Merge branch 'master' of https://github.com/Rhig/arp-scan into Rhig-m…

…aster
ajdelgado · Aug 22, 2016 · ee47cc6 · ee47cc6
2 parents c953ec8 + 8273501
commit ee47cc6
Showing 1 changed file with 66 additions and 35 deletions.
diff --git a/arp-fingerprint b/arp-fingerprint
@@ -33,6 +33,8 @@ use warnings;
 use strict;
 use Getopt::Std;
 #
+sub get_localnet($);
+#
 my $arpscan="arp-scan -q -r 1";
 #
 # Hash of known fingerprints
@@ -46,8 +48,7 @@ my $arpscan="arp-scan -q -r 1";
 # FreeBSD 4.3	FreeBSD 4.3 i386 on VMware
 # DragonflyBSD 2.0	Dragonfly BSD 2.0.0 i386 on VMware
 # DragonflyBSD 3.0	Dragonfly BSD 3.0.2 i386 on VMware
-# DragonflyBSD 3.2	Dragonfly BSD 3.2.2 amd64 on VMware
-# Win 3.11	Windows for Workgroups 3.11/DOS 6.22 on VMware
+# DragonflyBSD 3.2	Dragonfly BSD 3.2.2 amd64 on VMware# Win 3.11	Windows for Workgroups 3.11/DOS 6.22 on VMware
 # 95		Windows 95 OSR2 on VMware
 # Win98		Windows 98 SE on VMware
 # WinME		Windows ME on VMware
@@ -68,16 +69,15 @@ my $arpscan="arp-scan -q -r 1";
 # Linux 2.6	Kindle 3.1 on Amazon Kindle 3
 # Linux 2.6	Linux 2.6.32.60 x86_64 on VMware (debian squeeze)
 # Linux 3.2	Linux 3.2.0 686 on VMware (debian wheezy)
-# Linux 3.8	Linux 3.8.8 x86_64 on VMware (fedora 17)
-# Cisco IOS	IOS 11.2(17) on Cisco 2503
+# Linux 3.8	Linux 3.8.8 x86_64 on VMware (fedora 17) # Cisco IOS	IOS 11.2(17) on Cisco 2503
 # Cisco IOS	IOS 11.3(11b)T2 on Cisco 2503
 # Cisco IOS	IOS 12.0(8) on Cisco 1601
 # Cisco IOS	IOS 12.1(27b) on Cisco 2621
 # Cisco IOS	IOS 12.2(32) on Cisco 1603
 # Cisco IOS	IOS 12.3(15) on Cisco 2503
 # Cisco IOS	IOS 12.4(3) on Cisco 2811
 # Cisco IOS	IOS 12.4(24)T1 on Cisco 1841
-# Cisco IOS	IOS 15.0(1)M on Cisco 7206 (dynamips)
+# Cisco IOS	IOS 15.0(1)M on Cisco 7206 (dynamips) 
 # Solaris 2.5.1	Solaris 2.5.1 (SPARC) on Sun SPARCstation 20
 # Solaris 2.6	Solaris 2.6 (SPARC) on Sun Ultra 5
 # Solaris 7	Solaris 7 (x86) on VMware
@@ -103,8 +103,7 @@ my $arpscan="arp-scan -q -r 1";
 # NetBSD 2.0.2	NetBSD 2.0.2 i386 on VMware
 # NetBSD 4.0	NetBSD 4.0 i386 on VMware
 # NetBSD 5.1	NetBSD 5.1.2 i386 on VMware
-# NetBSD 6.0-amd64	NetBSD 6.0.1 amd64 on VMware
-# IPSO 3.2.1	IPSO 3.2.1-fcs1 on Nokia VPN 210
+# NetBSD 6.0-amd64	NetBSD 6.0.1 amd64 on VMware# IPSO 3.2.1	IPSO 3.2.1-fcs1 on Nokia VPN 210
 # Netware 6.5	Novell NetWare 6.5 on VMware
 # HP-UX 11	HP-UX B.11.00 A 9000/712 (PA-RISC)
 # PIX OS	PIX OS (unknown vsn) on Cisco PIX 525
@@ -158,7 +157,7 @@ my %fp_hash = (
    '11110100011' => 'MacOS 10.3, FreeBSD 4.3, IRIX 6.5, AIX 4.3, AIX 5.3',
    '10010100011' => 'SCO OS 5.0.7',
    '10110100000' => 'Win 3.11, 95, NT 3.51',
-   '11110000011' => '2.11BSD, 4.3BSD, OpenBSD 3.1, 3.9, 4.8, 5.1, Nortel Contivity 6.00, 6.05, RiscOS 5.19',
+   '11110000011' => '2.11BSD, 4.3BSD, OpenBSD 3.1, OpenBSD 3.9, 4.8, 5.1, Nortel Contivity 6.00, 6.05, RiscOS 5.19',
    '10110110000' => 'NetBSD 2.0.2, 4.0, 5.1',
    '10110111111' => 'PIX OS 4.4, 5.1, 5.2, 5.3, Android 4.1',
    '11110111111' => 'PIX OS 6.0, 6.1, 6.2, ScreenOS 5.0 (transparent), Plan9, Blackberry OS',
@@ -179,16 +178,19 @@ Fingerprint the target system using arp-scan.
         -h Display this usage message.
         -v Give verbose progress messages.
