ArpScan

From SCADApedia


ArpScanning [arp scan, arp-scan, arpscan] is a network enumeration technique that only works on the local network segment (broadcast domain) of the scanning host. As ARP traffic is ubiquitous on every Ethernet network, an ArpScan can often be performed on a segment without triggering any IDS/IPS alarms.



How an ArpScan Works

An ArpScan sends an ARP ping (an ARP request, "who has X.X.X.X?") to every address in the specified IP range. For example arpscan 192.168.10.1-255 would send an ARP request for each address on the 192.168.10.* network segment. If a host is present and active at a given IP address it answers with an ARP reply containing its MAC address, which the scanner records against that IP. This enumerates all of the active devices on a network segment together with their MAC addresses. Because the request is answered by the host's link-layer stack, a host answers even when a host-based IP firewall drops ICMP echo and every TCP/UDP probe, which is why an ArpScan often finds hosts that an ICMP ping sweep misses.

As ARP is a link-layer protocol that routers do not forward, ArpScanning only functions on the local network segment; hosts behind a router have to be discovered with other techniques.

ArpScanning only identifies active systems; it does not identify open ports or running services.

There are various ARP scanning tools available online (the arp-scan tool is one), or it is easy to script one on top of the iputils arping utility. ArpScanners are also fairly simple to write in various programming languages, since all that is needed is a raw socket on which to send the request frames and read the replies.

Stealthy Nature of ArpScan

ARP traffic is universal on an Ethernet network. When a device wants to send a packet to another system on the network segment but does not know the MAC address of the destination system, it broadcasts an ARP request to the segment. The target device responds with its MAC address so the source can address the Ethernet frame to it. As ARP traffic is always occurring, the majority of network segments do not monitor it, and most IDS signatures operate on IP, TCP and UDP rather than on ARP. ArpScanning therefore allows the enumeration of devices on a network segment in a "stealthy" manner that is unlikely to trigger IDS alarms, whereas the ICMP, TCP and UDP probes of other active scanners (such as an Nmap port scan) are likely to trigger them. Two caveats apply. Nmap itself uses ARP requests for host discovery when its targets are on the local Ethernet segment, so a plain Nmap ping sweep of the local subnet is no noisier at the ARP level than a dedicated ArpScan; it is the port scan that follows which gets noticed. And "stealthy" is relative: a single MAC address requesting every address in a range within a few seconds is an easy pattern to flag for any monitor that does log ARP (arpwatch, or a network sensor with ARP logging enabled), so on a monitored segment spacing the requests out is what keeps the scan quiet.

Using ArpScan to Identify Field Devices

As the ArpScan returns a list of active IPs and their correlating MAC addresses, the resulting MAC addresses can be fed into MAC lookup engines: the first three octets of a MAC (the OUI) identify the manufacturer of the Ethernet interface. The results can be used to identify field devices on a control system network. For example the MAC address 00:00:bc:3e:eb:e4 correlates to Rockwell Automation. As the field device manufacturers are a small subset of the NIC manufacturers, there is a very high probability that a MAC address identified as belonging to one of the known control system vendors (Rockwell/Allen-Bradley, ABB, Siemens, etc.) correlates to a PLC, RTU etc. Two caveats: the OUI identifies who made the Ethernet interface, not what it sits in, so a vendor hit can also be an HMI, managed switch or engineering tool from the same vendor, and a PLC fitted with a third-party Ethernet module will show that module maker's OUI; and a locally administered MAC (second-least-significant bit of the first octet set, as on most virtual machines and containers) carries no vendor information at all.
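Turning the scan output into vendor names, as an added example written for this page (not SCADApedia's code): it parses the IEEE OUI listing in the layout of the public oui.txt file, normalizes the MAC formats different tools print, skips locally administered addresses, and flags the vendors the page names as field-device makers. The scan results and the three-entry OUI excerpt are constructed inline; a real run would load the full IEEE file.

```python
"""Tag ArpScan results with the NIC vendor from an IEEE OUI listing and flag
likely control-system vendors.

Added example for this SCADApedia page; not the page's own code. The scan
results and the OUI excerpt are constructed inline; a real run would load
the full IEEE oui.txt (the same data arp-scan ships as ieee-oui.txt).
"""
import re

# Constructed excerpt in the layout of the IEEE oui.txt file: a "(hex)" line
# and a "(base 16)" line per OUI, followed by indented address lines (omitted
# here). 00-00-BC is the Rockwell OUI quoted on the page.
OUI_TXT = """\
00-00-BC   (hex)\t\tRockwell Automation
0000BC     (base 16)\t\tRockwell Automation
\t\t\t\t(address lines omitted)

08-00-06   (hex)\t\tSIEMENS AG
080006     (base 16)\t\tSIEMENS AG
\t\t\t\t(address lines omitted)

00-50-56   (hex)\t\tVMware, Inc.
005056     (base 16)\t\tVMware, Inc.
\t\t\t\t(address lines omitted)
"""

# Vendors the page names as field-device makers, matched as whole words so
# "abb" does not hit every vendor name containing those letters.
ICS_VENDOR_RE = re.compile(r"\b(rockwell|allen-bradley|abb|siemens)\b", re.IGNORECASE)
_HEX_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$",
                       re.IGNORECASE)


def parse_oui_txt(text: str) -> dict:
    """Map lowercase 6-hex-digit OUI -> vendor, reading only the '(hex)' lines."""
    table = {}
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            table["".join(m.group(1, 2, 3)).lower()] = m.group(4)
    return table


def normalize_mac(mac: str) -> str:
    """Accept 00:00:BC:3E:EB:E4, 00-00-bc-3e-eb-e4 or Cisco 0000.bc3e.ebe4; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def lookup_vendor(mac: str, table: dict):
    """Vendor for the MAC's OUI, or None. Locally administered addresses (bit 1
    of the first octet set: VM and container NICs, randomized MACs) carry no
    vendor information, so they return None even if the prefix is in the table."""
    mac = normalize_mac(mac)
    if int(mac[0:2], 16) & 0x02:
        return None
    return table.get(mac.replace(":", "")[:6])


def classify(scan_results: dict, table: dict) -> list:
    """Turn {ip: mac} from an ArpScan into rows with vendor and an ICS flag."""
    rows = []
    for ip, mac in scan_results.items():
        vendor = lookup_vendor(mac, table)
        rows.append({
            "ip": ip,
            "mac": normalize_mac(mac),
            "vendor": vendor,
            "likely_ics": bool(vendor and ICS_VENDOR_RE.search(vendor)),
        })
    return rows


# Constructed ArpScan output (ip -> mac); the Rockwell MAC is the page's example.
SCAN = {
    "192.168.10.1": "00:00:bc:3e:eb:e4",
    "192.168.10.20": "0800.06aa.bbcc",      # Cisco-style formatting
    "192.168.10.50": "00-50-56-12-34-56",   # VMware NIC: a server, not a PLC
    "192.168.10.99": "02:42:ac:11:00:02",   # locally administered (Docker style)
}

if __name__ == "__main__":
    for row in classify(SCAN, parse_oui_txt(OUI_TXT)):
        flag = "ICS?" if row["likely_ics"] else "    "
        print(f"{flag} {row['ip']:15} {row['mac']}  {row['vendor'] or '(unknown OUI)'}")
```

The ICS flag is a triage hint, not an identification: as noted above, a Rockwell or Siemens OUI is also what an HMI or switch from the same vendor shows, so hits should be confirmed by polling the device's own protocol rather than taken from the MAC alone.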

External Links

ARP explained

ARP request

MAC/Vendor lookup
