1
00:00:00,210 --> 00:00:07,440
Address Resolution Protocol (ARP) is a network layer protocol used for mapping a network address, such

2
00:00:07,440 --> 00:00:12,090
as an IPv4 address, to a physical address, such as a MAC address.

3
00:00:13,100 --> 00:00:20,750
To simulate how the ARP mechanism works, we have a small network in the slide: a switch on top and

4
00:00:20,750 --> 00:00:22,340
three computers connected to it.

5
00:00:22,910 --> 00:00:25,100
Computer A wants to talk to computer C.

6
00:00:26,700 --> 00:00:32,640
It puts an ARP request onto the wire, which happens to be a broadcast. Essentially what it's saying

7
00:00:32,640 --> 00:00:35,910
is: who has computer C's MAC address?

8
00:00:37,080 --> 00:00:41,270
Of course, because it's a broadcast, every system on the network hears it.

9
00:00:42,260 --> 00:00:48,800
Does everybody respond? Well, what happens is that B hears that A is looking for the MAC address of

10
00:00:48,800 --> 00:00:49,700
computer C.

11
00:00:51,000 --> 00:00:56,700
B knows that it's not computer C and therefore does not respond to the broadcast.

12
00:00:57,820 --> 00:01:05,410
The broadcast, the ARP request, goes out to every system, but the only system that will reply is computer

13
00:01:05,410 --> 00:01:07,470
C, with an ARP reply.

14
00:01:08,490 --> 00:01:13,200
In other words, computer A says: who has the MAC address of computer C?

15
00:01:13,210 --> 00:01:19,290
And although all the workstations hear the question, only C replies and says: I've got the MAC address

16
00:01:19,290 --> 00:01:22,070
of computer C, and this is what it is.

17
00:01:22,770 --> 00:01:30,150
So the ARP reply sends the MAC address back to computer A, and each of these machines starts building

18
00:01:30,300 --> 00:01:31,170
an ARP table.

19
00:01:31,650 --> 00:01:33,090
So what is the ARP table?

20
00:01:34,200 --> 00:01:39,030
Since computers cannot send broadcast messages every time they need to connect with another network

21
00:01:39,030 --> 00:01:44,820
device, they store the IP addresses and the corresponding MAC addresses of systems they frequently

22
00:01:44,820 --> 00:01:48,110
communicate with in a table called the ARP table.

23
00:01:48,480 --> 00:01:50,790
All the systems in the LAN maintain this table.

24
00:01:51,880 --> 00:01:57,370
The entries in the ARP table are generally short lived and are updated every 15 to 20 minutes.

25
00:01:58,060 --> 00:01:59,250
Now, let's get back to our topic.

26
00:01:59,500 --> 00:02:05,710
Can we say that one of the passive scan methods is just looking into the ARP table of a system which

27
00:02:05,710 --> 00:02:07,240
is in the network that we are scanning?

28
00:02:07,630 --> 00:02:08,800
Wow, sure we can.

29
00:02:09,550 --> 00:02:16,360
Inside an ARP table, we see the IP addresses of some of the systems of the network and their corresponding

30
00:02:16,360 --> 00:02:17,280
MAC addresses.

31
00:02:18,070 --> 00:02:24,790
Let's see the tables on three different platforms: macOS, Windows and Debian Linux.

32
00:02:25,720 --> 00:02:32,470
We are in a macOS operating system. First open the terminal: type terminal in the search box

33
00:02:32,470 --> 00:02:39,400
of the applications window, which brings you the terminal application. Typing arp and hitting enter

34
00:02:39,940 --> 00:02:41,920
shows a small help for the arp command.

35
00:02:43,160 --> 00:02:50,690
If you want to see detailed help about the arp command, you can use the man command: type man arp and

36
00:02:50,690 --> 00:02:52,610
hit enter, and you'll get detailed help.

37
00:02:54,100 --> 00:03:01,750
The -a parameter is used to display all current ARP table entries, but hold on, it says -a is used to delete

38
00:03:01,780 --> 00:03:02,960
all entries as well.

39
00:03:03,190 --> 00:03:04,180
How can that be?

40
00:03:04,810 --> 00:03:09,510
Well, to delete an ARP table entry, you use the -d parameter.

41
00:03:10,300 --> 00:03:16,120
If you use this parameter with the -a parameter, you are able to delete all entries of the ARP table.

42
00:03:16,630 --> 00:03:21,580
The -i parameter is used to see the entries of a single interface. By default,

43
00:03:22,120 --> 00:03:26,080
the arp command tries to display addresses symbolically.

44
00:03:27,090 --> 00:03:33,000
To see the IP addresses instead of the display names of the systems, you have to use the -n parameter,

45
00:03:34,060 --> 00:03:36,460
which means do not resolve names.

46
00:03:37,620 --> 00:03:45,960
OK, press q to quit the man page of the command. Now type arp -an to see all the entries of the

47
00:03:45,960 --> 00:03:46,530
ARP table.

48
00:03:47,610 --> 00:03:54,150
Since macOS is a BSD based operating system, the results of the command are displayed in BSD style.

49
00:03:55,200 --> 00:03:58,080
The second machine is a Microsoft Windows 8.

50
00:03:59,080 --> 00:04:04,510
Let's open a command prompt first. I have a shortcut on my status bar, so I click it to start a command

51
00:04:04,510 --> 00:04:04,960
prompt.

52
00:04:05,950 --> 00:04:12,670
Alternatively, press the Windows + R keys to open the Run dialog box, type cmd and hit enter.

53
00:04:13,830 --> 00:04:18,360
If you type arp on a Windows system, the help page of the arp command is displayed.

54
00:04:19,570 --> 00:04:27,400
Type arp -a to see the entries of the ARP table. In my opinion, this display is more, I don't

55
00:04:27,400 --> 00:04:30,490
know, human readable than BSD style.

56
00:04:31,400 --> 00:04:35,540
Now, although we're not interested in these at the moment, I would like to talk a little about the

57
00:04:35,540 --> 00:04:40,040
IP addresses that start with 224, to calm your curiosity.

58
00:04:41,190 --> 00:04:49,250
224.0.0.22 is the multicast address for the Internet Group Management Protocol. 224.0.0.252

59
00:04:49,250 --> 00:04:58,100
is used by recent versions of Windows for Link-Local Multicast Name Resolution

60
00:04:58,670 --> 00:05:02,920
(LLMNR) when searching for local network computers.

61
00:05:03,800 --> 00:05:08,650
The third machine is our Kali, which is a Debian based Linux operating system.

62
00:05:09,440 --> 00:05:18,050
Open the terminal window. If you type arp and hit enter, the ARP table entries are displayed in a human

63
00:05:18,050 --> 00:05:19,160
readable format.

64
00:05:19,820 --> 00:05:28,730
As you see, systems are listed with a known domain name by default.

65
00:05:29,610 --> 00:05:38,730
arp -h brings you a small help page. If you want a detailed help page, type man arp.

66
00:05:41,280 --> 00:05:48,420
In a Debian based Linux system, the -a parameter of the arp command is used to see the entries in BSD

67
00:05:48,420 --> 00:05:54,650
format, which we saw in macOS. -i is again to see the entries of a single interface.

68
00:05:55,320 --> 00:06:04,770
OK, press q to quit the man page. arp -a displays ARP table entries in BSD format, and use

69
00:06:04,770 --> 00:06:09,270
the -n parameter to see the IP addresses instead of the domain names of the systems.
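As an added example (not part of the lecture), a small Python parser that reads the three ARP table output styles shown above (macOS BSD style `arp -an`, Windows `arp -a`, Linux net-tools `arp -n`) into one passive host inventory and drops the 224.0.0.0/4 multicast entries the lecture points out; every sample line, hostname and address below is constructed, not captured from a real machine.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample outputs (not captured from real systems) in the three styles
# the lecture shows: macOS BSD style, Windows arp -a, and Linux net-tools arp -n.
MACOS_BSD = """\
? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.20) at a4:83:e7:12:34:56 on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
"""
WINDOWS = """\
Interface: 192.168.1.15 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          5c-f9-dd-aa-bb-cc     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
"""
LINUX = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     eth0
192.168.1.20             ether   a4:83:e7:12:34:56   C                     eth0
"""

# An IPv4 dotted quad and a MAC with 1-2 hex digits per octet, ':' or '-' separated
# (macOS prints unpadded octets like 0:11:22:33:44:55, Windows uses dashes).
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
MAC_RE = re.compile(r"(?<![0-9a-fA-F:-])([0-9a-fA-F]{1,2}(?:[:-][0-9a-fA-F]{1,2}){5})(?![0-9a-fA-F:-])")


def normalize_mac(mac: str) -> str:
    """Turn 0:11:22:33:44:55 or 00-11-22-33-44-55 into 00:11:22:33:44:55."""
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:-]", mac))


def parse_arp_output(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs from any of the three styles. Lines lacking both an
    IPv4 address and a MAC (column headers, the Windows 'Interface:' line) are skipped."""
    pairs = []
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            pairs.append((ip.group(1), normalize_mac(mac.group(1))))
    return pairs


def merge_tables(*outputs: str) -> Dict[str, Set[str]]:
    """Union of several systems' ARP tables as ip -> MACs seen for it. Multicast
    entries (224.0.0.0/4, e.g. IGMP 224.0.0.22, LLMNR 224.0.0.252) are not hosts
    and are dropped; an IP with more than one MAC is worth a second look."""
    merged: Dict[str, Set[str]] = {}
    for out in outputs:
        for ip, mac in parse_arp_output(out):
            if ipaddress.ip_address(ip).is_multicast:
                continue
            merged.setdefault(ip, set()).add(mac)
    return merged
```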