1
00:00:00,870 --> 00:00:07,470
Before talking about using ARP tables for passive scanning, let's talk a little bit about the ARP protocol

2
00:00:07,470 --> 00:00:08,820
and mechanism first.

3
00:00:09,570 --> 00:00:17,190
So Address Resolution Protocol, ARP, is a network layer protocol used for mapping a network address,

4
00:00:17,190 --> 00:00:22,110
such as an IPv4 address, to a physical address, such as a MAC address.

5
00:00:23,140 --> 00:00:30,790
To simulate how the ARP mechanism works, we have a small network in the slide, a switch on top and

6
00:00:30,790 --> 00:00:35,140
three computers connected to it. Computer A wants to talk to computer C.

7
00:00:36,760 --> 00:00:40,750
It puts an ARP request onto the wire, which happens to be a broadcast.

8
00:00:41,620 --> 00:00:45,910
Essentially, what it's saying is: who has computer C's MAC address?

9
00:00:47,140 --> 00:00:51,280
Of course, because it's a broadcast, every system on the network hears it.

10
00:00:52,270 --> 00:00:53,440
Does everybody respond?

11
00:00:54,160 --> 00:00:59,710
Well, what happens is that B hears it: it is looking for the MAC address of computer C.

12
00:01:01,040 --> 00:01:06,710
B knows that it's not computer C and therefore does not respond to the broadcast.

13
00:01:07,860 --> 00:01:15,420
The broadcast, the ARP request, goes out to every system, but the only system that will reply is computer

14
00:01:15,420 --> 00:01:17,520
C, with an ARP reply.

15
00:01:18,540 --> 00:01:24,720
In other words, computer A says: who has the MAC address of computer C? And although all the workstations

16
00:01:24,720 --> 00:01:31,590
hear the question, only C replies and says: I've got the MAC address of computer C, and this is what

17
00:01:31,590 --> 00:01:32,070
it is.

18
00:01:32,820 --> 00:01:33,360
So the ARP

19
00:01:33,420 --> 00:01:36,420
reply sends back the MAC address to computer A.
20
00:01:37,290 --> 00:01:41,220
And each of these machines starts building an ARP table.

21
00:01:41,700 --> 00:01:43,140
So what is the ARP table?

22
00:01:44,270 --> 00:01:49,040
Since computers cannot send broadcast messages every time they need to connect with another network

23
00:01:49,040 --> 00:01:54,860
device, they store the IP addresses and the corresponding MAC addresses of systems they frequently

24
00:01:54,860 --> 00:01:58,130
communicate with in a table called the ARP table.

25
00:01:58,520 --> 00:02:00,860
All the systems in the LAN maintain this table.

26
00:02:01,930 --> 00:02:07,390
The entries in the ARP cache table are generally short-lived and are updated every 15 to 20 minutes.

27
00:02:08,160 --> 00:02:09,280
Now let's get back to our topic.

28
00:02:09,520 --> 00:02:15,730
Can we say that one of the passive scan methods is just looking into the ARP table of a system, which

29
00:02:15,730 --> 00:02:17,290
is in the network that we are scanning?

30
00:02:17,680 --> 00:02:18,010
Wow.

31
00:02:18,190 --> 00:02:18,790
Sure we can.

32
00:02:19,600 --> 00:02:26,410
Inside an ARP table, we see the IP addresses of some of the systems of the network and their corresponding

33
00:02:26,410 --> 00:02:27,310
MAC addresses.

34
00:02:28,120 --> 00:02:30,880
Let's see the ARP tables in three different platforms:

35
00:02:31,510 --> 00:02:34,780
macOS, Windows and Debian Linux.

36
00:02:35,760 --> 00:02:42,510
We are in a macOS operating system. First open the terminal: type "terminal" in the search box

37
00:02:42,510 --> 00:02:46,260
of the Applications window, which brings you the Terminal application.

38
00:02:46,740 --> 00:02:51,990
Typing arp and hitting Enter shows a small help for the arp command.

39
00:02:53,210 --> 00:03:00,710
If you want to see detailed help about the arp command, you can use the man command. Type man arp and

40
00:03:00,710 --> 00:03:01,250
hit Enter.

