Showing posts with label Linux.

How To Get The Needed Information During Footprinting


Hello guys! Let's talk about footprinting today. In this post I'll show you how to find the underlying information and services a site is running. This is useful for collecting data during the information gathering and footprinting process.

From Network:
  • Domain Name
  • IDS
  • Authentication Methods
  • Networking Protocols
  • Internal DNS Information
  • Private Websites
  • VPN Devices
  • TCP & UDP Services Running
  • Network Block
  • IP Addresses of Reachable Computer Systems
From Systems:
  • Passwords
  • Remote System Type
  • User & Group Names
  • System Banners
  • System Names
From Organizations:
  • Addresses & Phone Numbers
  • Background of the Organization
  • Company Directory
  • Location Details
  • Employee Details
  • Organization's other websites
  • Press Releases
  • Security Policies Implemented
How to get that information from other areas:
  1. Search Engines ( Google, Altavista, Metacrawler, Bing, etc. )
  2. WHOIS Records
  3. DNS
  4. Social Networks
  5. Website Mirroring
  6. People Sites
  7. URL Analysis
  8. Job Sites
  9. Financial Web
  10. Alert Websites
  11. Archive Websites ( https://archive.org/web/ )
  12. Google Earth.



How to Find or Scan Hidden Wireless Networks (SSID's) Using Kali Linux

Welcome all, let's see how to scan for hidden wireless networks using Kali Linux. This is performed using airmon-ng, airodump-ng and aireplay-ng. Follow the steps below to unhide the SSIDs.

Requirements:
  • Kali Linux
  • Knowledge on using Kali Linux
  • Wireless Card (TP Link or any other ...)

Let's start the procedure

– Enabling wireless monitoring: airmon-ng

– Finding the APs (access points): airodump-ng

– Wait for an association, or use de-authentication: aireplay-ng

Let's start

– Before beginning, ensure that eth0, lo and wlan0 are up (go to a terminal and run ifconfig).

– Start monitor mode on the wireless interface, run:

airmon-ng start wlan0


– After executing the above command, we should get a new interface mon0 (monitor mode enabled).

– Check that both interfaces are up and running, run:

airmon-ng


– Look for wlan0 and mon0, then run:

airodump-ng mon0

– This lists all the APs that Kali Linux can discover.

– From the output, note the BSSID and ESSID. If there is a hidden SSID, the ESSID will appear like this: <length: 0> [Note its CH (channel) and BSSID].

– Press CTRL+C, then run:

airodump-ng -c 1 mon0

(Here, 1 is the channel you noted. This value may differ.)

– After some time, once a client associates with the AP, you will see <length: 0> change and reveal the SSID name.

– If it takes a long time to reveal the SSID, we can follow the de-auth process by opening a second terminal in Kali Linux.

– Copy the BSSID (MAC) of the AP on channel 1.

# Deauth attack:

aireplay-ng -0 2 -a 00:A1:B2:11:20:13:5T mon0


– This sends de-auth frames to the broadcast address.

airodump-ng -c 1 mon0

– Wait.

– Move to the new terminal:

aireplay-ng -0 2 -a 00:A1:B2:11:20:13:5T mon0

– Finally you will see the SSID in the ESSID column.

Download and Use all Kali Linux Tools[Single Package] On Windows for Pentesting and Hacking - Complete Linux Environment

Running all Pentesting tools on Windows Os

Have you ever wondered about using Kali Linux tools on Windows? Yes, now you can download and plug-and-play all the Kali Linux tools on Windows. The good news is that there is no need to install or remove any drivers specifically for these tools. Here are some of the cool features of PentestBox.

Features :-


  • EASY TO USE

It is a command line utility, which is all you need. You can get to know the commands on tools.pentestbox.com.

  • PERFORMANCE

PentestBox runs directly on the host machine instead of in a virtual machine, so the performance advantage is obvious.

  • PORTABLE

PentestBox is entirely portable, so now you can carry your own Penetration Testing Environment on a USB stick. It will take care of all dependencies and configuration required to run tools.

  • NO DRIVERS ISSUE

Windows already has broad driver support for graphics cards and wireless hardware, so you don't have to worry about driver compatibility issues. For example, you can now use your GPU to crack hashes using Project RainbowCrack, which is not particularly compatible with Linux environments.

  • LESS MEMORY USAGE

PentestBox runs on the host machine without any need for a virtual machine, so it only needs 20 MB for launching, compared to the at least 2 GB of RAM needed for running virtual machine distributions.

  • INBUILT BROWSER

PentestBox contains a version of Mozilla Firefox Browser with nearly all security addons. To know the complete list of addons.

  • CAN BE SHARED ON A NETWORK

Consider an environment where you want to use PentestBox on many computers, like an office, a lab, etc. Instead of installing PentestBox on each and every computer, you can install it on one computer and share that folder as a drive to the other computers on the same network.

  • SIMPLE DESIGN

It is the same green font on a black terminal, but in a modern way.

  • NO DEPENDENCIES NEEDED

All the dependencies required by the tools are inside PentestBox, so you can even run PentestBox on a freshly installed Windows without any hassle.

  • LINUX ENVIRONMENT

PentestBox contains nearly all Linux utilities like bash, cat, chmod, curl, git, gzip, ls, mv, ps, ssh, sh, uname and others. It even contains your favourite text editor, "vim". For the complete list, please look at tools.pentestbox.com/#linux-utilities
Because of this, most of the pentesting tools which were earlier compatible only with Linux work smoothly in PentestBox.

  • MODULAR

In making PentestBox we have included only the best tools, but in that process we have missed some tools which you might want to use. In that case you can easily install those tools using the toolsmanager present inside PentestBox; it can install/update/uninstall tools which are not in PentestBox.

  • LESS DISK USAGE

It is very light on disk as well; it takes less than a third of the space a Linux pentesting distro does.

  • COOL UPDATE FEATURE

It contains an update feature through which you can keep your tools updated. To know more about update feature, please click here.

  • 32-BIT SYSTEM SUPPORTED

Most users aren't concerned about 32-bit support because they normally use 64-bit systems. But this was introduced to turn low-end systems into a pentesting environment. Just to give an idea, I have tested PentestBox on a $200 machine, and it ran very smoothly.
PentestBox is a 2 GB package containing almost all pentest tools for hackers and pentesters.
Download PentestBox from the official site: https://pentestbox.com/#download
See the video below for a demo.


Source: PentestBox.com

How to Crack WPA/WPA2 Password With Reaver Using Kali Linux 2.0

Hello guys, today let's see how to crack a WPA/WPA2 password using Reaver in Kali Linux. This tutorial shows how to crack the password of a network with WPS enabled using Reaver, and a small video tutorial is also available below.

How to perform the attack

It would have been hard to carry out this attack at some point in history, but now it's a breeze. If you have all the conditions met, then hacking the network is as simple as

reaver -i <interface-name> -b <BSSID of target>

And if you're already at home with hacking WEP, then simply go to your Kali Linux terminal and type the above command (replacing what must be replaced). Leave your machine as is, come back ten minutes later, check the progress (it should be at 1% or so), and go take a nap. However, if you are a beginner, then follow along.

Kali Linux

First off, you need to have Kali Linux (or BackTrack) up and running on your machine. Any other Linux distro may work, but you'll have to install Reaver on your own. If you don't have Kali Linux installed, you may want to go to this page, which will get you started on hacking with Kali Linux. (Reaver has a known issue: sometimes it doesn't work with virtual machines, and you may need to do a live boot using a live CD or live USB of Kali Linux. See the last section of this post on troubleshooting by scrolling down a bit.)

Information Gathering

Now you need to find out the following about your target network:

  • Does it have WPS enabled? If not, then the attack won't work.
  • The BSSID of the network.

Now to see whether or not the network has WPS enabled, you can either use wash or simply use the good old airodump-ng. Wash is specifically meant to check whether a network has WPS enabled, and is therefore far easier to use. Here are the steps:

Set your wireless interface in monitor mode:

airmon-ng start wlan0





Use wash (easy, but sometimes unable to find networks even when they have WPS enabled). If any network shows up there, it's WPS enabled.

wash -i mon0

Use airodump-ng. It will show all networks around you and tells you which of them use WPA. You'll have to assume they have WPS, then move to the next steps.

airodump-ng mon0

BSSID of the network: now regardless of what you used, you should have a BSSID column in the result that you get. Copy the BSSID of the network you wish to hack. That is all the data you need.

So by now you should have something like XX:XX:XX:XX:XX:XX, which is the BSSID of your target network. Keep this copied, as you'll need it.

Reaver

Now finally we are going to use Reaver to get the password of the WPA/WPA2 network. Reaver makes hacking very simple, and all you need to do is enter:

reaver -i mon0 -b XX:XX:XX:XX:XX:XX

Explanation: -i is the interface used. Remember creating the monitor interface mon0 using airmon-ng start wlan0; this is what we are using. -b specifies the BSSID of the network that we found earlier.

This is all the information that Reaver needs to start. However, Reaver comes with several advanced options, and a few are suggested by me. Most importantly, you should use the -vv option, which increases the verbosity of the tool. Basically, it writes everything that's going on to the terminal. This helps you see what's happening, track the progress, and if required, do some troubleshooting. So the final command should be:

reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv


After some hours, you'll see something like this. The PIN in this case was deliberately 12345670, so it was cracked in three seconds.



See the video below for a better understanding:

Or see it on YouTube

Top 8 Kali Linux Compatible WiFi Cards and Adapters for Wireless Packet Capturing

Kali Linux Compatible Wireless Adapters

When you install Kali Linux on your PC, you typically do that using VMware Workstation/Player or VirtualBox. For example, you use your laptop and when you want to connect to your wireless network using the laptop's built-in wireless card, you get a problem, because Kali Linux will not recognize it and does not show any wireless network card.

Kali Linux will work only with a few wireless cards. Do not try to use a bridged connection or something like that; even if you found a "solution" on the net, it will not work.
If you're planning only to connect to a wireless network and do not want to use any wireless tools from Kali or enable "monitor mode", then you can dual boot your PC and use the laptop's built-in wireless card. I am not sure, but if you are trying to create a bootable Kali USB flash drive or DVD, maybe the built-in driver works again.
If you want to enable "monitor mode" then you really need an external USB wireless adapter.

Here I will show the list of USB wireless adapters/cards compatible with older Kali Linux versions and with Kali Sana too.

If you're still using BackTrack (but really, why would you want to use BackTrack anymore?) then these adapters will work for you too.


1. Alfa AWUS036NHA

Chipset: Atheros AR9271

2. Alfa AWUS051NH

Chipset: RT3572

3. TP-LINK TL-WN722N

Chipset: Atheros AR9271

4. Alfa AWUS036H

Chipset: Realtek 8187

5. Alfa AWUS036NH

Chipset: RT3070

6. Panda PAU05

Chipset: RT3070

7. Alfa AWUS036NHR v2

Chipset: Realtek RTL8188RU

8. Alfa AWUS036NEH

Chipset: Realtek RT3070

How to Setup Angry IP Scanner in Kali Linux

Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It is a very fast IP address and port scanner. It can scan IP addresses in any range as well as any of their ports. It is cross-platform and lightweight. Not requiring any installation, it can be freely copied and used anywhere.

Angry IP Scanner simply pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc. The amount of data gathered about each host can be extended with plugins.

It also has additional features, like NetBIOS information (computer name, workgroup name, and currently logged-in Windows user), favorite IP address ranges, web server detection, customizable openers, etc.

Scanning results can be saved to CSV, TXT, XML or IP-Port list files. With the help of plugins, Angry IP Scanner can gather any information about scanned IPs. Anybody who can write Java code is able to write plugins and extend the functionality of Angry IP Scanner.


It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies.

It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well.

Install Angry IP Scanner on Kali Linux

For Linux we can download a .deb package. Kali Linux is a Debian-based distribution, so we can simply install the downloaded .deb package on Kali Linux. Use the following link to download the .deb file:

http://angryip.org/w/Download

You will see something like this:

Download version 3.4 below, or browse previous releases or even older releases.

DEB Package for Ubuntu/Debian/Mint, 64-bit
RPM Package for Fedora/RedHat/Mageia/openSUSE, 64-bit
DEB Package for Ubuntu/Debian/Mint, 32-bit
RPM Package for Fedora/RedHat/Mageia/openSUSE, 32-bit

Download the DEB package for Ubuntu/Debian/Mint; depending on your Kali installation, choose either the 32-bit or the 64-bit package. I'm currently using a very old laptop that doesn't even support 64-bit, so I'll download the 32-bit .deb file and install that. In your case, you're likely running a more modern version or a virtual environment, so adjust the filename as needed.

Install .deb package using dpkg

Install the downloaded .deb package using the following command.


root@kali:~/Downloads# dpkg -i ipscan_3.4_i386.deb 
Selecting previously unselected package ipscan.
(Reading database ... 383693 files and directories currently installed.)
Preparing to unpack ipscan_3.4_i386.deb ...
Unpacking ipscan (3.4-1) ...
Setting up ipscan (3.4-1) ...
Processing triggers for gnome-menus (3.13.3-6) ...
Processing triggers for desktop-file-utils (0.22-1) ...
Processing triggers for mime-support (3.58) ...
root@kali:~/Downloads#

Now run the application from App menu.


Angry IP Scanner


How to Disconnect any person from Internet using Kali Linux

I'm going to teach you how to kick that annoying roommate off the internet. I'll be using wlan0 because that's my wireless interface, but use yours.

1. Airmon-Ng

Open up a terminal and type airmon-ng start wlan0 (or eth0 if you're using LAN). (Sometimes you may need to type airmon-ng check kill.)


How to remove anyone from using Internet


2. Airodump-Ng

Next type airodump-ng wlan0, then find your network and copy its BSSID, then type airodump-ng --bssid (your bssid) wlan0. It will show your victim's MAC.




3. Aireplay-Ng

Now if you know their IP address you do not need to use airodump-ng.

If you know their IP address you can type aireplay-ng --deauth 0 -a (network's bssid) -k (their IP address).

If you're going to use their MAC address, type aireplay-ng --deauth 0 -a (network's bssid) -c (their MAC address).

The 0 in --deauth 0 means keep deauthenticating them until you stop it with CTRL+C.
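Both this post and the hidden-SSID post above rely on 802.11 deauthentication frames. The counterpart a network defender wants is to notice when this is happening. The following is an added example, not code from either post: it parses raw 802.11 management frames (as a monitor-mode capture or a wireless IDS would hand them over) and flags any BSSID that sees a burst of deauth/disassoc frames, something a legitimate AP almost never does in bulk, let alone to the broadcast address. The sample capture, the MAC addresses, the time window and the threshold are constructed assumptions.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_DEAUTH = (0, 12)    # 802.11 type 0 (management), subtype 12 (deauthentication)
MGMT_DISASSOC = (0, 10)  # type 0, subtype 10 (disassociation)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Parse the 24-byte 802.11 MAC header; for deauth/disassoc also read the reason code."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 management header")
    fc0, _fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    kind = ((fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF)   # (type, subtype) from frame control
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    info = {
        "type_subtype": kind,
        "dst": _mac(frame[4:10]),     # address 1: receiver
        "src": _mac(frame[10:16]),    # address 2: transmitter
        "bssid": _mac(frame[16:22]),  # address 3: BSSID
        "seq": seq_ctrl >> 4,         # upper 12 bits hold the sequence number
        "reason": None,
    }
    if kind in (MGMT_DEAUTH, MGMT_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def find_deauth_floods(capture, window_s: float = 10.0, threshold: int = 10) -> dict:
    """capture: iterable of (timestamp_seconds, raw_frame_bytes).
    For every BSSID whose deauth/disassoc count inside some sliding window reaches the
    threshold, report the peak count, whether broadcast deauths were seen, and reason codes."""
    per_bssid = defaultdict(list)
    for ts, raw in capture:
        hdr = parse_80211_header(raw)
        if hdr["type_subtype"] in (MGMT_DEAUTH, MGMT_DISASSOC):
            per_bssid[hdr["bssid"]].append((ts, hdr))

    alerts = {}
    for bssid, events in per_bssid.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for end in range(len(events)):          # two-pointer sliding window
            while events[end][0] - events[start][0] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            reasons = defaultdict(int)
            for _, h in events:
                reasons[h["reason"]] += 1
            alerts[bssid] = {
                "max_in_window": peak,
                "broadcast": any(h["dst"] == BROADCAST for _, h in events),
                "reasons": dict(reasons),
            }
    return alerts


# --- constructed sample capture (assumed addresses, not from any real network) ---
def _mgmt_frame(subtype: int, dst: str, src: str, bssid: str, seq: int, reason: int) -> bytes:
    """Pack a management frame in memory for the sample capture below; nothing is transmitted."""
    fc0 = (subtype << 4) | (0 << 2)              # management type, given subtype
    hdr = struct.pack("<BBH", fc0, 0, 0x013A)     # frame control + duration
    for mac in (dst, src, bssid):
        hdr += bytes.fromhex(mac.replace(":", ""))
    return hdr + struct.pack("<H", seq << 4) + struct.pack("<H", reason)


AP_HOME = "00:11:22:33:44:55"    # assumed BSSID of the AP we are monitoring
AP_OTHER = "00:11:22:33:44:66"   # assumed BSSID of a neighbouring AP
CLIENT = "66:77:88:99:aa:bb"     # assumed client MAC

SAMPLE_CAPTURE = (
    # one legitimate unicast deauth: the neighbouring AP dropping a client (reason 3)
    [(0.0, _mgmt_frame(12, CLIENT, AP_OTHER, AP_OTHER, 1, 3))]
    # 40 broadcast deauths within two seconds on the monitored AP: the flood pattern
    + [(5.0 + i * 0.05, _mgmt_frame(12, BROADCAST, AP_HOME, AP_HOME, 100 + i, 7))
       for i in range(40)]
)

if __name__ == "__main__":
    for bssid, a in find_deauth_floods(SAMPLE_CAPTURE).items():
        print(f"ALERT {bssid}: {a['max_in_window']} deauth/disassoc frames in a 10s window, "
              f"broadcast={a['broadcast']}, reasons={a['reasons']}")
```

The single unicast deauth from the neighbouring AP stays below the threshold and is not reported; only the monitored AP, which saw 40 broadcast deauths in two seconds, produces an alert. In a real deployment the frames would come from a monitor-mode capture and the threshold would be tuned to the site's normal roaming churn.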

How To Spoof Caller Id Using Metasploit (Kali Linux) - VoIP Pentesting

Today we will learn how to conduct penetration testing of VoIP (Voice over IP) against a Private Branch Exchange, as it's a must to perform pen tests for all types of attacks. For a VoIP security assessment, the most important pen test is Caller ID Spoofing, and how attackers spoof caller ID to make fake calls on behalf of someone else without disclosing their own information. Before starting the pen test we have to understand what Caller ID Spoofing is: Caller ID spoofing is a type of attack where a malicious attacker impersonates a legitimate SIP user to call other legitimate users on the voice network. So let's learn how attackers spoof caller ID. Penetration testing of Caller ID Spoofing will require certain prerequisites to perform a complete VoIP pen test.

Requirements for Caller ID Spoofing Pen test:


Metasploit - Introduction to using Metasploit in Kali Linux

Viproy

InviteFlood


Now consider an attack scenario where a malicious attacker calls some customer pretending to be the CEO of some organization and wishes to verify some information from the customer, or wants to transfer some amount to the customer's account, like the spam emails of huge money transfers and lottery winnings we all see. The attacker changes the header of the SIP INVITE request in order to spoof the caller ID to the CEO's. The customer accepts the call as the caller ID seems to be the CEO's, which is considered trusted, and starts the phone conversation with the attacker.


Spoof Caller ID

The crafted malformed SIP INVITE message can be seen below:

Spoofed Caller ID header packet

Now let's see how this type of attack can be conducted with the use of various tools.


Penetration testing of VoIP using Viproy for Caller ID Spoofing:

Now let's see how we can use the Viproy tool for VoIP penetration tests. Viproy is a penetration testing toolkit for VoIP assessments and it works with the Metasploit framework. There is a specific module that can be used for Caller ID spoofing, and in the image below you can see the configuration of the module:

Penetration testing of VoIP using Viproy: spoofed Caller ID

This will cause the phone device to ring with the custom message of our choice, even from phone extensions that are not valid.

Penetration testing of VoIP using InviteFlood for Spoofing Caller ID:

There is another tool for spoofing caller IDs known as InviteFlood. InviteFlood is part of Kali Linux.

The main purpose of inviteflood is DoS (Denial of Service) attacks against SIP devices by sending multiple INVITE requests, but it can accommodate our need to spoof our ID with the following command:

Caller ID Spoofing with Inviteflood

Penetration testing of VoIP using Metasploit for Spoofing Caller ID:

The Metasploit framework contains an existing module which can send a fake SIP INVITE message to an existing extension, which can be used for spoofing the Caller ID:

Using Metasploit for Invite Spoof

The device will ring showing the caller ID as "The Metasploit has you".

In order for the attack to be successful, the Private Branch Exchange needs to allow anonymous inbound SIP calls. It is very easy to implement, even for people with limited knowledge about VoIP and hacking. That's why system owners need to ensure that their Private Branch Exchange prevents anonymous inbound calls from reaching their legitimate users, in order to mitigate the risk of this attack.
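The mitigation stated above (no anonymous inbound INVITEs) can be made concrete at the PBX edge. The following is an added example, not code from the post or from any PBX product: it parses a SIP INVITE, then applies a screening policy under which an INVITE from a source that is neither a registered endpoint nor a trusted trunk is rejected, a registered endpoint may only claim its own extension in the From header, and the caller ID shown to the callee comes from the PBX directory rather than from the From display name. The INVITE, the registration table, the trunk address and the directory are constructed assumptions.

```python
import re

# matches the user and host of a sip:/sips: URI inside a From/To header value
URI_RE = re.compile(r"sips?:([^@>;]+)@([^>;]+)")


def parse_sip_request(raw: str) -> dict:
    """Split a SIP request into request line, headers (names lower-cased) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers, "body": body}


def uri_user_host(header_value: str):
    """Return (user, host) from a header value such as '"CEO" <sip:1000@pbx>;tag=1'."""
    m = URI_RE.search(header_value)
    return (m.group(1), m.group(2)) if m else (None, None)


def screen_invite(invite: dict, source_ip: str, registrations: dict,
                  trusted_trunks: set, directory: dict) -> dict:
    """Inbound-call policy for a PBX edge (assumed policy, not any vendor's):
    - unknown source (not a registered endpoint, not a trusted trunk) -> reject;
    - registered endpoint claiming a From user other than its own extension -> reject;
    - accepted internal calls present the directory name, never the From display name."""
    if invite["method"] != "INVITE":
        return {"accept": False, "status": "405 Method Not Allowed", "caller_id": None}
    from_user, _from_host = uri_user_host(invite["headers"].get("from", ""))
    if source_ip in trusted_trunks:
        # external trunk: pass the number through, but never the display name
        return {"accept": True, "status": "trusted trunk", "caller_id": from_user}
    extension = registrations.get(source_ip)
    if extension is None:
        return {"accept": False, "status": "403 Forbidden (anonymous inbound INVITE)",
                "caller_id": None}
    if from_user != extension:
        return {"accept": False,
                "status": f"403 Forbidden (From claims {from_user}, endpoint registered as {extension})",
                "caller_id": None}
    name = directory.get(extension, "Unknown")
    return {"accept": True, "status": "accepted", "caller_id": f"{name} <{extension}>"}


# --- constructed sample data (assumed values) ---
SPOOFED_INVITE = (
    "INVITE sip:2001@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.99:5060;branch=z9hG4bK776\r\n"
    "From: \"CEO\" <sip:1000@pbx.example.test>;tag=1928\r\n"   # claims the CEO's extension
    "To: <sip:2001@pbx.example.test>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:1000@10.0.0.99>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
REGISTRATIONS = {"10.0.0.10": "1000", "10.0.0.50": "1005"}   # endpoint IP -> extension
TRUSTED_TRUNKS = {"203.0.113.7"}                              # provider trunk
DIRECTORY = {"1000": "Alice (CEO office)", "1005": "Bob"}


def screen_sample(source_ip: str) -> dict:
    """Run the spoofed INVITE through the policy as if it arrived from source_ip."""
    return screen_invite(parse_sip_request(SPOOFED_INVITE), source_ip,
                         REGISTRATIONS, TRUSTED_TRUNKS, DIRECTORY)


if __name__ == "__main__":
    for src in ("10.0.0.99", "10.0.0.50", "10.0.0.10"):
        print(src, screen_sample(src))
```

The same INVITE is rejected as anonymous when it arrives from an unregistered address, rejected as a mismatch when a registered endpoint (Bob's) claims extension 1000, and accepted only from the address actually registered as 1000, where the callee sees the directory entry rather than whatever display name the caller typed.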

Credits: Picateshackz, Metasploit Docs

Keep sharing. Happy hacking!!
          How To Find Hidden Devices In Your Network Using ARP Scan In Kali Linux


The Address Resolution Protocol uses a simple message format containing one address resolution request or response. The size of the ARP message depends on the upper-layer and lower-layer address sizes, which are given by the type of networking protocol (usually IPv4) in use and the type of hardware or virtual link layer that the upper-layer protocol is running on. The message header specifies these types, as well as the size of addresses of each. The message header is completed with the operation code for request (1) and reply (2). The payload of the packet consists of four addresses: the hardware and protocol addresses of the sender and receiver hosts.
The principal packet structure of ARP packets is shown in the following table, which illustrates the case of IPv4 networks running on Ethernet. In this scenario, the packet has 48-bit fields for the sender hardware address (SHA) and target hardware address (THA), and 32-bit fields for the corresponding sender and target protocol addresses (SPA and TPA). Thus, the ARP packet size in this case is 28 bytes. The EtherType for ARP is 0x0806. (This appears in the Ethernet frame header when the payload is an ARP packet. It is not to be confused with PTYPE below, which appears within the encapsulated ARP packet.)
If you have a device that is on the same network but does not respond to any requests such as ping, HTTP, HTTPS etc., this may be intentional: for example, a Check Point firewall doesn't respond to anything by design. Similarly a Cisco ASA, router or BIG-IP F5 might not respond to any requests, as they are designed to be silent. In those cases, using arp-scan to scan for MAC addresses is a quick way to find those devices.

          arp-scan

          The ARP Scan Tool (also called ARP Sweep or MAC Scanner) is a very fast ARP packet scanner that shows every active IPv4 device on your Subnet. Since ARP is non-routable, this type of scanner only works on the local LAN (local subnet or network segment).
          The ARP Scan Tool shows all active devices even if they have firewalls. Devices cannot hide from ARP packets like they can hide from Ping. To find active IP addresses outside your subnet, use the Ping Scan Tool (a Ping Sweep tool AKA NetScanner).

          Install arp-scan

Binary packages are available for the following operating systems:
1. Debian Linux: arp-scan is part of the standard Debian distribution on Lenny and later.
2. Ubuntu Linux: arp-scan is available from gutsy (7.10) in universe.
3. Fedora: arp-scan is available for Fedora 6 and later.
4. RedHat Enterprise Linux: arp-scan is available for RedHat EL 5 and later.
5. Gentoo Linux.
6. FreeBSD: arp-scan is available from the FreeBSD ports collection.
7. OpenBSD: arp-scan is available as an OpenBSD package.

Installation is usually as simple as shown below for Debian or Ubuntu-like distributions:

root@debian:~# apt-get install arp-scan
(or)
user@ubuntu:~$ sudo apt-get install arp-scan

Kali Linux, being the awesome pentest distro it is, has it pre-installed.

          Use arp-scan to find hidden devices

          arp-scan can be used to discover IP hosts on the local network. It can discover all hosts, including those that block all IP traffic such as firewalls and systems with ingress filters.
          arp-scan works on Ethernet and 802.11 wireless networks. It may also work with token ring and FDDI, but they have not been tested. It does not support serial links such as PPP or SLIP, because ARP is not supported on them. You will need to be root, or arp-scan must be SUID root, in order to run arp-scan, because the functions that it uses to read and write Ethernet packets require root privilege.

          Discovering all hosts on the local network

          If the system you are testing from has an address on the network you wish to scan, the simplest way to scan it is with a command similar to:
          root@kali:~# arp-scan --interface=eth0 --localnet
          (or)
          user@ubuntu:~$ sudo arp-scan --interface=eth0 --localnet
          Here, --interface=eth0 represents the interface to use for scanning, and --localnet makes arp-scan scan all possible IP addresses on the network connected to this interface, as defined by the interface IP address and netmask. You can omit the --interface option, in which case arp-scan will search the system interface list for the lowest numbered, configured up interface (excluding loopback).
          The network interface name depends on the operating system you are using, the network type (Ethernet, Wireless Etc), and for some operating systems on the interface card type as well. In this document, the interface name eth0 is used for examples except where a different network type is being discussed.
          All arp-scan options have both a long form like --interface=eth0 and a corresponding short form like -I eth0.
          I’ve used the long form in this document for clarity. I’ve also used wlan0 in the following example and I am on a Wireless network.
          root@kali:~# arp-scan --interface=wlan0 --localnet
          Interface: wlan0, datalink type: EN10MB (Ethernet)
          Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
          10.0.1.3 0b:1a:a0:c2:94:c0 Dell Inc
          10.0.1.57 0b:0c:29:34:f9:6a VMware, Inc.
          10.0.1.69 d4:85:64:63:b7:48 Hewlett-Packard Company
          10.0.1.70 0b:0c:29:6d:92:b5 VMware, Inc.
          10.0.1.27 c4:e9:84:0e:c1:12 (Unknown)
          10.0.1.148 28:80:23:ac:dd:c2 (Unknown)
          10.0.1.150 0b:50:56:b1:80:db VMware, Inc.
          10.0.1.151 0b:50:56:b1:dc:a7 VMware, Inc.
          10.0.1.195 18:a9:05:4b:61:58 Hewlett-Packard Company
          10.0.1.198 ae:95:9a:69:f7:6c (Unknown)
          10.0.1.199 1e:a8:82:10:66:4a (Unknown)
          10.0.1.213 0b:50:56:b1:fd:62 VMware, Inc.
          10.0.1.213 0b:50:56:b1:2b:08 VMware, Inc. (DUP: 2)
          10.0.1.213 0b:50:56:b1:f3:b7 VMware, Inc. (DUP: 3)
          10.0.1.213 0b:50:56:b1:f3:2b VMware, Inc. (DUP: 4)
          10.0.1.213 0b:50:56:b1:8f:5a VMware, Inc. (DUP: 5)
          10.0.1.240 0b:22:55:cb:59:81 CISCO SYSTEMS, INC.
          10.0.1.242 3c:a8:2a:0f:d3:d2 (Unknown)
          10.0.1.241 0b:25:84:69:6f:c0 CISCO SYSTEMS, INC.
          10.0.1.243 3c:a8:2a:0e:c5:78 (Unknown)
          10.0.1.244 0b:0c:29:4e:54:38 VMware, Inc.
          10.0.1.250 0b:1b:54:97:68:8c CISCO SYSTEMS, INC.
          10.0.1.252 0b:21:d8:70:e4:4b CISCO SYSTEMS, INC.
          10.0.1.253 0b:19:55:9d:60:c1 CISCO SYSTEMS, INC.
          10.0.1.145 bc:ea:fa:6f:ec:d2 (Unknown)
          10.0.1.77 98:fc:11:ab:65:b9 Cisco-Linksys, LLC
          10.0.1.178 48:5a:3f:12:d9:df WISOL
          10.0.1.167 f0:25:b7:3e:a1:b1 (Unknown)
          10.0.1.182 60:57:18:71:c5:a5 Intel Corporate

          29 packets received by filter, 0 packets dropped by kernel
          Ending arp-scan 1.9: 256 hosts scanned in 2.259 seconds (113.32 hosts/sec). 29 responded
          root@kali:~#
So in the above example arp-scan was used to scan the network of the device wlan0, and it discovered 29 alive nodes apart from the localhost machine. The option --localnet makes arp-scan scan the local network.
          Here is an example showing arp-scan being run against the network 10.0.1.0/24:
          root@kali:~# arp-scan --interface=wlan0 10.0.1.0/24
          (or)
          user@ubuntu:~$ sudo arp-scan --interface=wlan0 10.0.1.0/24
          Interface: wlan0, datalink type: EN10MB (Ethernet)
          Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
          10.0.1.3 0b:1a:a0:c2:94:c0 Dell Inc
          10.0.1.57 0b:0c:29:34:f9:6a VMware, Inc.
          10.0.1.69 d4:85:64:63:b7:48 Hewlett-Packard Company
          10.0.1.70 0b:0c:29:6d:92:b5 VMware, Inc.
          10.0.1.41 ac:7b:a1:c6:14:e3 Intel Corporate
          10.0.1.27 c4:e9:84:0e:c1:12 (Unknown)
          10.0.1.145 bc:ea:fa:6f:ec:d2 (Unknown)
          10.0.1.148 28:80:23:ac:dd:c2 (Unknown)
          10.0.1.150 0b:50:56:b1:80:db VMware, Inc.
          10.0.1.151 0b:50:56:b1:dc:a7 VMware, Inc.
          10.0.1.195 18:a9:05:4b:61:58 Hewlett-Packard Company
          10.0.1.198 ae:95:9a:69:f7:6c (Unknown)
          10.0.1.199 1e:a8:82:10:66:4a (Unknown)
          10.0.1.213 0b:50:56:b1:fd:62 VMware, Inc.
          10.0.1.213 0b:50:56:b1:f3:b7 VMware, Inc. (DUP: 2)
          10.0.1.213 0b:50:56:b1:8f:5a VMware, Inc. (DUP: 3)
          10.0.1.213 0b:50:56:b1:2b:08 VMware, Inc. (DUP: 4)
          10.0.1.213 0b:50:56:b1:f3:2b VMware, Inc. (DUP: 5)
          10.0.1.240 0b:22:55:cb:59:81 CISCO SYSTEMS, INC.
          10.0.1.241 0b:25:84:69:6f:c0 CISCO SYSTEMS, INC.
          10.0.1.242 3c:a8:2a:0f:d3:d2 (Unknown)
          10.0.1.243 3c:a8:2a:0e:c5:78 (Unknown)
          10.0.1.244 0b:0c:29:4e:54:38 VMware, Inc.
          10.0.1.250 0b:1b:54:97:68:8c CISCO SYSTEMS, INC.
          10.0.1.252 0b:21:d8:70:e4:4b CISCO SYSTEMS, INC.
          10.0.1.253 0b:19:55:9d:60:c1 CISCO SYSTEMS, INC.
          10.0.1.77 98:fc:11:ab:65:b9 Cisco-Linksys, LLC
          10.0.1.182 60:57:18:71:c5:a5 Intel Corporate
          10.0.1.178 48:5a:3f:12:d9:df WISOL
          10.0.1.174 84:7a:88:5c:a0:90 HTC Corporation
          10.0.1.173 84:7a:88:30:5e:32 HTC Corporation

          31 packets received by filter, 0 packets dropped by kernel
          Ending arp-scan 1.9: 256 hosts scanned in 2.221 seconds (115.26 hosts/sec). 31 responded
          root@kali:~#
          Now I’ve found 31 hosts that responded to this new sweep, so those two are my hidden servers.
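The two sweeps above differ by a handful of hosts, and the post finds them by eye. As an added example (not part of the original post), the script below parses arp-scan's text output and compares a baseline sweep against a later one, listing newly seen and vanished IP/MAC pairs and any IP answering from more than one MAC (the DUP entries). The sample outputs are constructed from a subset of the post's own lines; a defender would keep the baseline from a known-good sweep and run the comparison on a schedule.

```python
import re

# one host line of arp-scan output: "<ip> <mac> <vendor> [(DUP: n)]"
ARP_SCAN_LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(.*?)(?:\s+\(DUP: (\d+)\))?$"
)


def parse_arp_scan(output: str) -> dict:
    """Return {ip: [(mac, vendor), ...]}; an IP with several MACs is a DUP entry."""
    hosts = {}
    for line in output.splitlines():
        m = ARP_SCAN_LINE.match(line.strip())
        if not m:
            continue  # banner, summary and prompt lines
        ip, mac, vendor, _dup = m.groups()
        hosts.setdefault(ip, []).append((mac, vendor.strip()))
    return hosts


def compare_sweeps(baseline: dict, current: dict) -> dict:
    """Diff two parsed sweeps by (ip, mac) pair and flag IPs with more than one MAC."""
    base_pairs = {(ip, mac) for ip, seen in baseline.items() for mac, _ in seen}
    cur_pairs = {(ip, mac) for ip, seen in current.items() for mac, _ in seen}
    return {
        "new": sorted(cur_pairs - base_pairs),
        "missing": sorted(base_pairs - cur_pairs),
        "multi_mac": sorted(ip for ip, seen in current.items() if len(seen) > 1),
    }


# --- constructed sample sweeps (subset of the post's output) ---
BASELINE_SWEEP = """\
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.1.3 0b:1a:a0:c2:94:c0 Dell Inc
10.0.1.27 c4:e9:84:0e:c1:12 (Unknown)
10.0.1.213 0b:50:56:b1:fd:62 VMware, Inc.
10.0.1.213 0b:50:56:b1:2b:08 VMware, Inc. (DUP: 2)
10.0.1.240 0b:22:55:cb:59:81 CISCO SYSTEMS, INC.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.259 seconds (113.32 hosts/sec). 5 responded
"""

CURRENT_SWEEP = """\
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.1.3 0b:1a:a0:c2:94:c0 Dell Inc
10.0.1.41 ac:7b:a1:c6:14:e3 Intel Corporate
10.0.1.213 0b:50:56:b1:fd:62 VMware, Inc.
10.0.1.213 0b:50:56:b1:2b:08 VMware, Inc. (DUP: 2)
10.0.1.240 0b:22:55:cb:59:81 CISCO SYSTEMS, INC.
10.0.1.174 84:7a:88:5c:a0:90 HTC Corporation
10.0.1.173 84:7a:88:30:5e:32 HTC Corporation

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.221 seconds (115.26 hosts/sec). 7 responded
"""


def sample_diff() -> dict:
    return compare_sweeps(parse_arp_scan(BASELINE_SWEEP), parse_arp_scan(CURRENT_SWEEP))


if __name__ == "__main__":
    for key, items in sample_diff().items():
        print(f"{key}: {items}")
```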

          Using an interface without an IP address

You can still use arp-scan even if the interface does not have an IP address. If you use arp-scan in this way, it will use the IP address 0.0.0.0 for the arpsha field in the ARP packet unless you specify the IP address to use with the --arpsha option.
          Some operating systems will only respond to ARP requests if the IP address specified in the arpsha field is plausible. The exact rules vary between operating systems, but the most common is that the address in arpsha must be within the IP network of the interface that the ARP request is received on. This is explored further in the fingerprinting section.

          ARP spoofing and Proxy ARP

          Because ARP does not provide methods for authenticating ARP replies on a network, ARP replies can come from systems other than the one with the required Layer 2 address. An ARP proxy is a system which answers the ARP request on behalf of another system for which it will forward traffic, normally as a part of the network’s design, such as for a dialup internet service. By contrast, in ARP spoofing the answering system, or spoofer, replies to a request for another system’s address with the aim of intercepting data bound for that system. A malicious user may use ARP spoofing to perform a man-in-the-middle or denial-of-service attack on other users on the network. Various software exists to both detect and perform ARP spoofing attacks, though ARP itself does not provide any methods of protection from such attacks.
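The ARP packet layout described at the top of this post and the spoofing problem described here can be illustrated together. The following is an added example, not code from the post or from arp-scan: it parses an Ethernet frame carrying an IPv4-over-Ethernet ARP packet using the field sizes given above (EtherType 0x0806, 48-bit SHA/THA, 32-bit SPA/TPA, 28-byte payload), then audits a sequence of such frames the way a passive ARP monitor would, reporting replies that no request asked for, an IP whose MAC silently changed, and frames whose Ethernet source differs from the ARP sender address. The frames and MAC addresses are constructed assumptions (the MACs are borrowed from the post's scan output), built in memory and never transmitted.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame whose payload is an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for an Ethernet header plus a 28-byte ARP packet")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet (HTYPE 1) / IPv4 (PTYPE 0x0800) ARP is handled here")
    return {
        "eth_dst": _mac(frame[0:6]),
        "eth_src": _mac(frame[6:12]),
        "oper": oper,                    # 1 = request, 2 = reply
        "sha": _mac(frame[22:28]),       # sender hardware address (48 bits)
        "spa": _ip(frame[28:32]),        # sender protocol address (32 bits)
        "tha": _mac(frame[32:38]),       # target hardware address
        "tpa": _ip(frame[38:42]),        # target protocol address
    }


def audit_arp_stream(frames) -> tuple:
    """Learn IP->MAC bindings like a host's ARP cache, but also record what a cache silently
    accepts: unsolicited replies (including gratuitous ones), an IP changing MAC, and a
    mismatch between the Ethernet source and the ARP sender address. Returns (table, anomalies)."""
    table, pending, anomalies = {}, set(), []
    for frame in frames:
        p = parse_arp_frame(frame)
        if p["eth_src"] != p["sha"]:
            anomalies.append(("eth-sha-mismatch", p["spa"], p["eth_src"], p["sha"]))
        if p["oper"] == ARP_REQUEST:
            pending.add(p["tpa"])                 # someone asked who has tpa
        elif p["oper"] == ARP_REPLY:
            if p["spa"] in pending:
                pending.discard(p["spa"])
            else:
                anomalies.append(("unsolicited-reply", p["spa"], p["sha"]))
        previous = table.get(p["spa"])
        if previous is not None and previous != p["sha"]:
            anomalies.append(("ip-mac-changed", p["spa"], previous, p["sha"]))
        table[p["spa"]] = p["sha"]
    return table, anomalies


# --- constructed sample frames (assumed addresses) ---
def _arp_frame(oper, sha, spa, tha, tpa, eth_dst) -> bytes:
    """Pack Ethernet header + ARP packet in memory for the sample below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return (mac(eth_dst) + mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


HOST = "0b:1a:a0:c2:94:c0"      # assumed workstation MAC
GATEWAY = "0b:22:55:cb:59:81"   # assumed real gateway MAC
ROGUE = "de:ad:be:ef:00:01"     # assumed MAC of a host claiming the gateway's IP

SAMPLE_FRAMES = [
    # workstation asks who has 10.0.1.1 (broadcast, target hardware address zeroed)
    _arp_frame(ARP_REQUEST, HOST, "10.0.1.3", "00:00:00:00:00:00", "10.0.1.1", "ff:ff:ff:ff:ff:ff"),
    # the gateway answers
    _arp_frame(ARP_REPLY, GATEWAY, "10.0.1.1", HOST, "10.0.1.3", HOST),
    # later, an unrequested reply binds 10.0.1.1 to a different MAC
    _arp_frame(ARP_REPLY, ROGUE, "10.0.1.1", HOST, "10.0.1.3", HOST),
]

if __name__ == "__main__":
    table, anomalies = audit_arp_stream(SAMPLE_FRAMES)
    print("learned:", table)
    for a in anomalies:
        print("anomaly:", a)
```

The third frame is exactly what a plain ARP cache accepts without complaint; the audit reports it twice, once as an unsolicited reply and once as a binding change for 10.0.1.1, which is the signal an ARP monitor (or the DUP entries in an arp-scan sweep) gives a defender.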
          Conclusion
arp-scan is a simple yet very powerful tool. Those of you who are familiar with Cisco routers and switches, Check Point firewalls and BIG-IP F5 know too well that sometimes the only way to find a device is by using an ARP response. Once you've found the MAC address, you can find more info about that device by matching that MAC address to its vendor. It is important for a penetration tester to understand ARP/MAC responses, and they are used heavily for arpspoof and man-in-the-middle attacks. It also helps in cases when someone is spoofing an IP address and DoS-ing your server. You can, however, spoof a MAC address easily to evade tracing.
          All in all, it’s a useful tool and you should try the commands shown above. It will help someday when you are scratching your head in the middle of a service outage!
          Thanks for reading, Keep sharing!!
