1
00:00:00,170 --> 00:00:02,420
Address Resolution Protocol.

2
00:00:02,450 --> 00:00:09,860
ARP is a network layer protocol used for mapping a network address, such as an IPv4 address, to

3
00:00:09,860 --> 00:00:12,230
a physical address such as a MAC address.

4
00:00:12,860 --> 00:00:15,650
To simulate how the ARP mechanism works,

5
00:00:15,830 --> 00:00:22,550
we have a small network in the slide: a switch on top, and three computers connected to it.

6
00:00:22,580 --> 00:00:25,280
Computer A wants to talk to Computer C.

7
00:00:26,560 --> 00:00:30,940
It puts an ARP request onto the wire, which happens to be a broadcast.

8
00:00:31,480 --> 00:00:36,040
Essentially what it's saying is: who has Computer C's MAC address?

9
00:00:37,020 --> 00:00:41,520
Of course, because it's a broadcast, every system on the network hears it.

10
00:00:42,110 --> 00:00:43,640
Does everybody respond?

11
00:00:43,820 --> 00:00:47,000
Well, what happens is that B hears it.

12
00:00:47,000 --> 00:00:49,850
A is looking for the MAC address of Computer C.

13
00:00:50,790 --> 00:00:56,850
B knows that it's not Computer C, and therefore does not respond to the broadcast.

14
00:00:57,590 --> 00:00:58,670
The broadcast.

15
00:00:58,670 --> 00:01:06,770
The request goes out to every system, but the only system that will reply is Computer C, with an ARP

16
00:01:06,770 --> 00:01:07,580
reply.

17
00:01:08,410 --> 00:01:13,060
In other words, Computer A says: who has the MAC address of Computer C?

18
00:01:13,090 --> 00:01:19,210
And although all the workstations hear the question, only C replies and says, I've got the MAC address

19
00:01:19,210 --> 00:01:22,300
of Computer C, and this is what it is.

20
00:01:22,450 --> 00:01:30,190
So the ARP reply sends back the MAC address to Computer A, and each of these machines starts building

21
00:01:30,190 --> 00:01:31,330
an ARP table.

22
00:01:31,360 --> 00:01:33,250
So what is the ARP table?
23
00:01:33,950 --> 00:01:38,930
Since computers cannot send broadcast messages every time they need to connect with another network

24
00:01:38,930 --> 00:01:44,720
device, they store the IP addresses and the corresponding MAC addresses of systems they frequently

25
00:01:44,720 --> 00:01:48,200
communicate with in a table called the ARP table.

26
00:01:48,230 --> 00:01:50,930
All the systems in the LAN maintain this table.

27
00:01:51,740 --> 00:01:57,590
The entries in the ARP cache table are generally short-lived and are updated every 15 to 20 minutes.

28
00:01:57,920 --> 00:01:59,310
Now let's get back to our topic.

29
00:01:59,330 --> 00:02:05,630
Can we say that one of the passive scan methods is just looking into the ARP table of a system which

30
00:02:05,630 --> 00:02:07,490
is in the network that we are scanning?

31
00:02:07,520 --> 00:02:08,990
Well, sure we can.

32
00:02:09,259 --> 00:02:11,030
Inside an ARP table,

33
00:02:11,060 --> 00:02:17,510
we see the IP addresses of some of the systems of the network and their corresponding MAC addresses.

34
00:02:17,780 --> 00:02:24,980
Let's see the ARP tables in three different platforms: macOS, Windows and Debian Linux.

35
00:02:25,520 --> 00:02:32,480
We are in a macOS operating system. First, open the terminal: type terminal in the search box of

36
00:02:32,480 --> 00:02:36,410
the Applications window, which brings you the Terminal application.

37
00:02:36,410 --> 00:02:42,080
Typing arp and hitting enter shows a small help for the arp command.

38
00:02:42,940 --> 00:02:47,500
If you want to see detailed help about the arp command, you can use the man command.

39
00:02:47,710 --> 00:02:51,230
Type man arp and hit enter.

40
00:02:51,250 --> 00:02:52,750
You'll get detailed help.

41
00:02:54,120 --> 00:02:58,500
The -a parameter is used to display all current ARP table entries.

