Time
12 minutes
Difficulty
Intermediate

Video Transcription

00:02
Hello and welcome to breaking stuff with Joe with me. You're a part of his host, Joe Perry. If you haven't seen this serious before, that's totally okay. We're gonna do a quick walk through off what this video series is and who I am and why you are here. So to start out we do this slightly out of order. But I'm Joe Perry. I'm the director of research here at Psy Berry.
00:21
That means that I get to not only work on research projects where I get to advance our knowledge and understanding of cyber security,
00:26
but and probably more importantly, I get to create videos like this to help people in the cyber security an ideal world get familiar with and comfortable with not only the information and the skills and the knowledge thinking for their jobs, but the tools which will allow them to do those jobs. And today we're gonna focus on exactly one of those tools. Because in breaking stuff with Joe,
00:44
every video is short digestible. No more than 30 minutes of the absolute outside, usually closer to 10
00:50
in which we examine the different tools used in cyber security, particularly offensive security and we understand how they could fit into our role as a cyber security professional How we use them effectively. Today, we're gonna be talking about the tool AARP scan.
01:03
And as always, we have three objectives. Ritalin. What? The tool is what it does, how it's used. We're going to learn we're going to get comfortable with the tool. We're going to explore its options. We're gonna run some help tests.
01:11
We're gonna figure out exactly what it does and then third and finally room to actually run the tool and see what it looks like in action. So that whole thing together should take about 10 minutes. Not too much more. Definitely not a full half hour, so you'll be in and out nice and easy. So first, of course. What is our scan? What's it for? What does it do? Our?
01:30
For those of you who don't already know
01:32
is the protocol that's used to map I P addresses to physical addresses. A physical address is generally referred to as your Mac address. It's important to note that it is possible to spoof the Mac address. It is a little bit more digital than than physical, however, Generally speaking, a Mac address is actually physically burned into a chip once that ship is made. So it is a very, very,
01:52
uh,
01:53
singularly identifiable address. And as long as someone's not actively smoothing it, you're not going to run into many Mac collisions. It's not generally going to happen. So the Mac address the our protocol or or theatrics resolution protocol are sorry, the name collision A T M. Machine kind of thing again.
02:12
But the address resolution protocol
02:14
identifies a Mac address, and it associates it with an I P address. Now that does have some built in limitations and some advantages over other scanning tools. One of the built in and probably the most important, built in limitation of that is because you're targeting the Mac. Address the physical address. You are not using something that is row double across the Internet. You can, For example, I can't from this computer
02:34
reach out to your computer based on its Mac address. Writers don't know. Mac addresses Roger Stone associate to them. They don't know how to find him,
02:40
which means that your arms stand can only work when you're in your target network. When you're working from that network.
02:46
However, the advantage to it is because it exists in a lower level of the of the S A modeler, the TCP eyepiece stack. Because it exists below I p I m p. Security generally doesn't work on it. Most machines, almost all machines will respond to an ARP request. And even more importantly than that,
03:04
very few firewalls will protect against it because our pigs just settle low level.
03:08
So art is a really great way of identifying tools that might be active on your network. Which is why this tool is actually valuable not just for the offensive practitioner, but also for the defense of practitioners, someone who's trying to identify how many machines are currently on this network. Or are they the right machines? Are they on the list of approved Mac addresses? Are they are they re sources and assets we know about
03:28
and are safe? Having,
03:30
if not you have, is here in breach. So that's the great use of the AARP scan tool. We now understand that what it does is look for Mac addresses and associate them to I. P addresses are scanned in particular is a great tool for that because it is lightning fast. One of the faster tools you're ever gonna run really, really effective gets the job done like that.
03:47
And it's small enough and portable enough that you can pull it onto the machine you've
03:52
managed to explain gain access to in order to scan in a given local network. So now we know what it is. We know what it does. Now we're gonna move under a second objective. We're gonna get familiar with the tool and, as always, we're gonna do that in R V m.
