.64 tmo 750000
--- Sending packet #2 to host 10.132.75.68 tmo 750000
--- Sending packet #2 to host 10.132.75.69 tmo 750000
--- Sending packet #2 to host 10.132.75.70 tmo 750000
--- Sending packet #2 to host 10.132.75.71 tmo 750000
--- Pass 2 complete
--- Removing host 10.132.75.64 - Timeout
--- Removing host 10.132.75.68 - Timeout
--- Removing host 10.132.75.69 - Timeout
--- Removing host 10.132.75.70 - Timeout
--- Removing host 10.132.75.71 - Timeout
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 8 hosts scanned in 1.466 seconds (5.46 hosts/sec). 3 responded
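The output above is easy to turn into an asset check: parse the result lines (IP, MAC, vendor), split off the OUI, compare each responding host against an inventory of expected MACs, and reproduce how arp-scan expands a CIDR target such as 10.132.75.65/29 into 8 hosts starting at the network address. This is an added example, not code from the page or from the arp-scan project; the sample output and the KNOWN_ASSETS inventory are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: abbreviated arp-scan result lines in the format shown above.
SAMPLE_OUTPUT = """\
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 32 hosts (https://github.com/royhills/arp-scan)
161.202.86.1\t00:00:0c:9f:f0:01\tCisco Systems, Inc
161.202.86.4\t06:cd:a1:96:1a:d9\t(Unknown)
161.202.86.2\te4:c7:22:63:c1:c1\tCisco Systems, Inc
9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 32 hosts scanned in 1.525 seconds (20.98 hosts/sec). 9 responded
"""

# Hypothetical inventory maintained by the network team: MAC -> expected IP.
KNOWN_ASSETS = {
    "00:00:0c:9f:f0:01": "161.202.86.1",
    "e4:c7:22:63:c1:c1": "161.202.86.2",
}

# A result line is "<IPv4> <MAC> <vendor>" separated by tabs.
RESULT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(.*)$")

def parse_arp_scan(text):
    """Return (ip, mac, vendor) tuples from arp-scan result lines; header/footer lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            hosts.append((m.group(1), m.group(2).lower(), m.group(3)))
    return hosts

def oui(mac):
    """The upper three octets of a 48-bit MAC address: the vendor (OUI) part."""
    return mac[:8]

def review_hosts(hosts, known):
    """Classify responding hosts: 'ok', 'moved' (known MAC at an unexpected IP), or 'unknown'."""
    report = {"ok": [], "moved": [], "unknown": []}
    for ip, mac, vendor in hosts:
        if mac not in known:
            report["unknown"].append((ip, mac, vendor, oui(mac)))
        elif known[mac] != ip:
            report["moved"].append((ip, mac, known[mac]))
        else:
            report["ok"].append((ip, mac))
    return report

def scan_targets(cidr):
    """Addresses arp-scan enumerates for a CIDR target: the whole block, network and broadcast included.
    A non-zero host part (the WARNING above) is normalised to the network address."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(a) for a in net]
```

Running review_hosts() on a fresh scan and alerting on the "unknown" and "moved" lists is a cheap way to spot a device that appeared on the segment or changed address since the inventory was last updated.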