Blind Scanning using ARP By Case (phric@legions.org) Broadcast ARP scanning is based of the concept that when a packet is sent from host A to nonexistent host B, host B - 1 hop will send an arp broadcast in an effort to locate the location of host B. Voila commence BARP scans. So we should now understand the basic concept and be able to exploit this feature to perform blind port scans or ping scans. What we need - A nonexistent host on our subnet, Host None - A target host, Host Target - Us, Host Us First we find a host on our subnet that does not exist, Host None. Now we forge a FIN packet from host none, to our target host.And we wait and listen for arp broadcasts. -Host Us sends TCP FIN or NULL, Forged IP SRC of Host None ---> Host target -Host Target sends TCP RST ---> Host in Route 1 hop before Host None -Host in Route 1 hop before Host None sends ARP Broadcast ---> 1.1.1.* Now if we receive a broadcast looking for the hardware address of Host None we know that the taget host must have sent a packet back. Since FIN packets only return RSTs when the ports are closed we have found a closed port. Now if on the next packet sent no arp broadcast is snooped we know that the port is most likely open. The magic of great blind scans begin. The problem is the scan can be narrowed down to your subnet, the benefit is that is can be one of a number computers example using tcpdump and IP Sorcery THANKS GUYS!. -Send packet to ssh returns nothing we can assume it is open 192.168.0.7.1993 > legions.org.ssh: F [tcp sum ok] 524637819:524637819(0) win 1346 (ttl 64, id 53339, len 40) -Send packet to Telnet it returns a RST we know by the ARP from the router 192.168.0.7.1993 > legions.org.telnet: F [tcp sum ok] 480732068:480732068(0) win 2957 (ttl 64, id 53332, len 40) arp who-has 192.168.0.7 tell 192.168.0.1 Now we NMAP to verify our results # nmap (V. 2.54BETA34) scan initiated Sun Jul 27 09:57:24 2003 as: nmap -sT -p22,23 -oN arp1.log www.legions.org Interesting ports on mail.legions.org (66.12.11.166): (The 1 port scanned but not shown below is in state: closed) Port State Service 22/tcp open ssh example code http://www.legions.org/~phric/arpscan.c I'm a chunky monkey from funkytown... Any question or comments email phric@legions.org.