04:03
So here we are in our Callie V. M. As usual, and this is a pretty straightforward tool, so we're not gonna have to take too much time getting familiar with it. We're gonna go ahead. We're going on our scam.
04:15
Attack eight. Now it is worth noting that our skin comes preinstalled in Cali. There's not an installation process for its use on this B M.
04:21
So hearts can't tak h. We'll see if that works. Sure does.
04:27
And of course, as always, because resumed in the Texas a little bit screwy
04:31
for all the way back up to the top. You know what we're gonna go up this one. We're gonna put this one in, the less
04:39
there we go.
04:40
So, uh, usage. We have the basic command that we invoke our options, and then we have this ellipses here suggests that there are multiple argument or multiple hosts that we can give.
04:50
So we say that we have to specify the target host on our command line unless we give it a file. So that shows us our very first option, which is the file option which indicates the target. We have a target file that has the AP, isn't it that we want to,
05:04
um
05:08
they want a target that we want to address. Sorry about that. We want to find out the Mac addresses for you can see here that you have to be rude, that sort of thing.
05:15
And we're just gonna keep scrolling down until we get to our actual that we get to our actual options.
05:25
There we go.
05:28
And one of the things that I really appreciate about our scan that it's a minor thing that most people probably won't care about, but help menus could be an absolute nightmare to read. It can just be mayhem trying to figure out what any of these things say. Uh, and one of the things that our skin does that I really, really appreciate it
05:46
are these little keys right here?
05:49
That's just indicating what type of data given argument takes. So, for example,
05:55
not here. When we get to the actual options,
06:00
you can see file and then in brackets we have, that s and that indicates that it's a straight That's not a huge deal. That's not something that's gonna, you know, change the world. But if you're like me and you spend a Thanh of time in man pages and help documentation, little quality of life upgrades like that get you a full minute of my 15 minute video
06:19
just showing how cool and how much I appreciate that particular fact.
06:24
So
06:25
file is s. That's if we want to give it a target and a target file. We're not gonna need do that. The other thing that we want to do here is this tack tack local net on that says that it's going to use The local network is going to generate addresses from the network interface configuration. So that's gonna be how we determine
06:42
what address is we're going to be targeting Instead of using an input file, we're just gonna say the local network everything that we can get to
06:48
and down here. We should have some example Commands
06:53
we have re try which obviously, you know, how many times will we attempt time out? How long will you give it before it gives up? How often do we want to send packets? Remember, from our discussion of scanning tools,
07:03
Interval is actually a very useful command. Ah, lot of security products. A lot of PS ps. A lot of network security tools are based on how many packets are being sent from a given host or even if they're not based on it, they will analyze that, and that might potentially send up red flags. So
07:19
having a good interval makes it much more likely that you're going to get away with whatever you're doing in this case, scanning our
07:27
and we're gonna make our way all the way down to the bottom. We're not really terribly worried about the band with command. It's just not that essential in most modern systems. You've got enough space and you're not going to You're not gonna blow the network with the data you're sending.
07:47
And of course you can see Here is we're scrolling down. There are a ton of other options that are definitely worth exploring. We're not doing that just because, you know the goal here is to get you familiar with. So you can start working with the tool rather than necessarily
08:01
exhaustively going piece by piece like a normal course. So you can see here one of the last options that I do want to talk about this source atter I mentioned earlier that Mac addresses do come burned into your chip, but they are impossible to spoof. One of the great things about Callie. One of the reasons why Callie is such a useful distribution is that it gives you the ability to very easily spoof your Mac address
08:20
s O. If you wanted to give it a fake source address. If you want it to seem like you're coming from a different host,
08:26
you could do that by using Double Dash S R. C a D D E r. And then you give it a Mac address. We're not gonna do that, but that is something that you're capable of doing with this is modifying, giving it a false Mac address so that P S P is on the network. Don't actually know what the source of this our request is.