 	-o <option-string> Pass specified options to arp-scan
+	-l Fingerprint all targets in the local net.
 /;
 my %opts;
 my $user_opts="";
 my $verbose;
 my $fingerprint="";
 my $fp_name;
+my @targets;
+my $target;
 #
 # Process options
 #
-die "$usage\n" unless getopts('hvo:',\%opts);
+die "$usage\n" unless getopts('hlvo:',\%opts);
 if ($opts{h}) {
    print "$usage\n";
    exit(0);
@@ -197,55 +199,65 @@ $verbose=$opts{v} ? 1 : 0;
 if ($opts{o}) {
    $user_opts = $opts{o};
 }
-#
-if ($#ARGV != 0) {
+
+#If we're working in localnet mode, we don't need arguments
+if ($#ARGV != 0 && !$opts{l}) {
    die "$usage\n";
 }
-my $target=shift;
+
+if ($opts{l}) {
+   @targets=get_localnet($user_opts);
+} else {
+   @targets=@ARGV;
+}
+
+for $target (@targets) {
+   $fingerprint="";
 #
 # Check that the target is not an IP range or network.
 #
-if ($target =~ /\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+/ ||
-    $target =~ /\d+\.\d+\.\d+\.\d+\/\d+/ ||
-    $target =~ /\d+\.\d+\.\d+\.\d+:\d+\.\d+\.\d+\.\d+/) {
-   die "argument must be a single IP address or hostname\n";
-}
+   if ($target =~ /\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+/ ||
+       $target =~ /\d+\.\d+\.\d+\.\d+\/\d+/ ||
+       $target =~ /\d+\.\d+\.\d+\.\d+:\d+\.\d+\.\d+\.\d+/) {
+      die "argument must be a single IP address or hostname\n";
+   }
 #
 # Check that the system responds to an arp-scan with no options.
 # If it does, then fingerprint the target.
 #
-if (&fp("","$target") eq "1") {
+   if (&fp("","$target") eq "1") {
 # 1: source protocol address = localhost
-   $fingerprint .= &fp("--arpspa=127.0.0.1","$target");
+      $fingerprint .= &fp("--arpspa=127.0.0.1","$target");
 # 2: source protocol address = zero
-   $fingerprint .= &fp("--arpspa=0.0.0.0","$target");
+      $fingerprint .= &fp("--arpspa=0.0.0.0","$target");
 # 3: source protocol address = broadcast
-   $fingerprint .= &fp("--arpspa=255.255.255.255","$target");
+      $fingerprint .= &fp("--arpspa=255.255.255.255","$target");
 # 4: source protocol address = non local (network 1 is reserved)
-   $fingerprint .= &fp("--arpspa=1.0.0.1","$target");	# Non-local source IP
+      $fingerprint .= &fp("--arpspa=1.0.0.1","$target");	# Non-local source IP
 # 5: invalid arp opcode
-   $fingerprint .= &fp("--arpop=255","$target");
+      $fingerprint .= &fp("--arpop=255","$target");
 # 6: arp hardware type = IEEE_802.2
-   $fingerprint .= &fp("--arphrd=6","$target");
+      $fingerprint .= &fp("--arphrd=6","$target");
 # 7: invalid arp hardware type
-   $fingerprint .= &fp("--arphrd=255","$target");
+      $fingerprint .= &fp("--arphrd=255","$target");
 # 8: invalid arp protocol type
-   $fingerprint .= &fp("--arppro=0xffff","$target");
+      $fingerprint .= &fp("--arppro=0xffff","$target");
 # 9: arp protocol type = Novell IPX
-   $fingerprint .= &fp("--arppro=0x8137","$target");
+      $fingerprint .= &fp("--arppro=0x8137","$target");
 # 10: invalid protocol address length
-   $fingerprint .= &fp("--arppln=6","$target");
+      $fingerprint .= &fp("--arppln=6","$target");
 # 11: Invalid hardware address length
-   $fingerprint .= &fp("--arphln=8","$target");
+      $fingerprint .= &fp("--arphln=8","$target");
 #
-   if (defined $fp_hash{$fingerprint}) {
-      $fp_name = "$fp_hash{$fingerprint}";
+      if (defined $fp_hash{$fingerprint}) {
+         $fp_name = "$fp_hash{$fingerprint}";
+      } else {
+         $fp_name = "UNKNOWN";
+      }
+      print "$target\t$fingerprint\t$fp_name\n";
    } else {
-      $fp_name = "UNKNOWN";
+      print "$target\tNo Response\n";
    }
-   print "$target\t$fingerprint\t$fp_name\n";
-} else {
-   print "$target\tNo Response\n";
 }
 #
 # Scan the specified IP address with arp-scan using the given options.
@@ -276,3 +288,22 @@ sub fp ($$) {
 
    return $response;
 }
+
+#
+# use -l flag on arp-scan to collect all IPs in the local network
+#
+sub get_localnet($) {
+   my $user_opts = $_[0];
+   my @targets;
+
+   open(ARPSCAN, "$arpscan $user_opts -l |") || die "arp-scan failed";
+   while (<ARPSCAN>) {
+      if (/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\t/) {
+         push @targets, $1;
+      }
+   }
+   close(ARPSCAN);
+
+   die "parse of arp-scan failed" unless @targets;
+   return @targets;
+}