By: Doug Bonderud
September 29, 2020
Why Use ARP Scan
Knowledge is Power: The ARP-Scan Advantage
Hackers are hiding in plain sight. As noted by HelpNetSecurity, hidden applications were responsible for almost half of all malicious activity last year, and attackers continue to develop new ways for these apps to avoid detection on corporate networks.
There's an even bigger problem on the horizon: Devices. Most users now own multiple devices, including smartphones, tablets, and traditional desktop computers. If these devices are compromised, they can be used to infiltrate enterprise systems. And by leveraging widely available toolkits, hackers can create persistent backdoors for these devices, allowing them to stay connected — and undetected — even as IT teams ramp up security efforts.
The ARP-Scan network discovery tool is designed to locate and identify devices across enterprise networks, even if those devices don't want to be found. Equipped with ARP-scan knowledge, IT pros gain the advantage over malicious actors. Here's what you need to know about ARP, how it works, why it matters, and where it fits your cybersecurity career.
What is ARP?
ARP stands for "Address Resolution Protocol" and is used to map Internet Protocol (IP) addresses, which are assigned dynamically, to the permanent physical addresses of network interfaces, also called media access control (MAC) addresses. ARP lets the two addressing schemes interoperate by resolving 32-bit IPv4 addresses to 48-bit MAC addresses. The protocol sits between layers 2 and 3 of the Open Systems Interconnection (OSI) model — MAC addresses belong to layer 2, the data link layer, while IP addresses belong to layer 3, the network layer.
Functionally, ARP made it possible for companies to get a more complete picture of their device and network infrastructure at scale — something that's now critical as device use expands, and IT complexity increases. But ARP also offers another benefit: Enhanced security.
How Does ARP-Scan Work?
ARP-Scan is a network discovery tool that combines the ARP framework with an active scanning function: it sends an ARP request for each address in a target range and records which hosts answer. Even if hackers attempt to hide devices behind firewalls or other obfuscation operations, ARP scans can detect any active IPv4 device on the local network segment.
Here's why: every IPv4 host on a traditional wired Ethernet or Wi-Fi segment must answer ARP requests for its own address, because that is how its neighbours learn its MAC address. A host firewall can drop ping and port probes, but silencing ARP would also leave the device unable to communicate with any other device on the network. As a result, all devices on the segment — including those known to IT teams, those connected by users but unapproved by IT, and those attempting to perform malicious actions or remain hidden — are visible. One caveat: routers do not forward ARP, so a single scan covers the broadcast domain (subnet) the scanner is attached to; covering several subnets means scanning from each of them.
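To make the request/reply exchange described above concrete, here is an added example (not code from the arp-scan project) that encodes and decodes the 28-byte ARP payload defined in RFC 826: the "who has X? tell Y" request a scanner sends, and the reply that maps a 32-bit IPv4 address to a 48-bit MAC address. It only builds and parses packets in memory; nothing is sent on the wire, and the addresses are constructed for illustration.

```python
import struct
import ipaddress

# Field values from RFC 826 for ARP over Ethernet carrying IPv4.
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
HLEN_MAC = 6      # 48-bit hardware address
PLEN_IPV4 = 4     # 32-bit protocol address
OP_REQUEST = 1
OP_REPLY = 2
ZERO_MAC = "00:00:00:00:00:00"   # target MAC in a request: "not yet known"

# Wire layout of the ARP payload: htype, ptype, hlen, plen, op,
# sender MAC, sender IP, target MAC, target IP (all fields big-endian).
ARP_STRUCT = struct.Struct("!HHBBH6s4s6s4s")   # 28 bytes


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != HLEN_MAC:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Encode one ARP payload (the Ethernet header is not included)."""
    return ARP_STRUCT.pack(
        HTYPE_ETHERNET, PTYPE_IPV4, HLEN_MAC, PLEN_IPV4, op,
        mac_to_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        mac_to_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed,
    )


def build_arp_request(my_mac: str, my_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell my_ip.' The target MAC is unknown, so it is
    zeroed; the enclosing Ethernet frame would go to ff:ff:ff:ff:ff:ff."""
    return build_arp(OP_REQUEST, my_mac, my_ip, ZERO_MAC, target_ip)


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP payload, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_STRUCT.size:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = ARP_STRUCT.unpack(
        payload[:ARP_STRUCT.size])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, HLEN_MAC, PLEN_IPV4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unsupported ARP opcode {op}")
    return {
        "op": "request" if op == OP_REQUEST else "reply",
        "sender_mac": bytes_to_mac(smac),
        "sender_ip": str(ipaddress.IPv4Address(sip)),
        "target_mac": bytes_to_mac(tmac),
        "target_ip": str(ipaddress.IPv4Address(tip)),
    }


def resolve_from_reply(payload: bytes, expected_ip: str):
    """The resolution step a scanner performs: accept a packet only if it is a
    reply that answers for the IP we asked about. Returns the MAC, else None."""
    try:
        pkt = parse_arp(payload)
    except ValueError:
        return None
    if pkt["op"] != "reply" or pkt["sender_ip"] != expected_ip:
        return None
    return pkt["sender_mac"]


if __name__ == "__main__":
    # Constructed addresses; this only demonstrates encoding and decoding.
    req = build_arp_request("02:00:00:00:00:01", "192.168.1.10", "192.168.1.20")
    print(len(req), parse_arp(req))
    reply = build_arp(OP_REPLY, "02:00:00:00:00:20", "192.168.1.20",
                      "02:00:00:00:00:01", "192.168.1.10")
    print(resolve_from_reply(reply, "192.168.1.20"))
```

The check in resolve_from_reply is the defensive detail worth noticing: a scanner (or a host's ARP cache) should only trust a reply whose sender IP matches the address it asked about, which is also the first thing an ARP-spoofing detector looks at.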
Why Use ARP-Scan?
ARP-Scan offers four key benefits for IT teams:
Discovery of all IPv4-connected devices — Regardless of where they're located or how they've been configured to avoid detection, ARP scans will detect all IPv4-connected devices, in turn giving IT pros a complete picture of the network and device infrastructure. This discovery is a critical first step in identifying potentially malicious devices that may exist on enterprise networks.
Quick identification and mapping of IP addresses to MAC addresses — By linking dynamically assigned IPv4 addresses to physical MAC addresses, infosec professionals can create a comprehensive map of all connected devices. This both identifies key device dependencies and pinpoints potentially disruptive devices.
Identification of duplicate IP addresses — Attackers will often use duplicate IP addresses to obfuscate the existence of malicious devices used to deliver malware payloads. ARP scans reveal this duplicate data, allowing infosec pros to track down devices that don't belong.
Isolation and location of rogue devices — Rogue devices are a common problem for enterprises. In many cases, these devices aren't intentionally malicious — staff may connect personal devices without approval or make configuration errors when setting up new connected technologies. But these rogue devices pose a potential risk if compromised by malicious actors. ARP scans help isolate and locate these devices so they can be verified and approved, or removed as required.
Device identification by NIC vendor — ARP scans can also provide more in-depth data to identify devices by their network interface controller (NIC) vendor. This information can help IT teams determine where devices originated and how they could compromise security controls.
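The benefits listed above (an IP-to-MAC map, duplicate IP detection, rogue-device isolation, and vendor identification) all come from analysing the scan results rather than from the scan itself. The following is an added example, not code from the arp-scan project, that parses output in the tab-separated "IP, MAC, vendor" layout arp-scan prints and derives each of those findings. The sample output lines, the MAC addresses, the vendor names and the KNOWN_MACS inventory are all constructed for the example; in practice the inventory would come from your asset database.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the tab-separated layout arp-scan prints
# (IP address, MAC address, vendor). Hosts, MACs and vendors are made up;
# "(DUP: n)" marks a repeated answer for an address already seen.
SAMPLE_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: 02:00:00:00:00:01, IPv4: 192.168.1.10
Starting arp-scan (constructed sample, not a real run)
192.168.1.1\t02:aa:bb:cc:dd:01\tExample Router Co
192.168.1.20\t02:aa:bb:cc:dd:20\tExample Laptop Inc
192.168.1.20\t02:aa:bb:cc:dd:99\tUnknown vendor (DUP: 2)
192.168.1.30\t02:aa:bb:cc:dd:30\tExample Printer Ltd
192.168.1.31\t02:aa:bb:cc:dd:30\tExample Printer Ltd (DUP: 2)
192.168.1.40\t02:aa:bb:cc:dd:40\tExample Laptop Inc

6 packets received by filter, 0 packets dropped by kernel
"""

# Constructed asset inventory: MACs that IT has approved.
KNOWN_MACS = {"02:aa:bb:cc:dd:01", "02:aa:bb:cc:dd:20", "02:aa:bb:cc:dd:30"}

# One result line: dotted IPv4, tab, colon-separated MAC, tab, vendor text.
LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\t(.*)$")
DUP_RE = re.compile(r"\s*\(DUP: \d+\)$")


def parse_arp_scan(text: str) -> list:
    """Return one dict per answering host; header/footer lines are ignored."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, mac, vendor = m.groups()
        hosts.append({"ip": ip, "mac": mac.lower(), "vendor": DUP_RE.sub("", vendor)})
    return hosts


def duplicate_ips(hosts: list) -> dict:
    """IPs claimed by more than one MAC: an address conflict or a device
    impersonating another. Maps ip -> sorted list of MACs."""
    macs_by_ip = defaultdict(set)
    for h in hosts:
        macs_by_ip[h["ip"]].add(h["mac"])
    return {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}


def duplicate_macs(hosts: list) -> dict:
    """MACs answering for several IPs: legitimate for multi-homed hosts and
    proxy ARP, otherwise worth a look. Maps mac -> sorted list of IPs."""
    ips_by_mac = defaultdict(set)
    for h in hosts:
        ips_by_mac[h["mac"]].add(h["ip"])
    return {mac: sorted(i, key=ipaddress.IPv4Address)
            for mac, i in ips_by_mac.items() if len(i) > 1}


def unknown_devices(hosts: list, inventory: set) -> list:
    """Hosts whose MAC is not in the approved inventory (rogue candidates)."""
    found = [h for h in hosts if h["mac"] not in inventory]
    return sorted(found, key=lambda h: ipaddress.IPv4Address(h["ip"]))


def vendor_summary(hosts: list) -> Counter:
    """Number of distinct MACs per NIC vendor string."""
    counts = Counter()
    for vendor, mac in {(h["vendor"], h["mac"]) for h in hosts}:
        counts[vendor] += 1
    return counts


if __name__ == "__main__":
    hosts = parse_arp_scan(SAMPLE_OUTPUT)
    print("duplicate IPs:", duplicate_ips(hosts))
    print("MACs with several IPs:", duplicate_macs(hosts))
    print("not in inventory:", [(h["ip"], h["mac"]) for h in unknown_devices(hosts, KNOWN_MACS)])
    print("vendors:", dict(vendor_summary(hosts)))
```

Run periodically and diffed against the previous run, the same functions turn a one-off scan into a detection: a new MAC claiming an existing IP, or a MAC that was never in the inventory, is the event worth alerting on.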
Increasing Your ARP Advantage
ARP-Scan tools offer the benefit of transparency — both for IT teams and potentially for malicious actors. If hackers can compromise enterprise networks and intercept ARP messaging, or deploy spoofed ARP responses, they can create a complete picture of current network infrastructure to better plan new attacks. As a result, companies must employ security staff with both an in-depth knowledge of ARP scanning methods and the skills to detect potential ARP misuse.
On their own, however, ARP-Scan training and skills typically aren't enough to land IT professionals their ideal infosec opportunities. Instead, the ARP advantage works best when paired with other in-demand security skills and IT certifications such as CISSP, CISM, CEH, or CompTIA Security+.
Knowledge is power. Backed by ARP-Scan expertise and infosec credentials, IT professionals gain the advantage when it comes to finding their best-fit cybersecurity career.