08:54
And we should be getting to the bottom here in just a second.
08:58
That's the downside of using glasses that the scroll could take a little while.
09:01
Okay. It doesn't come with the sample command. That's totally okay. We're gonna go ahead and we're gonna make our own sample. Commander. We're gonna do that by making use of the options that we just learned about.
09:11
Well, to be more accurate, really, Just one of the options that we just learned about, and that's going to be We're gonna run our base camp and they're going to just give it
09:20
local net.
09:22
And so what this is going to do as I mentioned before it is going to examine all of the addressable are all of the addresses it confined in the local network based on the interface that it has access to because we're not specifying an interface is just going to pick the lowest number interface we have, which, generally speaking, it's gonna be your either zero or whatever. In this case, your BM connection,
09:41
whatever the first sort of interface you have available is.
09:43
So it's going to search the network based on that interface, the subject mask that has access to. And it's going to see if it can find all of the Mac addresses on that network, and we could just run it
09:52
and you can see very, very quickly, almost ridiculously quickly. It scans through 256 possible hosts and immediately gets back to us and says, These three exists on your network. Now again, this is using my you can see here it says, Eat 00 is actually sort of a fake network because I'm using this B M.
10:09
So these are all of the machines this BM is capable of identifying.
10:13
But so that's that's all we are all of the Mac addresses
10:16
on this network. You can see that it associate in each of them to specific I p addresses and so you can see how, when you're performing your intelligence gathering your reconnaissance stage of fantastic, this is a really important step to identify what machines are on the network. Are they all in the documentation you received. Or if you're doing this in a black box style, you know,
10:33
are you able to identify maybe using an and map scan or using, you know, more targeted scanning of specific I p ease
10:39
what each of these tools or each of these machines are. And, of course, on the other side is a defensive user. If you're regularly running the scan and identifying, okay, these are all Mac addresses that interacts it. Lists. These are all tagged is acceptable assets. We're good to go
10:54
if something if something exists in your arms can that isn't in your list. Even if you know where normally you might have to go through I p
11:01
and wonder if DCP is messing things up with Mac addresses. You can say if this isn't on our approved asset list, there's a problem somewhere.
11:07
So it's gonna be all there is for arts can. Hopefully, you confined this tool valuable on. You can make use of it again in your day to day work. As a cyber security professional, we went through some basic options. We looked at the help the help material. We discuss the concept of AARP scanning and why it's useful to the offensive and the defensive practitioner. And then, as always, we closed out by actually running the command.
11:28
I want to thank you all for watching. I want to remind you, as I have the end of many of our videos,
11:31
that all of the material on cyber ery, except for the videos that I and my spectacular colleague can make, are made by members of our community. And to some extent, I suppose we're part of the community ourselves. All this material comes from people like you who watch videos on cyber who engage with our material and who decide that they want to give something back to the community
11:50
and help other people build their careers.
11:52
The only way this community is gonna get built is by building itself. So that's what we're doing here. It's library, and we hope that you can help. So go to our community page, apply to be an instructor, apply to be a TA apply to be a beta tester and tell us what's wrong with our videos before they go out. Any of these things that allows us to make sure that cyber it could help people build their careers. You will be helping and you'll get
12:13
swag. You might get, you know,
12:15
fame. You might get all sorts of different things back for it. I'm not our marketing guy. So they're probably gonna yell at me for my terrible marketing. But it is really, really important that we get more and more community members involved. And we're gonna help you help us to help everyone else. Thank you for watching. This has been breaking stuff with Joe. I have been your host, Joe Perry,
12:33
director of research here. Cy Marie. And you're watching Cyberia on demand.

How to Use Arp-Scan (BSWJ)

Arp-scan is a low-level network discovery tool used to associate physical (MAC) addresses to logical (IP) addresses. It's used to identify network assets which may not normally be captured by network scanning devices.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor