Monday, September 26, 2016

Scanning Network using Netdiscover, ARP-Scan & ARP to Find Live Hosts

An ICMP ping sweep is one way to discover live hosts on a network, but ICMP echo requests are often dropped by host firewalls or filtered in transit. When that happens you can fall back to an ARP scan. The catch is that ARP is a layer-2 protocol: it only reaches hosts in the same broadcast domain as the scanner and does not cross routers, so it cannot be used against a remote subnet, and switch features such as port isolation or private VLANs can still restrict it.

ARP scans have the advantage of finding hosts that hide from ICMP: any IPv4 host must answer ARP requests for its own address in order to communicate at all, so a host that silently drops pings will still reveal itself to an ARP scan.

The Address Resolution Protocol (ARP) maps IPv4 addresses to the MAC addresses of hosts on the local network segment. Each host keeps the mappings it has learned in a table (the ARP cache) for later use.

How does it work?

The scanner sends one ARP request per address in the target range. Each request is broadcast to every host on the segment (destination MAC ff:ff:ff:ff:ff:ff) and asks "who has this IP address?". Only the host that owns that address replies, and the reply carries its MAC address. Every reply therefore identifies a live host together with its hardware address; addresses that draw no reply are unused or unreachable at layer 2.
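The exchange described above, as an added example that is not part of the original post and not the code of netdiscover or arp-scan: it builds the 42-byte Ethernet/ARP request for every address in a /24, parses the replies, and keeps only replies for addresses it actually asked about. The four hosts, their MAC addresses and the scanner's own address (192.168.221.128, 00:0c:29:aa:bb:cc) are constructed sample data, and the SimulatedSegment class stands in for the wire so the script runs offline; the linux_raw_transport function is the real transport (Linux only, needs root) and is not used by the simulated run.

```python
"""Toy ARP sweep in pure Python: one broadcast request per address, one reply per live host."""
import ipaddress
import struct

ETH_BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_bytes(ip): return ipaddress.IPv4Address(ip).packed

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP frame (42 bytes). A request goes to the broadcast MAC with a zeroed
    target MAC ("who has target_ip? tell sender_ip"); a reply is unicast back to the asker."""
    eth_dst = ETH_BROADCAST if op == ARP_REQUEST else target_mac
    tha = b"\x00" * 6 if op == ARP_REQUEST else target_mac
    eth = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode, then sha/spa/tha/tpa
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + tha + target_ip
    return eth + arp

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None.
    Anything that is not ARP, or is a request rather than a reply, is dropped."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return str(ipaddress.IPv4Address(frame[28:32])), mac_str(frame[22:28])

def arp_sweep(subnet, src_mac, src_ip, send, recv):
    """Ask for every host address in subnet, then collect replies. Replies for addresses
    we never asked about (another segment, or a spoofed answer) are ignored."""
    targets = {str(h) for h in ipaddress.ip_network(subnet, strict=False).hosts()}
    for ip in targets:
        send(build_arp(ARP_REQUEST, mac_bytes(src_mac), ip_bytes(src_ip), b"\x00" * 6, ip_bytes(ip)))
    live = {}
    for frame in recv():
        parsed = parse_arp_reply(frame)
        if parsed and parsed[0] in targets:
            live[parsed[0]] = parsed[1]
    return dict(sorted(live.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])))

class SimulatedSegment:
    """Constructed stand-in for the LAN: each host answers only for its own address.
    One stray reply from a different network is pre-queued to show the filter at work."""
    def __init__(self, hosts):
        self.hosts = hosts  # {ip: mac}, constructed sample data
        self.inbox = [build_arp(ARP_REPLY, mac_bytes("de:ad:be:ef:00:01"), ip_bytes("10.0.0.9"),
                                b"\x00" * 6, ip_bytes("10.0.0.1"))]

    def send(self, frame):
        op = struct.unpack("!H", frame[20:22])[0]
        asked_for = str(ipaddress.IPv4Address(frame[38:42]))
        if op == ARP_REQUEST and asked_for in self.hosts:  # owner answers the asker directly
            self.inbox.append(build_arp(ARP_REPLY, mac_bytes(self.hosts[asked_for]), frame[38:42],
                                        frame[22:28], frame[28:32]))

    def recv(self):
        yield from self.inbox

# Constructed sample: four hosts, mirroring the four found in the post's scan
SAMPLE_HOSTS = {
    "192.168.221.1": "00:50:56:c0:00:08",
    "192.168.221.2": "00:50:56:f1:2a:3b",
    "192.168.221.130": "00:0c:29:4d:9e:7f",
    "192.168.221.254": "00:50:56:e8:11:22",
}

def run_simulated_sweep():
    seg = SimulatedSegment(SAMPLE_HOSTS)
    return arp_sweep("192.168.221.0/24", "00:0c:29:aa:bb:cc", "192.168.221.128", seg.send, seg.recv)

def linux_raw_transport(iface, timeout=2.0):
    """Real transport (Linux only, needs root): AF_PACKET socket bound to iface and
    filtered to the ARP ethertype. Not exercised by the simulated run."""
    import socket, time
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_ARP))
    sock.bind((iface, 0))
    sock.settimeout(0.2)

    def recv():
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                yield sock.recv(65535)
            except socket.timeout:
                continue
    return sock.send, recv

if __name__ == "__main__":
    for ip, mac in run_simulated_sweep().items():
        print(f"{ip:<16} {mac}")
```

To run it for real on Linux, replace the simulated send/recv with `send, recv = linux_raw_transport("eth0")` and call `arp_sweep` with your own interface MAC and IP as the sender fields; because the scanner only keeps replies for addresses it asked about, a host on another segment or a forged reply for an address outside the range never ends up in the result.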

ARP Scan using Netdiscover


Open up your attacker machine terminal and type in the following command: netdiscover -r 192.168.221.0/24

Make sure you change the IP range/subnet to yours. The "-r" flag tells netdiscover to send ARP requests for every address in the given range (it needs root, since it uses raw sockets). All responses are displayed on the screen. If you want to avoid generating traffic, netdiscover also has a passive mode ("-p") that only listens for ARP exchanges already happening on the segment.


As the output shows, it found 4 hosts.

ARP Scan using arp-scan


Type the following command on your terminal: arp-scan --interface=eth0 192.168.221.0/24

This tells arp-scan to send its requests out of eth0, the interface connected to the target network, and to scan the given subnet. Like netdiscover, arp-scan needs root to open a raw socket; by default it also prints the vendor name looked up from each MAC address, which is a quick way to spot virtual machines, printers and network gear.


The results match netdiscover's, as both tools use the same underlying technique: one ARP request per address in the range, one reply per live host.


-Jayesh Kerai (@secjay)