41
00:03:01,490 --> 00:03:02,600
You'll get detailed help.
42
00:03:04,170 --> 00:03:09,360
The -a parameter is used to display all current ARP table entries, but hold on.

43
00:03:09,630 --> 00:03:12,990
It says -a is used to delete all entries as well.

44
00:03:13,260 --> 00:03:14,250
How can that be?

45
00:03:14,850 --> 00:03:19,560
Well, to delete an ARP table entry, you use the -d parameter.

46
00:03:20,370 --> 00:03:26,160
If you use this parameter with the -a parameter, you are able to delete all entries of the ARP table.

47
00:03:26,700 --> 00:03:30,090
The -i parameter is used to see the entries of a single interface.

48
00:03:30,930 --> 00:03:36,120
By default, the arp command tries to display addresses symbolically.

49
00:03:37,190 --> 00:03:43,040
To see the IP addresses instead of the display names of the systems, you have to use the -n parameter,

50
00:03:44,100 --> 00:03:46,470
which means do not resolve names.

51
00:03:47,670 --> 00:03:47,980
OK.

52
00:03:48,010 --> 00:03:55,980
Press q to quit the man page of the arp command. Now type arp -an to see all the entries of the

53
00:03:55,980 --> 00:03:56,580
ARP table.

54
00:03:57,660 --> 00:04:04,200
Since macOS is a BSD-based operating system, the result of the arp command is displayed in BSD style.

55
00:04:05,270 --> 00:04:08,030
The second machine is a Microsoft Windows 8.

56
00:04:09,150 --> 00:04:10,920
Let's open a command prompt first.

57
00:04:11,370 --> 00:04:14,940
I have a shortcut on my taskbar, so I click it to start a command prompt.

58
00:04:15,990 --> 00:04:20,560
Alternatively, press the Windows+R buttons to open the Run dialog box,

59
00:04:20,820 --> 00:04:22,710
type cmd and hit Enter.

60
00:04:23,910 --> 00:04:28,380
If you type arp in a Windows system, the help page of the arp command is displayed.

61
00:04:29,580 --> 00:04:37,440
Type arp -a to see the entries of the ARP table. In my opinion, this display is more, I don't

62
00:04:37,440 --> 00:04:40,530
know, human readable than BSD style.
63
00:04:41,490 --> 00:04:45,570
Now, although we're not interested in these at the moment, I would like to talk a little about the

64
00:04:45,570 --> 00:04:50,070
IP addresses that start with 224, to calm your curiosity.

65
00:04:51,250 --> 00:04:59,290
224.0.0.22 is the multicast address for Internet Group Management Protocol.

66
00:04:59,290 --> 00:05:08,110
224.0.0.252 is used by recent versions of Windows for Link-Local Multicast Name Resolution,

67
00:05:08,740 --> 00:05:12,940
LLMNR, when searching for local network computers.

68
00:05:13,870 --> 00:05:18,670
The third machine is our Kali, which is a Debian-based Linux operating system.

69
00:05:19,510 --> 00:05:20,620
Open the terminal window.

70
00:05:21,430 --> 00:05:25,660
If you type arp and hit Enter, the ARP table

71
00:05:25,660 --> 00:05:29,200
entries are displayed in a human readable format.

72
00:05:29,890 --> 00:05:38,770
As you see, systems are listed with a known domain name, such as www.owaspbwa.com, by default.

73
00:05:39,670 --> 00:05:47,940
arp -h brings you a small help page. If you want a detailed help page, type man

74
00:05:48,340 --> 00:05:48,730
arp.

75
00:05:51,350 --> 00:05:58,430
In a Debian-based Linux system, the -a parameter of the arp command is used to see the entries in BSD

76
00:05:58,430 --> 00:06:00,490
format, which we saw in macOS.

77
00:06:01,070 --> 00:06:04,670
-i is again to see the entries of a single interface.

78
00:06:05,390 --> 00:06:07,580
OK, press q to quit the man page.

79
00:06:08,270 --> 00:06:17,750
arp -a displays ARP table entries in BSD format, and use the -n parameter to see the IP addresses instead

80
00:06:17,750 --> 00:06:19,280
of domain names of the systems.