42
00:02:58,500 --> 00:02:59,370
But hold on.

43
00:02:59,370 --> 00:03:03,210
It says -a is used to delete all entries as well.
44
00:03:03,240 --> 00:03:04,380
How can that be?

45
00:03:04,530 --> 00:03:09,660
Well, to delete an ARP table entry, you use the -d parameter.

46
00:03:10,130 --> 00:03:16,370
If you use this parameter with the -a parameter, you are able to delete all entries of the ARP table.

47
00:03:16,560 --> 00:03:20,300
The -i parameter is used to see the entries of a single interface.

48
00:03:20,570 --> 00:03:26,240
By default, the arp command tries to show the displayed addresses symbolically.

49
00:03:26,960 --> 00:03:33,080
To see the IP addresses instead of the display names of the systems, you have to use the -n parameter,

50
00:03:33,840 --> 00:03:36,630
which means do not resolve names.

51
00:03:37,520 --> 00:03:37,910
Okay.

52
00:03:37,910 --> 00:03:38,240
Press

53
00:03:38,240 --> 00:03:40,790
q to quit the man page of the arp command.

54
00:03:40,820 --> 00:03:46,670
Now type arp -an to see all the entries of the ARP table.

55
00:03:47,360 --> 00:03:54,320
Since macOS is a BSD-based operating system, the results of the command are displayed in BSD style.

56
00:03:54,980 --> 00:03:58,280
The second machine is a Microsoft Windows 8.

57
00:03:58,890 --> 00:04:01,200
Let's open a command prompt first.

58
00:04:01,230 --> 00:04:05,130
I have a shortcut on my status bar, so I click it to start a command prompt.

59
00:04:05,790 --> 00:04:12,780
Alternatively, press the Windows plus buttons, open the dialog box, run the command and hit enter.

60
00:04:13,700 --> 00:04:18,560
If you type arp in a Windows system, the help page of the arp command is displayed.

61
00:04:19,470 --> 00:04:24,270
Type arp -a to see the entries of the ARP table.

62
00:04:24,480 --> 00:04:27,000
In my opinion, this display is more,

63
00:04:27,030 --> 00:04:30,630
I don't know, human-readable than BSD style.

64
00:04:31,290 --> 00:04:35,520
Now, although we're not interested in these at the moment, I would like to talk a little about the

65
00:04:35,520 --> 00:04:40,170
IP addresses that start with 224, to calm your curiosity.
66
00:04:41,050 --> 00:04:48,340
224.0.0.22 is the multicast address for Internet Group Management Protocol.

67
00:04:48,640 --> 00:04:58,270
224.0.0.252 is used by recent versions of Windows for Link-Local Multicast Name Resolution

68
00:04:59,590 --> 00:04:59,980
when

69
00:04:59,980 --> 00:05:03,100
searching for local network computers.

70
00:05:03,520 --> 00:05:08,830
The third machine is our Kali, which is a Debian-based Linux operating system.

71
00:05:09,160 --> 00:05:10,720
Open the terminal window.

72
00:05:11,110 --> 00:05:15,550
If you type arp and hit enter, the ARP table

73
00:05:15,550 --> 00:05:19,390
entries are displayed in a human-readable format.

74
00:05:19,540 --> 00:05:27,940
As you see, systems are listed with a known domain name such as www dot owasp Broadway dot com.

75
00:05:27,940 --> 00:05:38,140
By default, arp -h brings you a small help page. If you want a detailed help page, type man

76
00:05:38,170 --> 00:05:38,830
arp.

77
00:05:41,120 --> 00:05:43,100
In a Debian-based Linux system,

78
00:05:43,850 --> 00:05:50,660
the -a parameter of the arp command is used to see the entries in BSD format, which we saw in macOS.

79
00:05:50,890 --> 00:05:54,860
-i is again to see the entries of a single interface.

80
00:05:55,190 --> 00:06:05,720
Okay, press q to quit the man page. arp -a displays ARP table entries in BSD format, and use the -n parameter

81
00:06:05,720 --> 00:06:09,440
to see the IP addresses instead of the domain names of the systems.