ARPing is a tool that can be used to send ARP requests and identify whether a host is alive and responding:

1. The tool is used by simply passing an IP address as an argument to it:

2. In the example provided, a single ARP request is sent to the broadcast address, requesting the physical location of the 172.16.36.135 IP address. As indicated by the output, a single reply was received by the host with the 00:0C:29:3D:84:32 MAC address. This tool can be more effectively used for layer 2 discovery scanning if a bash script is used to perform this action on multiple hosts simultaneously. In order to test the responses of each instance in bash, we should determine a unique string that is included in the response, indicating a live host, but not included when no response is received.
3. To identify a unique string, an ARPing request should be made to a non-responsive IP address:

4. By analyzing varying responses from successful and unsuccessful ARPings, one might notice that the unique bytes from a string only exist in the response if there is a live host associated with the provided IP address, and it is also within a line that includes the IP address. By grepping this response, we can extract the IP address for each responding host:

5. Grepping for this unique string when performing an ARPing against an actual host IP returns a line with that IP address included, as seen in the first response from the previous set of commands. Performing the same task against an IP address that is not associated with an actual host returns nothing, as seen in the last response from the previous set of commands. Using cut with a specially crafted delimiter (-d) and the field (-f) values, we can quickly extract the IP address from this string. The command-line function cut can be used in bash to separate a line into an array, based on a specified delimiter. A specific value can then be returned from the cut function by specifying the field. By piping over the output multiple times, we can easily extract the MAC address from the returned string. Have a look at the following set of commands:

6. We can easily extract the IP address from the returned string by merely manipulating the delimiter and field values supplied to the cut function:

7. Upon identifying how to extract the IP address from a positive ARPing response, we can easily pass this task through a loop in a bash script and output a list of live IP addresses. An example of a script that uses this technique is as follows:

        #!/bin/bash

        if [ "$#" -ne 1 ]; then
        echo "Usage - ./arping.sh [interface]"
        echo "Example - ./arping.sh eth0"
        echo "Example will perform an ARP scan of the 
          local subnet to which eth0 is assigned"
        exit
        fi

        interface=$1
        prefix=$(ifconfig $interface | grep 'inet ' 
        | awk '{ print $2 }'| cut -d ':' -f 2 | cut -d '.' -f 1-3)

        for addr in {1..254}; do
        arping -c 1 $prefix.$addr | grep "bytes from" 
        | cut -d " " -f 5 | cut -d "(" -f 2 | cut -d ")" -f 1 &
        done

8. Notice that an ampersand is used at the end of the for loop task instead of a semicolon. The ampersand allows the tasks to be performed in parallel instead of in sequence. This drastically reduces the amount of time required to scan the IP range. Have a look at the following set of commands:

9. One can easily redirect the output of the script to a text file that can then be used for subsequent analysis. The output can be redirected using the greater-than sign, followed  by the name of the text file. An example of this can be seen here:

10. Once the output has been redirected to the output file, you can use the ls command to verify that the file was written to the filesystem, or you can use the cat command to view the contents of the file. This script can also be modified to read from an input file and only verify that the hosts listed in this file are alive. For the following script, you will need an input file with a list of IP addresses. For this, we can use the same input file that was used for the Scapy script, discussed in the previous recipe:

        #!/bin/bash

        if [ "$#" -ne 1 ]; then
        echo "Usage - ./arping.sh [input file]"
        echo "Example - ./arping.sh iplist.txt"
        echo "Example will perform an ARP scan of all IP addresses
         defined in iplist.txt"
        exit
        fi

        file=$1

        for addr in $(cat $file); do
        arping -c 1 $addr | grep "bytes from" 
        | cut -d " " -f 5 | cut -d "(" -f 2 | cut -d ")" -f 1 &
        done

11. The only major difference between this script and the preceding one is that rather than supplying an interface name, the filename of the input list is supplied upon the execution of the script. This argument is passed to the file variable. The for loop is then used to loop through each value in this file to perform the ARPing task. To execute the script, use a period and forward slash, followed by the name of the executable script:

12. Executing the script without any arguments supplied will return the usage of the script. This usage indicates that an input file should be supplied as an argument. When this is done, the script is executed, and a list of live IP addresses is returned from the input list of IP addresses. In the same manner as discussed earlier, the output of this script can easily be redirected to an output file using the greater-than sign. An example of this can be seen as follows:

13. Once the output has been redirected to the output file, you can use the ls command to verify that the file was written to the filesystem, or you can use the cat command to view the contents of the file.